
Re: Help needed - server hacked twice in three days (and I don't think I'm a newbie)



Karsten Dambekalns wrote:
<SNIP>

Jul 19 03:07:30 ds217-115-141-24 sshd[27011]: Illegal user anton from 217.115.205.101
# whois 217.115.205.101
% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Note: the default output of the RIPE Whois server
% is changed. Your tools may need to be adjusted. See
% http://www.ripe.net/db/news/abuse-proposal-20050331.html
% for more details.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
%       To receive output for a database update, use the "-B" flag

% Information related to '217.115.205.0 - 217.115.205.255'

inetnum:      217.115.205.0 - 217.115.205.255
netname:      YELLOWBOX
descr:        NL-NXS-CUST-YELLOWBOX
country:      NL
admin-c:      HA641-RIPE
tech-c:       HA641-RIPE
status:       ASSIGNED PA
mnt-by:       NXS-MNT
source:       RIPE # Filtered

person:       Harland Adelaars
address:      Yellowbox Nederland
address:      Jupiter 6
address:      5482XD Schijndel
phone:        +31 73 5430400
fax-no:       +31 73 5430729
e-mail:       info@yellowbox.nl
nic-hdl:      HA641-RIPE
source:       RIPE # Filtered

% Information related to 'HA641-RIPE'

route:        217.115.192.0/20
descr:        Nxs Internet
origin:       AS16237
mnt-by:       NXS-MNT
source:       RIPE # Filtered

</SNIP>

First, you'd better complain to Yellowbox Nederland. They might be hacked also. If not, they can push your complaint to brasiltelecom, because their IP addresses were used to hack you.

<SNIP>

Jul 19 03:39:18 ds217-115-141-24 sshd[27228]: reverse mapping checking getaddrinfo for 201-002-151-194.erece203.dial.brasiltelecom.net.br failed - POSSIBLE BREAKIN ATTEMPT!
Jul 19 03:39:22 ds217-115-141-24 sshd[27228]: Accepted keyboard-interactive/pam for morris from 201.2.151.194 port 1312 ssh2
# whois 201.2.151.194

% Copyright LACNIC lacnic.net
%  The data below is provided for information purposes
%  and to assist persons in obtaining information about or
%  related to AS and IP numbers registrations
%  By submitting a whois query, you agree to use this data
%  only for lawful purposes.
%  2005-07-22 06:10:28 (BRT -03:00)

inetnum:     201.0/12
status:      allocated
owner:       Comite Gestor da Internet no Brasil
ownerid:     BR-CGIN-LACNIC
responsible: Frederico A C Neves
address:     Av. das Nações Unidas, 11541, 7° andar
address:     04578-000 - São Paulo - SP
country:     BR
phone:       +55 11 9119-0304 []
owner-c:     CGB
tech-c:      CGB
inetrev:     201.0/12
nserver:     A.DNS.BR
nsstat:      20050721 AA
nslastaa:    20050721
nserver:     B.DNS.BR
nsstat:      20050721 AA
nslastaa:    20050721
nserver:     C.DNS.BR
nsstat:      20050721 AA
nslastaa:    20050721
nserver:     D.DNS.BR
nsstat:      20050721 AA
nslastaa:    20050721
nserver:     E.DNS.BR
nsstat:      20050721 AA
nslastaa:    20050721
remarks:     These addresses have been further assigned to Brazilian users.
remarks:     Contact information can be found at the WHOIS server located
remarks:     at whois.registro.br or at http://whois.registro.br
created:     20030618
changed:     20030618

nic-hdl:     CGB
person:      Comite Gestor da Internet no Brasil
e-mail:      blkadm@NIC.BR
address:     Av. das Nações Unidas, 11541, 7° andar
address:     04578-000 - São Paulo - SP
country:     BR
phone:       +55 19 9119-0304 []
created:     20020902
changed:     20050621

% whois.lacnic.net accepts only direct match queries.
% Types of queries are: POCs, ownerid, CIDR blocks, IP
% and AS numbers.

</SNIP>

The block 201.0/12, and especially the address 201.2.151.194, is owned by "Comite Gestor da Internet no Brasil". Complain to them also. They might push your complaint to brasiltelecom as well.

<SNIP>

cat /etc/passwd | less
passwd daemon

wc -l passwd /etc/passwd
wc -l shadow /etc/shadow
cat /etc/shadow >./shadow
cat /etc/passwd >./passwd
wc -l passwd /etc/passwd
til /etc/passwd
tail /etc/passwd
cat /etc/passwd
passwd daemon
cat /etc/shadow >./shadow
cat ./shadow
</SNIP>
The hacker played with the passwd and shadow files. Give the hacker difficulties: consider using LDAP authentication and forgetting about the passwd and shadow files (if possible). Then consider using iptables to drop ssh and/or mysql connection attempts from outside. Then make use of ssh keys (with a passphrase) for your users.

That's what I recommend you do first.

Hope it helps,

Chris
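The two sshd entries quoted above already contain the signal Chris is pointing at: the `reverse mapping checking getaddrinfo ... failed` line and the `Accepted keyboard-interactive/pam for morris` line share the same sshd pid (27228), and the `Illegal user` line gives a source address to look up. The script below is an added example (not code from the original post or from Karsten's server) that triages an auth log in exactly that way: it parses lines of the format shown in the thread, counts failed and illegal-user attempts per source IP, ties reverse-DNS failures to the login they precede via the sshd pid, flags password-based logins, and produces the list of addresses worth running through whois and reporting to the abuse contact. The log content is constructed: the first and fourth/fifth lines mirror the ones quoted above, the rest are invented padding, and `192.0.2.10` / user `karsten` are assumed placeholders for a legitimate key-based login.

```python
import re
from collections import defaultdict

# Constructed sample log. Lines 1, 4 and 5 follow the entries quoted in the thread;
# the others are invented to give the correlation something to work on.
SAMPLE_LOG = """\
Jul 19 03:07:30 ds217-115-141-24 sshd[27011]: Illegal user anton from 217.115.205.101
Jul 19 03:07:33 ds217-115-141-24 sshd[27013]: Illegal user test from 217.115.205.101
Jul 19 03:07:36 ds217-115-141-24 sshd[27015]: Failed password for illegal user test from 217.115.205.101 port 4021 ssh2
Jul 19 03:39:18 ds217-115-141-24 sshd[27228]: reverse mapping checking getaddrinfo for 201-002-151-194.erece203.dial.brasiltelecom.net.br failed - POSSIBLE BREAKIN ATTEMPT!
Jul 19 03:39:22 ds217-115-141-24 sshd[27228]: Accepted keyboard-interactive/pam for morris from 201.2.151.194 port 1312 ssh2
Jul 19 08:12:01 ds217-115-141-24 sshd[28001]: Accepted publickey for karsten from 192.0.2.10 port 51022 ssh2
"""

# syslog prefix: timestamp, host, "sshd[<pid>]: <message>"
LINE_RE = re.compile(r'^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$')
ILLEGAL_RE = re.compile(r'^Illegal user (?P<user>\S+) from (?P<ip>[\d.]+)')
FAILED_RE = re.compile(r'^Failed (?P<method>\S+) for (?:illegal user )?(?P<user>\S+) from (?P<ip>[\d.]+)')
REVMAP_RE = re.compile(r'^reverse mapping checking getaddrinfo for (?P<name>\S+) failed')
ACCEPTED_RE = re.compile(r'^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)')

# Methods that rely on a guessable secret rather than a key.
PASSWORD_METHODS = {'password', 'keyboard-interactive/pam', 'keyboard-interactive'}


def parse_line(line):
    """Return an event dict for one sshd log line, or None if it is not an sshd line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    for kind, rx in (('illegal', ILLEGAL_RE), ('failed', FAILED_RE),
                     ('revmap', REVMAP_RE), ('accepted', ACCEPTED_RE)):
        mm = rx.match(ev['msg'])
        if mm:
            ev['kind'] = kind
            ev.update(mm.groupdict())
            return ev
    ev['kind'] = 'other'
    return ev


def triage(log_text, threshold=3):
    """Summarise failures per source IP, flag suspicious successful logins,
    and list the IPs that deserve a whois lookup / abuse report."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]

    failures = defaultdict(int)   # source IP -> failed/illegal attempts
    revmap_pids = set()           # sshd pids whose reverse DNS check failed
    for e in events:
        if e['kind'] in ('illegal', 'failed'):
            failures[e['ip']] += 1
        elif e['kind'] == 'revmap':
            revmap_pids.add(e['pid'])

    logins = []
    for e in events:
        if e['kind'] != 'accepted':
            continue
        flags = []
        # The revmap warning is logged by the same sshd child (same pid) as the login.
        if e['pid'] in revmap_pids:
            flags.append('reverse_dns_failed')
        if failures.get(e['ip'], 0):
            flags.append('prior_failures')
        if e['method'] in PASSWORD_METHODS:
            flags.append('password_auth')
        logins.append({'ts': e['ts'], 'user': e['user'], 'ip': e['ip'],
                       'method': e['method'], 'flags': flags})

    suspicious = [l for l in logins if l['flags']]
    brute_force = {ip for ip, n in failures.items() if n >= threshold}
    report = sorted(brute_force | {l['ip'] for l in suspicious})
    return {'failures': dict(failures), 'logins': logins,
            'suspicious': suspicious, 'report': report}


if __name__ == '__main__':
    result = triage(SAMPLE_LOG)
    for login in result['suspicious']:
        print(f"{login['ts']} {login['user']}@{login['ip']} via {login['method']}: {', '.join(login['flags'])}")
    for ip in result['report']:
        print(f"whois {ip}   # find the abuse contact and report")
```

On the constructed input this flags the `morris` login from 201.2.151.194 (reverse DNS failed, password-based auth) and leaves the key-based `karsten` login alone, and it lists both 217.115.205.101 (three failures) and 201.2.151.194 for whois. Two caveats a practitioner would add: pid correlation only holds within one sshd child, so a revmap warning from a connection that never authenticated will not attach to anything, and on a box that has already been rooted the log itself may have been edited, so compare against a remote syslog copy where one exists.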


