[lug] HACKED!

philburt stortsky ppld.phil.stortz at hotmail.com
Mon Feb 27 12:43:26 MST 2012

My machine has clearly been hacked and infected. Any help greatly appreciated. I have a Wireshark capture of my machine trying to access the Akamai FTP site when nothing other than Wireshark was running! Additionally my machine is looking up downloads.suse.org and the download.nvidia.com site every several minutes, again without any other activity.

I'm running openSUSE 12.1; automatic updates is set to not check for updates. packagekitd is also frequently running for no good reason, fairly alarming as it suggests someone has been futzing with my system. What logs should I look at? Transmission is also randomly terminating without any notice of a crash or any apparent reason, further suggesting that someone wants bandwidth on my machine, most likely to steal files or run some sort of bot trying to attack other sites (as the Akamai FTP access suggests). The Akamai FTP site is password protected for "anonymous" logins and my machine is responding with a password that seems to work, specifically "yast@10.x.x" where x is a number I've blanked out for obvious reasons. Scary!

On further examination of the Wireshark capture my machine is entering the suse directory at the Akamai site (which is NOT from a DNS query, further suggesting a virus/bot infection since the IP address is obviously hard coded!). Further, after it successfully logs into the Akamai site and changes directory, a 951 byte file named "repo.md.xml" is downloaded and then my system is logged out of the Akamai site. Very odd indeed!

Anyone have any idea WTF is going on? Is this a virus/bot, or is this strange behaviour somehow normal???

This install has been running less than 1 month. I'm also experiencing apparent high load/delays randomly, further suggesting a slowdown, but the task monitors etc. don't show any apps using a lot of CPU time. It's a dual core Athlon running at 3 GHz and usually fairly peppy. I'm also having dropouts in audio playing movies that go away later when playing the same file and have not occurred before, on at least 2 different players (VLC and Kaffeine; VLC has its own codecs so it's not a codec issue).

I have forwarded the Wireshark capture to Akamai security, of course.

"The difference between genius and stupidity is that genius has its limits" - Albert Einstein
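Added example, not part of the original post or anyone's reply to it: the kind of session described above, as it appears in Wireshark's "Follow TCP Stream" view of the FTP control connection, fed to a small parser that pulls out the login, the anonymous-FTP password (which by convention is a client-identifying string, not a secret), the directory changed into, and every file retrieved from or stored to the server. The two transcripts are constructed for the example; the repository path, the private address inside the password, the passive-mode address and the server messages are assumptions, not taken from the poster's capture. Two things a practitioner would check when reading such a capture: a file named repomd.xml is the index of an RPM-MD (zypper/yum style) package repository and lives in a repodata/ directory, and an address that shows up without a preceding DNS query may simply have been resolved before the capture started or answered from a resolver cache, so that alone does not prove a hard-coded address.

```python
# Summarise an FTP control session from a Wireshark "Follow TCP Stream" dump.
# Added example; the transcripts are constructed and the paths, addresses and
# banner text are assumptions.
import posixpath
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed transcript mirroring the session in the post: anonymous login,
# client-identifying password, cd into a repository directory, one small
# download, logout.  Client lines are verbs, server lines start with a code.
SAMPLE_STREAM = """\
220 FTP server ready.
USER anonymous
331 Please specify the password.
PASS yast@10.0.0.7
230 Login successful.
TYPE I
200 Switching to Binary mode.
CWD /opensuse/distribution/12.1/repo/oss/repodata
250 Directory successfully changed.
PASV
227 Entering Passive Mode (192,0,2,10,195,80).
SIZE repomd.xml
213 951
RETR repomd.xml
150 Opening BINARY mode data connection for repomd.xml (951 bytes).
226 Transfer complete.
QUIT
221 Goodbye.
"""

# Constructed contrast case: same login style, but the client pushes a file
# to the server, which is what exfiltration over FTP would look like.
UPLOAD_STREAM = """\
220 FTP server ready.
USER anonymous
331 Please specify the password.
PASS guest@example
230 Login successful.
CWD incoming
250 Directory successfully changed.
STOR home-dump.tgz
150 Ok to send data.
226 Transfer complete.
QUIT
221 Goodbye.
"""


@dataclass
class FtpSession:
    user: Optional[str] = None
    password: Optional[str] = None
    cwd: str = "/"
    retrieved: List[Tuple[str, int]] = field(default_factory=list)  # (path, bytes)
    uploaded: List[str] = field(default_factory=list)


REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")         # server: 3-digit code
CMD_RE = re.compile(r"^([A-Za-z]{3,4})(?:\s+(.*))?$")  # client: VERB [argument]
BYTES_RE = re.compile(r"\((\d+) bytes\)")              # size quoted in a 150 reply


def parse_ftp_stream(text: str) -> FtpSession:
    """Walk the interleaved client/server lines and record what the client did."""
    s = FtpSession()
    pending = None       # (verb, arg) of the client command awaiting its reply
    pending_size = None  # byte count from a 213 reply, consumed by the next RETR
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        reply = REPLY_RE.match(line)
        if reply:
            code, sep, msg = reply.groups()
            if sep == "-":          # continuation line of a multi-line reply
                continue
            verb, arg = pending or (None, "")
            target = posixpath.normpath(posixpath.join(s.cwd, arg)) if arg else s.cwd
            if code == "213" and verb == "SIZE":
                pending_size = int(msg.strip())
            elif code == "250" and verb == "CWD":
                s.cwd = target
            elif code == "250" and verb == "CDUP":
                s.cwd = posixpath.dirname(s.cwd) or "/"
            elif code in ("125", "150") and verb == "RETR":
                found = BYTES_RE.search(msg)
                size = pending_size if pending_size is not None else (
                    int(found.group(1)) if found else 0)
                s.retrieved.append((target, size))
                pending_size = None
            elif code in ("125", "150") and verb in ("STOR", "APPE"):
                s.uploaded.append(target)
            if code[0] != "1":      # 1xx is preliminary; any other code ends the command
                pending = None
            continue
        cmd = CMD_RE.match(line)
        if cmd:
            verb, arg = cmd.group(1).upper(), (cmd.group(2) or "").strip()
            pending = (verb, arg)
            if verb == "USER":
                s.user = arg
            elif verb == "PASS":
                s.password = arg
    return s


def is_repo_metadata_fetch(s: FtpSession) -> bool:
    """True when the session only read files out of a repodata/ directory
    (repomd.xml and the files it indexes) and sent nothing to the server."""
    if s.uploaded or not s.retrieved:
        return False
    return all(posixpath.basename(posixpath.dirname(p)) == "repodata"
               for p, _ in s.retrieved)


if __name__ == "__main__":
    for name, stream in (("sample", SAMPLE_STREAM), ("upload", UPLOAD_STREAM)):
        s = parse_ftp_stream(stream)
        print(name, s, "repo-metadata-fetch:", is_repo_metadata_fetch(s))
```

To use it on a real capture, select the FTP control connection in Wireshark, choose Follow TCP Stream, save the ASCII view to a file and pass its contents to parse_ftp_stream; the data connection (the 951 bytes themselves) is a separate stream and is not needed to see what was requested. Anything in the uploaded list, or a download outside a repodata/ directory, is what would actually need explaining.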