From: GertJan Spoelman (sl_at_gjs.cc)
Date: Sat Jul 27 2002 - 06:37:02 CDT


    On Saturday 27 July 2002 13:08, Joe & Sesil Morris (NTM) wrote:
    > I found out yesterday that our server has been intruded. The intruder
    > even was able to su to root (according to the logs). They logged in via
    > /dev/console, and via the bash history I was able to get the commands
    > they typed in. They are as follows.
    > PROMPT_COMMAND='pwd>&7;kill -STOP $$'
    > cd "`echo -e '\057\150\157\155\145\057\152\157\145'`"
    <snip>
    > Do any of you recognize these commands, and can tell me what they do?
    > BTW, this is SuSE 8.0. I still haven't figured out how they got in. I
    > run SUSEfirewall2, and all incoming ports are blocked on the internet
    > interface. I tried to compile chkrootkit and no go, so I need some
    > help, if you would be so kind. Thanks.

    It's not an intrusion. I see loads of messages like that too in my bash history
    on an 8.0 box which isn't connected directly to the internet. I haven't yet
    investigated it further, but I think it's caused by mc (Midnight Commander);
    do you use that too?

    -- 
    

    GertJan
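A small triage helper for history entries like the two quoted above (an added example, not code from either poster). Midnight Commander's bash subshell support does install a PROMPT_COMMAND of exactly this shape, so the subshell reports its working directory over a pipe (fd 7 here) and pauses itself, and it changes directory with octal-escaped paths; the script labels those two patterns as benign, decodes the cd target, and leaves every other line for review. The sample history is constructed, and the label names are my own.

```shell
# Decode the \ddd octal escapes that mc writes into its cd command.
# POSIX printf interprets \ddd in the FORMAT argument, so the encoded
# string is used as the format itself, with any % doubled first.
decode_octal() {
    fmt=$(printf '%s' "$1" | sed 's/%/%%/g')
    printf "$fmt"
}

# Given one history line of the form  cd "`echo -e '\057...'`"  print the
# decoded directory; return 1 for any other line.
mc_cd_target() {
    case $1 in
        'cd "`echo -e '"'"*) ;;
        *) return 1 ;;
    esac
    rest=${1#*\'}          # drop everything up to the opening quote
    enc=${rest%%\'*}       # keep everything up to the closing quote
    decode_octal "$enc"
}

# Read history lines on stdin and label each one. The PROMPT_COMMAND line
# is the bash hook mc installs so its subshell writes the cwd to a pipe
# and stops itself until mc resumes it; anything else is left for review.
triage_history() {
    while IFS= read -r line; do
        case $line in
            "PROMPT_COMMAND='pwd>&"[0-9]*";kill -STOP \$\$'")
                printf 'benign mc-subshell-sync\n' ;;
            'cd "`echo -e '"'"*)
                printf 'benign mc-chdir %s\n' "$(mc_cd_target "$line")" ;;
            *)
                printf 'review %s\n' "$line" ;;
        esac
    done
}

# Constructed sample modelled on the lines quoted in the thread
# (assumed content, not the poster's actual .bash_history).
sample_history() {
    cat <<'EOF'
PROMPT_COMMAND='pwd>&7;kill -STOP $$'
cd "`echo -e '\057\150\157\155\145\057\152\157\145'`"
ls -la /tmp
EOF
}

sample_history | triage_history
```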
