Hacked Servers
From HS Syswiki
Revision as of 9 September 2015, 09:21 by Hja
Server List:
- tux25 [Done]
- tux307 [Not in Prod]
- tux163
- tux247
- tux219
- tux3.at
Command line used to find SUID and SGID files owned by user root:
find / -type f -user root \( -perm -4000 -o -perm -2000 \) -exec ls -lg {} \; 2>/dev/null > ~/sysadmin/hack/suidfiles.txt
Find hacked .htaccess files:
mkdir -p ~/sysadmin/hack && /usr/bin/nice -n 19 /usr/bin/ionice -c2 -n7 find /home/www/ -type f -name .htaccess -exec egrep -l 'alecspiegel|khiuh3.php|162.216.6.208' {} \; 2>/dev/null > ~/sysadmin/hack/list_`date -I`
tux25:~/sysadmin # cat suidfiles.txt
-rwsr-xr-x 1 root 74720 12. Okt 2007 /bin/mount
---s--x--x 1 root 226 31. Aug 16:01 /bin/delp
-rwsr-xr-x 1 root 57184 12. Okt 2007 /bin/umount
-rwsr-xr-x 1 root 35936 21. Sep 2007 /bin/ping6
-rwsr-xr-x 1 root 32304 21. Sep 2007 /bin/su
-rwsr-xr-x 1 root 40192 21. Sep 2007 /bin/ping
-rwsr-xr-x 1 shadow 23384 21. Sep 2007 /sbin/unix_chkpwd
-rwsr-xr-x 1 shadow 10864 21. Sep 2007 /sbin/unix2_chkpwd
-r-sr-xr-x 1 bin 154584 18. Jan 2012 /var/dcc/libexec/dccsight
-rwsr-xr-x 1 daemon 10952 21. Sep 2007 /usr/lib/majordomo/wrapper
-rwsr-xr-x 1 root 27081 21. Sep 2007 /usr/lib64/pt_chown
-rwsr-xr-x 1 root 10856 22. Sep 2007 /usr/lib64/PolicyKit/polkit-grant-helper-pam
-rwxr-sr-x 1 103 15056 22. Sep 2007 /usr/lib64/PolicyKit/polkit-grant-helper
-rwsr-xr-x 1 trusted 40672 21. Sep 2007 /usr/bin/crontab
-rwsr-xr-x 1 root 10856 21. Sep 2007 /usr/bin/man
-rwsr-xr-x 1 root 10856 21. Sep 2007 /usr/bin/mandb
-rwsr-xr-x 1 shadow 78888 21. Sep 2007 /usr/bin/chfn
-rwsr-xr-x 1 root 144344 27. Jan 2009 /usr/bin/sudo
-rwsr-xr-x 1 root 19680 21. Sep 2007 /usr/bin/newgrp
-rwxr-sr-x 1 tty 15016 21. Sep 2007 /usr/bin/write
-rwsr-xr-x 1 shadow 19552 21. Sep 2007 /usr/bin/expiry
-rwsr-xr-x 1 shadow 82424 21. Sep 2007 /usr/bin/gpasswd
-rwsr-xr-x 1 shadow 82744 21. Sep 2007 /usr/bin/chage
-rwsr-xr-x 1 shadow 78208 21. Sep 2007 /usr/bin/passwd
-rwsr-xr-x 1 shadow 74232 21. Sep 2007 /usr/bin/chsh
-rwxr-sr-x 1 tty 15152 21. Sep 2007 /usr/bin/wall
-rwsr-x--- 1 dialout 58856 28. Mai 2008 /usr/sbin/mtr
-r-xr-sr-x 1 mail 2856959 5. Dez 2014 /usr/sbin/sendmail
-rwsr-xr-x 1 root 10784 4. Jul 2008 /usr/sbin/zypp-checkpatches-wrapper
-r-sr-xr-x 1 bin 189707 23. Aug 2010 /usr/local/bin/cdcc
-r-sr-xr-x 1 bin 584923 23. Aug 2010 /usr/local/bin/dccproc
-rws--x--x 1 root 58453 16. Jan 2015 /usr/local/apache2-2.2.29/sbin/suexec.confixx
-rws--x--x 1 root 58453 16. Jul 09:13 /usr/local/apache2-2.2.29/sbin/suexec2
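A listing like this is easier to triage when compared against one taken from a known-good host or an earlier run. The script below is an added example, not part of the original wiki page; the function names, the baseline file and the sample lines in `demo` are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: diff two SUID/SGID listings written by the find command above.
# Assumed `ls -lg` field layout: mode links group size day. month year|HH:MM path

# Usage: compare_suid_listings BASELINE CURRENT
# Prints "STATUS<TAB>path" for each finding:
#   NEW      path is absent from the baseline
#   CHANGED  mode, group or size differs from the baseline
#   RECENT   ls shows HH:MM instead of a year (mtime within about 6 months)
compare_suid_listings() {
    awk '
    function path_of(   i, p) {          # rejoin paths that contain spaces
        p = $8
        for (i = 9; i <= NF; i++) p = p " " $i
        return p
    }
    # The date column is left out: ls switches from HH:MM to a year as a
    # file ages, which would otherwise report every such file as CHANGED.
    function meta_of() { return $1 " " $3 " " $4 }
    NF < 8 { next }                       # skip shell prompts and blank lines
    FILENAME == ARGV[1] { base[path_of()] = meta_of(); next }
    {
        p = path_of()
        if (!(p in base))               print "NEW\t" p
        else if (base[p] != meta_of())  print "CHANGED\t" p
        if ($7 ~ /^[0-9][0-9]?:[0-9][0-9]$/) print "RECENT\t" p
    }' "$1" "$2"
}

# Constructed sample listings; the sizes, dates and example-helper are made up.
demo() {
    _dir=$(mktemp -d)
    cat > "$_dir/baseline.txt" <<'EOF'
-rwsr-xr-x 1 root 74720 12. Okt 2007 /bin/mount
-rwsr-xr-x 1 root 32304 21. Sep 2007 /bin/su
EOF
    cat > "$_dir/current.txt" <<'EOF'
-rwsr-xr-x 1 root 74720 12. Okt 2007 /bin/mount
-rwsr-xr-x 1 root 41000 3. Aug 14:22 /bin/su
-rwsr-xr-x 1 root 9000 3. Aug 14:25 /usr/local/bin/example-helper
EOF
    compare_suid_listings "$_dir/baseline.txt" "$_dir/current.txt"
    rm -rf "$_dir"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

The statuses are triage hints only: each flagged path still needs checking against the package database or a clean copy of the binary.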