Also.. Check your /var/log/messages file and your /path/to/apache/logs/error_log for the following items. The Log Forensics team at Fate Labs recently did an analysis of apache-nosejob and sshd. Here are some common footprints those exploits leave. ------- apache chunking exploit --------- [Sat Aug 31 02:38:15 2002] [notice] Apache/1.3.24 (Unix) configured -- resuming normal operations [Sat Aug 31 02:38:15 2002] [notice] Accept mutex: flock (Default: flock) [Sat Aug 31 02:38:25 2002] [notice] child pid 18709 exit signal Segmentation fault (11) [Sat Aug 31 02:38:25 2002] [notice] child pid 2755 exit signal Segmentation fault (11) [Sat Aug 31 02:38:25 2002] [notice] child pid 28354 exit signal Segmentation fault (11) [Sat Aug 31 02:38:25 2002] [notice] child pid 27110 exit signal Segmentation fault (11) [Sat Aug 31 02:38:25 2002] [notice] child pid 28888 exit signal Segmentation fault (11) [Sat Aug 31 02:38:25 2002] [notice] child pid 32142 exit signal Segmentation fault (11) [Sat Aug 31 02:38:27 2002] [notice] child pid 6740 exit signal Segmentation fault (11) [Sat Aug 31 02:38:27 2002] [notice] child pid 21507 exit signal Segmentation fault (11) [Sat Aug 31 02:38:28 2002] [notice] child pid 4969 exit signal Segmentation fault (11) [Sat Aug 31 02:38:28 2002] [notice] child pid 27417 exit signal Segmentation fault (11) [Sat Aug 31 02:38:28 2002] [notice] child pid 14010 exit signal Segmentation fault (11) [Sat Aug 31 02:38:28 2002] [notice] child pid 12271 exit signal Segmentation fault (11) [Sat Aug 31 02:38:29 2002] [notice] child pid 16779 exit signal Segmentation fault (11) [Sat Aug 31 02:38:29 2002] [notice] child pid 23834 exit signal Segmentation fault (11) [Sat Aug 31 02:38:29 2002] [notice] child pid 17386 exit signal Segmentation fault (11) [Sat Aug 31 02:38:29 2002] [notice] child pid 12003 exit signal Segmentation fault (11) ------- sshd crc32 --------- Aug 28 16:59:20 researchat_private sshd[29178]: log: Connection from 192.168.0.1port 56215 Aug 28 16:59:28 researchat_private sshd[29179]: log: Connection from 192.168.0.1port 59150 Aug 28 16:59:35 researchat_private sshd[29180]: log: Connection from 192.168.0.1port 51777 Aug 28 16:59:42 researchat_private sshd[29180]: fatal: Local: Corrupted check bytes on input. Aug 28 16:59:42 researchat_private sshd[29181]: log: Connection from 192.168.0.1port 53554 Aug 28 16:59:49 researchat_private sshd[29182]: log: Connection from 192.168.0.1port 63955 Aug 28 16:59:55 researchat_private sshd[29182]: fatal: Local: Corrupted check bytes on input. Aug 28 17:03:38 researchat_private sshd[29212]: fatal: Local: crc32 compensation attack: network attack detected ------------------------------ The biggest talltale sign that an SSHD attack took place are attempts to connect to the SSHD process from the same IP Address dozens of times, and of course... A warning from the SSHD process that a crc32 compensation attack is being detected. To get packet dumps from the attacks we ran, goto http://www.fatelabs.com and click on Research -> Log Project Hope this helps. Eric/Loki Fate Research Labs www.fatelabs.com -----Original Message----- From: Ver Allan Sumabat [mailto:ver_allanat_private] Sent: Tuesday, September 10, 2002 6:08 AM To: incidentsat_private Subject: possible ssh hack Hi, We have just recently been hacked. I have no idea how he came in. Here are my preliminary investigations: 1. He was able to add a user without logging in. **Unmatched Entries** Sep 5 10:39:33 srv1 sshd[20514]: Could not reverse map address 10.13.41.4. Sep 5 10:39:35 srv1 sshd[20514]: Accepted password for root from 10.13.41.4 port 4207 Sep 5 17:30:36 srv1 sshd[23299]: Could not reverse map address 10.13.41.4. Sep 5 17:30:41 srv1 sshd[23299]: Accepted password for root from 10.13.41.4 port 2491 Sep 5 22:16:59 srv1 useradd[23532]: new group: name=war, gid=502 Sep 5 22:16:59 srv1 useradd[23532]: new user: name=war, uid=502, gid=502, home=/home/war, shell=/bin/bash Sep 5 22:17:31 srv1 sshd[23534]: Accepted password for war from 212.179.207.211 port 2746 Sep 5 22:19:17 srv1 sshd[23580]: fatal: Read from socket failed: Connection reset by peer Sep 5 22:21:48 srv1 sshd[928]: Received SIGHUP; restarting. 2. He installed a tarball w00tkit.tgz in /home/war 3. After running chkrootkit, the significant lines are: ... Checking `ifconfig'... INFECTED ... Searching for Showtee... Warning: Possible Showtee Rootkit installed ... Checking `lkm'... You have 1 process hidden for ps command Warning: Possible LKM Trojan installed 4. ssh won't run anymore Can anyone help me on how the intrusion was done? Thanks. Regards, Allan __________________________________________________ Yahoo! - We Remember 9-11: A tribute to the more than 3,000 lives lost http://dir.remember.yahoo.com/tribute ------------------------------------------------------------------------ ---- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Sep 11 2002 - 15:40:07 PDT