[clug] Need opinions about actions of an intruder...

Leigh Purdie intersect at gmail.com
Thu Aug 10 12:52:54 GMT 2006

Agree with Jim.

Your box was probably being prepared for hosting a phishing attack
against ebay users.

They're downloading images & data from ebay so that they can establish
a web server on your computer that looks and smells like an ebay page.
They'll then bounce out a million emails, telling users something like
"Hey, I haven't received my item from you", and pointing them to the
ebay bit of your web site.

This will lead the user through a login process that will grab their
ebay username/password, and ask them to also verify their
paypal/bank/credit card details (whatever they can get away with).

The good news is that the hacker is MOST LIKELY long gone. They've
thrown a script on your box that practically automates the process of
setting up a phishing site, and they'll move on to other options, and
wait for the emails to roll in. They're unlikely to care about your
data - they probably don't even know (or care about) the geographical
location of your server. (note: capitalised above, because there's
still a chance they're hanging around, or that they're doing other
nasty things...)



On 8/10/06, Nedim Hadzimahmutovic <h.nedim at gmail.com> wrote:
> Hi,
> at work an old RH 9 box, which was 'maintained' by a coworker, was
> hacked. While I was debugging asterisk on that box, I noticed a
> strange process. Later I examined /var/log/messages and noticed
> someone logged in as user 'news' with uid 0. We did a backup of files,
> and also a complete reinstall of the box (FC4). The strange process was
> this one:
> root      7664  0.3  0.1  2024  884 ?        S    13:35   0:00 sh -c
> lynx -dump "http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=130008016306"
> | grep @ >>
> root      7665  1.6  0.2  4960 2280 ?        S    13:35   0:00 lynx
> -dump http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=130008016306
> What do you think the intruder was doing?
> --
> Linux Web Hosting Services
> http://www.tophosting.ba
> --------------------------------------------
> --
> linux mailing list
> linux at lists.samba.org
> https://lists.samba.org/mailman/listinfo/linux
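Two of the indicators discussed in this thread (a harvesting pipeline of the form "fetch a page | grep @ >> file" visible in the process list, and a non-root account such as 'news' carrying uid 0) can be checked mechanically. The script below is an added example written for this archive page, not code from either poster; the process-listing and passwd lines it scans are constructed samples that only mimic the shape of what was posted, and the hostname, paths and pids in them are made up.

```python
import re

# Constructed ps-aux style lines (NOT the original post's output). Pids 7664 and
# 8110 model the "fetch | grep @ >> file" harvester shape from the thread; the
# others are benign look-alikes that a naive "grep for lynx" would misfire on.
SAMPLE_PS = """\
root      7664  0.3  0.1  2024  884 ?        S    13:35   0:00 sh -c lynx -dump "http://auction.example/item?id=123" | grep @ >> /tmp/.list
root      7665  1.6  0.2  4960 2280 ?        S    13:35   0:00 lynx -dump http://auction.example/item?id=123
apache    8102  0.0  0.5 22100 5300 ?        S    13:40   0:00 /usr/sbin/httpd
news      8110  0.0  0.1  2100  900 ?        S    13:41   0:00 sh -c wget -q -O - http://auction.example/feedback?u=bob | grep -o "[A-Za-z0-9._%+-]*@[A-Za-z0-9.-]*" >> /var/tmp/.mails
root      8120  0.0  0.1  2100  900 ?        S    13:42   0:00 grep @ /var/log/maillog
"""

# Constructed /etc/passwd excerpt: the 'news' line carries uid 0 (hypothetical).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
news:x:0:13:news:/etc/news:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
"""

# A harvester needs all three parts: a page fetcher, a grep for '@', and an
# append redirect collecting the hits into a file.
FETCH_RE = re.compile(r"\b(lynx|wget|curl|links)\b")
GREP_AT_RE = re.compile(r"\bgrep\b[^|]*@")
APPEND_RE = re.compile(r">>\s*\S+")


def parse_ps_line(line):
    """Split one `ps aux` line into user, pid and the full command string."""
    parts = line.split(None, 10)  # USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
    if len(parts) < 11 or parts[0] == "USER":
        return None
    return {"user": parts[0], "pid": parts[1], "cmd": parts[10]}


def find_harvester_processes(ps_text):
    """Return the processes whose command line fetches a page, greps for '@'
    and appends the result to a file (the address-harvesting shape)."""
    hits = []
    for line in ps_text.splitlines():
        proc = parse_ps_line(line)
        if proc is None:
            continue
        cmd = proc["cmd"]
        if FETCH_RE.search(cmd) and GREP_AT_RE.search(cmd) and APPEND_RE.search(cmd):
            proc["output_file"] = APPEND_RE.search(cmd).group(0)[2:].strip()
            hits.append(proc)
    return hits


def uid0_accounts(passwd_text):
    """Return every account name other than 'root' whose uid field is 0."""
    names = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            names.append(name)
    return names


if __name__ == "__main__":
    for p in find_harvester_processes(SAMPLE_PS):
        print(f"harvester-like process pid={p['pid']} user={p['user']} -> {p['output_file']}")
    for name in uid0_accounts(SAMPLE_PASSWD):
        print(f"non-root account with uid 0: {name}")
```

On a live box the same functions would be fed `ps auxww` output and `/etc/passwd`; the output file the pipeline appends to is worth preserving with the backup, since it is the harvested address list the phishing mailing would have used. The passwd check is deliberately plain: a uid 0 entry under any name but root is almost always an added backdoor account and is quick to rule out.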

