debian7 compromised (rk)
Hi all :-) First of all, sorry for my English.
2 days ago a hacker crew (BALUARI TEAM) compromised my Debian 7 with
brute-force programs, changed the root password and installed a rootkit.
last
root pts/0 31.14.106.154 Mon Jul 1 12:28 - 12:28 (00:00)
root pts/0 31.14.106.154 Mon Jul 1 09:43 - 09:45 (00:01)
(because of a router problem I started my server 2 days ago)
/var/log/syslog
Jul 11 06:26:01 server5 /USR/SBIN/CRON[4522]: (root) CMD (/root/Agent/update >/dev/null 2>&1)
Immediately I saw a connection with netstat:
tcp 0 0 0.0.0.0:34600 0.0.0.0:* LISTEN -
and
tcp 0 0 192.168.1.250:55834 173.230.241.139:6667 ESTABLISHED -
This IP, 173.230.241.139, is a Romanian VPS server with an IRC server and 3
channels.
I connected to this channel and I got to know the staff of hackers.
Today I made a backup of this script, which contains a huge list of
compromised servers. Later I will re-install the whole system.
Would it be useful to send this rk?
thanks
Pol