Romanian Hackers

On Friday, I was updating a server, one that we recently took over for maintenance, and noticed that there was unusual activity in the bash history. Someone logged in as root, went to a directory called .ICE, and ran a program.

Piecing together the story, it appears that the server was hacked by a bot network, using Romanian software. Then, someone in Taiwan issued a UDP flood attack on half a dozen TOR nodes.

If you have a .ICE directory in ~root, you might want to check it out. The rootkit scanners did not find the offending software, but they did find two users with superuser privileges (UID 0), named “security” and “sec”. The root password had also been reset, and the “security” user didn’t appear to be used. Idiots.

Inside the .ICE directory, there were programs named “smurf”, “stealth”, “flood”, and “killer”. It also appeared to install a chat server of some kind. According to the chat logs, one of the users has an IP address from Taiwan. I found a list of 15k IP addresses, which could be other bots in the network. There’s also some software with comments in Romanian, and after some googling, I found a website in Romania with the same code. There, the software is in a directory called “beast”.
