need further help with break in

From: Ingram (Vailat_private)
Date: Mon Jul 29 2002 - 12:20:15 PDT


    Greetings community,
    
    I'm trying forensics on a real break-in for the first time and, well,
    it's a really difficult task. I read some papers on forensics and TCT,
    but I'm stuck in finding out what exactly happened.
    
    1) The Situation
    On Jul 2 I installed an OpenBSD 3.1 host in our DMZ; foolish as I was,
    I did _not_ patch it directly. This was the time when the Gobbles
    ssh remote root exploit was released. The machine had only one
    open port... ssh.
    
    2) The Break-in
    On Jul 4 I wanted to patch the server; doing a usual 'ps ax' beforehand
    showed me the following very suspect lines:
    
    14838 C0  Is+     0:00.02 login -p --\^[[20~0\^[[20~\^[[18~\^[[18~4cxs\^[[13~\^[
     1012 C0  I+      0:00.01 krb4-or-pwd -s login\^[[20~0\^[[20~\^[[18~\^[[18~4cxs\^[[13~\^[ default (login_krb4-or-pw)
    
    After I'd seen that, I (*maybe a failure*) stopped these two services
    with 'kill' and halted the machine.
    
    3) My forensics...
    I turned the power off and put the hard disk into my development box,
    mounting it read-only:
    laboratory# mount -o ro /dev/ad1s4 /mnt
    
    Next step was 'grave-robber', 'unrm' and 'lazarus' from TCT:
    laboratory# script
    laboratory# grave-robber -v /mnt
    laboratory# unrm /dev/ad1s4 >unrm_output
    laboratory# lazarus -h unrm_output
    
    Well, now I got 1.8 gig of output which could be analysed... but for what?
    Looking at every single file seems to take a whole lifetime; since I have
    no clue what the attacker could have done, I don't know what to look for.
    What makes this much harder is that there were some files recovered which
    seem to be from a previous installation.
    
    So I tried a find on atime:
    laboratory# find /mnt -atime -20 -type f
    /mnt/bin/cat
    /mnt/bin/chgrp
    /mnt/bin/chmod
    /mnt/bin/date
    /mnt/bin/dd
    /mnt/bin/domainname
    /mnt/bin/hostname
    /mnt/bin/ksh
    /mnt/bin/rksh
    /mnt/bin/rm
    /mnt/bin/sh
    /mnt/bin/sleep
    /mnt/etc/kerberosIV/krb.extra
    /mnt/etc/exports
    /mnt/etc/gettytab
    /mnt/etc/group
    /mnt/etc/hosts
    /mnt/etc/login.conf
    /mnt/etc/motd
    /mnt/etc/myname
    /mnt/etc/netstart
    /mnt/etc/rc
    /mnt/etc/rc.conf
    /mnt/etc/rc.local
    /mnt/etc/rc.securelevel
    /mnt/etc/services
    /mnt/etc/spwd.db
    /mnt/etc/ssh/sshd_config
    /mnt/etc/ssh/ssh_host_dsa_key
    /mnt/etc/ssh/ssh_host_rsa_key
    /mnt/etc/ssh/ssh_host_key
    /mnt/etc/sysctl.conf
    /mnt/etc/syslog.conf
    /mnt/etc/ttys
    /mnt/etc/wsconsctl.conf
    /mnt/etc/fstab
    /mnt/etc/hostname.xl0
    /mnt/etc/mygate
    /mnt/etc/resolv.conf
    /mnt/etc/kbdtype
    /mnt/sbin/brconfig
    /mnt/sbin/chown
    /mnt/sbin/dmesg
    /mnt/sbin/ifconfig
    /mnt/sbin/kbd
    /mnt/sbin/ldconfig
    /mnt/sbin/mount
    /mnt/sbin/mount_ffs
    /mnt/sbin/route
    /mnt/sbin/savecore
    /mnt/sbin/swapctl
    /mnt/sbin/swapon
    /mnt/sbin/sysctl
    /mnt/sbin/ttyflags
    /mnt/usr/bin/cmp
    /mnt/usr/bin/find
    /mnt/usr/bin/install
    /mnt/usr/bin/mktemp
    /mnt/usr/bin/perl
    /mnt/usr/bin/perl5.6.1
    /mnt/usr/bin/sed
    /mnt/usr/bin/wc
    /mnt/usr/lib/libc.so.28.3
    /mnt/usr/lib/libm.so.0.1
    /mnt/usr/lib/libperl.so.6.1
    /mnt/usr/lib/libutil.so.7.1
    /mnt/usr/libdata/perl5/Exporter.pm
    /mnt/usr/libdata/perl5/i386-openbsd/5.6.1/Fcntl.pm
    /mnt/usr/libdata/perl5/i386-openbsd/5.6.1/XSLoader.pm
    /mnt/usr/libdata/perl5/i386-openbsd/5.6.1/auto/Fcntl/Fcntl.so
    /mnt/usr/libdata/perl5/site_perl/i386-openbsd/_h2ph_pre.ph
    /mnt/usr/libdata/perl5/site_perl/i386-openbsd/sys/syscall.ph
    /mnt/usr/libexec/auth/login_krb4-or-pwd
    /mnt/usr/libexec/ld.so
    /mnt/usr/libexec/vi.recover
    /mnt/usr/sbin/dev_mkdb
    /mnt/usr/sbin/kvm_mkdb
    /mnt/usr/share/nls/C/libc.cat
    /mnt/usr/share/zoneinfo/Europe/Berlin
    /mnt/bsd
    
    Some strange output; I can't remember having used many of these
    (except vi/cat).
    
    Now I tried the same with directories:
    laboratory# find /mnt -atime -20 -type d
    /mnt/dev
    /mnt/etc
    /mnt/usr/lib
    /mnt/usr/local/lib
    
    And last but not least I used 'mactime' from TCT and found many entries
    which could not be mine:
    
    laboratory# mactime 02/07/2002
    ~~~~~~~~~~~~~~~~~~mactimeoutput~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Jul 02 02 11:00:06   110592 .a. -r-xr-xr-x root/toor bin      /mnt/usr/bin/gzcat
                         110592 .a. -r-xr-xr-x root/toor bin      /mnt/usr/bin/gzip
                         110592 .a. -r-xr-xr-x root/toor bin      /mnt/usr/bin/gunzip
    Jul 02 02 12:53:54    12288 .a. -r-xr-xr-x root/toor bin      /mnt/usr/bin/id
    Jul 02 02 12:54:32     3917 .a. -r--r--r-- root/toor wheel    /mnt/usr/libdata/perl5/IPC/Open2.pm
                          10282 .a. -r--r--r-- root/toor wheel    /mnt/usr/libdata/perl5/IPC/Open3.pm
                           3876 .a. -r--r--r-- root/toor wheel    /mnt/usr/libdata/perl5/Symbol.pm
                           2624 .a. -r--r--r-- root/toor wheel    /mnt/usr/libdata/perl5/strict.pm
                           4166 .a. -r--r--r-- root/toor wheel    /mnt/usr/libdata/perl5/Carp.pm
    Jul 02 02 12:54:33    40287 .a. -r-xr-xr-x root/toor bin      /mnt/usr/sbin/adduser
                           5651 .a. -r--r--r-- root/toor wheel    /mnt/usr/libdata/perl5/Exporter/Heavy.pm
    Jul 02 02 12:55:05      318 .a. -rw-r--r-- root/toor wheel    /mnt/etc/group.bak
                            301 mac -rw-r--r-- root/toor wheel    /mnt/etc/adduser.message
                           1473 mac -rw-r--r-- root/toor wheel    /mnt/etc/adduser.conf
    Jul 02 02 12:56:12      128 mac -rw------- admin     admin    /mnt/home/admin/.rhosts
                            318 ..c -rw-r--r-- root/toor wheel    /mnt/etc/group.bak
                         188416 .a. -r-xr-xr-x root/toor bin      /mnt/usr/bin/encrypt
                            318 .a. -rw-r--r-- root/toor wheel    /mnt/etc/skel/.login
                            201 .a. -rw-r--r-- root/toor wheel    /mnt/etc/skel/.profile
                          40960 m.c -rw-r--r-- root/toor wheel    /mnt/etc/pwd.db
                            512 .a. drwxr-xr-x root/toor wheel    /mnt/etc/skel
                            861 m.c -rw------- root/toor wheel    /mnt/etc/master.passwd
                            105 mac -rw-r--r-- admin     admin    /mnt/home/admin/.mailrc
                          40960 m.c -rw------- root/toor wheel    /mnt/etc/spwd.db
                         110592 .a. -r-xr-xr-x root/toor bin      /mnt/usr/sbin/pwd_mkdb
                            105 .a. -rw-r--r-- root/toor wheel    /mnt/etc/skel/.mailrc
                            769 .a. -rw-r--r-- root/toor wheel    /mnt/etc/skel/.cshrc
                            677 mac -rw-r--r-- root/toor wheel    /mnt/etc/passwd
                          73728 .a. -r-xr-xr-x root/toor bin      /mnt/bin/cp
                            128 .a. -rw------- root/toor wheel    /mnt/etc/skel/.rhosts
                            769 m.c -rw-r--r-- admin     admin    /mnt/home/admin/.cshrc
                            208 .a. -rw-r--r-- root/toor wheel    /mnt/etc/shells
                            318 m.c -rw-r--r-- admin     admin    /mnt/home/admin/.login
                            512 m.c drwxr-xr-x root/toor wheel    /mnt/home
                          38933 .a. -rw-r--r-- root/toor wheel    /mnt/etc/mail/submit.cf
    Jul 02 02 13:00:02    40960 .a. -rw-r--r-- root/toor wheel    /mnt/etc/pwd.db
    Jul 02 02 13:00:11    12288 .a. -r-xr-xr-x root/toor bin      /mnt/usr/bin/who
    Jul 02 02 13:00:30    16384 .a. -r-xr-xr-x root/toor bin      /mnt/usr/bin/last
    Jul 02 02 13:00:50    12288 .a. -r-xr-xr-x root/toor bin      /mnt/usr/bin/touch
    Jul 02 02 13:03:17    12288 .a. -r-xr-xr-x root/toor bin      /mnt/usr/bin/uname
    Jul 02 02 13:04:17    24576 .a. -r-sr-xr-x root/toor bin      /mnt/usr/bin/login
    Jul 02 02 13:04:29      512 m.c drwxr-xr-x admin     admin    /mnt/home/admin
    Jul 02 02 13:05:36        0 .a. crw------- root/toor wheel    /mnt/dev/klog
                              0 .a. brw-r----- root/toor operator /mnt/dev/wd0b
    Jul 02 02 13:06:01       56 .a. -r--r--r-- root/toor bin      /mnt/usr/share/zoneinfo/GMT
                             56 .a. -r--r--r-- root/toor bin      /mnt/usr/share/zoneinfo/Etc/GMT0
                             56 .a. -r--r--r-- root/toor bin      /mnt/usr/share/zoneinfo/GMT+0
                             56 .a. -r--r--r-- root/toor bin      /mnt/usr/share/zoneinfo/Etc/GMT
                             56 .a. -r--r--r-- root/toor bin      /mnt/usr/share/zoneinfo/Etc/GMT-0
                             56 .a. -r--r--r-- root/toor bin      /mnt/usr/share/zoneinfo/Etc/Greenwich
                             56 .a. -r--r--r-- root/toor bin      /mnt/usr/share/zoneinfo/GMT-0
                             56 .a. -r--r--r-- root/toor bin      /mnt/usr/share/zoneinfo/Greenwich
                             56 .a. -r--r--r-- root/toor bin      /mnt/usr/share/zoneinfo/Etc/GMT+0
                             56 .a. -r--r--r-- root/toor bin      /mnt/usr/share/zoneinfo/GMT0
    Jul 02 02 13:08:51      512 .a. drwxr-xr-x root/toor wheel    /mnt/usr/local/sbin
                              6 .a. -rw------- admin     admin    /mnt/home/admin/.history
                           4437 .a. -rw-r--r-- root/toor wheel    /mnt/etc/protocols
                            512 .a. drwxr-xr-x root/toor wheel    /mnt/usr/games
                            769 .a. -rw-r--r-- admin     admin    /mnt/home/admin/.cshrc
                            102 .a. -rw-r--r-- root/toor wheel    /mnt/etc/csh.login
    Jul 02 02 13:08:52  2826240 .a. -r--r--r-- root/toor bin      /mnt/usr/share/misc/termcap.db
    Jul 02 02 13:08:53    36864 .a. -r-xr-xr-x root/toor bin      /mnt/usr/bin/tset
                          36864 .a. -r-xr-xr-x root/toor bin      /mnt/usr/bin/reset
                            318 .a. -rw-r--r-- admin     admin    /mnt/home/admin/.login
    Jul 02 02 13:08:55    42411 .a. -r--r--r-- root/toor bin      /mnt/usr/lib/libdes.so.7.0
                          95384 .a. -r--r--r-- root/toor bin      /mnt/usr/lib/libkrb.so.9.0
                         801706 .a. -r--r--r-- root/toor bin      /mnt/usr/lib/libcrypto.so.5.1
    Jul 02 02 13:09:05     2048 .a. drwxr-xr-x root/toor wheel    /mnt/sbin
                           3584 .a. drwxr-xr-x root/toor wheel    /mnt/usr/sbin
                            102 .a. -rw-r--r-- root/toor wheel    /mnt/etc/csh.cshrc
                          16384 .a. -r-sr-xr-x root/toor bin      /mnt/usr/bin/su
                         266240 .a. -r-xr-xr-x root/toor bin      /mnt/bin/csh
                            512 .a. drwxr-xr-x root/toor wheel    /mnt/usr/local/bin
                            512 .a. drwxr-xr-x root/toor wheel    /mnt/home
                            669 .a. -rw-r--r-- root/toor wheel    /mnt/.cshrc
                           1024 .a. drwxr-xr-x root/toor wheel    /mnt/bin
                            669 .a. -rw-r--r-- root/toor wheel    /mnt/root/.cshrc
                           6144 .a. drwxr-xr-x root/toor wheel    /mnt/usr/bin
    Jul 02 02 13:09:09   196608 .a. -r-xr-Sr-x root/toor kmem     /mnt/bin/ps
                              0 .a. crw-r----- root/toor kmem     /mnt/dev/mem
    Jul 02 02 13:09:39      861 .a. -rw------- root/toor wheel    /mnt/etc/master.passwd
                         282624 .a. -r-xr-xr-x root/toor bin      /mnt/usr/bin/view
                           2048 m.c drwxr-xr-x root/toor wheel    /mnt/etc
                          12288 .a. -r-xr-xr-x root/toor bin      /mnt/usr/sbin/vipw
                         282624 .a. -r-xr-xr-x root/toor bin      /mnt/usr/bin/vi
                         282624 .a. -r-xr-xr-x root/toor bin      /mnt/usr/bin/ex
    Jul 02 02 13:09:41    12288 .a. -r-xr-xr-x root/toor bin      /mnt/usr/bin/tput
                          12288 .a. -r-xr-xr-x root/toor bin      /mnt/usr/bin/clear
    Jul 02 02 13:09:52   167936 .a. -r-xr-xr-x root/toor bin      /mnt/bin/ls
                            512 .a. drwxrwxr-x root/toor man      /mnt/usr/src
    Jul 02 02 13:10:01    16384 .a. -r-xr-xr-x root/toor bin      /mnt/usr/libexec/atrun
    Jul 02 02 13:10:22  3108864 .a. -r--r--r-- root/toor bin      /mnt/usr/share/misc/terminfo.db
    Jul 02 02 13:10:55 32319360 .a. -rw-r--r-- root/toor man      /mnt/usr/src/src.tar.gz
    Jul 02 02 13:13:07 32319360 m.c -rw-r--r-- root/toor man      /mnt/usr/src/src.tar.gz
    Jul 02 02 13:13:11   257069 .a. -r--r--r-- root/toor bin      /mnt/usr/lib/libcurses.so.8.0
                          70195 .a. -r--r--r-- root/toor bin      /mnt/usr/lib/libedit.so.0.0
                         257069 .a. -r--r--r-- root/toor bin      /mnt/usr/lib/libtermlib.so.8.0
                          98304 .a. -r-xr-xr-x root/toor bin      /mnt/usr/bin/ftp
                         257069 .a. -r--r--r-- root/toor bin      /mnt/usr/lib/libtermcap.so.8.0
    Jul 02 02 13:13:13    55094 .a. -r--r--r-- root/toor bin      /mnt/usr/lib/libz.so.1.4
                            512 m.c drwxrwxr-x root/toor man      /mnt/usr/src
                          32768 .a. -r-xr-xr-x root/toor bin      /mnt/usr/sbin/cron
                          25633 .a. -r--r--r-- root/toor bin      /mnt/usr/lib/libwrap.so.2.0
                         147456 .a. -r-xr-xr-x root/toor bin      /mnt/sbin/halt
                              0 ma. crw------- root/toor wheel    /mnt/dev/ttyC3
                          24576 .a. -r-xr-xr-x root/toor bin      /mnt/usr/sbin/syslogd
                              0 ma. crw------- root/toor wheel    /mnt/dev/ttyC5
                              0 mac crw-rw-rw- root/toor wheel    /mnt/dev/ptyp0
                         212992 .a. -r-x------ root/toor bin      /mnt/sbin/init
                          73728 .a. -r-xr-xr-x root/toor bin      /mnt/bin/stty
                         147456 .a. -r-xr-xr-x root/toor bin      /mnt/sbin/reboot
                          20480 .a. -r-xr-xr-x root/toor bin      /mnt/usr/libexec/getty
                              0 ma. crw------- root/toor wheel    /mnt/dev/ttyC0
                          12823 .a. -r--r--r-- root/toor bin      /mnt/usr/lib/libkafs.so.8.0
                         290816 .a. -r-xr-xr-x root/toor bin      /mnt/usr/sbin/sshd
                              0 ma. crw------- root/toor wheel    /mnt/dev/ttyC1
                              0 ma. crw-rw-rw- root/toor wheel    /mnt/dev/ttyp0
                              0 ma. crw------- root/toor wheel    /mnt/dev/ttyC2
                         132237 .a. -r--r--r-- root/toor bin      /mnt/usr/lib/libasn1.so.2.0
                         248541 .a. -r--r--r-- root/toor bin      /mnt/usr/lib/libkrb5.so.3.0
    Jul 02 02 13:13:14        6 m.c -rw------- admin     admin    /mnt/home/admin/.history
                            293 .a. -rw-r--r-- root/toor wheel    /mnt/etc/fbtab
                              0 ..c crw------- root/toor wheel    /mnt/dev/wsmouse0
                              0 ..c crw------- root/toor wheel    /mnt/dev/wskbd0
                            335 .a. -rw-r--r-- root/toor wheel    /mnt/etc/rc.shutdown
    ~~~~~~~~~~~~~~~~~~mactimeoutput~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    4) What have I learned till now?
    I found many entries which I think are not mine; all this touching,
    editing, kerberos,... is strange because I never touched this box after
    it was installed, but I still don't feel able to say: "the attacker has
    done this, and this, installed this..."
    
    Most likely the box was compromised with the ssh-Gobbles exploit.
    
    5) What don't I know?
    * who was the attacker?
    * what has he done after breaking in?
    * has he altered any data?
    * has he installed a rootkit/ddos/whatever?
    
    So, that's my story; I hope somebody on this list can point me to
    where and how I can find out more about this accident.
    
    Regards & thanks in advance,
    Ingram
    
    
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
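A small parser for the mactime listing in the post, added here as an example (it is not code from the post or from TCT): it fills in the timestamps that mactime leaves blank on continuation lines, flags entries where an account database or a .rhosts file was written (m or c time set), and splits the listing into bursts of activity separated by quiet gaps, which narrows "what has he done after breaking in?" down to a few minutes of the timeline instead of 1.8 gig of output. The sample lines are a constructed subset of the post's own output, re-joined one entry per line; the mount point /mnt and the ten-minute gap are assumptions.

```python
"""Parse TCT mactime output, flag written account files, find activity bursts.
Added example for this thread, not code from the post or from TCT. SAMPLE is
a constructed subset of the mactime lines quoted in the post, one per entry.
"""
import re
from datetime import datetime

# mactime prints the timestamp only on the first entry of each second; later
# entries in that second leave the column blank, so the timestamp is optional.
ENTRY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2} \d{2}:\d{2}:\d{2})?\s+"
    r"(?P<size>\d+)\s+(?P<mac>[m.][a.][c.])\s+(?P<perms>\S{10})\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+(?P<path>/\S+)\s*$"
)

SAMPLE = """\
Jul 02 02 11:00:06   110592 .a. -r-xr-xr-x root/toor bin      /mnt/usr/bin/gzcat
Jul 02 02 12:53:54    12288 .a. -r-xr-xr-x root/toor bin      /mnt/usr/bin/id
Jul 02 02 12:54:33    40287 .a. -r-xr-xr-x root/toor bin      /mnt/usr/sbin/adduser
Jul 02 02 12:56:12      128 mac -rw------- admin     admin    /mnt/home/admin/.rhosts
                        861 m.c -rw------- root/toor wheel    /mnt/etc/master.passwd
                        677 mac -rw-r--r-- root/toor wheel    /mnt/etc/passwd
                      40960 m.c -rw------- root/toor wheel    /mnt/etc/spwd.db
                     110592 .a. -r-xr-xr-x root/toor bin      /mnt/usr/sbin/pwd_mkdb
Jul 02 02 13:04:17    24576 .a. -r-sr-xr-x root/toor bin      /mnt/usr/bin/login
Jul 02 02 13:09:39    12288 .a. -r-xr-xr-x root/toor bin      /mnt/usr/sbin/vipw
Jul 02 02 13:13:07 32319360 m.c -rw-r--r-- root/toor man      /mnt/usr/src/src.tar.gz
"""

MOUNT = "/mnt"  # assumed: where the evidence disk was mounted read-only
ACCOUNT_FILES = {  # account databases whose m/c time should never move untouched
    "/etc/master.passwd", "/etc/passwd", "/etc/pwd.db",
    "/etc/spwd.db", "/etc/group", "/etc/adduser.conf"}

def parse_mactime(text):
    """Return one dict per entry, with inherited timestamps filled in."""
    entries, current = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # banner lines such as ~~~mactimeoutput~~~ and blanks
        if m.group("ts"):
            current = datetime.strptime(m.group("ts"), "%b %d %y %H:%M:%S")
        if current is None:
            raise ValueError("continuation line before any timestamp: " + line)
        entries.append({"time": current, "size": int(m.group("size")),
                        "mac": m.group("mac"), "perms": m.group("perms"),
                        "owner": m.group("owner"), "group": m.group("group"),
                        "path": m.group("path")})
    return entries

def flag_account_changes(entries):
    """(time, path, mac) for every written account database or .rhosts file."""
    hits = []
    for e in entries:
        p = e["path"]
        rel = p[len(MOUNT):] if p.startswith(MOUNT + "/") else p
        written = "m" in e["mac"] or "c" in e["mac"]
        if written and (rel in ACCOUNT_FILES or rel.endswith("/.rhosts")):
            hits.append((e["time"], rel, e["mac"]))
    return hits

def split_sessions(entries, gap_minutes=10):
    """Group entries into bursts separated by more than gap_minutes of quiet;
    each burst is a candidate interactive session. Returns (start, end, count)."""
    sessions, current = [], []
    for e in sorted(entries, key=lambda x: x["time"]):
        gap = (e["time"] - current[-1]["time"]).total_seconds() if current else 0
        if gap > gap_minutes * 60:
            sessions.append(current)
            current = []
        current.append(e)
    if current:
        sessions.append(current)
    return [(s[0]["time"], s[-1]["time"], len(s)) for s in sessions]
```

Run on the full listing after joining the wrapped lines; the 12:56:12 burst in the sample (adduser, then master.passwd, passwd, spwd.db and a .rhosts file all written within a second) is exactly the pattern the flag function surfaces.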
    



    This archive was generated by hypermail 2b30 : Wed Jul 31 2002 - 04:01:03 PDT