LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 09-16-2004, 02:49 PM   #1
techra
LQ Newbie
 
Registered: Sep 2004
Posts: 1

Rep: Reputation: 0
twitch@Stealth -- what is this?


This morning we found a nice program taking up all system resources on a box. I've googled around for this program and can't find anything about it.

Somehow some Brazillian got into our system, created an account called apachi and began scanning around for .db files -- we figured looking for credit cards. We have none stored.

Anyway, the program that was running was in /tmp -- "st" it was called. We copied it over to an isolated machine and ran it with --help.

It says:

twitch@Stealth
warning this program is very dangerous
run as
st-kill <host> <port>

The twitch@Stealth part is done in K-RAD ansi colors.

We can't figure out exactly what it does or what it was used for. The hacker also put in a directory in /tmp called .sux -- inside a file.sh in Portugese which I cannot fully translate. This is where the *.db lookups were and scanning httpd files.

Anyone seen this yet? Where do I properly report it? Can't find anything on google about it at all, and we want to know how this got here, what it was doing, and why.

Thanks for any help.

Taylor
 
Old 09-16-2004, 11:49 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
I believe that's a flooder:
http://www.netsys.com/full-disclosur.../msg00715.html

Sounds like you got a several cracking tools installed on your system. You should take it offline immediately and do a full format and re-installation from trusted media (not from a backup). When you re-install, make sure to immediately update the packages on your system or download the patches before hand and burn them to a cd and install before even putting it back online. Also consider all passwords and authentication tokens on that system to be compromised as well. You should also verify that any machines that have been in contact with this one are not compromised as well (having traffic sniffed and keystokes logged is becoming much more common).

If you'd like to do some forensic analysis on the system (see what's installed, try and find the means of entry, etc) you should really make a bit-by-bit copy of the drive and work with that instead. But you will absolutely need to take your system offline immediately and re-install.

If you wish to report it, you can contact you ISP as well as the ISP of the intruder. Usually providing them with any relevant logs can be helpfull. Otherwise chalk it up as a learning experience and spend some time securing your box to prevent it from happening again.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Stealth Analysis brianthegreat Linux - Security 3 10-30-2005 10:37 AM
Stealth cpu's EdR Linux - Newbie 4 10-14-2004 01:35 PM
iptables port forwarding - *twitch* stuii Linux - Security 7 09-04-2003 02:50 PM
How to stealth port #113 ? johnm1957 Linux - Networking 5 06-05-2002 10:25 PM
Ok Finegan...Home stretch to becoming an addict. *twitch twitch* taz.devil General 18 04-07-2002 04:17 PM


All times are GMT -5. The time now is 04:10 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration