
debian7 compromised (rk)



Hi all :-) First of all, sorry for my English.

Two days ago a hacker crew (BALUARI TEAM) using brute-force programs
compromised my Debian 7, changed the root password and installed a rootkit.

last

root     pts/0        31.14.106.154    Mon Jul  1 12:28 - 12:28  (00:00)
root     pts/0        31.14.106.154    Mon Jul  1 09:43 - 09:45  (00:01)

(Because of a router problem I only started my server 2 days ago.)

/var/log/syslog

Jul 11 06:26:01 server5 /USR/SBIN/CRON[4522]: (root) CMD (/root/Agent/update >/dev/null 2>&1)

Immediately I saw with netstat a connection:

tcp 0 0 0.0.0.0:34600 0.0.0.0:* LISTEN -

and

tcp 0 0 192.168.1.250:55834 173.230.241.139:6667 ESTABLISHED -

This IP, 173.230.241.139, is a Romanian VPS server with an IRC server and 3
channels.

I connected to this channel and got to know the hackers' staff.

Today I made a backup of this script, which contains a huge list of
compromised servers. Later I will reinstall the whole system.

Could it be useful to send this rk?

thanks

Pol
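The following is an added triage example and is not part of Pol's post or of any tool mentioned in it. It runs offline over constructed netstat and syslog CRON lines modelled on the indicators above and flags the three things a responder would check first on a box like this: a listener on a port nobody expects, an established connection to an IRC port, and a root cron job executing from /root, /tmp or similar. The IRC port list, the set of expected listeners and the suspicious directories are assumptions chosen for the example.

```python
import re
from dataclasses import dataclass

# Assumptions for this example (not from the post): which ports count as IRC,
# which listeners are expected on the box, and which directories a root cron
# job should never execute from.
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}
EXPECTED_LISTEN_PORTS = {22}
SUSPICIOUS_DIRS = ("/root/", "/tmp/", "/var/tmp/", "/dev/shm/")

# One 'netstat -antp' TCP line: proto, queues, local, foreign, state, owner.
NETSTAT_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+|\*)\s+"
    r"(?P<state>\S+)\s+(?P<pid>.+)$"
)
# Debian syslog record written by cron when it runs a job.
CRON_RE = re.compile(r"CRON\[\d+\]: \((?P<user>\w+)\) CMD \((?P<cmd>.*)\)$")


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def parse_netstat(lines):
    """Yield a dict per TCP socket line; header and non-TCP lines are skipped."""
    for line in lines:
        m = NETSTAT_RE.match(line.strip())
        if m:
            yield m.groupdict()


def parse_cron(lines):
    """Yield (user, command) for every CRON execution record in a syslog."""
    for line in lines:
        m = CRON_RE.search(line.strip())
        if m:
            yield m.group("user"), m.group("cmd")


def triage(netstat_lines, syslog_lines):
    """Return Findings for unexpected listeners, IRC peers and odd root crons."""
    findings = []
    for s in parse_netstat(netstat_lines):
        lport = int(s["lport"])
        if s["state"] == "LISTEN" and lport not in EXPECTED_LISTEN_PORTS:
            # owner '-' here means netstat could not attribute the socket to
            # a process; on a rootkitted host that is itself worth noting.
            findings.append(Finding("unexpected_listener",
                                    f"{s['laddr']}:{lport} owner={s['pid']}"))
        if (s["state"] == "ESTABLISHED" and s["rport"] != "*"
                and int(s["rport"]) in IRC_PORTS):
            findings.append(Finding("irc_connection",
                                    f"{s['laddr']}:{lport} -> "
                                    f"{s['raddr']}:{s['rport']} owner={s['pid']}"))
    for user, cmd in parse_cron(syslog_lines):
        words = cmd.split()
        program = words[0] if words else ""
        if program.startswith(SUSPICIOUS_DIRS):
            findings.append(Finding("suspicious_cron", f"({user}) {cmd}"))
    return findings


# Constructed sample input modelled on the post's output; not a real capture.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 0.0.0.0:34600           0.0.0.0:*               LISTEN      -
tcp        0      0 192.168.1.250:55834     173.230.241.139:6667    ESTABLISHED -
tcp        0      0 192.168.1.250:22        192.168.1.10:50112      ESTABLISHED 4711/sshd: pol
""".splitlines()

SAMPLE_SYSLOG = """\
Jul 11 06:17:01 server5 /USR/SBIN/CRON[4490]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Jul 11 06:25:02 server5 anacron[4520]: Job `cron.daily' terminated
Jul 11 06:26:01 server5 /USR/SBIN/CRON[4522]: (root) CMD (/root/Agent/update >/dev/null 2>&1)
""".splitlines()


if __name__ == "__main__":
    for f in triage(SAMPLE_NETSTAT, SAMPLE_SYSLOG):
        print(f"{f.kind:20} {f.detail}")
```

On a live host the same functions can be fed the real output of `netstat -antp` and the contents of /var/log/syslog, but remember that a rootkit can hide sockets and processes from the tools on the box, so a clean result from this check is not evidence of a clean system; the findings above are what you collect before pulling the plug and rebuilding, as Pol planned to do.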
