Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: GertJan Spoelman (sl_at_gjs.cc)
Date: Sat Jul 27 2002 - 06:37:02 CDT
On Saturday 27 July 2002 13:08, Joe & Sesil Morris (NTM) wrote:
> I found out yesterday that our server has been intruded. The intruder
> even was able to su to root (according to the logs). They logged in via
> /dev/console, and via the bash history I was able to get the commands
> they typed in. They are as follows.
> PROMPT_COMMAND='pwd>&7;kill -STOP $$'
> cd "`echo -e '\057\150\157\155\145\057\152\157\145'`"
> Do any of you recognize these commands, and can tell me what they do?
> BTW, this is SuSE 8.0. I still haven't figured out how they got in. I
> run SUSEfirewall2, and all incoming ports are blocked on the internet
> interface. I tried to compile chkrootkit and no go, so I need some
> help, if you would be so kind. Thanks.
It's not an intrusion, I see loads of messages like that too in my bashhistory
on a 8.0 box which isn't connected directly to the internet, I haven't yet
investigated it further but I think it's caused by mc (Midnight Commander),
do you use that too?
-- To unsubscribe, e-mail: suse-security-unsubscribesuse.com For additional commands, e-mail: suse-security-helpsuse.com Security-related bug reports go to securitysuse.de, not here