I was once invited to analyze a Linux machine that was invaded. I ended up writing an article about it for the Brazilian Linux Magazine.

The problem with the machine was a VERY weak root password. We could also find the tools they used to break into that machine, because they had installed them to attack other machines.

We could see a file containing about 18000 user+password combinations, a modified SSH client and a script that runs it all based on an IP range.

In our case, the attack was silent. They just wanted to use the machine to attack other machines. Pretty stupid.

It is easy to learn about these attacks. Just connect a machine with a plain Linux installation and ‘passw0rd’ as the root password to the Internet, wait 1 or 2 weeks and your machine will be attacked. One way to verify that the crackers are already in is to reinstall the netstat command (because they will have modified your previous one) and see whether there is a connection to IRC ports (around 6667).

If you investigate this IRC bot you’ll be able to connect to the IRC server, find the chat room, and actually talk to the cracker. I did this once and it was not very funny.

Take care, Oded!
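The netstat check described in the comment above, as an added example that is not part of the original post: because the intruder may have replaced the netstat binary, this script reads the kernel's own socket table in /proc/net/tcp instead and flags established connections to IRC ports. The sample table, the IRC port set and the little-endian host assumption are mine, not the comment's.

```python
# Added example, not code from the comment above. Instead of trusting a
# netstat binary that the intruder may have replaced, read the kernel's own
# socket table in /proc/net/tcp and flag established connections to IRC ports.
import socket
import struct

# Ports commonly used by IRC servers (assumption: 6660-6669 plain, 6697 TLS).
IRC_PORTS = set(range(6660, 6670)) | {6697}
ESTABLISHED = "01"  # state code used in /proc/net/tcp

# Constructed sample of /proc/net/tcp from a little-endian host (not real data):
# an sshd listener, a live connection to 192.0.2.10:6667 and a TIME_WAIT to 6697.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1
   1: 0F02000A:B1D2 0A0200C0:1A0B 01 00000000:00000000 00:00000000 00000000     0        0 10002 1
   2: 0F02000A:C4E8 0A0200C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 10003 1
   3: 0F02000A:D0A1 0A0200C0:1A29 06 00000000:00000000 00:00000000 00000000     0        0 10004 1
"""

def parse_addr(hex_addr: str) -> tuple[str, int]:
    """Decode 'AABBCCDD:PPPP' (IPv4 in host byte order, hex port) to ('a.b.c.d', port)."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))  # little-endian host assumed
    return ip, int(port_hex, 16)

def find_irc_connections(proc_net_tcp: str) -> list[dict]:
    """Return established connections whose remote port is an IRC port."""
    hits = []
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 8:
            continue
        local, remote, state, uid = fields[1], fields[2], fields[3], fields[7]
        if state != ESTABLISHED:
            continue
        rip, rport = parse_addr(remote)
        if rport in IRC_PORTS:
            lip, lport = parse_addr(local)
            hits.append({"local": f"{lip}:{lport}", "remote": f"{rip}:{rport}", "uid": int(uid)})
    return hits

def scan_live() -> list[dict]:
    """Run the same check against the running kernel's table (Linux only)."""
    with open("/proc/net/tcp") as f:
        return find_irc_connections(f.read())

if __name__ == "__main__":
    for hit in find_irc_connections(SAMPLE):
        print(f"uid {hit['uid']}: {hit['local']} -> {hit['remote']} (IRC port)")
```

A kernel-level rootkit can still hide entries here, so treat a clean result as one signal among several, not as proof the machine is clean.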