[clug] Need opinions about actions of an intruder...
Leigh Purdie
intersect at gmail.com
Thu Aug 10 12:52:54 GMT 2006
Agree with Jim.
Your box was probably being prepared for hosting a phishing attack
against ebay users.
They're downloading images & data from ebay so that they can establish
a web server on your computer that looks and smells like an ebay page.
They'll then bounce out a million emails, telling users something like
"Hey, I haven't received my item from you", and pointing them to the
ebay bit of your web site.
This will lead the user through a login process that will grab their
ebay username/password, and ask them to also verify their
paypal/bank/credit card details (whatever they can get away with).
The good news is that the hacker is MOST LIKELY long gone. They've
thrown a script on your box that practically automates the process of
setting up a phising site, and they'll move on to other options, and
wait for the emails to roll in. They're unlikely to care about your
data - they probably don't even know (or care about) the geographical
location of your server. (note: capitalised above, because there's
still a chance they're hanging around, or that they're doing other
nasty things...)
Regards,
Leigh.
On 8/10/06, Nedim Hadzimahmutovic <h.nedim at gmail.com> wrote:
> Hi,
>
> at work an old RH 9 box, which was 'maintained' by a coworker, was
> hacked. While I was debugging asterisk on that box, I noticed a
> strange process. Later I examined /var/log/messages and noticed
> someone logged as user 'news' with uid 0. We did a backup of files,
> and also a compete reinstall of the box (FC4). The strange process was
> this one:
>
> root 7664 0.3 0.1 2024 884 ? S 13:35 0:00 sh -c
> lynx -dump "http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=130008016306"
> | grep @ >>
> root 7665 1.6 0.2 4960 2280 ? S 13:35 0:00 lynx
> -dump http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=130008016306
>
> What do you think the intruder was doing?
>
> --
> Linux Web Hosting Services
> http://www.tophosting.ba
> --------------------------------------------
> --
> linux mailing list
> linux at lists.samba.org
> https://lists.samba.org/mailman/listinfo/linux
>
More information about the linux
mailing list