Hi,

We have just recently been hacked. I have no idea how he came in. Here are my preliminary investigations:

1. He was able to add a user without logging in.

**Unmatched Entries**
Sep 5 10:39:33 srv1 sshd[20514]: Could not reverse map address 10.13.41.4.
Sep 5 10:39:35 srv1 sshd[20514]: Accepted password for root from 10.13.41.4 port 4207
Sep 5 17:30:36 srv1 sshd[23299]: Could not reverse map address 10.13.41.4.
Sep 5 17:30:41 srv1 sshd[23299]: Accepted password for root from 10.13.41.4 port 2491
Sep 5 22:16:59 srv1 useradd[23532]: new group: name=war, gid=502
Sep 5 22:16:59 srv1 useradd[23532]: new user: name=war, uid=502, gid=502, home=/home/war, shell=/bin/bash
Sep 5 22:17:31 srv1 sshd[23534]: Accepted password for war from 212.179.207.211 port 2746
Sep 5 22:19:17 srv1 sshd[23580]: fatal: Read from socket failed: Connection reset by peer
Sep 5 22:21:48 srv1 sshd[928]: Received SIGHUP; restarting.

2. He installed a tarball w00tkit.tgz in /home/war

3. After running chkrootkit, the significant lines are:

...
Checking `ifconfig'... INFECTED
...
Searching for Showtee... Warning: Possible Showtee Rootkit installed
...
Checking `lkm'... You have 1 process hidden for ps command
Warning: Possible LKM Trojan installed

4. ssh won't run anymore

Can anyone help me on how the intrusion was done?

Thanks.

Regards,
Allan
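As an added example (not part of Allan's post or anything from the list), the following Python triage script runs simple detection logic over the sshd and useradd lines quoted above: it flags password logins as root, and any login by an account whose creation is recorded earlier in the same log, noting whether the source address falls inside an assumed-internal 10.0.0.0/8 prefix. The prefix list is an assumption for illustration; a real deployment would use the site's own address plan.

```python
import re

# Sample input: the syslog lines quoted in the post, embedded here so the
# script runs offline (the order and content are as they appear in the post).
SAMPLE_LOG = """\
Sep 5 10:39:35 srv1 sshd[20514]: Accepted password for root from 10.13.41.4 port 4207
Sep 5 17:30:41 srv1 sshd[23299]: Accepted password for root from 10.13.41.4 port 2491
Sep 5 22:16:59 srv1 useradd[23532]: new group: name=war, gid=502
Sep 5 22:16:59 srv1 useradd[23532]: new user: name=war, uid=502, gid=502, home=/home/war, shell=/bin/bash
Sep 5 22:17:31 srv1 sshd[23534]: Accepted password for war from 212.179.207.211 port 2746
Sep 5 22:21:48 srv1 sshd[928]: Received SIGHUP; restarting.
"""

# OpenSSH "Accepted <method> for <user> from <ip> port <n>" records.
ACCEPT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port"
)
# useradd "new user: name=<user>, ..." records (group creation lines are ignored).
USERADD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ useradd\[\d+\]: new user: name=(?P<user>[^,]+),"
)


def triage(log_text, trusted_prefixes=("10.",)):
    """Return (timestamp, kind, detail) findings for suspicious auth events.

    trusted_prefixes is an assumed list of internal address prefixes used only
    to label where a login came from; it does not suppress any finding.
    """
    findings = []
    created = {}  # account name -> timestamp of its useradd record
    for line in log_text.splitlines():
        m = USERADD_RE.match(line)
        if m:
            created[m["user"]] = m["ts"]
            continue
        m = ACCEPT_RE.match(line)
        if not m:
            continue
        ts, method, user, ip = m["ts"], m["method"], m["user"], m["ip"]
        if user == "root" and method == "password":
            findings.append((ts, "root-password-login", f"root password login from {ip}"))
        if user in created:
            origin = "internal" if ip.startswith(trusted_prefixes) else "external"
            findings.append((ts, "new-account-login",
                             f"account '{user}' created at {created[user]} "
                             f"logged in from {origin} {ip}"))
    return findings


if __name__ == "__main__":
    for ts, kind, detail in triage(SAMPLE_LOG):
        print(f"{ts}  {kind:20s} {detail}")
```

Run against the post's excerpt, the script reports the two root password accepts from 10.13.41.4 and the login to the freshly created "war" account from an external address, which is the sequence Allan is asking about.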
This archive was generated by hypermail 2b30 : Tue Sep 10 2002 - 09:04:34 PDT