Linux Box's been hit.
Not my box. This is a Linux workstation at my friend's company. On 3/21/2004 around 10pm, my friend logged on to his box in the office from his home. "netstat -nlp" showed ports 80 and 443 being used by a process called xntps. He checked /etc/rc.d/rc.sysinit, and "/usr/sbin/xntps -q" showed on the last line. He believed a rootkit had been installed on the box.
"# killall -9 xntps" wouldn't work. Probably killall had been replaced.
Doing "# /etc/init.d/syslog restart" removed xntps from the process list.
Checked "/var/log/": the log files had all been erased. Checked "/etc/secure", which had the following messages:
Mar 21 21:31:06 www useradd[5424]: new user: name=admin, uid=0, gid=0, home=/usr/lib/.admin/, shell=/bin/bash
Mar 21 21:32:57 www sshd[5426]: ROOT LOGIN REFUSED FROM 194.102.107.185
Mar 21 21:32:57 www sshd[5426]: Failed password for ROOT from 194.102.107.185 port 1697
Mar 21 21:33:02 www sshd[5426]: ROOT LOGIN REFUSED FROM 194.102.107.185
Mar 21 21:33:02 www sshd[5426]: Failed password for ROOT from 194.102.107.185 port 1697
Mar 21 21:33:08 www sshd[5426]: ROOT LOGIN REFUSED FROM 194.102.107.185
Mar 21 21:33:08 www sshd[5426]: Failed password for ROOT from 194.102.107.185 port 1697
Mar 21 21:33:30 www sshd[5426]: ROOT LOGIN REFUSED FROM 194.102.107.185
Mar 21 21:33:30 www sshd[5426]: Failed password for ROOT from 194.102.107.185 port 1697
Mar 21 21:33:53 www sshd[5426]: Failed password for ROOT from 194.102.107.185 port 1697
Mar 21 21:34:10 www useradd[5428]: new user: name=ftpd, uid=0, gid=0, home=/usr/lib/.ftpd/, shell=/bin/bash
Mar 21 21:34:42 www sshd[5426]: Connection closed by 194.102.107.185
Mar 21 21:35:32 www sshd[5432]: ROOT LOGIN REFUSED FROM 194.102.107.185
Mar 21 21:35:32 www sshd[5432]: Failed password for ROOT from 194.102.107.185 port 1698
Mar 21 21:35:40 www sshd[5432]: ROOT LOGIN REFUSED FROM 194.102.107.185
Mar 21 21:35:40 www sshd[5432]: Failed password for ROOT from 194.102.107.185 port 1698
Mar 21 21:35:57 www sshd[5432]: ROOT LOGIN REFUSED FROM 194.102.107.185
Mar 21 21:35:57 www sshd[5432]: Failed password for ROOT from 194.102.107.185 port 1698
Mar 21 21:36:00 www sshd[5432]: Connection closed by 194.102.107.185
He tried to change the passwords for admin and ftpd. Couldn't. Here is the wrong move: he rebooted the box instead of shutting it down. Couldn't log in after that. The next day, everything had been erased.
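Added example, not from the original post: a small Python triage script that reads the kind of /var/log/secure lines shown above and flags the two indicators they contain, uid 0 accounts created under a name other than root or with a hidden home directory, and repeated failed root ssh logins from a single address. The sample log text is constructed from the lines above; the function names and the threshold are assumptions of this example.

```python
import re

# Constructed sample: a subset of the /var/log/secure lines quoted in the post.
SAMPLE_SECURE_LOG = """\
Mar 21 21:31:06 www useradd[5424]: new user: name=admin, uid=0, gid=0, home=/usr/lib/.admin/, shell=/bin/bash
Mar 21 21:32:57 www sshd[5426]: ROOT LOGIN REFUSED FROM 194.102.107.185
Mar 21 21:32:57 www sshd[5426]: Failed password for ROOT from 194.102.107.185 port 1697
Mar 21 21:33:02 www sshd[5426]: Failed password for ROOT from 194.102.107.185 port 1697
Mar 21 21:34:10 www useradd[5428]: new user: name=ftpd, uid=0, gid=0, home=/usr/lib/.ftpd/, shell=/bin/bash
Mar 21 21:35:32 www sshd[5432]: Failed password for ROOT from 194.102.107.185 port 1698
Mar 21 21:36:00 www sshd[5432]: Connection closed by 194.102.107.185
"""

# IGNORECASE so both the post's "uid=" and the uppercase "UID=" written by newer useradd match.
USERADD_RE = re.compile(
    r"useradd\[\d+\]: new user: name=(?P<name>[^,]+), uid=(?P<uid>\d+), "
    r"gid=(?P<gid>\d+), home=(?P<home>[^,]+), shell=(?P<shell>\S+)", re.IGNORECASE)
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>[\d.]+)")


def find_rogue_uid0_accounts(log_text):
    """Return (name, home) for each uid 0 account that is not 'root' or lives in a dot-directory."""
    hits = []
    for m in USERADD_RE.finditer(log_text):
        hidden_home = any(p.startswith(".") for p in m["home"].split("/") if p)
        if m["uid"] == "0" and (m["name"] != "root" or hidden_home):
            hits.append((m["name"], m["home"]))
    return hits


def count_failed_root_logins(log_text):
    """Count failed ssh password attempts for root, keyed by source IP."""
    counts = {}
    for m in FAILED_RE.finditer(log_text):
        if m["user"].lower() == "root":
            counts[m["ip"]] = counts.get(m["ip"], 0) + 1
    return counts


def triage(log_text, threshold=3):
    """Summarise both indicators as human-readable findings; threshold is an assumed cut-off."""
    findings = [f"uid 0 account '{n}' added with home {h}" for n, h in find_rogue_uid0_accounts(log_text)]
    for ip, n in count_failed_root_logins(log_text).items():
        if n >= threshold:
            findings.append(f"{n} failed root ssh logins from {ip}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_SECURE_LOG):
        print(finding)
```

Because the attacker wiped /var/log here, the same check is only useful if such lines are also shipped to a remote syslog host the intruder cannot reach.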
Note: You think a Linux box is more secure than Windows? Maybe. But you still have to be careful and do your administration job effectively.