KWSN Orbiting Fortress (KWSN Distributed Computing Teams forum), Ye Olde Help Scrolls
ooohhh BUGGER!!!!

Grawlfang
Prince

Joined: 18 Feb 2005
Posts: 1256
Location: The Land of our lord JC, silly walks and all

Posted: Wed Mar 19, 2008 8:06 pm    Post subject: ooohhh BUGGER!!!!

Well I did wonder why my workrate had dropped a little...

...got back home this evening, logged on and found that my PC wasn't processing milkyway@home at all, but 100% CPU was bound up in something called pscan2.

Bloody script kiddie had got in (well in fact two of them had) and installed some kit on my machine.

I wouldn't mind, but I protect my machine via public key authentication - well, I did, but it seems that a recent upgrade to Zenwalk 4.8 undid all my clever sshd_config and put a basic one in its place... which meant that one of the usernames I gave to one of my children (which had a simple password) got broken into...

So, to the point..

Anyone know what a kit that installs into a '.pa' directory does (they installed it in /tmp/mds/.pa)? The files it contains seem to be:

Code:

root[mds]# tar ztvf pa1.tgz
drwx------ web/web           0 2007-04-05 09:08 .pa/
-rwxr-xr-x web/web         218 2006-07-14 23:51 .pa/a
-rwxr-xr-x web/web        1184 2007-04-16 04:19 .pa/a1
-rwxr-xr-x web/web         215 2006-01-11 01:19 .pa/a2
-rwxr-xr-x web/web        7213 2006-01-11 01:40 .pa/a4
-rwx------ web/web         208 2006-01-11 01:08 .pa/a5
-rwxr-xr-x web/web         141 2007-04-16 04:21 .pa/a6
-rwxr-xr-x web/web      171740 2006-07-14 23:51 .pa/pico
-rwxr-xr-x web/web        8958 2006-01-15 17:51 .pa/sshf
-rwxr-xr-x web/web        8973 2006-01-15 17:51 .pa/sshf0
-rwxr-xr-x web/web        4196 2007-04-16 04:23 .pa/start
-rw-r--r-- web/web         201 2007-04-16 04:32 .pa/README
-rw-r--r-- web/web           0 2006-07-14 23:51 .pa/22.pscan.22
-rw-r--r-- web/web      190148 2006-03-01 15:04 .pa/pass_file
-rwxr-xr-x web/web         159 2006-01-11 00:29 .pa/test.sh
-rw-r--r-- web/web       22354 2004-12-01 23:31 .pa/common
-rwxr-xr-x web/web      846832 2006-07-14 23:51 .pa/ssh-scan
-rwx------ web/web       25503 2006-07-14 23:51 .pa/pscan2
-rwxr-xr-x web/web         265 2004-11-24 23:21 .pa/gen-pass.sh
-rwxr-xr-x web/web      249980 2001-02-13 12:36 .pa/screen
-rwxr-xr-x web/web         107 2006-07-14 23:50 .pa/pass_sh
-rw-r--r-- web/web         136 2007-04-16 04:22 .pa/vuln.txt
-rw-r--r-- web/web      190148 2006-03-22 12:45 .pa/pass_filees


There was also a fontx.tgz installed in the broken-into user's home directory, which contained:

Code:

root[kiddie]# tar ztvf fontx.tgz
drwxr-xr-x prueba/prueba     0 2008-01-07 07:15 .font-UNIX/
-rw-r--r-- prueba/prueba 16652 2005-07-21 05:24 .font-UNIX/hide
-rw-r--r-- prueba/prueba   200 2005-07-21 06:01 .font-UNIX/run
-rw-r--r-- prueba/prueba  3205 2008-01-07 07:15 .font-UNIX/mech.set
drwxr-xr-x prueba/prueba     0 2008-01-07 07:14 .font-UNIX/randfiles/
-rw-r--r-- prueba/prueba  3982 2002-12-29 23:21 .font-UNIX/randfiles/randinsult.e
-rw-r--r-- prueba/prueba   519 2002-12-29 23:21 .font-UNIX/randfiles/randnicks.e
-rw-r--r-- prueba/prueba  1465 2002-12-29 23:21 .font-UNIX/randfiles/randversions.e
-rw-r--r-- prueba/prueba   830 2002-12-29 23:21 .font-UNIX/randfiles/randkicks.e
drwxr-xr-x prueba/prueba     0 2008-02-27 01:52 .font-UNIX/randfiles/.font/
-rwxr-xr-x prueba/prueba 16652 2005-07-21 05:24 .font-UNIX/randfiles/.font/hide
-rwxr-xr-x prueba/prueba   588 2008-02-27 01:00 .font-UNIX/randfiles/.font/1
-rwxr-xr-x prueba/prueba   199 2008-02-27 02:10 .font-UNIX/randfiles/.font/run
-rwxr-xr-x prueba/prueba  9283 2008-02-27 02:13 .font-UNIX/randfiles/.font/mech.set
-rwxr-xr-x prueba/prueba   588 2008-02-27 01:00 .font-UNIX/randfiles/.font/2
-rwxr-xr-x prueba/prueba    44 2008-02-25 12:22 .font-UNIX/randfiles/.font/livezone.dir
-rwxr-xr-x prueba/prueba 468134 2001-05-15 14:05 .font-UNIX/randfiles/.font/sshd
drwxr-xr-x prueba/prueba      0 2007-12-26 09:10 .font-UNIX/randfiles/.font/randfiles/
-rw-r--r-- prueba/prueba   3982 2002-12-29 23:21 .font-UNIX/randfiles/.font/randfiles/randinsult.e
-rw-r--r-- prueba/prueba    519 2002-12-29 23:21 .font-UNIX/randfiles/.font/randfiles/randnicks.e
-rw-r--r-- prueba/prueba   1465 2002-12-29 23:21 .font-UNIX/randfiles/.font/randfiles/randversions.e
-rw-r--r-- prueba/prueba    830 2002-12-29 23:21 .font-UNIX/randfiles/.font/randfiles/randkicks.e
-rw-r--r-- prueba/prueba  55316 2002-12-29 23:21 .font-UNIX/randfiles/.font/randfiles/randsay.e
-rw-r--r-- prueba/prueba   5195 2002-12-29 23:21 .font-UNIX/randfiles/.font/randfiles/randaway.e
-rw-r--r-- prueba/prueba   2495 2002-12-29 23:21 .font-UNIX/randfiles/.font/randfiles/randpickup.e
-rw-r--r-- prueba/prueba   3651 2002-12-29 23:21 .font-UNIX/randfiles/.font/randfiles/randsignoff.e
-rwxr-xr-x prueba/prueba   1033 2008-02-27 01:00 .font-UNIX/randfiles/.font/mech.levels
-rwxr-xr-x prueba/prueba     80 2008-02-25 12:22 .font-UNIX/randfiles/.font/cron.d
-rwx--x--x prueba/prueba      5 2008-02-27 01:55 .font-UNIX/randfiles/.font/mech.pid
-rwxr-xr-x prueba/prueba    588 2008-02-27 01:00 .font-UNIX/randfiles/.font/0
-rwxr-xr-x prueba/prueba   2532 2005-07-21 06:03 .font-UNIX/randfiles/.font/config
-rwxr-xr-x prueba/prueba     76 2008-02-27 01:55 .font-UNIX/randfiles/.font/LinkEvents
-rwxr-xr-x prueba/prueba    588 2008-02-27 01:00 .font-UNIX/randfiles/.font/3
-rwxr-xr-x prueba/prueba    764 2007-12-26 08:53 .font-UNIX/randfiles/.font/conf
-rwxr-xr-x prueba/prueba    265 2008-02-25 12:22 .font-UNIX/randfiles/.font/y2kupdate
-rw-r--r-- prueba/prueba  55316 2002-12-29 23:21 .font-UNIX/randfiles/randsay.e
-rw-r--r-- prueba/prueba   5195 2002-12-29 23:21 .font-UNIX/randfiles/randaway.e
-rw-r--r-- prueba/prueba   2495 2002-12-29 23:21 .font-UNIX/randfiles/randpickup.e
-rw-r--r-- prueba/prueba   3651 2002-12-29 23:21 .font-UNIX/randfiles/randsignoff.e
-rw-r--r-- prueba/prueba      6 2007-12-26 08:28 .font-UNIX/mech.pid
-rw-r--r-- prueba/prueba   2532 2005-07-21 06:03 .font-UNIX/config
-rw-r--r-- prueba/prueba     34 2007-12-26 08:28 .font-UNIX/LinkEvents
-rw-r--r-- prueba/prueba 468134 2001-05-15 14:05 .font-UNIX/emech


And finally I found a new user added - 'sshhd' - any clues what may have been installed [or attempted to be installed] with this?

Fortunately (as I know of no current security issues with my version of Zenwalk) they only got into a restricted user account (not even in the same group as my main login), so I don't think too much damage was done - but if anyone knows what these kits do, I'd love to know?

Ni! [and a little embarrassed]
Fang
_________________
Listen; Strange women laying in ponds, distributing swords, is no basis for a system of government.

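The root cause in the post above is an sshd_config that an upgrade silently replaced with a permissive stock one. The script below is an added example, not code from the thread or from Zenwalk: a POSIX sh audit that reads an sshd_config the way OpenSSH does (comments ignored, keywords case-insensitive, first occurrence wins, absent keyword means the OpenSSH default) and reports the settings that let a weak-password account be guessed over SSH. The function names (sshd_get, sshd_audit), the two constructed config files and the older OpenSSH default of PermitRootLogin=yes are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the settings a
# package upgrade typically resets, i.e. the ones that let an account with a
# weak password be guessed over SSH. Assumes OpenSSH keyword rules: '#' starts
# a comment, keywords are case-insensitive, the first occurrence wins, and an
# absent keyword takes the OpenSSH default given as the third argument below.

# sshd_get FILE KEYWORD DEFAULT -> effective value of KEYWORD in FILE
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/       { next }                     # comment line
        NF == 0                { next }                     # blank line
        tolower($1) == "match" { exit }                     # conditional section: stop
        tolower($1) == key     { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# sshd_audit FILE -> prints one line per finding; exit status is the count
sshd_audit() {
    f="$1"; n=0
    if [ "$(sshd_get "$f" PasswordAuthentication yes)" != no ]; then
        echo "WEAK: PasswordAuthentication is effectively 'yes'"; n=$((n + 1))
    fi
    # With UsePAM, keyboard-interactive auth still prompts for the password
    # even when PasswordAuthentication is off, so this one must be off too.
    if [ "$(sshd_get "$f" ChallengeResponseAuthentication yes)" != no ]; then
        echo "WEAK: ChallengeResponseAuthentication is effectively 'yes'"; n=$((n + 1))
    fi
    if [ "$(sshd_get "$f" PubkeyAuthentication yes)" != yes ]; then
        echo "WEAK: PubkeyAuthentication is off"; n=$((n + 1))
    fi
    # Assumes the older OpenSSH default of 'yes' when the keyword is absent.
    case "$(sshd_get "$f" PermitRootLogin yes)" in
        no|without-password|prohibit-password) ;;
        *) echo "WEAK: PermitRootLogin permits password login as root"; n=$((n + 1)) ;;
    esac
    if [ -z "$(sshd_get "$f" AllowUsers '')" ]; then
        echo "NOTE: no AllowUsers line, so every local account can log in over SSH"; n=$((n + 1))
    fi
    if grep -iq '^[[:space:]]*Match' "$f"; then
        echo "NOTE: Match block present; settings below it are conditional and not audited"
    fi
    return "$n"
}

WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT
WEAK_CFG="$WORK/sshd_config.stock"; HARD_CFG="$WORK/sshd_config.hardened"

# Constructed stand-in for a stock file dropped in by an upgrade (not the real
# Zenwalk file). The commented-out line must not count as a setting.
cat > "$WEAK_CFG" <<'EOF'
Port 22
Protocol 2
#PasswordAuthentication no
PasswordAuthentication yes
PermitRootLogin yes
EOF

# Constructed hardened file: keys only, no root login, only the admin account,
# so the children's password-only accounts cannot be used over SSH at all.
cat > "$HARD_CFG" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers fang
EOF

for cfg in "$WEAK_CFG" "$HARD_CFG"; do
    echo "== $cfg =="
    if sshd_audit "$cfg"; then echo "OK: no findings"; fi
done
```

Run it against /etc/ssh/sshd_config after every package upgrade (a cron job or a post-upgrade hook), and keep the hardened file under version control so the diff itself shows when a package has replaced it.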
jonnyv
Happy Fun Admin
KWSN Castellan


Joined: 15 May 2002
Posts: 2098
Location: Scottsdale, AZ

Posted: Wed Mar 19, 2008 8:34 pm

The first one sounds a bit like this: http://ubuntuforums.org/archive/index.php/t-253373.html

The second one looks like some sort of IRC robot.
_________________
KWSN Forum Admin
Founding Member of the Migratory Coconuts
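Taking jonnyv's identification above (an SSH scanner/brute-force kit and an IRC bot), the following is an added example, not code from the thread, of a first-pass hunt for the traces such kits leave on a box: dot-directories dropped under /tmp and home directories (the '.pa' and '.font-UNIX' trees in the listings), accounts added to /etc/passwd (the 'sshhd' user), extra uid-0 accounts, and running processes whose names match the tools in the listings. It runs against a constructed directory tree and constructed passwd and ps samples so it is safe to try; the function names and the sample data are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): hunt for the traces that an SSH
# brute-force kit and an IRC bot of the kind listed above leave behind.
# Everything runs against a constructed tree under $ROOT (built below);
# set ROOT=/ and pass the real /etc/passwd on a live machine.

# hidden_dirs ROOT -> dot-directories under ROOT/tmp, ROOT/var/tmp and the
# home directories, printed relative to ROOT. Legitimate ones (.ssh, .config)
# show up too; the admin judges, the script only enumerates.
hidden_dirs() {
    root="${1%/}"
    find "$root/tmp" "$root/var/tmp" "$root/home" -mindepth 1 -maxdepth 3 \
        -type d -name '.*' 2>/dev/null | sed "s|^$root||" | LC_ALL=C sort
}

# new_accounts BASELINE CURRENT -> usernames in CURRENT (today's /etc/passwd)
# absent from BASELINE (a copy from the last known-good backup).
new_accounts() {
    awk -F: 'FILENAME == ARGV[1] { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$1" "$2"
}

# uid0_accounts PASSWD -> any account other than root with uid 0
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# suspect_procs < PS_OUTPUT -> lines of `ps -eo pid,user,comm` whose command
# name matches a tool from the listings. Only a first pass: the bot's process
# name is set by its config file, so it will usually not be called emech.
suspect_procs() {
    awk 'NR > 1 && $3 ~ /^(pscan2|ssh-scan|sshf0?|emech)$/ { print }'
}

# ---- constructed sample data (not taken from the poster's machine) ----
ROOT="$(mktemp -d)"; trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/tmp/mds/.pa" "$ROOT/home/kiddie/.font-UNIX" \
         "$ROOT/home/fang/.ssh" "$ROOT/var/tmp" "$ROOT/etc"
: > "$ROOT/tmp/mds/.pa/pscan2"
: > "$ROOT/home/kiddie/.font-UNIX/emech"
printf '%s\n' 'root:x:0:0::/root:/bin/sh' \
              'fang:x:1000:1000::/home/fang:/bin/sh' \
              'kiddie:x:1001:1001::/home/kiddie:/bin/sh' > "$ROOT/etc/passwd.baseline"
printf '%s\n' 'root:x:0:0::/root:/bin/sh' \
              'fang:x:1000:1000::/home/fang:/bin/sh' \
              'kiddie:x:1001:1001::/home/kiddie:/bin/sh' \
              'sshhd:x:1002:1002::/home/sshhd:/bin/sh' \
              'sysadm:x:0:0::/root:/bin/sh' > "$ROOT/etc/passwd"
PS_SAMPLE='  PID USER     COMMAND
  412 root     sshd
 9031 kiddie   pscan2
 9077 kiddie   emech
 9102 fang     screen'

echo "== hidden directories =="
hidden_dirs "$ROOT"
echo "== accounts added since baseline =="
new_accounts "$ROOT/etc/passwd.baseline" "$ROOT/etc/passwd"
echo "== extra uid 0 accounts =="
uid0_accounts "$ROOT/etc/passwd"
echo "== suspect processes =="
printf '%s\n' "$PS_SAMPLE" | suspect_procs
```

A uid-0 account that is not root, or a kit owned by root rather than the broken-into user, means the attacker got further than a restricted account, and the machine should be rebuilt from install media rather than cleaned; the user's own crontab and the .font-UNIX/cron.d file in the listing are the next places to look for how the bot restarts.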
All times are GMT - 5 Hours