  1. #1

    hacked?

    Hi,

    I'm very new to *nix, I've been using it for 4 hours!

    This is what I've found:

    Using "tail /var/log/cron" shows this:

    "Aug 2 11:22:01 asterisk1 crond[17727]: (root) CMD ( chown root /tmp/pwned; chmod 4755 /tmp/pwned; rm -f /etc/cron.d/core)"

    In /etc/cron.d there is a file called core.29811

    I think the person is using this exploit

    Am I right?

    How can I find the IP address of the person doing this?

    Regards
    Tom

  2. #2

    Re: hacked?

    What services are running on your linux box?
    What version of the kernel are you running?

  3. #3

    Re: hacked?

    I have no idea, it's an asterisk@home system. Sorry I can't give any more info but this is the first time I've used *nix!

    In the logs located in /var/log/httpd there are a lot of entries like these:

    "193.109.122.29 - - [04/Jul/2007:02:28:56 +0100] "CONNECT 85.116.31.6:25396 HTTP/1.0" 405 315 "-" "pxyscand/2.1""


    "89.171.148.82 - - [01/Jul/2007:09:49:06 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 333 "-" "-"
    89.171.148.82 - - [01/Jul/2007:09:49:16 +0100] "SEARCH /\x90\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\ x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\ x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\ x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\ x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\ x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\ x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\ x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\ x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\ x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\ x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\ x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\ x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\ x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\ x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\ x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\ x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\ x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\ x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x0"

  4. #4

    Re: hacked?

    Without seeing your entire log it'd be difficult to work out which line is the root cause of the problem, but unless I misunderstood your system setup it's unlikely that the fp30reg.dll is the problem, as that's a FrontPage exploit (not generally an issue on a *nix box).

    I took a quick look at the asterisk@home page and it seems you have a VoIP setup, but as far as I can see you're using an old version of the software and should probably look at trixbox.

    Once you've upgraded I'd then take some time to install a brute force detection system as well as looking at mod_security.
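
As an added example (not part of any post in this thread), a small Python triage of the two kinds of log lines quoted above: it labels the probe-style requests in the Apache access log and records whether the server rejected them, and it flags cron commands that change privileges. The sample lines are constructed with documentation IP addresses and an assumed status for the SEARCH request; only the cron command is the one quoted in post #1, and the function names are hypothetical.

```python
import re

# Apache combined-log request line, and crond's "(user) CMD (command)" entry.
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) '
                       r'(?P<target>.*?)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) ')
CRON_RE = re.compile(r'crond\[\d+\]: \((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)\s*$')
SETUID_RE = re.compile(r'\bchmod\s+(?:[4-7]\d{3}|[ugoa]*\+[rwxX]*s)\b')

def triage_access(line):
    """Return (ip, label, rejected) for a probe-like request, else None.

    rejected is True when the status is 4xx/5xx, i.e. the server refused it.
    """
    m = ACCESS_RE.match(line)
    if not m:
        return None
    method, target = m["method"], m["target"].lower()
    if method == "CONNECT":
        label = "open-proxy probe"
    elif "fp30reg.dll" in target:
        label = "FrontPage fp30reg.dll probe"
    elif method == "SEARCH" and target.count("\\x") >= 20:
        label = "SEARCH request padded with escaped binary bytes"
    else:
        return None
    return m["ip"], label, int(m["status"]) >= 400

def triage_cron(line):
    """Return (user, findings) for a cron command that changes privileges."""
    m = CRON_RE.search(line)
    if not m:
        return None
    cmd, findings = m["cmd"], []
    if SETUID_RE.search(cmd):
        findings.append("sets the setuid bit")
    if re.search(r'\bchown\s+root\b', cmd):
        findings.append("changes owner to root")
    if re.search(r'\brm\b.*/etc/cron\.d/', cmd):
        findings.append("deletes a file in /etc/cron.d")
    return (m["user"], findings) if findings else None

# Constructed samples; only the cron command comes from post #1.
SAMPLES = [
    '192.0.2.10 - - [04/Jul/2007:02:28:56 +0100] "CONNECT 198.51.100.6:25396 HTTP/1.0" 405 315 "-" "pxyscand/2.1"',
    '192.0.2.20 - - [01/Jul/2007:09:49:06 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 333 "-" "-"',
    r'192.0.2.20 - - [01/Jul/2007:09:49:16 +0100] "SEARCH /\x90' + r'\x04H' * 40 + '" 414 300 "-" "-"',
    'Aug 2 11:22:01 asterisk1 crond[17727]: (root) CMD ( chown root /tmp/pwned; chmod 4755 /tmp/pwned; rm -f /etc/cron.d/core)',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(triage_access(s) or triage_cron(s))
```

All three web requests come back as rejected, while the cron entry is flagged as a root job that creates a setuid-root file and then removes its own cron.d entry.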
