Thanks for all the responses. I'll summarise them in approximate order of volume:

1. Congrats to all the people out of the office. Hope you're having fun.

2. I downloaded the virus, but didn't do anything more than run strings over it. I didn't realise it was infected with a virus already, though, that's certainly interesting.

3. I haven't managed to get a copy of 73.tgz; I think he copied it in by hand, possibly by scp after he reset the root password. I think this was where the "./setup muie 55055 angelboy@the-darkside.info" came from.

4. This was caught because he did rm -rf /var/log, which stopped exim from running as it couldn't log incoming and outgoing mail. There was also some kind of monitor app running that fired off a whole bunch of rm threads deleting everything he touched whenever someone tried to log in (I think). I logged in to see a whole bunch of threads doing something like ./evil rm -rf directoryname, after which I had the client pull the power.

5. After I booted off a superrescue CD to have a poke around, I found a whole bunch of files in /bin, /usr/bin, /usr/sbin, /sbin which had been modified in the previous 24 hours.

6. After copying off the most recently modified data (no executables) I formatted and reinstalled Debian from CD. Data was restored from backup and the most recently modified data was eyeballed and put back (it was only 5 text files).

7. I still have access to all the files that were left after the rm run. If anyone would like a copy of any of the system files to tinker with, let me know and I'll pull them off.

8. I haven't contacted anyone because I don't have any hard evidence of where the intrusion came from. The cahcepu.net appears to be run by the guy who tried to get in anyway so I didn't feel it was too worthwhile.

Once again, thanks for everyone's comments!
Cheers, Steve
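A small triage script for the rescue-CD step described in point 5, added here as an example and not Steve's own commands: run against the victim filesystem mounted read-only from the rescue CD, it lists the files under /bin, /sbin, /usr/bin and /usr/sbin modified within the last day and checks whether /var/log is gone, the symptom from point 4. The mount-point argument, the day window and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Triage a compromised root
# filesystem that has been mounted (ideally read-only) from a rescue CD.
# $1 is the mount point of the victim image, e.g. /mnt/victim (assumed).

# List regular files under the system binary directories whose mtime is
# within the last $2 days (default 1, i.e. the post's "previous 24 hours").
recent_system_files() {
    root="${1:?mount point required}"
    days="${2:-1}"
    for d in bin sbin usr/bin usr/sbin; do
        [ -d "$root/$d" ] || continue
        # -mtime -N is POSIX: file age in whole days is less than N.
        find "$root/$d" -type f -mtime "-$days"
    done | sort
}

# Number of hits; a quick yes/no for "does this image need a closer look".
recent_system_file_count() {
    recent_system_files "$@" | wc -l | tr -d ' '
}

# Returns 0 (true) when /var/log is absent from the image. In the post the
# directory had been removed, which is what stopped exim and exposed the
# intrusion, so its absence is worth flagging explicitly.
var_log_missing() {
    root="${1:?mount point required}"
    [ ! -d "$root/var/log" ]
}

# Example run (prints the findings for the mount point given as $1).
if [ -n "$1" ]; then
    echo "Recently modified system files ($(recent_system_file_count "$1")):"
    recent_system_files "$1"
    var_log_missing "$1" && echo "WARNING: /var/log is missing on the image"
fi
```

Modification times can be reset by whoever changed the file, so on a real image repeat the same find with -ctime and verify the listed binaries against the Debian package checksums before trusting a short list.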
This archive was generated by hypermail 2b30 : Tue Apr 22 2003 - 07:58:25 PDT