[clug] mc-root anyone?
Kim Holburn
kim at holburn.net
Thu Jun 18 12:54:55 GMT 2009
On 2009/Jun/18, at 6:34 AM, Michael Still wrote:
> Hi.
>
> I just had my ISP inform me that my machines were sending suspicious
> traffic (yes, my ISP is really that cool), and I quickly found an
> account with a poor password.
Privilege escalation from a local account is usually easier than
remote access.
> The home directory for that account has a
> directory named " ", which contained another directory called mc-root.
> The contents there seem to be some sort of IRC controller, an update
> system, and a ssh scanner. The updates and scanner are controlled out of
> a cron job.
mc-root seems to be a directory name used by multimedia players. Any
other interesting file names?
> Now, I've deleted the compromised account, moved its home directory to
> one side, and disabled the cron job. tcpdump confirms no more ssh
> scanning coming from the machine. I'm also using update-manager to
> upgrade to the latest Ubuntu, which will hopefully replace all the
> system files just in case one of them is owned in some other manner.
>
> Two questions:
>
> - is there anything else I should do to this machine?
Boot off a live security distro and scan?
> - does anyone else know what this thing is? Bing searching doesn't turn
> much up.
Bing searching? You?
You're searching for a linux remote exploit on a Microsoft search
engine? That's kinda strange.
http://translate.google.com/translate?u=http://www.haiyangtop.net/safety/book/show.asp?id=3767
Not much relevance though.
Kim
--
Kim Holburn
IT Network & Security Consultant
Ph: +39 06 855 4294 M: +39 3494957443
mailto:kim at holburn.net aim://kimholburn
skype://kholburn - PGP Public Key on request
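
Added example, not part of the original message or of either poster's tooling: a triage check for the layout described in the thread, flagging directories whose names are built to be overlooked in a listing (such as " ") and the crontab lines that run anything from inside them. The sample home directory, the crontab text and the script name `update` are constructed for the example.

```python
import os
import tempfile

def is_evasive(name):
    """True for directory names built to be overlooked in a listing."""
    if name.strip() == "":                                  # " ", "\t", ...
        return True
    if name not in (".", "..") and set(name) <= set(". "):  # "...", ".. "
        return True
    return any(not ch.isprintable() for ch in name)         # control characters

def find_evasive_dirs(root):
    """Walk root and return every directory whose own name is evasive."""
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        for d in dirnames:
            if is_evasive(d):
                hits.append(os.path.join(dirpath, d))
    return sorted(hits)

def cron_lines_under(crontab_text, dirs):
    """Return active crontab lines that reference a path inside a flagged dir."""
    out = []
    for line in crontab_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):      # skip blanks and comments
            continue
        if any(d + os.sep in line for d in dirs):
            out.append(line)
    return out

def demo():
    """Constructed sample: a home directory laid out like the one in the post."""
    with tempfile.TemporaryDirectory() as home:
        os.makedirs(os.path.join(home, " ", "mc-root"))
        os.makedirs(os.path.join(home, "Documents"))
        os.makedirs(os.path.join(home, ".config", "..."))
        crontab = (
            "# constructed crontab for the example\n"
            f"*/10 * * * * {home}/ /mc-root/update >/dev/null 2>&1\n"
            f"0 3 * * * {home}/Documents/backup.sh\n"
        )
        dirs = find_evasive_dirs(home)
        rel = [os.path.relpath(d, home) for d in dirs]
        return rel, cron_lines_under(crontab, dirs)

if __name__ == "__main__":
    print(demo())
```

Run against a copy of the home directory that was moved aside, with the text of the disabled crontab, so the check reads the evidence without executing anything from it.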