How I got hacked last week: Redhat 7
Steve here,
Several have voiced an interest in the hack. Well here is a guess and some
facts:
THE HACK:
For those interested in the hack, I think it was the "Dameon worm" but
could not find any evidence of the trace files on my system. Here is what
happened:
1. I get a letter from "hacked@attrition.org" saying: "Urgent! Security
incident on your machine! Attrition.org is a non-profit, hobby web site
that monitors
computer crime on the internet. In the past few minutes, we
have been notified that your domain was hacked, and your web
page defaced. This means that the intruder has edited your
web page in some way. Due to this, it is quite likely that
one or all of the machines on your network are compromised.
You may wish to take immediate action to correct this problem
and respond to the intrusion."
2, I noticed my clock went forward maybe a day and had to reset it via
"date" command.
3. I notice a single page was changed: "index.html"
Here is the code from that page:
<!-- BEGIN Naviscope Javascript -->
<script language='javascript'>
NS_ActualOpen=window.open;
function NS_NullWindow(){this.window;}
function NS_NewOpen(url,nam,atr){return(new NS_NullWindow());}
window.open=NS_NewOpen;
</script>
<!-- END Naviscope Javascript -->
<html>
<head>
<title>..:: Quit Crew ::..</title>
</head>
<body bgcolor="#FFFFFF">
<center>
<OBJECT classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
codebase="http://active.macromedia.com/flash2/cabs/swflash.cab#version=4,0,0,0";
ID=devil WIDTH=731 HEIGHT=562>
<PARAM NAME=movie VALUE="qc.swf">
<PARAM NAME=loop VALUE=false>
<PARAM NAME=quality VALUE=high>
<PARAM NAME=bgcolor VALUE=#FFFFFF>
</OBJECT>
</center>
</body>
</html>
=========
end code
4. I have noticed nothing other than these changes.
So there you have it. I didn't even ever get to see what the flash was all
about it just loaded forever without anything. You know for all my trouble,
I should have at least got some free artwork!
Steve
Reply to: