What to do if your computer is hacked

Today I found that one of my machines had been hacked by an unknown intruder. The machine runs Rocks 4.1, which is built on CentOS 4.2 Final. Actually, I didn't know it was hacked until my NOC notified me; the NOC had received the notification from eBay. I am one of the team investigating this problem. The steps below are what I did.

  1. My colleague found that there were many processes named `(swapd)`. Unfortunately, the executable had been removed.
  2. So I looked at the login records using `last`. I found one weird login, by a user named `ftpd`.
  3. As far as I remember, I have never started any FTP service on this machine! There was something wrong with user ftpd.
  4. So I opened /etc/passwd and /etc/shadow to find more information about user ftpd.
  5. Sadly, it was on the last line, and login was enabled. This must be some kind of backdoor.
  6. Then I tried to find out more using netstat and ps. Nothing found! This was very strange, because I couldn't use netstat -p. It seemed netstat had been replaced by a rootkit.
  7. So I didn't believe anything I saw and started verifying common executables like netstat and ps with rpm -V.
  8. Well, they had been replaced by a rootkit, as I thought. So I downloaded all the necessary executables from another machine.
  9. The next step was to see what commands user ftpd had run, in .bash_history. Nothing.
  10. So I went back and checked root's history. Bingo! The intruder forgot to remove root's history.
  11. In the history, I found the commands for preparing an eBay phishing site, in 4 steps:
    1. Create .eBay directory in /var/www/html
    2. Download http://www.pishat.com/ebay.tgz and extract it in .eBay
    3. Download http://www.pishat.com/neptune.tar and extract it somewhere
    4. Run install script

    Once I had ebay.tgz, I looked into the code and found that it was a phishing kit targeting eBay! In its last step, the victim's credit card information is sent to . Are you hacked? Don't worry too much. If you are already hacked, you are hacked; you can change nothing. For me, this machine is just for installation testing, so I will simply reinstall it again and again.
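The checks in steps 5 to 12 above, as an added shell example that is not part of the original post and not Rocks or CentOS code: a passwd scan for backdoor accounts such as the `ftpd` user, a /proc-versus-ps comparison for processes a trojaned ps hides, and a hash comparison of binaries against copies from a clean host, plus an rpm -V wrapper for hosts that have rpm. The passwd entries, PID lists and file names are constructed; the `PS` and `MD5SUM` variables and all function names are assumptions.

```shell
#!/bin/sh
# Added example: triage helpers for a host suspected of carrying a userland
# rootkit and a backdoor account. Not the post's own code; sample inputs are
# constructed. On a compromised box, point PS and MD5SUM at clean, statically
# linked copies brought in from another machine, since the local ones may be
# trojaned (assumed variable names).
: "${PS:=ps}"
: "${MD5SUM:=md5sum}"

# Backdoor accounts: a second UID 0 entry, or a low-UID "system" account
# (UID < 500 on CentOS 4) that has a real login shell instead of nologin.
# Prints name:uid:shell for every hit, in file order. $1 = passwd file.
find_suspicious_accounts() {
    awk -F: '
        $1 == "root" { next }
        $3 == 0 { print $1 ":" $3 ":" $7; next }
        $3 < 500 && $7 !~ /\/(nologin|false|sync|halt|shutdown)$/ {
            print $1 ":" $3 ":" $7
        }
    ' "$1"
}

# Hidden processes: PIDs present in /proc that ps does not report, which is
# what a trojaned ps produces. $1 = file of PIDs read from /proc, $2 = file of
# PIDs reported by ps. An empty ps list flags every /proc PID, as it should.
hidden_pids() {
    awk 'FILENAME == ARGV[1] { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$2" "$1"
}

# Live wrapper. /proc is sampled first, then ps, and a PID is only reported
# if it is still alive afterwards: the ls/grep that took the snapshot, and any
# process that merely exited between the two samples, fail the liveness test,
# while a process that ps keeps hiding is still there.
live_hidden_pids() {
    tmp_proc=$(mktemp) && tmp_ps=$(mktemp) || return 1
    ls /proc | grep '^[0-9][0-9]*$' > "$tmp_proc"
    "$PS" -e -o pid= | tr -d ' ' > "$tmp_ps"
    hidden_pids "$tmp_proc" "$tmp_ps" | while read -r pid; do
        [ -d "/proc/$pid" ] && echo "$pid"
    done
    rm -f "$tmp_proc" "$tmp_ps"
}

# Replaced binaries: compare against hashes recorded on a clean machine with
# the same package versions ("md5sum /bin/ps /bin/netstat ... > good.md5").
# Prints each path whose hash differs or which cannot be read. $1 = hash file.
check_binaries() {
    "$MD5SUM" -c "$1" 2>/dev/null | sed -n 's/: FAILED.*$//p'
}

# Where rpm exists (CentOS/Rocks), the package database offers a similar check
# without a second machine: a "5" in the attribute column of rpm -V means the
# file's digest differs from the one recorded at install time. The rpm database
# lives on the same disk the intruder owned, so a clean result is weak evidence.
verify_with_rpm() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found, use check_binaries" >&2; return 2; }
    for f in "$@"; do
        pkg=$(rpm -qf "$f" 2>/dev/null) || { echo "$f: not owned by any package"; continue; }
        rpm -V "$pkg" | grep -F " $f"
    done
}

# Usage on the suspect host (paths assumed):
#   find_suspicious_accounts /etc/passwd
#   live_hidden_pids
#   check_binaries /mnt/clean/good.md5
#   verify_with_rpm /bin/ps /bin/netstat /bin/ls /usr/bin/find
```

Run the helpers from a shell whose `PATH` points at the clean binaries, not the ones on the box, and treat what they report as a starting point for the `last`, history and web-root review the post describes rather than as a clean bill of health; a kernel-level rootkit hides from all three checks, which is one more reason the reinstall the author chose is the right ending.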
