Security Incidents mailing list archives

Re: Help with compromised linux box.


From: "Sander Smeenk (CistroN Medewerker)" <ssmeenk () CISTRON NL>
Date: Mon, 18 Sep 2000 09:55:55 +0200

Quoting Anthony Coley (beta_1_0 () HOTMAIL COM):
> My Linux box was compromised a couple of weeks ago.  Once I noticed this
> I removed it from the Internet and began trying to figure out what this
> person did.  I've found a program that was hidden in /dev/chr/stachel/
> and I want to know if someone would be willing to take a look at what
> I've found to help me identify what this person did?
> I've tarred the directory and it's about 650k, so it's small.

I think the person who compromised your box tried to install, or installed,
Stacheldraht (German for barbed wire), a program used for DDoS attacks. Once
the program is installed and the computer is connected to the Internet, the
'attacker' can issue a command to your box and use your Internet bandwidth
to (for example) pingflood a target.

With multiple hosts running Stacheldraht it's quite easy to flood a complete
network. Something like they did with Yahoo and eBay etc.

It's wise to check your computer thoroughly for weird open ports and
weird-looking running programs before you connect it to the Internet
again.

With regards,
Sander Smeenk.

--
| God.. root.. What's the difference?       God is forgiving...
| CistroN Internet Services, Linux Specialists & Perl Experts
| 1024D/08CEC94D - 34B3 3314 B146 E13C 70C8  9BDB D463 7E41 08CE C94D
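The check Sander recommends (look for unexpected listening ports and odd running programs before reconnecting) as an added example script; this is not code from the thread or from anyone in it. It assumes a Linux host where `ss -H -lntu` prints one socket per line with the local address in the fifth column, an allow-list of ports you expect on this box (the `ALLOWED_PORTS` value here is a placeholder), and the convention that regular files do not belong under /dev. The socket listing and the fake /dev tree used for the demonstration are constructed, not captured from a real compromise.

```shell
#!/bin/sh
# Added example: a quick offline triage pass on a possibly compromised
# Linux host. Run it from a known-good shell (e.g. a rescue boot) so that
# a trojaned ps/netstat cannot lie to you.

# Ports this box is supposed to listen on. Placeholder list; adjust it.
ALLOWED_PORTS="22 25 80"

# 1. Listening sockets whose port is not on the allow-list.
#    $1 is text in the shape of `ss -H -lntu` output:
#    Netid State Recv-Q Send-Q Local_Address:Port Peer_Address:Port
#    Prints "proto/port" for every unexpected listener.
unexpected_ports() {
    printf '%s\n' "$1" | awk -v allow="$ALLOWED_PORTS" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 5 {
            port = $5; sub(/.*:/, "", port)   # strip "0.0.0.0:" / "[::]:" / "*:"
            if (!(port in ok)) print $1 "/" port
        }'
}

# 2. Regular files under /dev. Only device nodes, symlinks and a few
#    directories belong there; a real file tree (like the /dev/chr/stachel/
#    directory from the thread) is a classic hiding place.
#    $1 is the directory to scan, default /dev.
files_under_dev() {
    find "${1:-/dev}" -type f 2>/dev/null
}

# 3. Running processes whose binary was deleted after start, or lives
#    under /dev or /tmp. Needs root to read every /proc/*/exe; entries
#    you cannot read are skipped, not reported.
suspicious_procs() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in
            *"(deleted)"|/dev/*|/tmp/*) echo "${p#/proc/} $exe" ;;
        esac
    done
}

# Constructed sample socket listing (not from a real host). The two high
# ports are simply "not on the allow-list"; no claim about what uses them.
SAMPLE_SOCKETS='tcp   LISTEN 0   128   0.0.0.0:22     0.0.0.0:*
tcp   LISTEN 0   128   0.0.0.0:80     0.0.0.0:*
udp   UNCONN 0   0     0.0.0.0:65512  0.0.0.0:*
tcp   LISTEN 0   5     0.0.0.0:65000  0.0.0.0:*'

# Builds a throw-away directory mimicking a /dev with a hidden tool tree,
# and prints its path. Used only to demonstrate files_under_dev offline.
fake_dev_tree() {
    fd=$(mktemp -d)
    mkdir -p "$fd/chr/stachel"
    : > "$fd/chr/stachel/agent"
    printf '%s\n' "$fd"
}

# Demonstration on the constructed data; on a live host replace the
# sample with: unexpected_ports "$(ss -H -lntu)"; files_under_dev; suspicious_procs
echo "== unexpected listeners =="
unexpected_ports "$SAMPLE_SOCKETS"
echo "== files under fake /dev =="
demo_dev=$(fake_dev_tree)
files_under_dev "$demo_dev"
rm -rf "$demo_dev"
```

The allow-list approach is deliberate: on a box you are about to reconnect, anything you cannot explain is suspect, so the script reports what is not expected rather than trying to recognise known-bad ports. Run the three checks from clean media, since a rootkit installed alongside a DDoS agent will typically patch the very tools (ps, netstat, ls) you would otherwise rely on.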

