Some history:

Heh, I've been watching this for the last few days now. I set up my cousin's box with Fedora Core 2, and it has been updated completely. I have SSH running on there because he has like NO computer knowledge. Windows is out of his league, so I gave him Linux, as it would be easier for me to lock down for him than Linux.

What I mean by that is, I don't have to update AntiVirii software, and I can take over the machine from here if needed.

Many of you may remember my cousin, the one who never updates, doesn't update anything, opens mail from anyone who sends it, and so does his Mom, who also uses the machine.

The box is, as I said, fully updated. He does do some STUPID things though.

Like when his Parents bought a computer about 5 years ago, way before I had my first, they got a Gateway, Windows 98 box, and it came with antivirus. Well, they figured that since it updates itself, no problems.

My cousin downloaded things off Kazaa a lot, would turn it off rather than shutting down, and then not let ScanDisk run (he'd just skip it), NEVER ran Windows Update, and when I told him his machine was probably screwed pretty bad, he said "I don't care, it's just a virus".

I explained to him how zombies work, to which he replied "Oh, well, I'm hungry, see ya.".

..... That's my blood, guys...

In a later argument he said "You dumb ass, the Anti Virus updates automatically, so you're stupid."

I snapped:

I explained in oh so calm terms how you only get 6 months free, and after that you have to actually pay for a subscription and that his machine hadn't been updated in about 5 years. Which took an hour to hammer into him, as he was sure he was right and I was wrong.

So this is the kind of crap I deal with. Of course when his Dad found out the HD had errors on it, it was MY fault.

I put in a NIC in that box and it must have screwed up the HD...

And you people wonder why I'm a damn drug addict.

When my cousin decided to buy his own computer, it of course had Windows XP on it.

It started messing up, and this was 2 months after he bought it. I scanned it after hooking it up to my network, and found 12 Trojans on it, and a few other things.

A shocker for us all, I know.

So I put Linux on and didn't give him the Root password so he couldn't screw it up.

Well, he didn't want to pay me for any of this and he already owed me money, so as many of you know from IRC, I started rebooting it from my house, and killing Gaim so he couldn't talk to the friends he hangs out with. Well, he started actually talking to me then, and I told him he probably screwed it up.

When he wouldn't pay me, I decided it was time for some BOFH love:

rm -rf /usr
rm -rf /bin
cfdisk
delete all partitions
reboot/ init 6

So yea I got my money.

After I got paid, I put Fedora Core 2 on, and made sure to update.

I've been getting this in the logs:

################### LogWatch 5.1 (02/03/04) ####################
Processing Initiated: Thu Aug 12 04:02:05 2004
Date Range Processed: yesterday
Detail Level of Output: 0
Logfiles for Host: pcp******pcs.**********
################################################################

--------------------- pam_unix Begin ------------------------

sshd:
Authentication Failures:
root (216.244.96.212): 3 Time(s)
Invalid Users:
Unknown Account: 10 Time(s)
Unknown Entries:
authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=216.244.96.212 : 6 Time(s)
authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=64-219-10-201.ded.swbell.net : 4 Time(s)


---------------------- pam_unix End -------------------------


--------------------- Connections (secure-log) Begin ------------------------


**Unmatched Entries**
userhelper[5363]: pam_timestamp: updated timestamp file `/var/run/sudo/vile/unknown:root'
userhelper[5366]: running '/usr/sbin/up2date' with root privileges on behalf of 'vile'
userhelper[5372]: pam_timestamp: timestamp file `/var/run/sudo/vile/unknown:root' is only 202 seconds old, allowing access to up2date for UID 500
userhelper[5372]: pam_timestamp: updated timestamp file `/var/run/sudo/vile/unknown:root'
userhelper[5375]: running '/usr/sbin/up2date' with root privileges on behalf of 'vile'
userhelper[5378]: pam_timestamp: timestamp file `/var/run/sudo/vile/unknown:root' is only 110 seconds old, allowing access to up2date for UID 500
userhelper[5378]: pam_timestamp: updated timestamp file `/var/run/sudo/vile/unknown:root'
userhelper[5381]: running '/usr/sbin/up2date' with root privileges on behalf of 'vile'

---------------------- Connections (secure-log) End -------------------------


--------------------- sendmail Begin ------------------------



Bytes Transferred: 7188
Messages Sent: 2
Total recipients: 2
---------------------- sendmail End -------------------------


--------------------- SSHD Begin ------------------------


Failed logins from these:
admin/password from ::ffff:216.244.96.212: 2 Time(s)
admin/password from ::ffff:64.219.10.201: 2 Time(s)
guest/password from ::ffff:216.244.96.212: 1 Time(s)
guest/password from ::ffff:64.219.10.201: 1 Time(s)
root/password from ::ffff:216.244.96.212: 3 Time(s)
test/password from ::ffff:216.244.96.212: 2 Time(s)
test/password from ::ffff:64.219.10.201: 1 Time(s)
user/password from ::ffff:216.244.96.212: 1 Time(s)

Illegal users from these:
admin/none from ::ffff:216.244.96.212: 2 Time(s)
admin/none from ::ffff:64.219.10.201: 2 Time(s)
admin/password from ::ffff:216.244.96.212: 2 Time(s)
admin/password from ::ffff:64.219.10.201: 2 Time(s)
guest/none from ::ffff:216.244.96.212: 1 Time(s)
guest/none from ::ffff:64.219.10.201: 1 Time(s)
guest/password from ::ffff:216.244.96.212: 1 Time(s)
guest/password from ::ffff:64.219.10.201: 1 Time(s)
test/none from ::ffff:216.244.96.212: 2 Time(s)
test/none from ::ffff:64.219.10.201: 1 Time(s)
test/password from ::ffff:216.244.96.212: 2 Time(s)
test/password from ::ffff:64.219.10.201: 1 Time(s)
user/none from ::ffff:216.244.96.212: 1 Time(s)
user/password from ::ffff:216.244.96.212: 1 Time(s)

Users logging in through sshd:
root:
******************* (********): 1 time
^ The above was me.
---------------------- SSHD End -------------------------


--------------------- up2date Begin ------------------------


Package Installed:
['system-config-date-1.7.3.1-0.fc2.1']

---------------------- up2date End -------------------------



------------------ Disk Space --------------------

Filesystem Size Used Avail Use% Mounted on
/dev/hda2 37G 4.1G 31G 12% /
/dev/hda1 97M 7.6M 85M 9% /boot
none 122M 0 122M 0% /dev/shm


###################### LogWatch End #########################

Next :

----- Forwarded message from root <root@pc***********.****************> -----

Date: Wed, 11 Aug 2004 04:02:06 -0400
From: root <root@************************8>
To: root@**************************8t.net
Subject: LogWatch for ***

################### LogWatch 5.1 (02/03/04) ####################
Processing Initiated: Wed Aug 11 04:02:03 2004
Date Range Processed: yesterday
Detail Level of Output: 0
Logfiles for Host: ****
################################################################

--------------------- Init Begin ------------------------

**Unmatched Entries**
open(/dev/pts/0): No such file or directory
open(/dev/pts/0): No such file or directory

---------------------- Init End -------------------------


--------------------- ModProbe Begin ------------------------


Errors running install command:
sound_slot_1 : 2 Time(s)

---------------------- ModProbe End -------------------------


--------------------- pam_unix Begin ------------------------

sshd:
Authentication Failures:
root (211.173.81.252): 3 Time(s)
Invalid Users:
Unknown Account: 6 Time(s)
Unknown Entries:
authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.173.81.252 : 6 Time(s)


---------------------- pam_unix End -------------------------


--------------------- Connections (secure-log) Begin ------------------------


Connections:
Service sgi_fam:
<no address>: 1 Time(s)

**Unmatched Entries**
gdm[2391]: pam_succeed_if: requirement "uid < 100" not met by user "vile"

---------------------- Connections (secure-log) End -------------------------


--------------------- sendmail Begin ------------------------



Bytes Transferred: 16422
Messages Sent: 4
Total recipients: 4
**Unmatched Entries**
STARTTLS=server: file /etc/mail/certs/cert.pem unsafe: No such file or directory: 1 Time(s)

---------------------- sendmail End -------------------------


--------------------- SSHD Begin ------------------------


SSHD Killed: 1 Time(s)

SSHD Started: 1 Time(s)

Failed to bind:
0.0.0.0 port 22 (Address already in use) : 1 Time(s)

Failed logins from these:
admin/password from ::ffff:211.173.81.252: 2 Time(s)
guest/password from ::ffff:211.173.81.252: 1 Time(s)
root/password from ::ffff:211.173.81.252: 3 Time(s)
test/password from ::ffff:211.173.81.252: 2 Time(s)
user/password from ::ffff:211.173.81.252: 1 Time(s)

Illegal users from these:
admin/none from ::ffff:211.173.81.252: 2 Time(s)
admin/password from ::ffff:211.173.81.252: 2 Time(s)
guest/none from ::ffff:211.173.81.252: 1 Time(s)
guest/password from ::ffff:211.173.81.252: 1 Time(s)
test/none from ::ffff:211.173.81.252: 2 Time(s)
test/password from ::ffff:211.173.81.252: 2 Time(s)
user/none from ::ffff:211.173.81.252: 1 Time(s)
user/password from ::ffff:211.173.81.252: 1 Time(s)

Users logging in through sshd:
root:
Me

---------------------- SSHD End -------------------------



------------------ Disk Space --------------------

Filesystem Size Used Avail Use% Mounted on
/dev/hda2 37G 4.1G 31G 12% /
/dev/hda1 97M 7.6M 85M 9% /boot
none 122M 0 122M 0% /dev/shm


###################### LogWatch End #########################

################### LogWatch 5.1 (02/03/04) ####################
Processing Initiated: Tue Aug 10 12:02:36 2004
Date Range Processed: yesterday
Detail Level of Output: 0
Logfiles for Host:*********
################################################################

--------------------- pam_unix Begin ------------------------

sshd:
Authentication Failures:
root (209.0.206.183): 3 Time(s)
root (80.64.104.66): 3 Time(s)
Invalid Users:
Unknown Account: 12 Time(s)
Unknown Entries:
authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=209.0.206.183 : 6 Time(s)
authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=80.64.104.66 : 6 Time(s)


---------------------- pam_unix End -------------------------


--------------------- Connections (secure-log) Begin ------------------------


**Unmatched Entries**
userhelper[26015]: pam_timestamp: timestamp file `/var/run/sudo/vile/unknown:root' has unacceptable age (137880 seconds), disallowing access to up2date for UID 500
userhelper[26015]: pam_timestamp: updated timestamp file `/var/run/sudo/vile/unknown:root'
userhelper[26018]: running '/usr/sbin/up2date' with root privileges on behalf of 'vile'

---------------------- Connections (secure-log) End -------------------------


--------------------- sendmail Begin ------------------------



Bytes Transferred: 13037
Messages Sent: 6
Total recipients: 6
---------------------- sendmail End -------------------------


--------------------- SSHD Begin ------------------------


Failed logins from these:
admin/password from ::ffff:209.0.206.183: 2 Time(s)
admin/password from ::ffff:80.64.104.66: 2 Time(s)
guest/password from ::ffff:209.0.206.183: 1 Time(s)
guest/password from ::ffff:80.64.104.66: 1 Time(s)
root/password from ::ffff:209.0.206.183: 3 Time(s)
root/password from ::ffff:80.64.104.66: 3 Time(s)
test/password from ::ffff:209.0.206.183: 2 Time(s)
test/password from ::ffff:80.64.104.66: 2 Time(s)
user/password from ::ffff:209.0.206.183: 1 Time(s)
user/password from ::ffff:80.64.104.66: 1 Time(s)

Illegal users from these:
admin/none from ::ffff:209.0.206.183: 2 Time(s)
admin/none from ::ffff:80.64.104.66: 2 Time(s)
admin/password from ::ffff:209.0.206.183: 2 Time(s)
admin/password from ::ffff:80.64.104.66: 2 Time(s)
guest/none from ::ffff:209.0.206.183: 1 Time(s)
guest/none from ::ffff:80.64.104.66: 1 Time(s)
guest/password from ::ffff:209.0.206.183: 1 Time(s)
guest/password from ::ffff:80.64.104.66: 1 Time(s)
test/none from ::ffff:209.0.206.183: 2 Time(s)
test/none from ::ffff:80.64.104.66: 2 Time(s)
test/password from ::ffff:209.0.206.183: 2 Time(s)
test/password from ::ffff:80.64.104.66: 2 Time(s)
user/none from ::ffff:209.0.206.183: 1 Time(s)
user/none from ::ffff:80.64.104.66: 1 Time(s)
user/password from ::ffff:209.0.206.183: 1 Time(s)
user/password from ::ffff:80.64.104.66: 1 Time(s)


---------------------- SSHD End -------------------------



------------------ Disk Space --------------------

Filesystem Size Used Avail Use% Mounted on
/dev/hda2 37G 4.1G 31G 12% /
/dev/hda1 97M 7.6M 85M 9% /boot
none 122M 0 122M 0% /dev/shm


###################### LogWatch End #########################

################### LogWatch 5.1 (02/03/04) ####################
Processing Initiated: Sun Aug 8 04:02:04 2004
Date Range Processed: yesterday
Detail Level of Output: 0
Logfiles for Host: ************
################################################################

--------------------- pam_unix Begin ------------------------

sshd:
Authentication Failures:
root (mail.ok-bau.at): 9 Time(s)
root (ev1s-64-246-20-43.ev1servers.net): 3 Time(s)
Invalid Users:
Unknown Account: 9 Time(s)
Unknown Entries:
authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=ev1s-64-246-20-43.ev1servers.net : 6 Time(s)
authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=210.187.2.50 : 3 Time(s)


---------------------- pam_unix End -------------------------


--------------------- sendmail Begin ------------------------



Bytes Transferred: 3592
Messages Sent: 2
Total recipients: 2
---------------------- sendmail End -------------------------


--------------------- SSHD Begin ------------------------


Failed logins from these:
admin/password from ::ffff:210.187.2.50: 1 Time(s)
admin/password from ::ffff:64.246.20.43: 2 Time(s)
guest/password from ::ffff:210.187.2.50: 1 Time(s)
guest/password from ::ffff:64.246.20.43: 1 Time(s)
root/password from ::ffff:212.152.182.100: 9 Time(s)
root/password from ::ffff:64.246.20.43: 3 Time(s)
test/password from ::ffff:210.187.2.50: 1 Time(s)
test/password from ::ffff:64.246.20.43: 2 Time(s)
user/password from ::ffff:64.246.20.43: 1 Time(s)

Illegal users from these:
admin/none from ::ffff:210.187.2.50: 1 Time(s)
admin/none from ::ffff:64.246.20.43: 2 Time(s)
admin/password from ::ffff:210.187.2.50: 1 Time(s)
admin/password from ::ffff:64.246.20.43: 2 Time(s)
guest/none from ::ffff:210.187.2.50: 1 Time(s)
guest/none from ::ffff:64.246.20.43: 1 Time(s)
guest/password from ::ffff:210.187.2.50: 1 Time(s)
guest/password from ::ffff:64.246.20.43: 1 Time(s)
test/none from ::ffff:210.187.2.50: 1 Time(s)
test/none from ::ffff:64.246.20.43: 2 Time(s)
test/password from ::ffff:210.187.2.50: 1 Time(s)
test/password from ::ffff:64.246.20.43: 2 Time(s)
user/none from ::ffff:64.246.20.43: 1 Time(s)
user/password from ::ffff:64.246.20.43: 1 Time(s)

---------------------- SSHD End -------------------------



------------------ Disk Space --------------------

Filesystem Size Used Avail Use% Mounted on
/dev/hda2 37G 4.2G 31G 13% /
/dev/hda1 97M 7.6M 85M 9% /boot
none 122M 0 122M 0% /dev/shm


###################### LogWatch End #########################

So, what do you guys think? Is someone trying for OWNAGE?
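As an added example (not part of the original post and not LogWatch's own code), here is a small Python script that parses the "Failed logins from these:" and "Illegal users from these:" blocks of the SSHD section in those reports and summarizes, per source host, how many password attempts were made, whether root was among the targets, and which usernames were tried. The sample input is built from the Aug 12 report above, trimmed to two hosts. The thresholds `min_users` and `min_attempts` are assumed values chosen for this example, not anything LogWatch defines.

```python
import re
from collections import defaultdict

# Constructed sample input: the SSHD section of the Aug 12 LogWatch report in
# the post, cut down to two source hosts (same line format as LogWatch 5.1).
SAMPLE = """\
Failed logins from these:
admin/password from ::ffff:216.244.96.212: 2 Time(s)
admin/password from ::ffff:64.219.10.201: 2 Time(s)
guest/password from ::ffff:216.244.96.212: 1 Time(s)
guest/password from ::ffff:64.219.10.201: 1 Time(s)
root/password from ::ffff:216.244.96.212: 3 Time(s)
test/password from ::ffff:216.244.96.212: 2 Time(s)
test/password from ::ffff:64.219.10.201: 1 Time(s)
user/password from ::ffff:216.244.96.212: 1 Time(s)

Illegal users from these:
admin/none from ::ffff:216.244.96.212: 2 Time(s)
"""

# One LogWatch entry: "<user>/<method> from <host>: <n> Time(s)"
ENTRY_RE = re.compile(
    r"^(?P<user>[^/\s]+)/(?P<method>\S+) from (?P<host>\S+): (?P<count>\d+) Time\(s\)$"
)
# Block headers such as "Failed logins from these:" / "Illegal users from these:"
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+) from these:$")


def strip_mapped_v4(host):
    """sshd logs IPv4 peers as IPv4-mapped IPv6 (::ffff:a.b.c.d); keep just a.b.c.d."""
    return host[len("::ffff:"):] if host.startswith("::ffff:") else host


def parse_sshd_section(text):
    """Return {host: {"attempts": int, "root_attempts": int, "users": set}}.

    Attempts are counted only from the "Failed logins" block, because the
    "Illegal users" block repeats the same password failures and adds the
    "/none" probes; usernames are collected from both blocks.
    """
    section = None
    summary = defaultdict(lambda: {"attempts": 0, "root_attempts": 0, "users": set()})
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
            continue
        entry = ENTRY_RE.match(line)
        if entry is None or section is None:
            continue  # not a per-host line (or outside any block); ignore
        host = strip_mapped_v4(entry.group("host"))
        rec = summary[host]
        rec["users"].add(entry.group("user"))
        if section == "Failed logins":
            count = int(entry.group("count"))
            rec["attempts"] += count
            if entry.group("user") == "root":
                rec["root_attempts"] += count
    return dict(summary)


def flag_scanners(summary, min_users=3, min_attempts=5):
    """Hosts that cycled through several usernames, or hammered one, in a day.

    The thresholds are assumptions for this example: a single human typo does
    not produce four or five different account names from one address.
    """
    flagged = [
        host for host, rec in summary.items()
        if len(rec["users"]) >= min_users or rec["attempts"] >= min_attempts
    ]
    return sorted(flagged)


if __name__ == "__main__":
    stats = parse_sshd_section(SAMPLE)
    for host, rec in sorted(stats.items()):
        print(f"{host}: {rec['attempts']} attempts, root={rec['root_attempts']}, "
              f"users={sorted(rec['users'])}")
    print("likely dictionary scans:", flag_scanners(stats))
```

On the report above this flags both hosts: each one walked the same short list (admin, guest, test, user, root) within minutes, which is the signature of a scripted scan rather than someone interested in this particular box. The `root/password` lines also show that sshd on that host is still accepting password logins for root; `PermitRootLogin no` in `sshd_config`, key-only authentication, and a host firewall rule limiting who can reach port 22 would turn these entries into connection refusals instead of authentication failures.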