# Suspicious log

Show 40 post(s) from this thread on one page
Page 3 of 3 First 123
• November 19th, 2004, 03:34 PM
sec_ware
Hi

littlenick, thanks for your nice explanation of a brute force attack on a server with
to discuss how to gain information about what damage has been done to the
compromised system. Another unknown/topic is, how a "simple" ftp-user gains
root-access to the box (edit: well, and whether it really was a brute-force attack
or rather an exploit, but the log-files points to a brute-force attack using a dictionary,
hence the password of rootbeer was rather weak).

As per your question how long it would take to brute force a password.
Assume an "alphabet" consisting of approximatively 25 character (a-z) :D
and a password of length l, e.g. 8

Then, you have 25^l possibilities to brute force.

A 100% succesfull brute force attack using n nodes (e.g. 100)

duration = 25^8 / 100 * 10 ms = 175 days...

Cheers
• November 19th, 2004, 03:41 PM
littlenick
i don't think u got me correctly i was not asking a question there dude.i am pretty much sure that it was a distributed brute force attack i was saying that such kinda attacks can be completed in a day or two provided that you have right kinda information and good programming skills i have my own backgorund brute forcer i have used it a lot and was even able to brute force a friends ftp account in 8 hours(i knew his user name and starting character)
as far ur calculation of how long would it take i don't agree read my post carefully first.
i don't want to sound rude but i think u posted that in a hurry.

phishphreek80::thanks for updating me.
• November 19th, 2004, 10:23 PM
utahlanman
Both of you are still missing a basic point in the security of this server..

Just by brute-forcing an FTP password does not provide 'root' equivalency. What was the transition from FTP to root/shell access? Just uploading a file to a compromised FTP account wont provide 'root' access. There had to be some other situation that lent itself to compromising root.

At any rate, the point is moot. Penguin really needs to isolate the system, understand what went wrong and start over - following the suggestions provided thus far.
• November 19th, 2004, 10:54 PM
Tiger Shark
littlenick:

Nope, it wasn't distributed.... Why? The IP address doesn't change in the early part of the log. A distributed attack would show a cycling of attempts from a series of addresses in a very short time. The fact that the IP address changed between the early and the late part of the log, (more than an hour apart), does not indicate distributed. It was brute forced though.... I think the logs shows that..... I also think that the brute forcer knew that their was an account called rootbeer unless pure-ftpd is dumb enough to generate a different error message for a failed username than a failed password, (ie: bad username = "user not found", bad password = "Access Denied"). There's some speculation here 'cos I can't see the entire log.... But I have money to bet.... ;)

Utah: Not being familiar with *nix, is it possible for pure-ftpd to allow the root user as an automatic user of the FTP daemon and thus a login might give root rights? Also, could a user of the FTP site be given rights to the root of the drive? I like the second for a _huge_ mistake on the part of the user.... :D

Penguin: Utah, is right, (not to mention myself, Phish and some others). Get the box offline before they do something you can't control and they do something to someone else with your box.....

First Rule of Computer Security: When you know you are hacked and you don't understand why, how or what prevent the box from harming others......

Seriously mate, Get it offline and people like Phish and Utah can help you learn.
• November 19th, 2004, 11:42 PM
utahlanman
Tiger..

To respond to the FTP questions:

Yes, the FTP account(s) can be defined with rights to any portion of the filesystem (mount points).

As to the level of access, there is no "admin" equivalency (as in Windows) in Unix/Solaris/Linux. While an FTP account could have been created with full filesystem access, its doubtful that the account would have been able to have sufficient rights to modify the filesystem enough to own it (
'root' it).

Its more likely that this scenario played out (unless a buffer-overflow or weakness in the FTP deamon was exploited):

- rootbeer account broken / password guessed
- FTP is defined such that the root '/' fileystem is exposed
- rootbeer ftp user pulls down the /etc/passwd and /etc/shadow files and generates a crack
against 'root'

Another scenario is that user rootbeer is broken, then the system accessed via telnet/ssh/whatever and rootbeer launches some binary that opens an new outbound port/service that provides for additional filesystem exposure.

At any rate, without audit logs, syslog, etc -- its all just speculation.

It is entertaining to perform these kinds of post-mortem reviews and if Penguin could put the logs (usually found in /var/log) online for us to review, it could allow us to be further educated.
• November 20th, 2004, 04:53 PM
Penguin
Hi all,
I'm sorry that i canot provide more info for this attack as it is not my server.. but what i can say is that is it a web hosting server and we cannot just plug it off from the net.. there's a few client hosting inside.. we will try to figure out asap and then re-install everything..
• November 20th, 2004, 04:57 PM
Penguin
btw what is this rootkit thingy? how is it been installed into the box? does the attacker gain root access then install it or thru some buffer overrun vul?
• November 20th, 2004, 06:02 PM
Tiger Shark
Penguin:

If there is a rootkit installed you are foxxed!!!!!

A good rootkit is very difficult to find for a start. Secondly, the only sure way to find it is to bring the box down for a forensic investigation.

You are between a rock and a hard place..... The advice of all still stands. bring down the box, reformat and reinstall, patch, patch and then patch again. Secure it, log everything, watch the logs, put a packet sniffer on it and hope you blocked the hole. Learning will have to be for another day.
• November 20th, 2004, 07:28 PM
littlenick
tiger i think u are right but there are chances of a distributed brute force attack we can never deny that.there are only two possibilities .........
1)password search space was too small that it ws possible for a conventional brute force attack to complete in a day(as penguin said)
2)choosen password was too weak.like 1234567 it was attackers luck that he got that password in a day(may be his password generation scheme was such )

information available is not enough
penguin i think u r making a mistake u should take ur server offline.btw can u tell us what was the password before attack?
this information may help us analyse the situation more i would really appriciate a bit more information.
• November 22nd, 2004, 04:58 PM
Penguin
it's one of the user.. i do not have the passwd..
Show 40 post(s) from this thread on one page
Page 3 of 3 First 123