Hacked using vulnerable FTP daemon.

From: Paul Tan (paul.tanat_private)
Date: Mon Sep 24 2001 - 23:43:03 PDT


    Hello experts,
    
    I am helping a friend who got hacked in the last few days. 
    Below are the logs from /var/log/messages; I managed to get the logs from 
    the "last" command too. Is this sufficient info to call their ISP and 
    get that guy?
    
    Rgds,
    Paul
    
    If you need more evidence I can produce, e.g., rootkits and stuff I found 
    on the webserver.
    
    
    Sep 23 04:59:21 www inetd[1638]: pid 28367: exit status 1
    Sep 23 07:29:23 www ftpd[28419]: FTP LOGIN REFUSED (ftp in 
    /etc/ftpusers) FROM 213.41.95.158 [213.41.95.158], anonymous
    Sep 23 17:31:55 www inetd[1638]: pid 28592: exit status 1
    Sep 23 17:33:20 www ftpd[28594]: FTP LOGIN REFUSED (ftp in 
    /etc/ftpusers) FROM 203.55.23.150 [203.55.23.150], ftp
    Sep 23 17:33:47 www ftpd[28595]: FTP LOGIN REFUSED (ftp in 
    /etc/ftpusers) FROM 203.55.23.150 [203.55.23.150], ftp
    Sep 23 17:33:58 www inetd[1638]: pid 28596: exit status 1
    Sep 23 17:52:38 www useradd[28609]: new user: name=jogja, uid=506, 
    gid=10, home=/etc/jogja, shell=/bin/bash
    Sep 23 17:55:34 www PAM_pwdb[28610]: password for (jogja/506) changed by 
    ((null)/0)
    Sep 23 17:58:03 www PAM_pwdb[28612]: check pass; user unknown
    Sep 23 17:58:04 www login[28612]: FAILED LOGIN 1 FROM 202.155.35.132 FOR 
    ku ^H^H^H^H, User not known to the underlying authentication module
    Sep 23 17:58:11 www PAM_pwdb[28612]: authentication failure; (uid=0) -> 
    jogja for login service
    Sep 23 17:58:12 www login[28612]: FAILED LOGIN 2 FROM 202.155.35.132 FOR 
    jogja, Authentication failure
    Sep 23 17:58:16 www PAM_pwdb[28612]: (login) session opened for user 
    jogja by (uid=0)
    Sep 23 17:58:46 www inetd[1638]: pid 28611: exit status 1
    Sep 23 18:00:04 www PAM_pwdb[28632]: check pass; user unknown
    Sep 23 18:00:05 www login[28632]: FAILED LOGIN 1 FROM 202.155.35.132 FOR 
    D, User not known to the underlying authentication module
    Sep 23 18:00:12 www PAM_pwdb[28632]: (login) session opened for user 
    jogja by (uid=0)
    Sep 23 18:02:32 www adduser[30101]: new group: name=D, gid=507
    Sep 23 18:02:32 www adduser[30101]: new user: name=D, uid=507, gid=507, 
    home=/home/D, shell=/bin/bash
    Sep 23 18:02:48 www PAM_pwdb[30102]: password for (D/507) changed by 
    (jogja/0)
    Sep 23 18:02:55 www PAM_pwdb[28632]: (login) session closed for user jogja
    Sep 23 18:02:55 www inetd[1638]: pid 28631: exit status 1
    Sep 23 18:04:42 www PAM_pwdb[30107]: (login) session opened for user D 
    by (uid=0)
    Sep 23 18:07:26 www inetd[1638]: pid 30106: exit status 1
    Sep 23 18:08:08 www PAM_pwdb[30132]: (login) session opened for user D 
    by (uid=0)
    Sep 23 18:12:08 www inetd[1638]: pid 30131: exit status 1
    Sep 23 18:12:18 www inetd[1638]: pid 30159: exit status 1
    Sep 23 18:13:06 www PAM_pwdb[30162]: (login) session opened for user D 
    by (uid=0)
    Sep 23 18:15:23 www PAM_pwdb[30162]: (login) session closed for user D
    Sep 23 18:15:23 www inetd[1638]: pid 30161: exit status 1
    Sep 23 18:36:15 www PAM_pwdb[30200]: (login) session opened for user 
    jogja by (uid=0)
    Sep 23 18:38:21 www ftpd[30221]: FTP LOGIN REFUSED (ftp in 
    /etc/ftpusers) FROM 203.55.23.150 [203.55.23.150], ftp
    Sep 23 18:40:01 www inetd[1638]: pid 30220: exit signal 13
    Sep 23 18:40:01 www telnetd[30197]: ttloop: read: Connection reset by peer
    Sep 23 18:40:01 www inetd[1638]: pid 30197: exit status 1
    Sep 23 18:40:01 www ftpd[30196]: lost connection to 202.155.35.132 
    [202.155.35.132]
    Sep 23 18:40:01 www inetd[1638]: pid 30196: exit status 255
    Sep 23 18:41:22 www PAM_pwdb[30200]: (login) session closed for user jogja
    Sep 23 18:41:22 www inetd[1638]: pid 30199: exit status 1
    Sep 23 18:42:37 www inetd[1638]: pid 28600: exit status 1
    Sep 23 18:42:38 www PAM_pwdb[30226]: (login) session opened for user 
    jogja by (uid=0)
    Sep 23 18:48:17 www PAM_pwdb[30226]: (login) session closed for user jogja
    Sep 23 18:48:17 www inetd[1638]: pid 30225: exit status 1
    Sep 23 18:48:43 www PAM_pwdb[30256]: (login) session opened for user 
    jogja by (uid=0)
    Sep 23 18:57:49 www telnetd[30277]: ttloop: peer died: EOF
    Sep 23 18:57:49 www inetd[1638]: pid 30277: exit status 1
    Sep 23 18:58:36 www PAM_pwdb[30279]: (login) session opened for user D 
    by (uid=0)
    Sep 23 18:59:15 www inetd[1638]: pid 30278: exit status 1
    Sep 23 18:59:29 www PAM_pwdb[30300]: (login) session opened for user D 
    by (uid=0)
    Sep 23 19:01:53 www PAM_pwdb[30300]: (login) session closed for user D
    Sep 23 19:01:53 www inetd[1638]: pid 30299: exit status 1
    Sep 23 19:03:07 www PAM_pwdb[31765]: (login) session opened for user D 
    by (uid=0)
    Sep 23 19:05:15 www PAM_pwdb[31765]: (login) session closed for user D
    Sep 23 19:05:15 www inetd[1638]: pid 31764: exit status 1
    Sep 23 19:06:51 www PAM_pwdb[31787]: (login) session opened for user D 
    by (uid=0)
    Sep 23 19:13:44 www PAM_pwdb[813]: (login) session opened for user D by 
    (uid=0)
    Sep 23 19:23:48 www inetd[1638]: pid 812: exit status 1
    Sep 23 19:30:08 www PAM_pwdb[30256]: (login) session closed for user jogja
    Sep 23 19:30:08 www inetd[1638]: pid 30255: exit status 1
    Sep 23 19:30:49 www PAM_pwdb[868]: (login) session opened for user jogja 
    by (uid=0)
    Sep 23 19:38:00 www inetd[1638]: pid 867: exit status 1
    Sep 23 19:38:32 www PAM_pwdb[2390]: authentication failure; (uid=0) -> 
    jogja for login service
    Sep 23 19:38:33 www login[2390]: FAILED LOGIN 1 FROM 202.155.35.132 FOR 
    jogja, Authentication failure
    Sep 23 19:38:47 www PAM_pwdb[2390]: (login) session opened for user 
    jogja by (uid=0)
    Sep 23 19:45:00 www PAM_pwdb[31787]: (login) session closed for user D
    Sep 23 19:45:00 www inetd[1638]: pid 31786: exit status 1
    Sep 23 19:51:33 www inetd[1638]: pid 2389: exit status 1
    Sep 23 19:52:31 www PAM_pwdb[2429]: (login) session opened for user 
    jogja by (uid=0)
    Sep 23 19:58:24 www inetd[1638]: pid 2428: exit status 1
    Sep 23 19:58:41 www PAM_pwdb[2461]: (login) session opened for user 
    jogja by (uid=0)
    Sep 23 20:52:49 www inetd[1638]: pid 2460: exit status 1
    Sep 23 21:05:29 www PAM_pwdb[5396]: (login) session opened for user 
    jogja by (uid=0)
    Sep 23 21:51:22 www inetd[1638]: pid 5395: exit status 1
    Sep 23 22:57:22 www PAM_pwdb[6889]: (login) session opened for user D by 
    (uid=0)
    Sep 23 23:42:01 www PAM_pwdb[6889]: (login) session closed for user D
    Sep 23 23:42:01 www inetd[1638]: pid 6888: exit status 1
    Sep 23 23:42:37 www ftpd[6969]: lost connection to 202.155.35.132 
    [202.155.35.132]
    Sep 23 23:42:37 www inetd[1638]: pid 6969: exit status 255
    Sep 23 23:48:37 www PAM_pwdb[8425]: (login) session opened for user D by 
    (uid=0)
    Sep 23 23:51:28 www inetd[1638]: pid 8424: exit status 1
    Sep 24 04:02:00 www anacron[8529]: Updated timestamp for job 
    `cron.daily' to 2001-09-24
    Sep 24 04:02:01 www syslogd 1.3-3: restart.
    Sep 24 09:23:01 www ftpd[8785]: FTP LOGIN REFUSED (ftp in /etc/ftpusers) 
    FROM 217.125.56.172 [217.125.56.172], anonymous
    Sep 24 09:49:39 www PAM_pwdb[8791]: (login) session opened for user 
    jogja by (uid=0)
    Sep 24 09:55:44 www inetd[1638]: pid 8813: exit status 1
    Sep 24 09:56:47 www PAM_pwdb[8816]: check pass; user unknown
    Sep 24 09:56:48 www login[8816]: FAILED LOGIN 1 FROM ykt-101.mega.net.id 
    FOR joja^H^H^H^H^H^H^H^H^Hjogja, User not known to the underlying 
    authentication module
    Sep 24 09:57:11 www inetd[1638]: pid 8815: exit status 1
    Sep 24 09:58:05 www PAM_pwdb[8818]: (login) session opened for user 
    jogja by (uid=0)
    Sep 24 10:36:30 www inetd[1638]: pid 8817: exit status 1
    Sep 24 12:03:44 www inetd[1638]: pid 8790: exit status 1
    Sep 24 13:58:52 www PAM_pwdb[10350]: (login) session opened for user 
    jogja by (uid=0)
    Sep 24 14:10:23 www PAM_pwdb[10350]: (login) session closed for user jogja
    Sep 24 14:10:23 www inetd[1638]: pid 10349: exit status 1
    Sep 24 14:56:45 www telnetd[11830]: ttloop: read: Connection reset by peer
    Sep 24 14:56:45 www inetd[1638]: pid 11830: exit status 1
    Sep 24 15:36:51 www PAM_pwdb[11845]: (login) session opened for user 
    jogja by (uid=0)
    Sep 24 18:30:48 www inetd[1638]: pid 11844: exit status 1
    Sep 24 18:31:56 www PAM_pwdb[11933]: (login) session opened for user 
    jogja by (uid=0)
    Sep 24 18:57:20 www PAM_pwdb[13402]: (login) session opened for user 
    jogja by (uid=0)
    Sep 24 19:00:37 www PAM_pwdb[13428]: (login) session opened for user 
    jogja by (uid=0)
    Sep 24 20:16:01 www PAM_pwdb[16718]: (login) session opened for user 
    root by LOGIN(uid=0)
    Sep 24 20:17:09 www kernel: end_request: I/O error, dev 02:00 (floppy), 
    sector 0
    Sep 24 20:17:09 www insmod: Note: /etc/conf.modules is more recent than 
    /lib/modules/2.2.14-5.0smp/modules.dep
    Sep 24 20:17:09 www kernel: end_request: I/O error, dev 02:00 (floppy), 
    sector 0
    Sep 24 20:17:50 www last message repeated 2 times
    Sep 24 20:18:47 www last message repeated 5 times
    Sep 24 20:18:56 www insmod: Note: /etc/conf.modules is more recent than 
    /lib/modules/2.2.14-5.0smp/modules.dep
    Sep 24 20:18:56 www kernel: end_request: I/O error, dev 02:00 (floppy), 
    sector 0
    Sep 24 20:19:54 www PAM_pwdb[13545]: password for (paultan/505) changed 
    by (root/0)
    Sep 24 20:19:56 www PAM_pwdb[16718]: (login) session closed for user root
    Sep 24 20:22:48 www /sbin/mingetty[13547]: tty4: invalid character ^[ in 
    login name
    Sep 24 20:22:53 www PAM_pwdb[13552]: (login) session opened for user 
    root by LOGIN(uid=0)
    Sep 24 20:24:26 www PAM_pwdb[13599]: (login) session opened for user 
    jogja by (uid=0)
    Sep 24 20:24:59 www PAM_pwdb[13621]: (login) session opened for user 
    paultan by (uid=0)
    Sep 24 20:25:25 www PAM_pwdb[13641]: (su) session opened for user root 
    by paultan(uid=505)
    Sep 24 20:48:26 www inetd[1638]: pid 11932: exit status 1
    Sep 24 20:56:42 www PAM_pwdb[15158]: (login) session opened for user D 
    by (uid=0)
    Sep 24 21:04:28 www PAM_pwdb[15158]: (login) session closed for user D
    Sep 24 21:04:28 www inetd[1638]: pid 15157: exit status 1
    Sep 24 21:13:06 www inetd[1638]: pid 13598: exit status 1
    Sep 24 21:39:14 www PAM_pwdb[13641]: (su) session closed for user root
    Sep 24 21:39:14 www PAM_pwdb[13621]: (login) session closed for user paultan
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
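The log Paul posted is the kind of thing a responder has to turn into a timeline before talking to anyone: which accounts were created, by whom, which remote addresses the login processes reported, and which of those can be tied to a successful session. The script below is an added example, not code from the post or from SecurityFocus. It parses the message formats that appear above (useradd/adduser, PAM_pwdb, login, ftpd) and attributes a successful PAM session to a source address by matching the pid of the login process that logged the earlier "FAILED LOGIN ... FROM" line. The sample lines are reconstructed from the post's wrapped log; the two heuristics (home directory outside /home, password changed by a caller running as uid 0 who is not root) are assumptions chosen for illustration, not rules from the post.

```python
"""Build an account-activity timeline from /var/log/messages-style lines.

Added example, not code from the original post. Parses useradd/adduser,
PAM_pwdb, login and ftpd messages of the form seen in the post and correlates
a successful PAM session with the remote address reported by the login(1)
process that shares its pid. Sample lines below are reconstructed from the
post's log (unwrapped); the flagging heuristics are assumptions.
"""
import re

# syslog prefix: "Mon DD HH:MM:SS host prog[pid]: message" (pid optional)
SYSLOG = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
NEW_USER = re.compile(r"new user: name=(?P<name>[^,]+), uid=(?P<uid>\d+), gid=\d+, "
                      r"home=(?P<home>[^,]+), shell=(?P<shell>\S+)")
PW_CHANGED = re.compile(r"password for \((?P<user>[^/]+)/\d+\) changed by "
                        r"\((?P<by>[^/]*)/(?P<by_uid>\d+)\)")
FAILED_LOGIN = re.compile(r"FAILED LOGIN \d+ FROM (?P<src>\S+) FOR (?P<user>.*?), ")
SESSION_OPEN = re.compile(r"\((?P<svc>\w+)\) session opened for user (?P<user>\S+) by ")
FTP_REFUSED = re.compile(r"FTP LOGIN REFUSED .*FROM \S+ \[(?P<src>[\d.]+)\], (?P<user>\S+)")
FTP_LOST = re.compile(r"lost connection to \S+ \[(?P<src>[\d.]+)\]")

# Constructed sample: lines taken from the post, re-joined onto single lines.
SAMPLE = """\
Sep 23 17:33:20 www ftpd[28594]: FTP LOGIN REFUSED (ftp in /etc/ftpusers) FROM 203.55.23.150 [203.55.23.150], ftp
Sep 23 17:52:38 www useradd[28609]: new user: name=jogja, uid=506, gid=10, home=/etc/jogja, shell=/bin/bash
Sep 23 17:55:34 www PAM_pwdb[28610]: password for (jogja/506) changed by ((null)/0)
Sep 23 17:58:04 www login[28612]: FAILED LOGIN 1 FROM 202.155.35.132 FOR ku ^H^H^H^H, User not known to the underlying authentication module
Sep 23 17:58:12 www login[28612]: FAILED LOGIN 2 FROM 202.155.35.132 FOR jogja, Authentication failure
Sep 23 17:58:16 www PAM_pwdb[28612]: (login) session opened for user jogja by (uid=0)
Sep 23 18:02:32 www adduser[30101]: new user: name=D, uid=507, gid=507, home=/home/D, shell=/bin/bash
Sep 23 18:02:48 www PAM_pwdb[30102]: password for (D/507) changed by (jogja/0)
Sep 23 23:42:37 www ftpd[6969]: lost connection to 202.155.35.132 [202.155.35.132]
Sep 24 04:02:01 www syslogd 1.3-3: restart.
"""


def parse_events(lines):
    """Return a chronological list of event dicts; unrecognised lines are skipped."""
    events = []
    src_by_pid = {}  # pid of a login(1) process -> remote address it reported
    for line in lines:
        m = SYSLOG.match(line)
        if not m:
            continue
        prog, pid, msg = m["prog"], m["pid"], m["msg"]
        ev = {"ts": m["ts"], "prog": prog, "pid": pid}
        if prog in ("useradd", "adduser") and (u := NEW_USER.search(msg)):
            ev.update(kind="account_created", user=u["name"], uid=int(u["uid"]),
                      home=u["home"], shell=u["shell"])
        elif prog == "PAM_pwdb" and (p := PW_CHANGED.search(msg)):
            ev.update(kind="password_changed", user=p["user"], by=p["by"],
                      by_uid=int(p["by_uid"]))
        elif prog == "login" and (f := FAILED_LOGIN.search(msg)):
            src_by_pid[pid] = f["src"]  # remembered for the matching PAM line
            ev.update(kind="failed_login", user=f["user"], src=f["src"])
        elif prog == "PAM_pwdb" and (s := SESSION_OPEN.search(msg)):
            # PAM_pwdb logs under the same pid as login(1), so the address the
            # login process reported a moment earlier applies to this session.
            ev.update(kind="session_opened", user=s["user"], service=s["svc"],
                      src=src_by_pid.get(pid))
        elif prog == "ftpd" and (r := FTP_REFUSED.search(msg)):
            ev.update(kind="ftp_refused", user=r["user"], src=r["src"])
        elif prog == "ftpd" and (l := FTP_LOST.search(msg)):
            ev.update(kind="ftp_connection", src=l["src"])
        else:
            continue
        events.append(ev)
    return events


def findings(events):
    """Apply two illustrative heuristics (assumptions, not rules from the post).

    Returns (flags, sources): flags is a list of reasons a line deserves a
    closer look; sources maps each remote address to the account names seen
    with it, which is the part an ISP abuse desk would want.
    """
    flags, sources = [], {}
    for ev in events:
        k = ev["kind"]
        if k == "account_created" and not ev["home"].startswith("/home/"):
            flags.append(f'{ev["ts"]} account {ev["user"]} created with home '
                         f'{ev["home"]} (outside /home)')
        elif k == "password_changed" and ev["by_uid"] == 0 and ev["by"] != "root":
            # "(null)" and "jogja" both changed passwords while running as uid 0
            flags.append(f'{ev["ts"]} password for {ev["user"]} changed by '
                         f'"{ev["by"]}" running as uid 0')
        elif k in ("failed_login", "session_opened", "ftp_refused") and ev.get("src"):
            sources.setdefault(ev["src"], set()).add(ev["user"])
        elif k == "ftp_connection":
            sources.setdefault(ev["src"], set())
    return flags, sources


if __name__ == "__main__":
    evs = parse_events(SAMPLE.splitlines())
    flags, sources = findings(evs)
    for line in flags:
        print("FLAG", line)
    for src, users in sorted(sources.items()):
        print(src, sorted(users))
```

Run it on the full /var/log/messages rather than the sample and the output is a per-address list of account names plus the flagged lines; note that syslog only records what the login process was told, so the source addresses and the reverse-resolved hostname (ykt-101.mega.net.id in the post) are claims to hand to the ISP, not proof of who sat at the keyboard.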
    



    This archive was generated by hypermail 2b30 : Tue Sep 25 2001 - 08:13:36 PDT