
Hackerz and credit card fraud
Coran 09-18-2001, 07:37 PM Just suspended an account for credit card fraud due to a chargeback, and decided to peruse the little ****s site.
As well as information on who they were (they had an About Us page!), their site also had the tidbit below. Guys, please help me out on this. What are they talking about??
"This backdoor works on *UNIX boxes, running in the background under "/sbin/agetty 38400 tty7 linux" procces in the system. It opens port 26048 and while using telnet to connect to the remote b0x, it sends the authentification request for password. When the password is incorrect, the autentification is faild, when the password is right you get roott-shell !!! Recommended deamon connetion - NetCat."
Did they get the root password to the box they were on?
Thx.:angry:
Coran 09-18-2001, 10:41 PM The response has been overwhelming. Thanks.
SoftWareRevue 09-18-2001, 10:45 PM Someone will come along and tell you what it is :rolleyes:
But, it ain't me. Just wait a minute.
Basically they described to you how they can get root access.
They said IF the password is correct it gets them to root access.
Look for unusual things on the server. Any changes.
froidian 09-19-2001, 12:42 PM There are a lot of typos, and some poor ambiguous wording.
What it looks like to me is an explanation of how to run a password search on a telnet port. Not very original, very practical on well administered systems, or likely to be useful unless a short or easy password was used.
I sure don't see anything that would make me think he broke your system. No password, no nothing, just a procedure for attempting logins over and over.
Do u have any reason to think your system is compromised? I mean, if the little twerp got root access, don't you think he would have done something with it?? :confused:
Not if he was smart (which in this case I doubt). When someone gains root, they are after one of two things:
- Destruction/Defacement, or
- Long-lasting access
The destructive ones (usually script kiddies) just want to prove that they did it, so they may deface your site or just trash the box.
However, if they intend to use your box for something like an IRC proxy, SPAM relay, or a DDoS attack on someone else, they will be very quiet and cover their tracks well. I know people whose boxes have been owned for long periods of time (2 years in one case, on a Raq3 no less. Mind you the actual owner of the server didn't know what telnet was, either).
A lot of times, someone will own your box, leave a back-door entrance, and just keep you on their list of machines for future use. It might never get used, or it might be used the same day...
froidian 09-19-2001, 02:10 PM I agree with u, but....
The only ways I know of to compromise a machine for future use (and I am by no means claiming to be expert in this) is to:
1) leave a process running (listening on a port for a cmd to do something) or...
2) leave a new or compromised account login.
Either of these is not too hard to detect *if you look for them*. I can certainly understand why, if you suspect nothing, either of these might sit under your nose for a long time undetected...
The solution for 1) might be as simple as rebooting and running minimally and doing a careful screen of a ps output.
The solution for 2) is as old as Unix, careful scrutiny of the passwd file for stuff that shouldn't be there.
I've never been the victim of a hacker and I'm already sick of these guys. :mad:
Coran 09-19-2001, 03:52 PM Thanks for the input guys. There does not appear to be anything wrong on the box other than it's a little slow.
What suspicious processes should I be looking for? Also, where's the password file?
Thanks again.
Coran 09-19-2001, 03:54 PM Oh, and I am totally sick of these hacker / credit card fraud nerds too. :angry:
froidian 09-19-2001, 06:37 PM Finding a rogue process usually entails poring over the ps axl output listing looking for unfamiliar items. If you don't recognize something, do a search on the net to try to identify it.
This does require a good familiarity with *nix, or you will be spending lots of time ;)
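The two checks froidian describes (scrutinizing the passwd file, and comparing a ps listing against one taken on a known-clean, minimally booted system), as an added shell example that is not from any poster in this thread. The passwd lines and process names are constructed samples; the "nc" entry stands in for the NetCat-style listener mentioned in the quoted text.

```shell
#!/bin/sh
# Added example, not from the thread. All sample data below is constructed.

# Check 2): passwd entries that should not be there. Flags a second UID-0
# login, an account whose password field is empty (logs in with no
# password; on systems using /etc/shadow the field is normally "x"),
# and a username that appears twice.
suspicious_passwd_entries() {
    awk -F: '
        $3 == 0 && $1 != "root" { print "extra-root:" $1 }
        $2 == ""                { print "no-password:" $1 }
        seen[$1]++              { print "duplicate:" $1 }
    ' "$1"
}

# Check 1): command names present in the current ps listing but absent
# from a baseline saved on a clean minimal boot. $1 = baseline, $2 = current,
# each one command name per line (e.g. from: ps -eo comm | sort -u).
# Caveat: a backdoor that names itself like the quoted "/sbin/agetty" line
# will not show up here; compare full arguments and listening ports too.
new_processes() {
    awk 'FILENAME == ARGV[1] { base[$0] = 1; next }
         !($0 in base) && !seen[$0]++' "$1" "$2"
}

# Constructed sample input (hypothetical accounts and processes).
SAMPLE_DIR=$(mktemp -d)
SAMPLE_PASSWD="$SAMPLE_DIR/passwd"
BASELINE_PS="$SAMPLE_DIR/ps.baseline"
CURRENT_PS="$SAMPLE_DIR/ps.current"
printf '%s\n' \
    'root:x:0:0:root:/root:/bin/sh' \
    'daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin' \
    'toor:x:0:0:backdoor:/root:/bin/sh' \
    'guest::1001:1001::/home/guest:/bin/sh' \
    'daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin' > "$SAMPLE_PASSWD"
printf '%s\n' init sshd httpd agetty cron > "$BASELINE_PS"
printf '%s\n' init sshd httpd agetty cron nc > "$CURRENT_PS"

echo "== passwd entries that need a second look =="
suspicious_passwd_entries "$SAMPLE_PASSWD"
echo "== processes not in the clean baseline =="
new_processes "$BASELINE_PS" "$CURRENT_PS"
```

Run the real checks against a copy of /etc/passwd and a ps listing saved after a clean boot; the sample files only exist so the script runs as-is.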
multipleimage 09-24-2001, 10:17 PM change your root password and move on :)