[clug] Need opinions about actions of an intruder...

Nedim Hadzimahmutovic h.nedim at gmail.com
Thu Aug 10 09:18:23 GMT 2006


At work, an old RH 9 box, which was 'maintained' by a coworker, was
hacked. While I was debugging asterisk on that box, I noticed a
strange process. Later I examined /var/log/messages and noticed
someone logged in as user 'news' with uid 0. We did a backup of files,
and also a complete reinstall of the box (FC4). The strange process was
this one:

root      7664  0.3  0.1  2024  884 ?        S    13:35   0:00 sh -c lynx -dump "http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=130008016306" | grep @ >>
root      7665  1.6  0.2  4960 2280 ?        S    13:35   0:00 lynx -dump http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=130008016306

What do you think the intruder was doing?

