Security Incidents
mailing list archives
Re: possible ssh hack
From: Alvin Oga <alvin.sec () Mail Linux-Consulting com>
Date: Tue, 10 Sep 2002 09:11:53 -0700 (PDT)
hi
w/o knowing your setup, it's hard to tell how they got in ...
stuff to do now, that they are in..
a. take that disk offline
b. get a new and install a fresh copy of linux from cdrom
and apply all patches for that distro
c. turn off all unused daemons, services
- change your passwds locally on each console
d. restore your user data from backup PRIOR to the hack
-- do NOT restore binaries, libs
e. get the forensics guyz to come and review your disk and security policy as to how they got in and how to prevent it next time
- probably attack the kernel
- attack the dns, fw, sendmail, pop, etc
let the fun of chasing them down begin
http://www.Linux-Sec.net
-- hardening your server
have fun
alvin
On Tue, 10 Sep 2002, Ver Allan Sumabat wrote:
Hi,
We have just recently been hacked. I have no idea how he came in. Here are my preliminary investigations:
1. He was able to add a user without logging in.
**Unmatched Entries**
Sep 5 10:39:33 srv1 sshd[20514]: Could not reverse map address 10.13.41.4.
Sep 5 10:39:35 srv1 sshd[20514]: Accepted password for root from 10.13.41.4 port 4207
Sep 5 17:30:36 srv1 sshd[23299]: Could not reverse map address 10.13.41.4.
Sep 5 17:30:41 srv1 sshd[23299]: Accepted password for root from 10.13.41.4 port 2491
Sep 5 22:16:59 srv1 useradd[23532]: new group: name=war, gid=502
Sep 5 22:16:59 srv1 useradd[23532]: new user: name=war, uid=502, gid=502, home=/home/war, shell=/bin/bash
Sep 5 22:17:31 srv1 sshd[23534]: Accepted password for war from 212.179.207.211 port 2746
Sep 5 22:19:17 srv1 sshd[23580]: fatal: Read from socket failed: Connection reset by peer
Sep 5 22:21:48 srv1 sshd[928]: Received SIGHUP; restarting.
2. He installed a tarball w00tkit.tgz in /home/war
3. After running chkrootkit, the significant lines are:
...
Checking `ifconfig'... INFECTED
...
Searching for Showtee... Warning: Possible Showtee Rootkit installed
...
Checking `lkm'... You have 1 process hidden for ps command
Warning: Possible LKM Trojan installed
4. ssh won't run anymore
Can anyone help me on how the intrusion was done?
Thanks.
Regards,
Allan
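The sshd and useradd lines Allan quotes already contain the whole sequence: two password logins as root from an address with no reverse DNS, then a new account created, then a login as that account from a different address within a minute. The script below is an added example (not from either poster) that parses syslog lines in that format and flags exactly those three conditions, so the same pattern can be caught in a log review before the rootkit stage. The sample log is constructed to match the excerpt in the post; the year is assumed to be 2002 because syslog timestamps carry none, and the 24-hour correlation window is an arbitrary choice.

```python
"""Correlate sshd/useradd syslog lines to flag the login-then-useradd pattern."""
import re
from datetime import datetime, timedelta

# Constructed sample, modelled line for line on the excerpt quoted in the post.
SAMPLE_LOG = """\
Sep 5 10:39:33 srv1 sshd[20514]: Could not reverse map address 10.13.41.4.
Sep 5 10:39:35 srv1 sshd[20514]: Accepted password for root from 10.13.41.4 port 4207
Sep 5 17:30:36 srv1 sshd[23299]: Could not reverse map address 10.13.41.4.
Sep 5 17:30:41 srv1 sshd[23299]: Accepted password for root from 10.13.41.4 port 2491
Sep 5 22:16:59 srv1 useradd[23532]: new group: name=war, gid=502
Sep 5 22:16:59 srv1 useradd[23532]: new user: name=war, uid=502, gid=502, home=/home/war, shell=/bin/bash
Sep 5 22:17:31 srv1 sshd[23534]: Accepted password for war from 212.179.207.211 port 2746
Sep 5 22:19:17 srv1 sshd[23580]: fatal: Read from socket failed: Connection reset by peer
Sep 5 22:21:48 srv1 sshd[928]: Received SIGHUP; restarting.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACCEPT_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
NOREV_RE = re.compile(r"Could not reverse map address (?P<ip>\S+)\.")
NEWUSER_RE = re.compile(r"new user: name=(?P<user>\w+), uid=(?P<uid>\d+)")


def parse(log, year=2002):
    """Return (timestamp, program, pid, message) tuples; year is assumed."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse syslog's padded day field
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["prog"], int(m["pid"]), m["msg"]))
    return events


def analyse(events, window=timedelta(hours=24)):
    """Return (timestamp, kind, detail) findings in log order."""
    findings = []
    unresolvable = {}  # sshd child pid -> peer address that failed reverse lookup
    created = {}       # username -> time useradd created it
    for ts, prog, pid, msg in events:
        if prog == "sshd":
            m = NOREV_RE.search(msg)
            if m:
                unresolvable[pid] = m["ip"]
                continue
            m = ACCEPT_RE.search(msg)
            if not m:
                continue
            user, ip = m["user"], m["ip"]
            if user == "root" and m["method"] == "password":
                findings.append((ts, "root-password-login", f"root password login from {ip}"))
            # The failed reverse lookup is logged by the same sshd child as the login.
            if unresolvable.get(pid) == ip:
                findings.append((ts, "no-reverse-dns", f"login by {user} from {ip} with no reverse DNS"))
            if user in created and ts - created[user] <= window:
                age = ts - created[user]
                findings.append((ts, "new-account-login",
                                 f"{user} created {age} before first login from {ip}"))
        elif prog == "useradd":
            m = NEWUSER_RE.search(msg)
            if m:
                created[m["user"]] = ts
                findings.append((ts, "account-created", f"user {m['user']} uid {m['uid']} added"))
    return findings


if __name__ == "__main__":
    for ts, kind, detail in analyse(parse(SAMPLE_LOG)):
        print(f"{ts:%b %d %H:%M:%S}  {kind:<20}  {detail}")
```

On the sample it reports two root password logins, two logins from an address with no reverse DNS, the creation of `war`, and a login as `war` 32 seconds after the account appeared. Run against a full `/var/log/secure`, the `new-account-login` finding is the one worth paging on: a freshly created account authenticating from outside is rarely legitimate on a server that does not self-register users.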
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com