[plug] Just got rooted

David Broadway djnitrous at hotmail.com
Sat Mar 30 14:24:24 WST 2002


Hiya Guys,

Yesterday I got a return email from my <root> account. I'm not on my computer 
atm to give you all the details besides what I've got in my head atm.

The email that was returned basically had the information about my computer, 
MHz, etc, df information (diskspace), a log of a ping to rc3.yahoo.com (if I 
remember right) like it was done with the pipe command >, and something else 
at the bottom. It was returned because of my address being wrong, e.g. my 
server's host wasn't 'real' to the internet. My server's hostname: 
rhserver1.djnitrous.com (not really)

Anyway. Later on I found that /bin/top, /bin/ps, /bin/netstat etc weren't 
working anymore. Like they weren't to be found on my system, but really the 
files were under /bin. Later on I found my connection sending/receiving data. 
Fuck knows what it was doing.

As far as I can see it happened at 11am. I downed the connection about 1pm, so 
the uptime was only about 2hr or so online. I've got all the logs to go thru.

I checked out www.chkrootkit.org and I found the machine to be infected with 
something (I'm not sure), and some of the infected files were /bin/ps, 
netstat, top, etc.

I also found, by looking around the system, some weird file. Can't remember 
the name of it atm, starting with cXXXXXXX.tar, and it was in the rootdir of 
the ftpd.

Later on I found lots of weird files under /var/spool/cron/.../ (files and 
subdirs), lots of uncompiled stuff. Plus under the ftpd root, which is 
/var/ftp, there was /var/ftp/.trei and that had lots of weird files under 
it and subdirs, like under the /var/spool/cron/.../

Anyway, I'll send out more details on what the files were etc and stuff 
later when I get back online, since I don't have them in front of me.

I WAS ROOOOOOOOOOOOOOOTED!!!
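
The dot-named directories reported above (/var/spool/cron/.../ and /var/ftp/.trei) are the kind of artifact a triage pass can list mechanically. The script below is an added example, not part of the original post: its function names and the sample tree are constructed for illustration, and it assumes a find that supports -mindepth (GNU or BSD). Since the post reports ps, netstat and top being replaced, it is meant to be run from trusted boot media against the mounted disk rather than with the host's own binaries.

```shell
#!/bin/sh
# Added example: list dot-named directories under spool/FTP roots, like the
# post's /var/spool/cron/.../ and /var/ftp/.trei. All names are hypothetical.

# classify_name NAME: "dots" if NAME is only dots/spaces ("...", ".. "),
# "hidden" for any other dot-prefixed name, "ok" otherwise.
classify_name() {
    rest=$(printf '%s' "$1" | tr -d '. ')
    case "$1" in
        .*) if [ -z "$rest" ]; then echo dots; else echo hidden; fi ;;
        *)  echo ok ;;
    esac
}

# scan_tree ROOT: one line per dot-named directory below ROOT, formatted as
# "<class> <regular files beneath it> <path>".
scan_tree() {
    find "$1" -mindepth 1 -type d -name '.*' -print 2>/dev/null |
    while IFS= read -r dir; do
        class=$(classify_name "$(basename "$dir")")
        count=$(find "$dir" -type f 2>/dev/null | wc -l | tr -d ' ')
        echo "$class $count $dir"
    done
}

# make_sample_tree DIR: constructed layout imitating the post's description.
make_sample_tree() {
    mkdir -p "$1/var/spool/cron/.../src" "$1/var/ftp/.trei/bin" "$1/var/ftp/pub"
    : > "$1/var/spool/cron/.../Makefile"
    : > "$1/var/spool/cron/.../src/a.c"
    : > "$1/var/ftp/.trei/bin/x"
    : > "$1/var/ftp/pub/README"
}

if [ "$#" -gt 0 ]; then
    # Real use: pass the roots of the mounted disk image to inspect.
    for root in "$@"; do scan_tree "$root"; done
else
    # No arguments: run against the constructed sample tree.
    tmp=$(mktemp -d) && make_sample_tree "$tmp" && scan_tree "$tmp"
    rm -rf "$tmp"
fi
```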
