Re: Non-existent user able to log in??? hacked????



Hi Arnaud,

just some points - I have no idea whether you've been hacked.

On Tue, May 18, 2004 at 10:21:22PM +0200, A. Loonstra wrote:
> Last night I found the following in my wtmp:
>
> test     ftpd19097    141.222.42.5     Sat May 15 10:57 - 10:57  (00:00)
> 
> I had this test account once but removed the account right away. So this
> shouldn't show up in my logs anyhow.

Are you sure there's nothing left over from that account? I know little
about wu-ftpd configuration - maybe some .db files need refreshing from the
respective user/password files, or similar?

> The weird thing is that syslog
> shows something else:
>
> May 15 10:57:41 matilda wu-ftpd[19097]: connect from 141.222.42.5
> May 15 10:57:44 matilda wu-ftpd[19097]: FTP LOGIN REFUSED (ftp not in
> /etc/passwd) FROM 141.222.42.5 [141.222.42.5], anonymous

Looks a bit like the host tried a couple of very common login names. The IP
is owned by skidmore.edu, so this could be some dorm room hacker...

Regardless of whether that person was successful in getting on your
machine, it might be a good idea to contact the skidmore.edu admins
<http://www2.skidmore.edu/cits/staffdir/staff_dir.cfm>. They might be able
to tell who was logged into the machine at the time, or has been assigned
that IP. They most probably won't tell you who, but might educate the
person in question about the fact that what they do is unlawful.

(Dunno about America, but in Germany, the act of "Daten ausspähen" is a
crime - roughly paraphrased, this means accessing files which are protected
from being viewed by anyone. So trying to log in is the attempt of a crime,
which is also a crime. IANAL though.)

> I have nothing in /etc/passwd, /etc/shadow or anywhere else...
> a grep test on passwd* or shadow* reveals nothing. So how is it possible
> that this test user is able to log in?

I think the first thing you should do is to check whether the binaries for
your ftpd, PAM modules, inetd, tcp wrappers and all the related stuff have
been modified. The correct, paranoid way to do this is to boot into, say,
Knoppix, from CD, download known good packages, and compare the md5sums.

It doesn't look like the attacker did anything once he was logged in (maybe
he was just scanning the net for open FTP servers), but if any doubt
remains, reinstall from scratch.

Maybe also consider using a different ftpd...

Cheers,

  Richard

-- 
  __   _
  |_) /|  Richard Atterer     |  GnuPG key:
  | \/¯|  http://atterer.net  |  0x888354F7
  ¯ '` ¯
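The offline integrity check Richard suggests (boot a live CD, fetch known good packages, compare md5sums), written out as an added example that is not part of the original thread: a POSIX shell function comparing files under a mounted suspect root against an md5sum list taken from a known good copy of the package. All paths, file names and the fixture contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original thread. Compares files under a
# mounted SUSPECT root (the disk of the box in question, mounted from a
# live CD) against an md5sum list produced from a KNOWN GOOD copy of the
# package; the list on the suspect disk itself is deliberately not trusted.
set -u

# Usage: verify_against_trusted TRUSTED_LIST SUSPECT_ROOT
# TRUSTED_LIST has md5sum(1) format: "<hex digest>  <path relative to root>".
# Prints one line per missing or modified file; exit status = their count.
verify_against_trusted() {
    trusted=$1 root=$2 bad=0
    while read -r sum path; do
        [ -n "$sum" ] || continue
        file="$root/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"
            bad=$((bad + 1))
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" != "$sum" ]; then
            echo "MODIFIED $path (trusted $sum, on disk $actual)"
            bad=$((bad + 1))
        fi
    done < "$trusted"
    return "$bad"
}

# Constructed fixture (file names are placeholders, not Debian's real paths):
# three pristine "binaries", a trusted list taken while they are pristine,
# then one is overwritten and one deleted to simulate tampering.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/root/usr/sbin"
    for f in ftpd inetd tcpd; do
        printf 'pristine %s\n' "$f" > "$dir/root/usr/sbin/$f"
    done
    (cd "$dir/root" && md5sum usr/sbin/ftpd usr/sbin/inetd usr/sbin/tcpd) \
        > "$dir/trusted.md5sums"
    printf 'backdoored\n' > "$dir/root/usr/sbin/ftpd"   # simulated trojan
    rm "$dir/root/usr/sbin/tcpd"                        # simulated deletion
    echo "$dir"
}

fixture=$(make_fixture)
verify_against_trusted "$fixture/trusted.md5sums" "$fixture/root"
echo "files differing from the trusted list: $?"
rm -rf "$fixture"
```

On a real Debian system the trusted list would come from the DEBIAN/md5sums of a freshly downloaded .deb (for example via `dpkg-deb -e`), not from /var/lib/dpkg/info on the suspect disk.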