*nix Thread, hacked? in Technical
2nd August 2007, 10:29 AM #1
hacked?
Hi,
I'm very new to *nix, I've been using it for 4 hours!
This is what I've found:
Using "tail /var/log/cron" shows this:
"Aug 2 11:22:01 asterisk1 crond[17727]: (root) CMD ( chown root /tmp/pwned; chmod 4755 /tmp/pwned; rm -f /etc/cron.d/core)"
In /etc/cron.d there is a file called core.29811
I think the person is using this exploit
Am I right?
How can I find the IP address of the person doing this?
Regards
Tom
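The two artefacts reported in the post above (a root cron job that sets the setuid bit on a file in /tmp, and a core-named file in /etc/cron.d) can be looked for with read-only commands. This is an added example, not part of any poster's reply; the function names and the two benign sample log lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added triage example, not from the thread. Read-only checks for the
# artefacts reported in post #1.

# Print cron log lines whose CMD sets a setuid/setgid bit or touches
# /etc/cron.d. $1 = cron log path (default /var/log/cron, as in the thread).
flag_cron_cmds() {
    grep -E 'CMD \(' "${1:-/var/log/cron}" | grep -E \
        -e 'chmod +(-[A-Za-z]+ +)*0?[2467][0-7]{3}( |;|\)|$)' \
        -e 'chmod +(-[A-Za-z]+ +)*[ugoa]*\+[rwxX]*s' \
        -e '/etc/cron\.d/'
}

# List core-dump-named files in a crontab directory, where no core file
# belongs. $1 = directory (default /etc/cron.d).
find_cron_cores() {
    find "${1:-/etc/cron.d}" -maxdepth 1 -type f \
        \( -name core -o -name 'core.[0-9]*' \)
}

# List setuid files under a temp directory; check owners with ls -l.
# $1 = directory (default /tmp).
find_suid() {
    find "${1:-/tmp}" -xdev -type f -perm -4000 2>/dev/null
}

# Constructed sample: the log line from post #1 plus two benign lines.
demo_log() {
    cat <<'EOF'
Aug 2 11:22:01 asterisk1 crond[17727]: (root) CMD ( chown root /tmp/pwned; chmod 4755 /tmp/pwned; rm -f /etc/cron.d/core)
Aug 2 11:01:01 asterisk1 crond[17001]: (root) CMD (run-parts /etc/cron.hourly)
Aug 2 11:05:01 asterisk1 crond[17100]: (root) CMD (chmod 0644 /var/log/example.log)
EOF
}

# "sh triage.sh live" runs all three checks against the real paths.
if [ "${1:-}" = "live" ]; then
    flag_cron_cmds; find_cron_cores; find_suid
fi
```

Any hit from the live run is a reason to preserve the logs and the flagged files before changing anything on the box.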
-
-
2nd August 2007, 10:36 AM #2 Re: hacked?
What services are running on your linux box?
What version of the kernel are you running?
-
-
2nd August 2007, 11:05 AM #3
Re: hacked?
I have no idea, it's an asterisk@home system. Sorry I can't give any more info but this is the first time I've used *nix!
In the logs located in /var/log/httpd there are a lot of entries like these:
"193.109.122.29 - - [04/Jul/2007:02:28:56 +0100] "CONNECT 85.116.31.6:25396 HTTP/1.0" 405 315 "-" "pxyscand/2.1""
"89.171.148.82 - - [01/Jul/2007:09:49:06 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 333 "-" "-"
89.171.148.82 - - [01/Jul/2007:09:49:16 +0100] "SEARCH /\x90\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\ x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\ x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\ x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\ x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\ x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\ x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\ x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\ x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\ x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\ x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\ x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\ x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\ x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\ x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\ x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\ x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\ x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\ x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x0"
-
-
2nd August 2007, 11:22 AM #4 Re: hacked?
Without seeing your entire log it'd be difficult to work out which line is the root cause of the problem, but unless I misunderstood your system setup it's unlikely that the fp30reg.dll is the problem, as that's a FrontPage exploit (not generally an issue on a *nix box).
I took a quick look at the asterisk@home page and it seems you have a VOIP setup, but as far as I can see you're using an old version of the software and should probably look at Trixbox.
Once you've upgraded I'd then take some time to install a brute force detection system as well as looking at mod_security.