Hi all, today I briefly caught an uninvited guest on my home NAS/HTPC. If anyone wants to know what a piece of "malware" on a Linux system can look like, have a look at the attached archive.
Files:
. ./lib ./lib/log ./lib/2 ./lib/2/muhrc ./lib/init ./lib/config ./lib/dir ./lib/muhrc ./lib/mess ./lib/h.c ./lib/inst ./lib/h ./lib/run ./lib/.servers ./lib/run2 ./lib/.ss ./lib/.clean ./lib/y ./lib/f ./lib/cron.d ./lib/restart ./lib/servers ./lib/ips ./lib/.muh ./lib/.muh/muh.spec ./lib/.muh/config.status ./lib/.muh/muh.spec.in ./lib/.muh/VERSION ./lib/.muh/config.log ./lib/.muh/TODO ./lib/.muh/COPYING ./lib/.muh/config.h ./lib/.muh/install-sh ./lib/.muh/configure.ac ./lib/.muh/ChangeLog ./lib/.muh/stamp-h.in ./lib/.muh/misc ./lib/.muh/misc/muh-check ./lib/.muh/misc/muhrc.in ./lib/.muh/misc/muhrc ./lib/.muh/misc/muh-rotatelog ./lib/.muh/misc/Makefile.am ./lib/.muh/misc/Makefile ./lib/.muh/misc/Makefile.in ./lib/.muh/run ./lib/.muh/config.h.in ./lib/.muh/doc ./lib/.muh/doc/version.texi ./lib/.muh/doc/muh.texinfo ./lib/.muh/doc/muh.info ./lib/.muh/doc/Makefile.am ./lib/.muh/doc/Makefile ./lib/.muh/doc/stamp-vti ./lib/.muh/doc/mdate-sh ./lib/.muh/doc/Makefile.in ./lib/.muh/missing ./lib/.muh/src ./lib/.muh/src/dlink.h ./lib/.muh/src/ignore.h ./lib/.muh/src/dlink.c ./lib/.muh/src/ascii.h ./lib/.muh/src/irc.h ./lib/.muh/src/irc.c ./lib/.muh/src/parser.y ./lib/.muh/src/commands.h ./lib/.muh/src/log.h ./lib/.muh/src/perm.h ./lib/.muh/src/perm.c ./lib/.muh/src/channels.h ./lib/.muh/src/table.h ./lib/.muh/src/match.c ./lib/.muh/src/Makefile.am ./lib/.muh/src/lexer.l ./lib/.muh/src/commands.c ./lib/.muh/src/muh.h ./lib/.muh/src/Makefile ./lib/.muh/src/parser.c ./lib/.muh/src/channels.c ./lib/.muh/src/dcc.h ./lib/.muh/src/common.c ./lib/.muh/src/muh.c ./lib/.muh/src/lexer.c ./lib/.muh/src/parser.h ./lib/.muh/src/log.c ./lib/.muh/src/table.c ./lib/.muh/src/match.h ./lib/.muh/src/tools.h ./lib/.muh/src/tools.c ./lib/.muh/src/messages.h ./lib/.muh/src/common.h ./lib/.muh/src/ignore.c ./lib/.muh/src/ascii.c ./lib/.muh/src/dcc.c ./lib/.muh/src/Makefile.in ./lib/.muh/README ./lib/.muh/mkinstalldirs ./lib/.muh/Makefile.am ./lib/.muh/NEWS ./lib/.muh/configure ./lib/.muh/Makefile 
./lib/.muh/conf ./lib/.muh/aclocal.m4 ./lib/.muh/stamp-h ./lib/.muh/AUTHORS ./lib/.muh/Makefile.in ./lib/.muh/INSTALL
I caught it through a very stupid password (the user/password combo remote/remote is stupid too).
The fact is that all infected machines log into the channel #secret on the undernet.org IRC; the attacking machine comes from Spain: