[clug] Need opinions about actions of an intruder...
mst at dishevelled.net
Thu Aug 10 10:13:56 GMT 2006
"Nedim Hadzimahmutovic" <h.nedim at gmail.com> writes:
> at work an old RH 9 box, which was 'maintained' by a coworker, was
> hacked. While I was debugging asterisk on that box, I noticed a
> strange process. Later I examined /var/log/messages and noticed
> someone logged as user 'news' with uid 0. We did a backup of files,
> and also a complete reinstall of the box (FC4). The strange process was
> this one:
> root 7664 0.3 0.1 2024 884 ? S 13:35 0:00 sh -c
> lynx -dump "http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=130008016306"
> | grep @ >>
> root 7665 1.6 0.2 4960 2280 ? S 13:35 0:00 lynx
> -dump http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=130008016306
> What do you think the intruder was doing?
Some sort of attempt at harvesting email addresses perhaps? Very
<mst at dishevelled.net>
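
The two indicators in this thread (a system account, 'news', carrying uid 0, and a root-owned lynx -dump piped into grep @) can be checked for mechanically. The following is an added example, not part of the original thread; the function names, the list of fetcher programs and the sample passwd/ps data are assumptions constructed for illustration.

```python
import re

# Constructed sample data (not taken from the compromised host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
news:x:0:0:news:/etc/news:/bin/bash
asterisk:x:100:101:Asterisk PBX:/var/lib/asterisk:/sbin/nologin
"""
SAMPLE_PS = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 7664 0.3 0.1 2024 884 ? S 13:35 0:00 sh -c lynx -dump "http://example.invalid/item?id=1" | grep @ >> /tmp/constructed.out
root 7665 1.6 0.2 4960 2280 ? S 13:35 0:00 lynx -dump http://example.invalid/item?id=1
asterisk 7001 0.1 1.2 30000 12000 ? Ssl 09:00 0:12 /usr/sbin/asterisk
"""

FETCHER = re.compile(r"\b(lynx|links|w3m|curl|wget)\b")  # assumed watch list
GREP_AT = re.compile(r"\|\s*grep\s+\S*@")                # output filtered for '@'

def uid0_aliases(passwd_text):
    """Return account names other than root whose UID field is 0."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or line.startswith("#"):
            continue  # skip comments and malformed entries
        name, uid = fields[0], fields[2]
        if uid.isdigit() and int(uid) == 0 and name != "root":
            names.append(name)
    return names

def suspicious_root_procs(ps_text):
    """Flag processes listed as root that run a command-line web fetcher."""
    hits = []
    for line in ps_text.splitlines():
        cols = line.split(None, 10)  # 11th column is the full command
        if len(cols) < 11 or not cols[1].isdigit():
            continue  # header or truncated line
        user, pid, cmd = cols[0], int(cols[1]), cols[10]
        # ps typically shows UID 0 as "root" even if the login name was an alias.
        if user == "root" and FETCHER.search(cmd):
            kind = "fetch-piped-to-grep-@" if GREP_AT.search(cmd) else "fetch"
            hits.append((pid, kind))
    return hits

if __name__ == "__main__":
    print(uid0_aliases(SAMPLE_PASSWD))
    print(suspicious_root_procs(SAMPLE_PS))
```

On a live host the inputs would be the contents of /etc/passwd and the output of `ps aux`; on a box already known to be compromised, read them from a trusted boot medium or a disk image, since installed binaries may have been replaced.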