[lug] [clue] HACKED!
David L. Willson
DLWillson at TheGeek.NU
Mon Feb 27 13:21:51 MST 2012
Could this be innocuous? Could it be that you're running [Open]SUSE, and your machine's trying to update itself?
David L. Willson
Trainer, Engineer, Enthusiast
RHCE MCT MCSE Network+ A+ Linux+ LPIC-1 NovellCLA UbuntuCP
Freedom is better when you earn it. Learn Linux.
----- Original Message -----
> My machine has clearly been hacked and infected. Any help greatly appreciated. I have a Wireshark capture of my machine trying to access the Akamai FTP site when nothing other than Wireshark was running! Additionally, my machine is looking up downloads.suse.org and the download.nvidia.com site every several minutes, again without any other activity.
>
> I'm running openSUSE 12.1; automatic updates is set to not check for updates. packagekitd is also frequently running for no good reason, fairly alarming as it suggests someone has been futzing with my system. What logs should I look at? Transmission is also randomly terminating without any notice of a crash or any apparent reason, further suggesting that someone wants bandwidth on my machine, most likely to steal files or run some sort of bot trying to attack other sites (as the Akamai FTP access suggests). The Akamai FTP site is password protected for "anonymous" logins and my machine is responding with a password that seems to work, specifically "yast at 10.x.x" where x is a number I've blanked out for obvious reasons. Scary!
>
> On further examination of the Wireshark capture, my machine is entering the suse directory at the Akamai site (22.214.171.124), which is NOT from a DNS query, further suggesting a virus/bot infection since the IP address is obviously hard coded! Further, after it successfully logs into the Akamai site and changes directory, a 951 byte file named "repo.md.xml" is being downloaded and then my system is logged out of the Akamai site. Very odd indeed!
>
> Anyone have any idea wtf is going on? Is this a virus/bot, or is this strange behaviour somehow normal???
>
> This install has been running less than 1 month. Also experiencing apparent high load/delays randomly, further suggesting a slowdown, but the task monitors etc. don't show any apps using a lot of CPU time. It's a dual core Athlon running at 3GHz and usually fairly peppy. Also having dropouts in audio playing movies that go away later when playing the same file and have not occurred before, on at least 2 different players (VLC and Kaffeine; VLC has its own codecs so it's not a codec issue).
>
> I have forwarded the Wireshark capture to Akamai security, of course.
>
> "The difference between genius and stupidity is that genius has its limits" Albert Einstein
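The original poster asks which logs to look at, and the reply's hypothesis is that the FTP session is the distribution's own repository refresh rather than a bot. One offline way to test that hypothesis, as an added example that is not part of the original thread and not code from either poster: replay the FTP commands seen in the capture and check whether the directory the client entered lies under a repository configured in /etc/zypp/repos.d. Everything below is constructed sample data: the hostnames, the paths, the 10.0.0.5 address, and the .repo contents are assumptions, and the fetched file is assumed to be repomd.xml, the rpm-md metadata index (the post records it as "repo.md.xml"). The script does not resolve the repository hostname, so whether the mirror's IP address actually belongs to that hostname is a separate DNS check.

```python
"""Check whether an anonymous-FTP session seen in a packet capture is explained
by the package repositories configured on an openSUSE host (zypper/PackageKit).

Added example with constructed data; runs offline.
"""
import configparser
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed client-side FTP control-channel commands, in the form one would
# copy from Wireshark's "Follow TCP Stream" view. Hostname, path and the
# 10.0.0.5 address are assumptions, not taken from the poster's capture.
FTP_SESSION = """\
USER anonymous
PASS yast@10.0.0.5
CWD /pub/opensuse/distribution/12.1/repo/oss
CWD repodata
TYPE I
PASV
RETR repomd.xml
QUIT
"""

# Constructed /etc/zypp/repos.d/*.repo contents (zypper's INI-style repo files).
REPO_FILES = """\
[repo-oss]
name=openSUSE-12.1-Oss
enabled=1
autorefresh=1
baseurl=ftp://ftp.example.org/pub/opensuse/distribution/12.1/repo/oss/
type=yast2

[nvidia]
name=nVidia Graphics Drivers
enabled=1
autorefresh=1
baseurl=ftp://download.nvidia.com/opensuse/12.1
type=rpm-md

[disabled-extra]
name=Something the admin turned off
enabled=0
autorefresh=1
baseurl=ftp://ftp.example.org/pub/other/
type=rpm-md
"""

# Files a repository refresh is expected to fetch from repodata/.
METADATA_SUFFIXES = (".xml", ".xml.gz", ".xml.bz2", ".asc", ".key")


@dataclass
class FtpSession:
    user: str = ""
    password: str = ""
    cwd: str = "/"                        # directory after the last CWD
    retrieved: list = field(default_factory=list)


def parse_ftp_session(text):
    """Replay USER/PASS/CWD/RETR commands and return the resulting session."""
    s = FtpSession()
    for line in text.splitlines():
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            s.user = arg
        elif cmd == "PASS":
            s.password = arg
        elif cmd == "CWD":
            # Absolute CWD replaces the directory, relative CWD descends into it.
            s.cwd = arg if arg.startswith("/") else s.cwd.rstrip("/") + "/" + arg
        elif cmd == "RETR":
            s.retrieved.append(arg)
    return s


def parse_repos(text):
    """Return (alias, baseurl) for every enabled repository in the .repo text."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return [(alias, cp[alias]["baseurl"])
            for alias in cp.sections() if cp[alias].get("enabled", "1") == "1"]


def matching_repo(session, repos):
    """Alias of the first enabled FTP repository whose path contains session.cwd."""
    cwd = session.cwd.rstrip("/") + "/"
    for alias, url in repos:
        u = urlparse(url)
        if u.scheme != "ftp":
            continue
        if cwd.startswith(u.path.rstrip("/") + "/"):
            return alias
    return None


def assess(session, repos):
    """Summarise the session and say whether a repository refresh explains it."""
    repo = matching_repo(session, repos)
    metadata_only = all(f.endswith(METADATA_SUFFIXES) for f in session.retrieved)
    result = {
        "anonymous_login": session.user.lower() == "anonymous",
        # "user@host" is the conventional anonymous-FTP password; the poster's
        # capture showed "yast@<address>", i.e. the client identifying itself.
        "password_is_user_at_host": "@" in session.password,
        "repo_match": repo,
        "files": list(session.retrieved),
        "metadata_only": metadata_only,
    }
    if result["anonymous_login"] and repo and metadata_only:
        result["verdict"] = "consistent with repository refresh"
    elif repo:
        result["verdict"] = "package download from a configured repository; confirm against the package manager's history"
    else:
        result["verdict"] = "path not in any enabled repository; investigate"
    return result


if __name__ == "__main__":
    session = parse_ftp_session(FTP_SESSION)
    for key, value in assess(session, parse_repos(REPO_FILES)).items():
        print(f"{key}: {value}")
```

On a real host the .repo text would be read from /etc/zypp/repos.d and the FTP commands pasted from the capture; a path match plus metadata-only downloads is the signature of an autorefresh, whereas a directory outside every enabled repository is the case that deserves the investigation the poster was planning.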