Security Incidents mailing list archives
Re: Help with compromised linux box.
From: "Sander Smeenk (CistroN Medewerker)" <ssmeenk () CISTRON NL>
Date: Mon, 18 Sep 2000 09:55:55 +0200
Quoting Anthony Coley (beta_1_0 () HOTMAIL COM):
My Linux box was compromised a couple of weeks ago. Once I noticed this I removed it from the Internet and began trying to figure out what this person did. I've found a program that was hidden in /dev/chr/stachel/ and I want to know if someone would be willing to take a look at what I've found to help me identify what this person did? I've tar-ed the directory and it's about 650k, so it's small.
I think the person who compromised your box tried to install, or installed Stacheldraht (German for barbwire), a program used for DDoS attacks. Once the program is installed and the computer is connected to the internet, the 'attacker' can issue a command to your box, and use your internet bandwidth to (for example) pingflood a target. With multiple hosts running Stacheldraht it's quite easy to flood a complete network. Something like they did with Yahoo and eBay etc.

It's wise to check your computer thoroughly for weird open ports, and weird looking running programs before you connect it to the Internet again.

With regards,
Sander Smeenk.
--
| God.. root.. What's the difference? God is forgiving...
| CistroN Internet Services, Linux Specialists & Perl Experts
| 1024D/08CEC94D - 34B3 3314 B146 E13C 70C8 9BDB D463 7E41 08CE C94D
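An added example, not part of the original post: a shell function that lists regular files under a device tree such as /dev, where a hidden directory like the /dev/chr/stachel/ described in this thread would stand out. The function name and the skip list of top-level directories are assumptions to adjust per system.

```shell
#!/bin/sh
# Added example (not from the original thread).
# A device tree normally holds device nodes, symlinks, sockets and FIFOs.
# Regular files there, and executables in particular, deserve a closer look.
#
# Usage: find_dev_oddities [root]      (root defaults to /dev)
# Output: one line per regular file, "EXEC <path>" or "FILE <path>",
#         with <path> relative to root.

# Top-level directories that legitimately contain regular files on many
# current Linux systems (assumption; edit for your distribution).
DEV_SKIP="shm mqueue hugepages"

find_dev_oddities() {
    root=${1:-/dev}
    root=${root%/}
    # -type f does not follow symlinks, so links such as /dev/stdout
    # are not reported.
    find "$root" -type f -print 2>/dev/null | LC_ALL=C sort |
    while IFS= read -r f; do
        rel=${f#"$root"/}
        top=${rel%%/*}
        # Skip anything below an allowlisted top-level directory.
        case " $DEV_SKIP " in
            *" $top "*) continue ;;
        esac
        if [ -x "$f" ]; then
            kind=EXEC
        else
            kind=FILE
        fi
        printf '%s %s\n' "$kind" "$rel"
    done
}
```

Run it against the mounted disk of the offline machine (for example `find_dev_oddities /mnt/suspect/dev`) rather than from the compromised system itself, whose own tools may have been replaced.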