What version of SSHD were you running? Check commonly exploited services:

1. SSHD (crc32)
2. FTPD
3. Apache (chunking)

Get back to us with the versions you were running of SSH, FTP, and Apache and we can help you out. How hardened was the OS? Did you turn off all RPC services, etc.? We need more info.

Eric/Loki
Internet Warfare and Intelligence
Fate Research Labs
www.fatelabs.com

-----Original Message-----
From: Ver Allan Sumabat [mailto:ver_allanat_private]
Sent: Tuesday, September 10, 2002 6:08 AM
To: incidentsat_private
Subject: possible ssh hack

Hi,

We have just recently been hacked. I have no idea how he came in. Here are my preliminary investigations:

1. He was able to add a user without logging in.

**Unmatched Entries**
Sep 5 10:39:33 srv1 sshd[20514]: Could not reverse map address 10.13.41.4.
Sep 5 10:39:35 srv1 sshd[20514]: Accepted password for root from 10.13.41.4 port 4207
Sep 5 17:30:36 srv1 sshd[23299]: Could not reverse map address 10.13.41.4.
Sep 5 17:30:41 srv1 sshd[23299]: Accepted password for root from 10.13.41.4 port 2491
Sep 5 22:16:59 srv1 useradd[23532]: new group: name=war, gid=502
Sep 5 22:16:59 srv1 useradd[23532]: new user: name=war, uid=502, gid=502, home=/home/war, shell=/bin/bash
Sep 5 22:17:31 srv1 sshd[23534]: Accepted password for war from 212.179.207.211 port 2746
Sep 5 22:19:17 srv1 sshd[23580]: fatal: Read from socket failed: Connection reset by peer
Sep 5 22:21:48 srv1 sshd[928]: Received SIGHUP; restarting.

2. He installed a tarball w00tkit.tgz in /home/war

3. After running chkrootkit, the significant lines are:

...
Checking `ifconfig'... INFECTED
...
Searching for Showtee... Warning: Possible Showtee Rootkit installed
...
Checking `lkm'... You have 1 process hidden for ps command
Warning: Possible LKM Trojan installed

4. ssh won't run anymore

Can anyone help me on how the intrusion was done? Thanks.

Regards,
Allan

__________________________________________________
Yahoo!
- We Remember 9-11: A tribute to the more than 3,000 lives lost
http://dir.remember.yahoo.com/tribute

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
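The log excerpt in Allan's post already carries the signals a responder would pull out first: password logins as root from an address sshd could not reverse-map, a useradd a few hours later, the new account's first login from an unrelated external address, and an sshd restart shortly before ssh stopped working. The script below is an added example written for this archive page (it is not code from either poster) that parses exactly those syslog lines and turns them into severity-tagged findings. The severity labels and the "10." trusted-prefix allow-list are illustrative assumptions, not anything stated in the thread.

```python
import re
from collections import Counter, namedtuple

# Constructed sample input: the sshd/useradd syslog lines quoted in Allan's
# post, copied verbatim so the triage can be run offline.
SAMPLE_LOG = """\
Sep 5 10:39:33 srv1 sshd[20514]: Could not reverse map address 10.13.41.4.
Sep 5 10:39:35 srv1 sshd[20514]: Accepted password for root from 10.13.41.4 port 4207
Sep 5 17:30:36 srv1 sshd[23299]: Could not reverse map address 10.13.41.4.
Sep 5 17:30:41 srv1 sshd[23299]: Accepted password for root from 10.13.41.4 port 2491
Sep 5 22:16:59 srv1 useradd[23532]: new group: name=war, gid=502
Sep 5 22:16:59 srv1 useradd[23532]: new user: name=war, uid=502, gid=502, home=/home/war, shell=/bin/bash
Sep 5 22:17:31 srv1 sshd[23534]: Accepted password for war from 212.179.207.211 port 2746
Sep 5 22:19:17 srv1 sshd[23580]: fatal: Read from socket failed: Connection reset by peer
Sep 5 22:21:48 srv1 sshd[928]: Received SIGHUP; restarting.
"""

# Classic syslog line: "<Mon> <day> <hh:mm:ss> <host> <prog>[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
ACCEPT_RE = re.compile(
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)
NOREV_RE = re.compile(r"Could not reverse map address (?P<ip>\S+)\.")
NEWUSER_RE = re.compile(r"new user: name=(?P<user>[^,]+), uid=(?P<uid>\d+)")

Event = namedtuple("Event", "ts host prog pid msg")


def parse(text):
    """Split syslog text into Event tuples, skipping lines that do not parse."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(m["ts"], m["host"], m["prog"], m["pid"], m["msg"]))
    return events


def triage(text, trusted_prefixes=("10.",)):
    """Return (severity, timestamp, description) findings for the log text.

    trusted_prefixes is an assumed allow-list of internal address prefixes:
    10.13.41.4 in the sample is treated as internal, 212.179.207.211 as not.
    """
    findings = []
    unresolved = set()  # addresses sshd could not reverse-map
    created = {}        # accounts created by useradd -> timestamp
    for ev in parse(text):
        if ev.prog == "sshd":
            m = NOREV_RE.search(ev.msg)
            if m:
                unresolved.add(m["ip"])
                continue
            if ev.msg.startswith("Received SIGHUP"):
                findings.append(("MEDIUM", ev.ts,
                                 "sshd restarted; verify the sshd binary and config were not replaced"))
                continue
            m = ACCEPT_RE.search(ev.msg)
            if not m:
                continue
            user, ip, method = m["user"], m["ip"], m["method"]
            if user == "root" and method == "password":
                findings.append(("HIGH", ev.ts,
                                 f"interactive password login as root from {ip}"))
            if ip in unresolved:
                findings.append(("LOW", ev.ts,
                                 f"login from {ip}, which has no reverse DNS"))
            if user in created:
                findings.append(("HIGH", ev.ts,
                                 f"account {user} created at {created[user]} used from {ip}"))
            if not ip.startswith(trusted_prefixes):
                findings.append(("MEDIUM", ev.ts,
                                 f"login for {user} from untrusted address {ip}"))
        elif ev.prog == "useradd":
            m = NEWUSER_RE.search(ev.msg)
            if m:
                created[m["user"]] = ev.ts
                findings.append(("HIGH", ev.ts,
                                 f"account {m['user']} (uid {m['uid']}) created"))
    return findings


def summarize(findings):
    """Count findings per severity."""
    return dict(Counter(sev for sev, _, _ in findings))


if __name__ == "__main__":
    for sev, ts, desc in triage(SAMPLE_LOG):
        print(f"{sev:6} {ts}  {desc}")
```

Run against the sample, the two root password logins at 10:39 and 17:30 surface as the earliest HIGH findings, which is the point Eric's reply is driving at: the useradd at 22:16 was not done "without logging in", it followed two accepted root sessions from 10.13.41.4, and the new account was then used from 212.179.207.211. Feed the same function a full /var/log/secure (or whatever the distribution writes sshd messages to) rather than the excerpt to see whether the root logins themselves were the first anomaly or were preceded by something else.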
This archive was generated by hypermail 2b30 : Wed Sep 11 2002 - 15:35:03 PDT