09-16-2004, 03:49 PM   #1
LQ Newbie (Registered: Sep 2004)
twitch@Stealth -- what is this?

This morning we found a nice program taking up all system resources on a box. I've googled around for this program and can't find anything about it.

Somehow some Brazilian got into our system, created an account called apachi and began scanning around for .db files -- we figured looking for credit cards. We have none stored.

Anyway, the program that was running was in /tmp -- "st" it was called. We copied it over to an isolated machine and ran it with --help.

It says:

warning this program is very dangerous
run as
st-kill <host> <port>

The twitch@Stealth part is done in K-RAD ansi colors.

We can't figure out exactly what it does or what it was used for. The hacker also put a directory in /tmp called .sux -- inside a in Portuguese which I cannot fully translate. This is where the *.db lookups were and scanning httpd files.

Anyone seen this yet? Where do I properly report it? Can't find anything on google about it at all, and we want to know how this got here, what it was doing, and why.

Thanks for any help.

09-17-2004, 12:49 AM   #2
Senior Member (Registered: Mar 2003, Distribution: Fedora)
I believe that's a flooder.

Sounds like you got several cracking tools installed on your system. You should take it offline immediately and do a full format and re-installation from trusted media (not from a backup). When you re-install, make sure to immediately update the packages on your system or download the patches beforehand and burn them to a CD and install them before even putting it back online. Also consider all passwords and authentication tokens on that system to be compromised as well. You should also verify that any machines that have been in contact with this one are not compromised as well (having traffic sniffed and keystrokes logged is becoming much more common).

If you'd like to do some forensic analysis on the system (see what's installed, try and find the means of entry, etc) you should really make a bit-by-bit copy of the drive and work with that instead. But you will absolutely need to take your system offline immediately and re-install.

If you wish to report it, you can contact your ISP as well as the ISP of the intruder. Usually providing them with any relevant logs can be helpful. Otherwise chalk it up as a learning experience and spend some time securing your box to prevent it from happening again.
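The reply above recommends imaging the drive and doing the forensic work on the copy rather than on the running box. The script below is an added example, written for this page and not posted by either participant, showing the first triage checks a responder would run against such an image once it is mounted read-only: attacker drop files under the temp directories, unexpected accounts in /etc/passwd, and setuid binaries. It takes the mount point as its argument. Because it cannot ship a real disk image, it builds a small constructed directory tree that mirrors the first post's findings (an executable "st" in /tmp, a hidden /tmp/.sux directory, an "apachi" account); the device name, mount paths, file names and account names are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): offline triage of an imaged root filesystem.
# Work from a bit-for-bit copy mounted read-only, never from the live box.
# Imaging and mounting, run from a clean boot medium (shown only, not executed here;
# device and paths are assumptions):
#   dd if=/dev/sda of=/mnt/evidence/sda.img bs=4M conv=noerror,sync
#   sha256sum /mnt/evidence/sda.img > /mnt/evidence/sda.img.sha256
#   mount -o ro,loop,noexec,nosuid,nodev /mnt/evidence/sda.img /mnt/image
# The checks below take that mount point as $1.

# Constructed sample tree mirroring the first post's findings (an executable "st"
# in /tmp, a hidden /tmp/.sux directory, an "apachi" account) plus a spare UID-0
# user and a setuid binary, so the checks run here without root or a real image.
make_sample_root() {
  root=$(mktemp -d)
  mkdir -p "$root/tmp/.sux" "$root/var/tmp" "$root/etc" "$root/usr/bin"
  printf 'placeholder for the flooder binary\n' > "$root/tmp/st"
  chmod 755 "$root/tmp/st"
  printf 'leia-me\n' > "$root/tmp/.sux/README"
  cat > "$root/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
apachi:x:1001:1001::/home/apachi:/bin/bash
toor:x:0:0::/root:/bin/bash
EOF
  : > "$root/usr/bin/ls"
  : > "$root/usr/bin/suidshell"
  chmod 4755 "$root/usr/bin/suidshell"
  printf '%s\n' "$root"
}

# 1. Hidden directories and executable files in the world-writable temp dirs,
#    the usual drop zone for attacker tools. Paths are printed relative to $1.
find_tmp_artifacts() {
  find "$1/tmp" "$1/var/tmp" \( -type d -name '.*' \) -o \( -type f -perm -100 \) \
    2>/dev/null | sed "s#^$1##" | LC_ALL=C sort
}

# 2. Accounts that should not be there: extra UID-0 entries, and unprivileged
#    users that have a real login shell (review each against the known user list).
find_suspicious_accounts() {
  awk -F: '($3 == 0 && $1 != "root") || ($3 >= 1000 && $7 !~ /nologin|false/) { print $1 ":" $3 ":" $7 }' "$1/etc/passwd"
}

# 3. Setuid files; compare against the package manager's list or a clean install,
#    since a setuid copy of a shell is a classic backdoor.
find_setuid_files() {
  find "$1" -type f -perm -4000 2>/dev/null | sed "s#^$1##" | LC_ALL=C sort
}

# Print all three reports for a mount point.
triage_report() {
  for check in find_tmp_artifacts find_suspicious_accounts find_setuid_files; do
    printf '== %s ==\n' "$check"
    "$check" "$1"
  done
}

# Stand-alone demo on the constructed tree; on a real case pass /mnt/image instead.
root=$(make_sample_root)
triage_report "$root"
rm -rf "$root"
```

These checks are a starting point, not a full investigation: a rootkit that replaces find, ls or awk on the compromised system would not affect them only because the image is examined from a clean host with its own binaries, which is the reason the reply insists on working from a copy. A file timeline (find -newer against a known-good reference, or the mtime/ctime of everything under /tmp and /etc) is the natural next step for locating the means of entry.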


All times are GMT -5.