Re: bash_history from Cracked Computer
if you run updatedb via cron (or ran it from the shell by hand
recently) it'll tell you if you have any of the evil files
on your computer:
if you find any source files (*.c or *.pl) consider finding a
debian guru to hand them to in case this kind of thing can be
snuffed in the future. might help, you never know.
here's my run thru the command history...
somehow, your invader transferred some files here into
the /home/.dead/ at this point. must've used his own
ftp client, meaning he used your server--on my debian
box the FTP transfers are logged in
see if you've still got yours. it might help.
>cc anatomy.c -o anatomy
>cc kod.c -o kofd
i'd guess that 'anatomy' scans your directory tree
and reports it back to the IP supplied as its
command-line argument. or it may copy everything.
maybe it scans the structure of the remote site.
don't know. (you may still have the source code;
if so, it might be helpful to hand it off to
some of the C++ gurus around here so they can
wedge it out of existence...)
>cp kofd kod
hmm! he never directly called kod, but some of the other
programs may have.
looks like cut & paste, and maybe the last two didn't take.
so i guess he's now at /home/httpd/icons/small/.shit
unless there's a logout and login to another directory,
more files were transferred here somehow.
>chmod 777 *
>chmod +s *
>chmod 666 *
>chmod 777 *
>./pscan 167.64 111
and it looks like PSCAN does a whole zone at a time.
to what end, i don't know.
down a bit, there's
>./pscan 198.138 111
>./pscan 198.59 111
so the PSCAN program creates "wuftp.log" i guess.
of course, he zapped it before checking out.
i'd bet it was in /home/httpd/icons/small/.shit/
along with some other files... may still be there.
seemed to run the PSCAN on an ip net range, then check
the wuftp log file, apparently to get other IP ranges
to scan. ?
(you might try seeing if there's any left on the system.
may be informative.)
now THIS part i would consider very bad news:
[obviously transferring linux kernel here]
>tar -zxvf linux.tar.gz
(i know, it's all bad news, but some is badder than others.)
there's also a
which reports as nonexistent just now, so it's probably a
transient or dynamically-allocated ppp-like address.
to find out where the IPs he/she was interested in are
(in case it helps any, or you want to contact their
sysadmins) i did this in tcsh:
% grep anatomy bash_history.txt | cut -f2 "-d "
% foreach x(`!!`)
foreach x ( `grep anatomy bash_history.txt | cut -f2 "-d "` )
foreach? nslookup $x
foreach? end
maybe he/she had some friends in canada...?
and for the "./b" program:
foreach x ( `grep /b bash_history.txt | cut -f2 "-d " | sort | uniq` )
foreach? nslookup $x >> bash_crack
foreach? end
sorry this happened! hopefully your troubles can help us all
avoid it in the future... do you have any idea how they originally