From: redhat-list-bounces@xxxxxxxxxx on behalf of Chris W. Parker
Sent: Fri 8/19/2005 5:15 PM
To: redhat-list@xxxxxxxxxx
Subject: help i've been hacked. :(

Hello,

Currently the box is off the network but I have not been able to find any clues as to how it was exploited (though it's probably through an unpatched vulnerability).

The network card is continuously set to promiscuous mode and I cannot shut off any services using the 'service' command. Also my grep binary is destroyed periodically (about every minute or so).

If I take the card out of promiscuous mode with 'ifconfig eth0 -promisc' almost all commands I do set it back. Typing 'cat' will set it back into promiscuous mode (I can tell because one or more times the message 'promiscuous mode set' will appear on the screen), etc.

With 'netstat --inet -a' I can see a connection to an irc server.

What I need to find out is how far they've penetrated the network (have they been able to sniff and compromise passwords?) and what the purpose of the hack is. Is it to send spam? Is it to spread warez? etc.

The very last log line in /var/log/secure is 'SSHD[nnn]: Bad protocol version identification `NICK mamef` from 82.77.26.80'. I thought maybe 'nick mamef' would hint at an exploit somewhere but Google didn't return any useful info.

This box is just used as a webserver.

My plan at this point is to take the SSL keys off the server, verify that my backups from a few days ago are working (php files and MySQL dump) and then reinstall with something like FC4.

Also, I noticed that with 'ps -A' there are A LOT of awk and cat processes. A lot of them say <defunct> next to their name.

What should I do? How can I figure out what's going on?

Thanks,
Chris.

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list

I would reboot the box, get it into single user mode, and look for new files and check your startup routines for changes.
I would notify your network team that you have been hacked and that you are unsure if they left your box at the current moment, and they can take a look if they have the sniffers set up where they went to next.

I would start doing some forensics on your machine to see what was compromised. I would get your media together because you might need to reinstall.

Albert Smith
Sr. Unix Systems Administrator
HPCSA, RHCT
Genex Services
440 E. Swedesford Rd.
Wayne, PA 19087
albert.smith@xxxxxxxxxxxxxxxxx
(610) 964-5154
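The three symptoms Chris describes (an interface stuck in PROMISC, piles of <defunct> awk/cat processes, and an outbound IRC session in netstat) can be pulled out of captured command output on a trusted host rather than on the suspect box, which fits Albert's advice to take it offline before poking at it. This is an added example, not code from either poster; the ifconfig, ps -A and netstat samples below are constructed, and the 192.0.2.x / 198.51.100.x addresses are documentation placeholders.

```python
import re

# Constructed sample output (not from the original post) of `ifconfig`, `ps -A`
# and `netstat --inet -an` (-n keeps ports numeric), captured before unplugging.
IFCONFIG_OUT = """\
eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
"""
PS_OUT = """\
  PID TTY          TIME CMD
    1 ?        00:00:04 init
 4201 ?        00:00:00 awk <defunct>
 4202 ?        00:00:00 cat <defunct>
 4210 ?        00:00:00 awk <defunct>
"""
NETSTAT_OUT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:32811        198.51.100.7:6667       ESTABLISHED
tcp        0      0 192.0.2.10:ssh          192.0.2.20:51022        ESTABLISHED
"""
IRC_PORTS = set(range(6660, 6670)) | {7000}  # usual IRC ports; a heuristic only

def promisc_interfaces(text):
    # An interface block starts at column 0; PROMISC sits on an indented flags line.
    found, current = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():
            current = line.split()[0]
        elif current and re.search(r"\bPROMISC\b", line):
            found.append(current)
    return found

def defunct_processes(text):
    # Count <defunct> (zombie) entries per command name in `ps -A` output.
    counts = {}
    for parts in (l.split() for l in text.splitlines()):
        if len(parts) >= 5 and parts[-1] == "<defunct>":
            counts[parts[-2]] = counts.get(parts[-2], 0) + 1
    return counts

def irc_connections(text):
    # (local, peer, state) for TCP sessions whose peer port is an IRC port.
    hits = []
    for parts in (l.split() for l in text.splitlines()):
        if len(parts) >= 6 and parts[0] == "tcp":
            port = parts[4].rsplit(":", 1)[-1]
            if port.isdigit() and int(port) in IRC_PORTS:
                hits.append((parts[3], parts[4], parts[5]))
    return hits
```

Because the post reports that grep is being overwritten and that ordinary commands re-enable promiscuous mode, the binaries on the box are not trustworthy; collect the raw output once, copy it off, and run this on a clean machine.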