Gossamer Forum

Help, is it hacking?

Dear all,

A client on my server put these files in his bin directory. I don't know what he wants to do. Is he trying to hack my server later? Because of some issue, I have disabled his login.

Here are the files:
1.
alias l 'ls -alt'
alias c 'clear'
alias rm 'rm'
alias cp 'cp'
set term=vt100
set clobber

set path=($path . $HOME/bin /usr/bin /usr/local/bin /usr/sbin)
set path=($path /usr/X11R6/bin /usr/X11R6/bin /usr/bin/X11)
set path=($path /usr/bin/X11 /usr/local/c++ /bin /usr/include)

2.
if ($?prompt) then
set prompt="`uname -n`> "
set notify
set history = 32
alias push "pushd ."
# alias pd pushd
alias pop popd
alias vt52 "set term = vt52"
alias ti745 "set term = ti745 ; stty -tabs"
alias ti785 "set term = ti745 ; stty -tabs"
alias vt100 "set term = vt100"
stty echoe
endif
umask 077
set path=($path . $HOME/bin /usr/bin /usr/local/bin /usr/sbin)
set path=($path /usr/X11R6/bin /usr/X11R6/bin /usr/bin/X11)
set path=($path /usr/bin/X11 /usr/local/c++ /bin /usr/include)
set filec
set noclobber
set prompt="`uname -n`:${cwd}> "
alias ls 'ls -aF'
alias dir ls
alias deltree 'rm -rf'
alias ren mv
alias del rm
alias cp 'cp -i'
alias mv 'mv -i'
alias rm 'rm -i'
alias pwd 'echo $cwd'
alias cd 'cd \!*; set prompt = "`hostname|cut -d. -f1`:`dirs`/> "'
alias pushd 'pushd \!*; set prompt = "`hostname`:$cwd> "'
alias popd 'popd; set prompt = "`hostname`:$cwd> "'
alias rgrep find . -name \!:2 -exec grep -i \!^ {} /dev/null \\\;
alias lr "ls -lagFqt \!* | head"
limit coredumpsize 0


Can someone help me?

Re: Help, is it hacking?
Are you the administrator of this server?
He isn't hacking, he's just defining aliases so he can use DOS commands to work in a *nix shell.

1.
alias l 'ls -alt'
alias c 'clear'
alias rm 'rm'
alias cp 'cp'
set term=vt100
set clobber

He seems a bit dense with building aliases that don't do anything, but nothing harmful.

set path=($path . $HOME/bin /usr/bin /usr/local/bin /usr/sbin)
set path=($path /usr/X11R6/bin /usr/X11R6/bin /usr/bin/X11)
set path=($path /usr/bin/X11 /usr/local/c++ /bin /usr/include)

He's adding one of the sbin dirs to his path, but he can't execute anything inside it thanks to real OSs having permissions systems that are secure.
He's also setting his path to include the xwin directories. No biggie.


2.
if ($?prompt) then
set prompt="`uname -n`> "
set notify
set history = 32
alias push "pushd ."
# alias pd pushd
alias pop popd
alias vt52 "set term = vt52"
alias ti745 "set term = ti745 ; stty -tabs"
alias ti785 "set term = ti745 ; stty -tabs"
alias vt100 "set term = vt100"
stty echoe
endif

more aliases for various term types.


umask 077

setting the default permissions that will be set on files they create.


set path=($path . $HOME/bin /usr/bin /usr/local/bin /usr/sbin)
set path=($path /usr/X11R6/bin /usr/X11R6/bin /usr/bin/X11)
set path=($path /usr/bin/X11 /usr/local/c++ /bin /usr/include)

repetitive path definitions


set filec
set noclobber
set prompt="`uname -n`:${cwd}> "
alias ls 'ls -aF'
alias dir ls
alias deltree 'rm -rf'
alias ren mv
alias del rm
alias cp 'cp -i'
alias mv 'mv -i'
alias rm 'rm -i'
alias pwd 'echo $cwd'
alias cd 'cd \!*; set prompt = "`hostname|cut -d. -f1`:`dirs`/> "'
alias pushd 'pushd \!*; set prompt = "`hostname`:$cwd> "'
alias popd 'popd; set prompt = "`hostname`:$cwd> "'

DOS and various list aliases


alias rgrep find . -name \!:2 -exec grep -i \!^ {} /dev/null \\\;

a really dumb alias that won't work because of several syntax errors.


alias lr "ls -lagFqt \!* | head"

I'm guessing he's trying to show the first several lines of each file matched in his ls, but it won't work the way he has it set up.


limit coredumpsize 0

duh

The point is, he can't 'hack' your system as a generic user unless you make an opening for him to use. Either way, there is nothing wrong with these.

-- Gordon



s/(\d{2})/chr($1)/ge + print if $_ = '8284703280698276687967';
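
As an added example (not code from the thread or from either poster): a small Python triage script for csh/tcsh startup files like the two quoted above. It flags aliases that point a well-known command name at a different program, aliases that wrap a recursive or forced `rm`, and non-absolute search-path entries such as `.`; the `KNOWN` list and the finding tags are assumptions chosen for illustration, and the sample input is constructed from lines in the thread.

```python
import re

# Constructed sample: a subset of the lines from the two files quoted in the thread.
SAMPLE = r"""
alias rm 'rm'
alias deltree 'rm -rf'
alias ls 'ls -aF'
alias pwd 'echo $cwd'
alias cd 'cd \!*; set prompt = "`hostname`:$cwd> "'
set path=($path . $HOME/bin /usr/bin /usr/local/bin /usr/sbin)
umask 077
"""

# Assumption: a short illustrative list of command names worth watching.
KNOWN = {"ls", "rm", "cp", "mv", "cd", "pwd", "su", "ssh", "passwd"}
ALIAS_RE = re.compile(r"^alias\s+(\S+)\s+(.+)$")
PATH_RE = re.compile(r"^set\s+path\s*=\s*\((.*)\)")

def audit_cshrc(text):
    """Return (line_no, tag, detail) findings for a csh/tcsh startup file."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ALIAS_RE.match(line)
        if m:
            name, body = m.group(1), m.group(2).strip("'\"")
            words = body.split()
            first = words[0] if words else ""
            if name in KNOWN and first != name:
                # Typing a familiar command name would run a different program.
                findings.append((no, "alias-redirect", f"{name} -> {first}"))
            if re.search(r"\brm\s+-\w*[rf]", body):
                # The alias hides a recursive or forced delete behind another name.
                findings.append((no, "alias-destructive", f"{name} -> {body}"))
            continue
        m = PATH_RE.match(line)
        if m:
            for entry in m.group(1).split():
                # Entries not anchored at /, ~ or a variable resolve against the cwd.
                if not entry.startswith(("/", "$", "~")):
                    findings.append((no, "path-relative", entry))
    return findings

if __name__ == "__main__":
    for finding in audit_cshrc(SAMPLE):
        print(finding)
```

Findings are prompts for a manual look, not verdicts: startup files like these only shape the shell sessions of the account that owns them.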
Re: Help, is it hacking?
Hi Gordon,

Thanks for your help. Your explanation is really helpful. Recently, a lot of Linux servers got hacked within our internal network. The hacker just stopped Apache, FTP, DNS....

I have already upgraded all software to the latest version, hope everything is fine :-).