PLEASE HELP!, MY LINUX have been HACKED~

Post by Leo » Thu, 05 Apr 2001 19:38:49



Dear all,

 Today I turned on my Linux box and received a mail from sendmail regarding
a failed message posted to

following:

---------- Forwarded message ----------
Date: Wed, 4 Apr 2001 03:15:21 +0800


Subject: Warning: could not send message for past 4 hours

    **********************************************
    **      THIS IS A WARNING MESSAGE ONLY      **
    **  YOU DO NOT NEED TO RESEND YOUR MESSAGE  **
    **********************************************

The original message was received at Tue, 3 Apr 2001 21:57:12 +0800

   ----- The following addresses had transient non-fatal errors -----

   ----- Transcript of session follows -----
451 4.4.1 timeout writing message to smtp.hknet.com

Warning: message still undelivered after 4 hours
Will keep trying until message is 5 days old

After reading that message, I was curious because I never use ROOT to
send messages out and apparently, that

didn't send such a message.  Inside the message
I found two attachments, one dat file and the other a text file.
Unfortunately, when I read the text file I saw ALL the confidential
information of my system pasted in there. The format looks
something like this:

/**************************HOST IP*****************************/
and then I see the whole ifconfig pasted here, then
/**************************PS*********************************/
I see ps -aux, then
/**************************HISTORY***************************/
root's command history, then
/************************HOSTS*****************************/
the hosts file, AND EVEN
/************************PASSWD***************************/
the passwd file, with ROOT's and all users' passwords unencrypted!!!!

I use Red Hat 7 and I'm sure I have shadow + MD5 passwords enabled.

If anyone has any idea what's going wrong, please let me know, and how
I am getting the file. I know that
Sina provides a freemail service, but it has an extension of sinaman.com or
sinagirl.com, NOT sina.com.
Is that why I am getting the mail bounced back???

Any help would be appreciated. Thank you very much !
 Leo

Post by Leo » Thu, 05 Apr 2001 19:45:00


One more thing: after I read the email, I checked my log file
(/var/log/message) to see what happened. Apparently, I have lost ALL the
stuff before the date APRIL 3rd (the day the mail was sent)... So I couldn't trace
what happened. Although information from my other
logfiles still exists, i.e. my "loginlog", I cannot find any clue
there. =(

 Thanks



Post by dbian.. » Thu, 05 Apr 2001 19:55:03



> One more thing: after I read the email, I checked my log file
> (/var/log/message) to see what happened. Apparently, I have lost ALL the
> stuff before the date APRIL 3rd (the day the mail was sent)... So I couldn't trace

Looks like somebody has installed some trojan that tried to
mail out information about your system.
I suggest you re-install your machine to get rid of the
trojan and other rootkits that could be on your machine.
I also suggest some good reading about security and
firewalling.

Davide

Post by Sande » Thu, 05 Apr 2001 20:21:04


I got hacked once, several times actually. See:

http://www.cert.org/nav/recovering.html

Check /etc/inetd.conf and /etc/xinetd.d for lines starting with a
strange port (>1024) granting them root access.
Build yourself a firewall with ipchains, log all outgoing denied traffic and
mail it to a trusted host.

Basically what I did was wipe all (!!) vulnerable boxes on my network (7),
close down the internet connection, and start building from the ground up.
Only install the things you need. SSH rather than telnet, no rsh, no
sendmail if you can use balsa or something similar, etc. No DNS either. It is
a lot of work, but once you've done so, you've got a very manageable network. If you
get hacked again, you can be pretty sure what they've hacked.

I wiped everything because these guys are way out of my league and probably left
themselves five rootkits and one decoy for you to find. You're happy because
you found the decoy and consider your system clean again.

I hate 'm.




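Sande's check above (look in /etc/inetd.conf and /etc/xinetd.d for entries on a strange port above 1024 that run as root) as an added example, not code from this thread or from any poster: a small Python audit that flags such entries, plus entries whose server is a shell, in both file formats. The 1024 threshold comes from the post; the shell list and the sample entries are constructed assumptions.

```python
# Audit inetd.conf lines and xinetd.d stanzas for services on high ports run as
# root or served by a shell (added example, not code from this thread).
import re

HIGH_PORT = 1024   # the "strange port (>1024)" threshold from Sande's post
SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh", "/bin/tcsh", "/bin/ksh"}
def _suspicious(port, user, server):
    """Reason string if (port, user, server) looks like a backdoor, else None."""
    if port is not None and port > HIGH_PORT and user == "root":
        return f"port {port} served as root"
    if server in SHELLS:
        return f"server is a shell: {server}"
    return None
def audit_inetd(text):
    """[(line_no, reason)] for inetd.conf lines: service socket proto wait user server."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        f = line.split()
        if not f or f[0].startswith("#") or len(f) < 6:
            continue          # blank, comment, or malformed line
        port = int(f[0]) if f[0].isdigit() else None   # numeric service = raw port
        reason = _suspicious(port, f[4], f[5])
        if reason:
            findings.append((no, reason))
    return findings
def audit_xinetd(text):
    """[(service, reason)] for enabled 'service name { attr = value ... }' stanzas."""
    findings = []
    for m in re.finditer(r"service\s+(\S+)\s*\{(.*?)\}", text, re.S):
        attrs = dict(re.findall(r"(\w+)\s*=\s*(\S+)", m.group(2)))
        if attrs.get("disable") == "yes":
            continue          # a disabled stanza never listens
        p = attrs.get("port", "")
        reason = _suspicious(int(p) if p.isdigit() else None,
                             attrs.get("user"), attrs.get("server"))
        if reason:
            findings.append((m.group(1), reason))
    return findings
# Constructed samples: one ordinary tcpd-wrapped service plus one entry of the
# kind Sande describes (high numeric port, root, shell) in each format. Real
# xinetd puts one attribute per line; the stanzas are compacted here for space.
INETD_SAMPLE = """# /etc/inetd.conf (constructed)
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
5555    stream  tcp  nowait  root  /bin/sh  sh -i
"""
XINETD_SAMPLE = """service telnet
{ user = root  server = /usr/sbin/in.telnetd  disable = yes }
service backup
{ type = UNLISTED  port = 60177  user = root  server = /bin/bash }
"""
```

Running `audit_inetd(INETD_SAMPLE)` and `audit_xinetd(XINETD_SAMPLE)` reports only the two constructed backdoor-style entries; the wrapped ftp service and the disabled telnet stanza pass.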

Post by Christopher Alber » Thu, 05 Apr 2001 21:07:15



> Dear all,

>  Today I turned on my Linux box and received a mail from sendmail regarding
> a failed message posted to

> following:

> ---------- Forwarded message ----------
> Date: Wed, 4 Apr 2001 03:15:21 +0800


> Subject: Warning: could not send message for past 4 hours

>     **********************************************
>     **      THIS IS A WARNING MESSAGE ONLY      **
>     **  YOU DO NOT NEED TO RESEND YOUR MESSAGE  **
>     **********************************************

> The original message was received at Tue, 3 Apr 2001 21:57:12 +0800

>    ----- The following addresses had transient non-fatal errors -----


Leo,

You're compromised. Sorry, time for mkfs and a fresh install.
Get your box offline--it is being used to attack others.
You can look at
http://www.cert.org/tech_tips/root_compromise.html

And to find out more about the "adore" worm that is on your system you
can see:

http://www.sans.org/y2k/adore.htm

At that link there is an "adorefind" program which will find and
eliminate the adore worm, but frankly you can't really be sure if that is
all there is. Since the SANS posting a few days ago, adore could have
mutated. Reformat, and reinstall after you have read some security docs.

Chris

P.S.: Please don't multi-post

Post by Hal Burgi » Thu, 05 Apr 2001 22:57:46



> Today I turned on my Linux box and received a mail from sendmail regarding

>it basically says the following:

[...]

>If anyone has any idea what's going wrong, please let me know, and how
>am I getting the file. I know that Sina provides a freemail service but it
>has an extension of sinaman.com or sinagirl.com, but NOT sina.com. Is
>that why I am getting the mail bounced back???

You've been cracked by a new worm, because you did not apply the updates
to fix security holes. I believe these are the exact same holes that are
used by the Ramen and Lion worms: wu-ftp, rpc, LPRng (IIRC).

Why the mail can't be delivered is the least of your worries, and I
would consider deleting it ASAP!

--
Hal B

Post by Peter T. Breue » Fri, 06 Apr 2001 01:19:47




>> One more thing: after I read the email, I checked my log file
>> (/var/log/message) to see what happened. Apparently, I have lost ALL the
>> stuff before the date APRIL 3rd (the day the mail was sent)... So I couldn't trace
> Looks like somebody has installed some trojan that tried to
> mail out information about your system.

Sounds like he's been tr0n'ed. Lion or Ramen worm. Attack through
bind (< 8.2.2?) or wuftp <= 2.6.0.

> I suggest you re-install your machine to get rid of the
> trojan and other rootkits that could be on your machine.
> I also suggest some good reading about security and
> firewalling.

Yep.

Peter

Post by Hal Burgi » Fri, 06 Apr 2001 02:59:09



>You've been cracked by a new worm, because you did not apply the updates
>to fix security holes. I believe these are the exact same holes that are
>used by the Ramen and Lion worms: wu-ftp, rpc, LPRng (IIRC).

Also, BIND.

http://www.sans.org/y2k/adore.htm

--
Hal B

Post by Bill Unr » Fri, 06 Apr 2001 03:25:39



>Dear all,
> Today I turned on my Linux box and received a mail from sendmail regarding
>a failed message posted to

>following:
>---------- Forwarded message ----------
>Date: Wed, 4 Apr 2001 03:15:21 +0800


>Subject: Warning: could not send message for past 4 hours

Yup, you have been hit by the adore worm. See
http://www.sans.org/y2k/adore.htm

It has sent your stuff to three different mail addresses. Perhaps some
are now being shut down.

They got in through one of the security holes which you forgot to patch
(it is important that you keep up to date with the security patches for
your system -- from www.redhat.com):
LPRng, wuftp, bind, ...

1. Help I am having OOP problems in Linux

I need some help with the basics of OOP in Linux. I attempted to
convert some programming that I have done in DOS and Windows,
i.e.:

#include <iostream.h>

int main(void)
{
    cout << "hello world.";
    return 0;
}

when I compile this little short and nasty program using the following
command line

gcc sample.C -o sample

I get the following error

/tmp/cca024501.o; In function 'main':
/tmp/cca024501.o(.text+0x9): undefined reference to 'cout'
/tmp/cca024501.o(.text+0xe): undefined reference to
'ostream::operator<<char const *)

Can anyone tell me what went wrong and what I did wrong,
as a form of a test to see if I can program in Linux?

Thanks

Kevin
