RE: possible ssh hack

From: Loki (lokiat_private)
Date: Wed Sep 11 2002 - 11:55:05 PDT


    What version of SSHD were you running? Check commonly exploited
    services.
    
    1. SSHD (crc32)
    2. FTPD 
    3. Apache (chunking)
    
    Get back to us with the versions you were running of SSH, FTP, and
    Apache and we can help you out. How hardened was the OS? Did you turn
    off all RPC services, etc.? We need more info.
    
    Eric/Loki
    Internet Warfare and Intelligence
    Fate Research Labs
    www.fatelabs.com
    
    -----Original Message-----
    From: Ver Allan Sumabat [mailto:ver_allanat_private] 
    Sent: Tuesday, September 10, 2002 6:08 AM
    To: incidentsat_private
    Subject: possible ssh hack
    
    
    Hi,
    
    We have just recently been hacked. I have no idea how
    he came in. Here are my preliminary investigations:
    
    1. He was able to add a user without logging in.
    
    **Unmatched Entries**
    Sep  5 10:39:33 srv1 sshd[20514]: Could not reverse map address 10.13.41.4.
    Sep  5 10:39:35 srv1 sshd[20514]: Accepted password for root from 10.13.41.4 port 4207
    Sep  5 17:30:36 srv1 sshd[23299]: Could not reverse map address 10.13.41.4.
    Sep  5 17:30:41 srv1 sshd[23299]: Accepted password for root from 10.13.41.4 port 2491
    Sep  5 22:16:59 srv1 useradd[23532]: new group: name=war, gid=502
    Sep  5 22:16:59 srv1 useradd[23532]: new user: name=war, uid=502, gid=502, home=/home/war, shell=/bin/bash
    Sep  5 22:17:31 srv1 sshd[23534]: Accepted password for war from 212.179.207.211 port 2746
    Sep  5 22:19:17 srv1 sshd[23580]: fatal: Read from socket failed: Connection reset by peer
    Sep  5 22:21:48 srv1 sshd[928]: Received SIGHUP; restarting.
    
    
    2. He installed a tarball w00tkit.tgz in /home/war
    
    3. After running chkrootkit, the significant lines are:
    
    ...
    Checking `ifconfig'... INFECTED
    ...
    Searching for Showtee... Warning: Possible Showtee Rootkit installed
    ...
    Checking `lkm'... You have     1 process hidden for ps command
    Warning: Possible LKM Trojan installed
    
    4. ssh won't run anymore
    
    Can anyone help me on how the intrusion was done?
    
    Thanks.
    
    Regards,
    
    Allan
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service. For
    more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
    
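A small triage script for the kind of log excerpt Allan posted, added here as an example and not part of either message: it takes the sshd/useradd lines from the report (re-joined onto one line each, since the mail client had wrapped them) and flags the sequence that stands out, password logins for root, an account created and then used within the hour, logins from non-private addresses, and an sshd restart. It assumes the default syslog timestamp format and the year 2002 for the timestamps.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample: the sshd/useradd lines from the report, one per line.
SAMPLE_LOG = """\
Sep  5 10:39:35 srv1 sshd[20514]: Accepted password for root from 10.13.41.4 port 4207
Sep  5 17:30:41 srv1 sshd[23299]: Accepted password for root from 10.13.41.4 port 2491
Sep  5 22:16:59 srv1 useradd[23532]: new group: name=war, gid=502
Sep  5 22:16:59 srv1 useradd[23532]: new user: name=war, uid=502, gid=502, home=/home/war, shell=/bin/bash
Sep  5 22:17:31 srv1 sshd[23534]: Accepted password for war from 212.179.207.211 port 2746
Sep  5 22:21:48 srv1 sshd[928]: Received SIGHUP; restarting.
"""

TS = r"(\w{3}\s+\d+ \d\d:\d\d:\d\d)"
ACCEPTED = re.compile(TS + r" \S+ sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port (\d+)")
NEW_USER = re.compile(TS + r" \S+ useradd\[\d+\]: new user: name=(\S+),")
SIGHUP = re.compile(r"sshd\[\d+\]: Received SIGHUP; restarting")

def parse_ts(s, year=2002):
    # syslog omits the year; collapse the padding space before single-digit days
    return datetime.strptime(f"{year} {' '.join(s.split())}", "%Y %b %d %H:%M:%S")

def is_public(src):
    try:
        return ipaddress.ip_address(src).is_global
    except ValueError:  # sshd may log a hostname rather than an address
        return False

def audit(log, year=2002):
    """Return (severity, message) findings from syslog-style sshd/useradd lines."""
    findings = []
    created = {}  # username -> creation time, so a new account's first login can be correlated
    for line in log.splitlines():
        m = NEW_USER.match(line)
        if m:
            created[m.group(2)] = parse_ts(m.group(1), year)
            findings.append(("medium", f"account created: {m.group(2)} at {m.group(1)}"))
            continue
        m = ACCEPTED.match(line)
        if m:
            ts, method, user, src, _port = m.groups()
            when = parse_ts(ts, year)
            if user == "root" and method == "password":
                findings.append(("high", f"root password login from {src} at {ts}"))
            if user in created and (when - created[user]).total_seconds() < 3600:
                age = int((when - created[user]).total_seconds())
                findings.append(("high", f"new account {user} used {age}s after creation from {src}"))
            if is_public(src):
                findings.append(("medium", f"login for {user} from non-private address {src}"))
            continue
        if SIGHUP.search(line):
            findings.append(("low", "sshd restarted (SIGHUP); verify the sshd binary and config"))
    return findings
```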
    



    This archive was generated by hypermail 2b30 : Wed Sep 11 2002 - 15:35:03 PDT