[clue] HACKED!

Michael Fierro miguelito at biffster.org
Mon Feb 27 15:09:16 MST 2012


Hmmm... I understand your concern, but I think I've gotta agree with
David. It sounds like SUSE is checking for updates. I know you said
that you disabled auto-checking, but it sure sounds like auto-checking
is still happening.



On Mon, Feb 27, 2012 at 1:21 PM, David L. Willson <DLWillson at thegeek.nu> wrote:
> Could this be innocuous? Could it be that you're running [Open]SUSE, and
> your machine's trying to update itself?
> ________________________________
>
> My machine has clearly been hacked and infected.  Any help greatly
> appreciated.  I have a Wireshark capture of my machine trying to access the
> Akamai FTP site when nothing other than Wireshark was running!  Additionally,
> my machine is looking up downloads.suse.org and the download.nvidia.com site
> every several minutes, again without any other activity.
>
> I'm running openSUSE 12.1; automatic updates is set to not check for
> updates.  packagekitd is also frequently running for no good reason, fairly
> alarming as it suggests someone has been futzing with my system.  What logs
> should I look at?  Transmission is also randomly terminating without any
> notice of crash or any apparent reason, further suggesting that someone wants
> bandwidth on my machine, most likely to steal files or run some sort of bot
> trying to attack other sites (as the Akamai FTP access suggests).  The Akamai
> FTP site is password protected for "anonymous" logins and my machine is
> responding with a password that seems to work, specifically "yast at 10.x.x"
> where x is a number I've blanked out for obvious reasons.  Scary!
>
> On further examination of the Wireshark capture, my machine is entering the
> suse directory at the Akamai site (69.31.121.43), which is NOT from a DNS
> query, further suggesting a virus/bot infection since the IP address is
> obviously hard coded!  Further, after it successfully logs into the Akamai site
> and changes directory, a 951 byte file named "repo.md.xml" is being
> downloaded and then my system is logged out of the Akamai site.  Very odd
> indeed!
>
> Anyone have any idea wtf is going on?  Is this a virus/bot, or is this strange
> behaviour somehow normal???
>
> This install has been running less than 1 month.  Also experiencing apparent
> high load/delays randomly, further suggesting a slowdown, but the task
> monitors etc. don't show any apps using a lot of CPU time.  It's a dual core
> Athlon running at 3 GHz and usually fairly peppy.  Also having dropouts in
> audio playing movies that go away later when playing the same file and have
> not occurred before on at least 2 different players (VLC and Caffeine; VLC
> has its own codecs so it's not a codec issue).
>
> I have forwarded the Wireshark capture to Akamai security of course.

-- 
Michael Fierro                                      biffster at gmail.com
"The truth of the matter is, I'm a bright enough guy, but I'm hardly a
genius." - Cory Doctorow
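One way to settle the question the thread raises (is this traffic just the package manager refreshing its repositories?) is to correlate the hosts and paths seen in the capture with the repositories configured under /etc/zypp/repos.d/. The script below is an added example, not code from anyone in this thread; the repo text and connection list are constructed, and it assumes the INI layout libzypp uses for .repo files (enabled=, baseurl=) and that a refresh fetches repodata/repomd.xml under each baseurl.

```python
import configparser
from urllib.parse import urlparse
# Constructed .repo text in the INI layout of /etc/zypp/repos.d/ (one repo per section).
SAMPLE_REPOS = """[repo-oss]
enabled=1
baseurl=http://download.opensuse.org/distribution/12.1/repo/oss/
[nvidia]
enabled=1
baseurl=ftp://download.nvidia.com/opensuse/12.1
[old-extra]
enabled=0
baseurl=http://example.invalid/repo/
"""
# Constructed (host-or-IP, path) pairs as read from a capture; the two IPs are RFC 5737 test addresses.
SAMPLE_CONNECTIONS = [
    ("download.opensuse.org", "/distribution/12.1/repo/oss/repodata/repomd.xml"),
    ("download.nvidia.com", "/opensuse/12.1/repodata/repomd.xml"),
    ("192.0.2.10", "/distribution/12.1/repo/oss/repodata/repomd.xml"),
    ("example.invalid", "/repo/repodata/repomd.xml"),
    ("203.0.113.77", "/misc/blob.bin"),
]

def enabled_repos(repo_text):
    """Map alias -> (host, path prefix) for every repo with enabled=1."""
    cp = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    cp.read_string(repo_text)
    repos = {}
    for alias in cp.sections():
        if cp.get(alias, "enabled", fallback="1") != "1":
            continue  # a disabled repo explains no traffic
        url = urlparse(cp.get(alias, "baseurl", fallback=""))
        if url.hostname:
            repos[alias] = (url.hostname.lower(), url.path.rstrip("/") + "/")
    return repos

def classify(connections, repo_text):
    """Label 'repo:<alias>' (host is a configured repo host), 'mirror?:<alias>' (unknown
    host but path under a configured repo, as a mirror redirect produces) or 'unexplained'."""
    repos = enabled_repos(repo_text)
    labelled = []
    for host, path in connections:
        label = "unexplained"
        for alias, (rhost, rpath) in repos.items():
            if host.lower() == rhost:
                label = f"repo:{alias}"
                break
            if path.startswith(rpath):
                label = f"mirror?:{alias}"
        labelled.append((host, path, label))
    return labelled
```

A 'mirror?' hit on a bare IP is the pattern to confirm against the preceding redirect in the capture rather than assume; anything left 'unexplained' is where the log review should start.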

