Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: Cousin's box trying to get owned?

  1. #1
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177

    Cousin's box trying to get owned?

    Some history:



    Heh, I've been watching this for the last few days now. I set up my cousin's box with Fedora Core 2, and it has been updated completly. I have SSH running on there because he has like NO computer knowledge. Windows is out of his league, so I gave him Linux, as it would be easier for me to lock down for him than Linux.

    What I mean by that is, I don't have to update AntiVirii software, and I can take over the machine from here if needed.

    Many of you may remember my cousin, the one who never updates, doesn't update anything, opens mail from anyone who sends it, and so does his Mom, who also uses the machine.

    The box is, as I said, fully updated. He does do some STUPID things though.

    Like when his Parents bought a computer about 5 years ago, way before I had my first, they got a Gateway, Windows 98 box, and it came with antivirus. Well, they figured that since it updates itself, no problems.

    My cousin downloaded things of Kazaa a lot, would turn it off rather than shutting down, and then not let scan disk run, (He'd just skip it) NEVER ran Windows update, and when I told him his machine was probably screwed pretty bad, he said "I don't care, it's just a virus".

    I explained to him how Zombies work, with which he replied "Oh, well, I'm hungry see ya.".

    ..... That's my blood, guys...

    In a later argument he said "You dumb ass, the Anti Virus updates automatically, so you're stupid."

    I snapped:

    I explained in oh so calm terms how you only get 6 months free, and after that you have to actually pay for a subscription and that his machine hadn't been updated in about 5 years. Which took an hour to hammer into him, as he was sure he was right and I was wrong.

    So this is the kind of crap I deal with. Of course when his Dad found out the HD had errors on it, it was MY fault.

    I put in a NIC in that box and it must have screwed up the HD...

    And you people wonder why I'm a damn drug addict.

    When my Cousin decided to buy his own computer, it of course had WIndows XP on it.

    It started messing up, and this was 2 months after he bought it. I scanned it after hooking it up to my network, and found 12 Trojans on it, and a few other things.


    A shocker for us all, I know.

    So I put Linux on and didn't give him the Root password so he couldn't screw it up.

    Well, he didn't want to pay me for any of this and he already owed me money, so as many of you know from IRC, I started rebooting it form my house, and killing Gaim so he couldn't talk to the friends he hangs out with. Well, he started actually talking to me then, and I told him he probabnly screwed it up.

    When he wouldn't pay me, I decided it was time for some BOFH love:

    rm -rf /usr
    rm -rf /bin
    cfdisk
    delete all partitions
    reboot/ init 6

    So yea I got my money.





    After I got paid, I put Fedora Core 2 on, and made sure to update.

    I've been getting this in the logs:




    ################### LogWatch 5.1 (02/03/04) ####################
    Processing Initiated: Thu Aug 12 04:02:05 2004
    Date Range Processed: yesterday
    Detail Level of Output: 0
    Logfiles for Host: pcp******pcs.**********
    ################################################################

    --------------------- pam_unix Begin ------------------------

    sshd:
    Authentication Failures:
    root (216.244.96.212): 3 Time(s)
    Invalid Users:
    Unknown Account: 10 Time(s)
    Unknown Entries:
    authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
    rhost=216.244.96.212 : 6 Time(s)
    authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
    rhost=64-219-10-201.ded.swbell.net : 4 Time(s)


    ---------------------- pam_unix End -------------------------


    --------------------- Connections (secure-log) Begin
    ------------------------


    **Unmatched Entries**
    userhelper[5363]: pam_timestamp: updated timestamp file
    `/var/run/sudo/vile/unknown:root'
    userhelper[5366]: running '/usr/sbin/up2date' with root privileges on
    behalf of 'vile'
    userhelper[5372]: pam_timestamp: timestamp file
    `/var/run/sudo/vile/unknown:root' is only 202 seconds old, allowing access to up2date for UID
    500
    userhelper[5372]: pam_timestamp: updated timestamp file
    `/var/run/sudo/vile/unknown:root'
    userhelper[5375]: running '/usr/sbin/up2date' with root privileges on
    behalf of 'vile'
    userhelper[5378]: pam_timestamp: timestamp file
    `/var/run/sudo/vile/unknown:root' is only 110 seconds old, allowing access to up2date for UID
    500
    userhelper[5378]: pam_timestamp: updated timestamp file
    `/var/run/sudo/vile/unknown:root'
    userhelper[5381]: running '/usr/sbin/up2date' with root privileges on
    behalf of 'vile'

    ---------------------- Connections (secure-log) End
    -------------------------


    --------------------- sendmail Begin ------------------------



    Bytes Transferred: 7188
    Messages Sent: 2
    Total recipients: 2
    ---------------------- sendmail End -------------------------


    --------------------- SSHD Begin ------------------------


    Failed logins from these:
    admin/password from ::ffff:216.244.96.212: 2 Time(s)
    admin/password from ::ffff:64.219.10.201: 2 Time(s)
    guest/password from ::ffff:216.244.96.212: 1 Time(s)
    guest/password from ::ffff:64.219.10.201: 1 Time(s)
    root/password from ::ffff:216.244.96.212: 3 Time(s)
    test/password from ::ffff:216.244.96.212: 2 Time(s)
    test/password from ::ffff:64.219.10.201: 1 Time(s)
    user/password from ::ffff:216.244.96.212: 1 Time(s)

    Illegal users from these:
    admin/none from ::ffff:216.244.96.212: 2 Time(s)
    admin/none from ::ffff:64.219.10.201: 2 Time(s)
    admin/password from ::ffff:216.244.96.212: 2 Time(s)
    admin/password from ::ffff:64.219.10.201: 2 Time(s)
    guest/none from ::ffff:216.244.96.212: 1 Time(s)
    guest/none from ::ffff:64.219.10.201: 1 Time(s)
    guest/password from ::ffff:216.244.96.212: 1 Time(s)
    guest/password from ::ffff:64.219.10.201: 1 Time(s)
    test/none from ::ffff:216.244.96.212: 2 Time(s)
    test/none from ::ffff:64.219.10.201: 1 Time(s)
    test/password from ::ffff:216.244.96.212: 2 Time(s)
    test/password from ::ffff:64.219.10.201: 1 Time(s)
    user/none from ::ffff:216.244.96.212: 1 Time(s)
    user/password from ::ffff:216.244.96.212: 1 Time(s)

    Users logging in through sshd:
    root:
    ******************* (********): 1 time
    ^ The above was me.
    ---------------------- SSHD End -------------------------


    --------------------- up2date Begin ------------------------


    Package Installed:
    ['system-config-date-1.7.3.1-0.fc2.1']

    ---------------------- up2date End -------------------------



    ------------------ Disk Space --------------------

    Filesystem Size Used Avail Use% Mounted on
    /dev/hda2 37G 4.1G 31G 12% /
    /dev/hda1 97M 7.6M 85M 9% /boot
    none 122M 0 122M 0% /dev/shm


    ###################### LogWatch End #########################



    Next :

    ----- Forwarded message from root
    <root@pc***********.****************> -----

    Date: Wed, 11 Aug 2004 04:02:06 -0400
    From: root <root@************************8>
    To: root@**************************8t.net
    Subject: LogWatch for ***

    ################### LogWatch 5.1 (02/03/04) ####################
    Processing Initiated: Wed Aug 11 04:02:03 2004
    Date Range Processed: yesterday
    Detail Level of Output: 0
    Logfiles for Host: ****
    ################################################################

    --------------------- Init Begin ------------------------

    **Unmatched Entries**
    open(/dev/pts/0): No such file or directory
    open(/dev/pts/0): No such file or directory

    ---------------------- Init End -------------------------


    --------------------- ModProbe Begin ------------------------


    Errors running install command:
    sound_slot_1 : 2 Time(s)

    ---------------------- ModProbe End -------------------------


    --------------------- pam_unix Begin ------------------------

    sshd:
    Authentication Failures:
    root (211.173.81.252): 3 Time(s)
    Invalid Users:
    Unknown Account: 6 Time(s)
    Unknown Entries:
    authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
    rhost=211.173.81.252 : 6 Time(s)


    ---------------------- pam_unix End -------------------------


    --------------------- Connections (secure-log) Begin
    ------------------------


    Connections:
    Service sgi_fam:
    <no address>: 1 Time(s)

    **Unmatched Entries**
    gdm[2391]: pam_succeed_if: requirement "uid < 100" not met by user
    "vile"

    ---------------------- Connections (secure-log) End
    -------------------------


    --------------------- sendmail Begin ------------------------



    Bytes Transferred: 16422
    Messages Sent: 4
    Total recipients: 4
    **Unmatched Entries**
    STARTTLS=server: file /etc/mail/certs/cert.pem unsafe: No such file
    or directory: 1 Time(s)

    ---------------------- sendmail End -------------------------


    --------------------- SSHD Begin ------------------------


    SSHD Killed: 1 Time(s)

    SSHD Started: 1 Time(s)

    Failed to bind:
    0.0.0.0 port 22 (Address already in use) : 1 Time(s)

    Failed logins from these:
    admin/password from ::ffff:211.173.81.252: 2 Time(s)
    guest/password from ::ffff:211.173.81.252: 1 Time(s)
    root/password from ::ffff:211.173.81.252: 3 Time(s)
    test/password from ::ffff:211.173.81.252: 2 Time(s)
    user/password from ::ffff:211.173.81.252: 1 Time(s)

    Illegal users from these:
    admin/none from ::ffff:211.173.81.252: 2 Time(s)
    admin/password from ::ffff:211.173.81.252: 2 Time(s)
    guest/none from ::ffff:211.173.81.252: 1 Time(s)
    guest/password from ::ffff:211.173.81.252: 1 Time(s)
    test/none from ::ffff:211.173.81.252: 2 Time(s)
    test/password from ::ffff:211.173.81.252: 2 Time(s)
    user/none from ::ffff:211.173.81.252: 1 Time(s)
    user/password from ::ffff:211.173.81.252: 1 Time(s)

    Users logging in through sshd:
    root:
    Me

    ---------------------- SSHD End -------------------------



    ------------------ Disk Space --------------------

    Filesystem Size Used Avail Use% Mounted on
    /dev/hda2 37G 4.1G 31G 12% /
    /dev/hda1 97M 7.6M 85M 9% /boot
    none 122M 0 122M 0% /dev/shm


    ###################### LogWatch End #########################
















    ################### LogWatch 5.1 (02/03/04) ####################
    Processing Initiated: Tue Aug 10 12:02:36 2004
    Date Range Processed: yesterday
    Detail Level of Output: 0
    Logfiles for Host:*********
    ################################################################

    --------------------- pam_unix Begin ------------------------

    sshd:
    Authentication Failures:
    root (209.0.206.183): 3 Time(s)
    root (80.64.104.66): 3 Time(s)
    Invalid Users:
    Unknown Account: 12 Time(s)
    Unknown Entries:
    authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
    rhost=209.0.206.183 : 6 Time(s)
    authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
    rhost=80.64.104.66 : 6 Time(s)


    ---------------------- pam_unix End -------------------------


    --------------------- Connections (secure-log) Begin
    ------------------------


    **Unmatched Entries**
    userhelper[26015]: pam_timestamp: timestamp file
    `/var/run/sudo/vile/unknown:root' has unacceptable age (137880 seconds), disallowing access
    to up2date for UID 500
    userhelper[26015]: pam_timestamp: updated timestamp file
    `/var/run/sudo/vile/unknown:root'
    userhelper[26018]: running '/usr/sbin/up2date' with root privileges on
    behalf of 'vile'

    ---------------------- Connections (secure-log) End
    -------------------------


    --------------------- sendmail Begin ------------------------



    Bytes Transferred: 13037
    Messages Sent: 6
    Total recipients: 6
    ---------------------- sendmail End -------------------------


    --------------------- SSHD Begin ------------------------


    Failed logins from these:
    admin/password from ::ffff:209.0.206.183: 2 Time(s)
    admin/password from ::ffff:80.64.104.66: 2 Time(s)
    guest/password from ::ffff:209.0.206.183: 1 Time(s)
    guest/password from ::ffff:80.64.104.66: 1 Time(s)
    root/password from ::ffff:209.0.206.183: 3 Time(s)
    root/password from ::ffff:80.64.104.66: 3 Time(s)
    test/password from ::ffff:209.0.206.183: 2 Time(s)
    test/password from ::ffff:80.64.104.66: 2 Time(s)
    user/password from ::ffff:209.0.206.183: 1 Time(s)
    user/password from ::ffff:80.64.104.66: 1 Time(s)

    Illegal users from these:
    admin/none from ::ffff:209.0.206.183: 2 Time(s)
    admin/none from ::ffff:80.64.104.66: 2 Time(s)
    admin/password from ::ffff:209.0.206.183: 2 Time(s)
    admin/password from ::ffff:80.64.104.66: 2 Time(s)
    guest/none from ::ffff:209.0.206.183: 1 Time(s)
    guest/none from ::ffff:80.64.104.66: 1 Time(s)
    guest/password from ::ffff:209.0.206.183: 1 Time(s)
    guest/password from ::ffff:80.64.104.66: 1 Time(s)
    test/none from ::ffff:209.0.206.183: 2 Time(s)
    test/none from ::ffff:80.64.104.66: 2 Time(s)
    test/password from ::ffff:209.0.206.183: 2 Time(s)
    test/password from ::ffff:80.64.104.66: 2 Time(s)
    user/none from ::ffff:209.0.206.183: 1 Time(s)
    user/none from ::ffff:80.64.104.66: 1 Time(s)
    user/password from ::ffff:209.0.206.183: 1 Time(s)
    user/password from ::ffff:80.64.104.66: 1 Time(s)


    ---------------------- SSHD End -------------------------



    ------------------ Disk Space --------------------

    Filesystem Size Used Avail Use% Mounted on
    /dev/hda2 37G 4.1G 31G 12% /
    /dev/hda1 97M 7.6M 85M 9% /boot
    none 122M 0 122M 0% /dev/shm


    ###################### LogWatch End #########################


















    ################### LogWatch 5.1 (02/03/04) ####################
    Processing Initiated: Sun Aug 8 04:02:04 2004
    Date Range Processed: yesterday
    Detail Level of Output: 0
    Logfiles for Host: ************
    ################################################################

    --------------------- pam_unix Begin ------------------------

    sshd:
    Authentication Failures:
    root (mail.ok-bau.at): 9 Time(s)
    root (ev1s-64-246-20-43.ev1servers.net): 3 Time(s)
    Invalid Users:
    Unknown Account: 9 Time(s)
    Unknown Entries:
    authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
    rhost=ev1s-64-246-20-43.ev1servers.net : 6 Time(s)
    authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
    rhost=210.187.2.50 : 3 Time(s)


    ---------------------- pam_unix End -------------------------


    --------------------- sendmail Begin ------------------------



    Bytes Transferred: 3592
    Messages Sent: 2
    Total recipients: 2
    ---------------------- sendmail End -------------------------


    --------------------- SSHD Begin ------------------------


    Failed logins from these:
    admin/password from ::ffff:210.187.2.50: 1 Time(s)
    admin/password from ::ffff:64.246.20.43: 2 Time(s)
    guest/password from ::ffff:210.187.2.50: 1 Time(s)
    guest/password from ::ffff:64.246.20.43: 1 Time(s)
    root/password from ::ffff:212.152.182.100: 9 Time(s)
    root/password from ::ffff:64.246.20.43: 3 Time(s)
    test/password from ::ffff:210.187.2.50: 1 Time(s)
    test/password from ::ffff:64.246.20.43: 2 Time(s)
    user/password from ::ffff:64.246.20.43: 1 Time(s)

    Illegal users from these:
    admin/none from ::ffff:210.187.2.50: 1 Time(s)
    admin/none from ::ffff:64.246.20.43: 2 Time(s)
    admin/password from ::ffff:210.187.2.50: 1 Time(s)
    admin/password from ::ffff:64.246.20.43: 2 Time(s)
    guest/none from ::ffff:210.187.2.50: 1 Time(s)
    guest/none from ::ffff:64.246.20.43: 1 Time(s)
    guest/password from ::ffff:210.187.2.50: 1 Time(s)
    guest/password from ::ffff:64.246.20.43: 1 Time(s)
    test/none from ::ffff:210.187.2.50: 1 Time(s)
    test/none from ::ffff:64.246.20.43: 2 Time(s)
    test/password from ::ffff:210.187.2.50: 1 Time(s)
    test/password from ::ffff:64.246.20.43: 2 Time(s)
    user/none from ::ffff:64.246.20.43: 1 Time(s)
    user/password from ::ffff:64.246.20.43: 1 Time(s)

    ---------------------- SSHD End -------------------------



    ------------------ Disk Space --------------------

    Filesystem Size Used Avail Use% Mounted on
    /dev/hda2 37G 4.2G 31G 13% /
    /dev/hda1 97M 7.6M 85M 9% /boot
    none 122M 0 122M 0% /dev/shm


    ###################### LogWatch End #########################




    So, what do you guys think? Is someone trying for OWNAGE?

  2. #2
    Senior Member
    Join Date
    Jun 2004
    Posts
    112
    Dear god it looks they have tried everthing. Really not a joke? Sheesh

  3. #3
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Heh, yea. I've been watching for a while now waiting for one to try and get in.

  4. #4
    HeadShot Master N1nja Cybr1d's Avatar
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,840
    can I try?

    Take a baseball bat, and head towards your cousin, make him sit down and "calmly" explain to him how computers and security work, while tapping the bat againts the wall every once in a while. If he fails to understand, use the same baseball bat on the computer, smash it to pieces and explain to him that he doesn't deserve a computer then scare the living **** out of him.

    On a serious note, holy crap...you think at least one of them could please use a brute force or something...LOL

  5. #5
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    Gore,
    Just to chime in here. The SSH attempts you are seeing are from an automated scan that has been going around the net. It's a weak ssh bruteforce attempt that attempts to exploit the do_brk() vuln in the 2.4 kernel. As long as you have a good root password, and don't have test,guest, or adminaccounts you should be fine. It's a pretty lame attempt. As a tip, you could always just add an AllowUsers line to your sshd_config file(and add only the users you want to allow ssh logins as), and not have to worry about it, and for that fact...disallow root ssh logins, and ssh1.

    HTH
    -hog
    Antionline in a nutshell
    \"You\'re putting the fate of the world in the hands of a bunch of idiots I wouldn\'t trust with a potato gun\"

    Trust your Technolust

  6. #6
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Guess he's OK. The Kernel is 2.6. Lamer bastards lol.

    Shouldn't have anything to worry about then, other than when he doesn't pay me

  7. #7
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    Yeah the scans are lame as hell. But machines have been compromised by this..and a rootkit gets dropped on the system.
    Antionline in a nutshell
    \"You\'re putting the fate of the world in the hands of a bunch of idiots I wouldn\'t trust with a potato gun\"

    Trust your Technolust

  8. #8
    Antionline's Security Dude instronics's Avatar
    Join Date
    Dec 2002
    Posts
    901
    Hmm, just a few thoughts here. In the sshd config, make sure that root logins are NOT allowed. Its better to login as a normal user, then su to root. Also, maybe define a static source IP for access to the sshd. That would limit you to the IP set, but its an improvement in the security ingeneral.
    In addition, which ports are open to the outside world? If the 'sendmail' ports are open, then havoc is bound to happen. If the mail server can be reached from the outside, then i propose postfix,or even better: qmail.

    /offtopic/
    In addition to your restrictions you have set for your cousin, make sure that he only has GUI access, no shell access. That can be accomplished by setting his default shell=true.

    'true' means he has only gui access, and cannot use a shell with his username.

    /back to topic
    Those scans (although out of date for the kernel exploit) should not be taken lightly. Those scans prove that its an attempt to w00t the box. Maybe the attacker will move on to other techniques.

    Oh well, good luck man

    Cheers.
    Ubuntu-: Means in African : "Im too dumb to use Slackware"

  9. #9
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    gore I’m not running FC2, but a couple of things came to mind here ...

    You did not say how you set up ssh ( hopefully only ssh2 is enabled ) but I noticed the rhosts attempts. Many people say not to allow any rhosts files on a system. I am not one of those people. I use .rhosts on every linux system; empty .rhosts files, all permissions removed, remove the sticky bit, and then check them with Tripwire daily. Just a thought.

    I don’t know if you have a static or dynamic address, but if it is static you might try allowing connections to port 22 only from your address ( or if dynamic from your range ) at the firewall. That should help things a little.

    And just a question? Vile is running as UID 500 ? Why is vile running sudo and running programs ( up2date)? I thought vile was a vi type program, but FC2 uses vim?
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  10. #10
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,021
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •