01.30.2006 at 10:52PM PST, ID: 21716614

SHV5 rootkit Tiger 10.4.4

Asked by sxealex in Unix Network Security

hello all,
   I run an FTP server and a few other kinds of servers from my home machine (hotline, kdx, ssh remote login, vnc and a few other random ones).  I have dyndns running and stuff and stupidly I have left it completely unprotected until now.  Anyway I did a fresh install a few days ago and left for tour.  All my old info was compressed into a disk image.  I logged in to ssh on Saturday morning and everything seemed fine, the ls command was working fine then and I was able to mount a disk image or 2 remotely to get some gps stuff I needed.  When I got home I was using terminal for something and the ls command said it could not open the binary.  I played around for a bit and found a hidden file called "h.txt"; it contained some log of terminal entries.  Here is that file:

    1  ls
    2  ls
    3  cd /
    4  ls
    5  cd Volumes/
    6  ls
    7  mount
    8  dd if=/dev/disk1s9 of=/dev/disk0s3 bs=32k &
    9  mount
   10  df
   11  umount
   12  umount /Volumes/MX120/
   13  fuser -v /Volumes/MX120/
   14  lsof
   15  man lsof
   16  :q
   17  q
   18  q
   19  q
   20  man nohup
   21  cd /Volumes/MX120/
   22  l -al
   23  ls -al
   24  du -sSh
   25  du -sh
   26  df
   27  df -h
   28  mount
   29  ls -l
   30  ls -l /Volumes/Backup/
   31  clear
   32  ls -l
   33  rm -rf /Volumes/MX120/*
   34  nohup rm -rf /Volumes/MX120/* &
   35  clear
   36  cd ..
   37  clear
   38  df -h
   39  watch `df -h`
   40  df -h
   41  df -h /Volumes/MX120/
   42  clear
   43  clear
   44  df -h /Volumes/MX120/
   45  df -h /Volumes/MX120/
   46  df -h /Volumes/MX120/
   47  df -h /Volumes/MX120/
   48  df -h /Volumes/MX120/
   49  df -h /Volumes/MX120/
   50  df -h /Volumes/MX120/
   51  df -h /Volumes/MX120/
   52  df -h /Volumes/MX120/
   53  df -h /Volumes/MX120/
   54  df -h /Volumes/MX120/
   55  df -h /Volumes/MX120/
   56  ps
   57  df -h /Volumes/MX120/
   58  df -h /Volumes/MX120/
   59  df -h /Volumes/MX120/
   60  exit
   61  ps
   62  ps
   63  ps
   64  ps
   65  df -h /Volumes/MX120/
   66  df -h /Volumes/MX120/
   67  df -h /Volumes/MX120/
   68  df -h /Volumes/MX120/
   69  df -h /Volumes/MX120/
   70  cd /Volumes/MX120/
   71  ls -al
   72  ls -lh
   73  rm -rf *
   74  rm -rf .
   75  ls -l
   76  ls -l
   77  cd .TemporaryItems/
   78  ls
   79  ls -l
   80  rm -rf *
   81  ls -l
   82  clear
   83  ls
   84  sl -l
   85  cd ..
   86  ls
   87  clear
   88  ls -l
   89  cd ..
   90  ls
   91  cd Backup/
   92  ls
   93  ls
   94  clear
   95  cp -arv * ../MX120/
   96  cp -Rv * ../MX120/
   97  ls
   98  nohup cp -Rv * ../MX120/ &
   99  cp -Rv * ../MX120/ &
  100  df -h
  101  ps
  102  kill -9 1156
  103  kill -9 1158
  104  ls- l
  105  ps
  106  clear
  107  cd ../MX120/
  108  ls
  109  rm -rf *
  110  df -h
  111  cd ../Backup/
  112  ls
  113  nohup cp -Rv * ../MX120/ &
  114  df -h /Volumes/MX120/
  115  df -h /Volumes/MX120/
  116  df -h /Volumes/MX120/
  117  df -h /Volumes/MX120/
  118  df -h /Volumes/MX120/
  119  df -h /Volumes/MX120/
  120  df -h /Volumes/MX120/
  121  df -h /Volumes/MX120/
  122  df -h /Volumes/MX120/
  123  df -h /Volumes/MX120/
  124  ps
  125  pachectl start
  126  pachectl
  127  /etc/rc.d/init.d/httpd start
  128  
/etc/rc.d/init.d/httpd start
  129  -sh: /etc/rc.d/init.d/httpd: No such file or directory
  130  003065b2d31c:~ root#
  131  /etc/rc.d/init.d/httpd start
  132  -sh: /etc/rc.d/init.d/httpd: No such file or directory
  133  003065b2d31c:~ root#
  134  /etc/rc.d/init.d/httpd start
  135  -sh: /etc/rc.d/init.d/httpd: No such file or directory
  136  003065b2d31c:~ root#
  137  apachectl
  138  apachectl start
  139  apachectl restart
  140  apachectl fullstatus
  141  apachectl graceful
  142  apachectl configtest\
  143  apachectl configtest
  144  cat /private/etc/httpd/users/sxealex.conf
  145  cat  /private/etc/httpd/users/*.conf
  146  apachectl
  147  apachectl stop
  148  apachectl start
  149  exit
  150  cd /var/tmp
  151  ls
  152  ls -all
  153  mkdir ".. "
  154  php
  155  php -v
  156  telnet localhost 25
  157  ls
  158  cd ".. "
  159  cd send
  160  php ebay.php
  161  /etc/rc.d/init.d/httpd start
  162  /etc/rc.d/init.d/sendmail start
  163  cd ..
  164  cd ..
  165  rm -rf ".. "
  166  exit
  167  ls
  168  cd /
  169  las
  170  ls
  171  cd users
  172  ls
  173  cd sxealex
  174  ls
  175  cd /
  176  ls
  177  cd volumes
  178  ls
  179  cd Macintosh\ HD 200GB
  180  ls
  181  cd Macintosh\ HD\ 200GB
  182  cd Macintosh\HD\200GB
  183  ls
  184  cd volumes
  185  cd Macintosh\HD\200GB
  186  ls
  187  cd ../../
  188  ls
  189  cd Macintosh\ HD\ 200GB
  190  ls
  191  man hdid
  192  hdid Macintosh\ HD.sparseimage
  193  ls
  194  cd ../
  195  cd /var/tmp
  196  ls
  197  ls -all
  198  cd " "
  199  cd "     "
  200  ls
  201  cd .sex
  202  ls
  203  ./sendeb.pl
  204  chmod +x *
  205  ./sendeb.pl
  206  ls
  207  pico
  208  pico users
  209  ./sendeb.pl
  210  echo muie | mail stefmarvin@yahoo.com
  211  exitexit
  212  exit
  213  history > h.txt

   So as you can see that last entry had an email address which I'd never seen.  So I assumed that someone hacked into my compy.  I then googled the email and ended up finding out the guy lives in Romania.  I oddly found his address and phone number and stuff :) .  I then searched some more and I found something called shv5 which I guess is a rootkit.  I'd never heard of these before and researched them a little and it turns out they hijack your root user and install trojans in place of everyday commands and stuff as you all probably know, and keystroke loggers... so maybe he's reading this right now.  I haven't been entering anything on the computer that isn't public info besides my computer password and the Experts Exchange password.  I plan on reinstalling I think, unless anyone has any better ideas.  What I'm mostly worried and/or curious about is whether or not the root kit actually worked (considering it may have been built for an x86 box) and if he got any info from me.  I am not reinstalling right away and I just kinda wanna see what the guy is doing so that when I actually set up security next time I know what to be extra careful about.  Also I'd like to change all my passwords of online services into nice big ones unlike my current ones.  Anyway when I try ls I get
003065b2d31c:~ root# ls
-sh: /bin/ls: cannot execute binary file
so this is what is making me think the root kit was unsuccessful in hurting anything really?  Also any ideas on finding his ip?  The email was retarded if it is really his....  Anyway I just wanna see everything he did if possible.  I hope this question is clear enough, any input would be appreciated.  Thanks a lot.
-Alex
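A small triage helper for a history file like the h.txt above, added here as an example and not taken from the post or from any answer: it tags the commands a responder would want to look at first, and it classifies an executable by its leading bytes, which is the first check to run when sh answers `cannot execute binary file` for /bin/ls. The rule set, the excerpt in SAMPLE and the mail address in it are constructed for the example.

```python
import re
# Added example, not from the post. Rules keyed to behaviour seen in the posted h.txt:
# odd/hidden dirs, deleting mounted volumes, background jobs, Linux init paths, mail out.
RULES = [
    ("odd-dir", re.compile(r'(mkdir|cd|rm\s+-rf)\s+"(\.\.\s+|\s+)"|\bcd\s+\.[A-Za-z]')),
    ("mass-delete", re.compile(r'\brm\s+-rf\s+(/Volumes/|\*|\.)')),
    ("raw-disk-write", re.compile(r'\bdd\s+.*\bof=/dev/')),
    ("background-job", re.compile(r'\bnohup\b|&\s*$')),
    ("linux-init-path", re.compile(r'/etc/rc\.d/init\.d/')),
    ("outbound-mail", re.compile(r'\|\s*mail\s+\S+@\S+')),
    ("history-export", re.compile(r'\bhistory\s*>')),
]
HISTORY_LINE = re.compile(r'^\s*(\d+)\s+(.*)$')

def parse_history(text):
    """`history` output ("  NNN  cmd") -> [(number, cmd)]; None = unnumbered pasted output."""
    entries = []
    for line in text.splitlines():
        m = HISTORY_LINE.match(line)
        cmd = (m.group(2) if m else line).strip()
        if cmd:
            entries.append((int(m.group(1)) if m else None, cmd))
    return entries

def triage(text):
    """[(number, cmd, [matched rule names])] for every command hitting a rule."""
    hits = []
    for num, cmd in parse_history(text):
        tags = [name for name, rx in RULES if rx.search(cmd)]
        if tags:
            hits.append((num, cmd, tags))
    return hits

# Leading bytes of executable formats. A PowerPC Mac's own /bin/ls is big-endian
# Mach-O; sh's "cannot execute binary file" is consistent with a foreign format.
MAGICS = [(b"\x7fELF", "ELF"), (b"\xfe\xed\xfa\xce", "Mach-O big-endian (PowerPC)"),
          (b"\xce\xfa\xed\xfe", "Mach-O little-endian (x86)"), (b"\xca\xfe\xba\xbe", "Mach-O fat")]
def classify_binary(head):
    """Classify a file by its first bytes, e.g. classify_binary(open(p, 'rb').read(4))."""
    for magic, desc in MAGICS:
        if head.startswith(magic):
            return desc
    return "script" if head.startswith(b"#!") else "unknown"
# Constructed excerpt in the shape of the posted history (mail address replaced).
SAMPLE = """    8  dd if=/dev/disk1s9 of=/dev/disk0s3 bs=32k &
  127  /etc/rc.d/init.d/httpd start
  153  mkdir ".. "
  210  echo muie | mail someone@example.com
  213  history > h.txt
"""
```

Run `triage(open('h.txt').read())` over the full file; the rules are a starting point for reading the history, not a signature set.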
01.31.2006 at 12:23PM PST, ID: 15837233

About this solution

Zone: Unix Network Security
Tags: shv5, rootkit
Solution Provided By: garycutri
Participating Experts: 2
Solution Grade: B

02.13.2006 at 10:40PM PST, ID: 15948669