[lug] [clue] HACKED!

David L. Willson DLWillson at TheGeek.NU
Mon Feb 27 13:21:51 MST 2012

Could this be innocuous? Could it be that you're running [Open]SUSE, and your machine's trying to update itself? 

David L. Willson 
Trainer, Engineer, Enthusiast 
RHCE MCT MCSE Network+ A+ Linux+ LPIC-1 NovellCLA UbuntuCP 
Freedom is better when you earn it. Learn Linux. 

----- Original Message -----

> my machine has clearly been hacked and infected. any help greatly
> appreciated. I have a wireshark capture of my machine trying to
> access the akami ftp site when nothing other than wireshark was
> running! additionally my machine is looking up downloads.suse.org
> and the download.nvidiacom site every several minutes, again without
> any other activity.

> i'm running open suse 12.1, automatic updates is set to not check for
> updates. packagekitd is also frequently running for no good reason,
> fairly alarming as it suggest someone has been futsing with my
> system. what logs should i look at? transmission is also randomly
> terminating without any notice of crash or any apparent reason
> further suggesting that someone wants bandwidth on my machine, most
> likely to steal files or run some sort of bot trying to attack other
> sites (as the akami ftp access suggest). the akami ftp site is
> password protected for "anonymous" logins and my machine is
> responding with a password that seems to work specifically
> "yast at 10.x.x" where x is a number i've blanked out for obvious
> reasons. Scary!

> on further examination of the wireshark capture my machine is
> entering the suse directory at the akami site ( which
> is NOT from a dns query further suggesting a virus/bot infection
> since the ip address is obviously hard coded! further after it
> succesfully logs into the akami site and changes directory a 951
> byte file named "repo.md.xml" is being downloaded and then my system
> is logged out of the akami site. very odd indeed!

> any one have any idea wtf is going on? is this a virus/bot or strange
> behaviour somehow normal???

> this install has been running less than 1 month. also experiancing
> apparent high load/delays randomly further suggesting a slow down
> but the task monitors etc. don't show any apps using a lot of cpu
> time. i'ts a dual core athlon running at 3Ghz and usually fairly
> peppy. also having dropouts in audio playing movies that go away
> later when playing the same file and have not occured before on at
> least 2 different players (vlc and caffeine, vlc has it's own codecs
> so it's not a codec issue).

> I have forwarded the wireshark capture to akami security of course.

> "The difference between genius and stupidity is that genius has it's
> limits" Albert Einstein
> _______________________________________________
> clue mailing list: clue at cluedenver.org
> For information, account preferences, or to unsubscribe see:
> http://cluedenver.org/mailman/listinfo/clue
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.lug.boulder.co.us/pipermail/lug/attachments/20120227/1c2a70d6/attachment.html>

More information about the LUG mailing list