-
August 13th, 2004, 02:58 AM
#1
Cousin's box trying to get owned?
Some history:
Heh, I've been watching this for the last few days now. I set up my cousin's box with Fedora Core 2, and it has been updated completely. I have SSH running on there because he has like NO computer knowledge. Windows is out of his league, so I gave him Linux, as it would be easier for me to lock down for him than Linux.
What I mean by that is, I don't have to update antivirus software, and I can take over the machine from here if needed.
Many of you may remember my cousin, the one who never updates, doesn't update anything, opens mail from anyone who sends it, and so does his Mom, who also uses the machine.
The box is, as I said, fully updated. He does do some STUPID things though.
Like when his Parents bought a computer about 5 years ago, way before I had my first, they got a Gateway, Windows 98 box, and it came with antivirus. Well, they figured that since it updates itself, no problems.
My cousin downloaded things off Kazaa a lot, would turn it off rather than shutting down, and then not let ScanDisk run (he'd just skip it), NEVER ran Windows Update, and when I told him his machine was probably screwed pretty bad, he said "I don't care, it's just a virus".
I explained to him how Zombies work, with which he replied "Oh, well, I'm hungry see ya.".
..... That's my blood, guys...
In a later argument he said "You dumb ass, the Anti Virus updates automatically, so you're stupid."
I snapped:
I explained in oh so calm terms how you only get 6 months free, and after that you have to actually pay for a subscription and that his machine hadn't been updated in about 5 years. Which took an hour to hammer into him, as he was sure he was right and I was wrong.
So this is the kind of crap I deal with. Of course when his Dad found out the HD had errors on it, it was MY fault.
I put in a NIC in that box and it must have screwed up the HD...
And you people wonder why I'm a damn drug addict.
When my cousin decided to buy his own computer, it of course had Windows XP on it.
It started messing up, and this was 2 months after he bought it. I scanned it after hooking it up to my network, and found 12 Trojans on it, and a few other things.
A shocker for us all, I know.
So I put Linux on and didn't give him the Root password so he couldn't screw it up.
Well, he didn't want to pay me for any of this and he already owed me money, so as many of you know from IRC, I started rebooting it from my house, and killing Gaim so he couldn't talk to the friends he hangs out with. Well, he started actually talking to me then, and I told him he probably screwed it up.
When he wouldn't pay me, I decided it was time for some BOFH love:
rm -rf /usr
rm -rf /bin
cfdisk
delete all partitions
reboot/ init 6
So yea I got my money.
After I got paid, I put Fedora Core 2 on, and made sure to update.
I've been getting this in the logs:
################### LogWatch 5.1 (02/03/04) ####################
Processing Initiated: Thu Aug 12 04:02:05 2004
Date Range Processed: yesterday
Detail Level of Output: 0
Logfiles for Host: pcp******pcs.**********
################################################################
--------------------- pam_unix Begin ------------------------
sshd:
Authentication Failures:
root (216.244.96.212): 3 Time(s)
Invalid Users:
Unknown Account: 10 Time(s)
Unknown Entries:
authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=216.244.96.212 : 6 Time(s)
authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=64-219-10-201.ded.swbell.net : 4 Time(s)
---------------------- pam_unix End -------------------------
--------------------- Connections (secure-log) Begin ------------------------
**Unmatched Entries**
userhelper[5363]: pam_timestamp: updated timestamp file `/var/run/sudo/vile/unknown:root'
userhelper[5366]: running '/usr/sbin/up2date' with root privileges on behalf of 'vile'
userhelper[5372]: pam_timestamp: timestamp file `/var/run/sudo/vile/unknown:root' is only 202 seconds old, allowing access to up2date for UID 500
userhelper[5372]: pam_timestamp: updated timestamp file `/var/run/sudo/vile/unknown:root'
userhelper[5375]: running '/usr/sbin/up2date' with root privileges on behalf of 'vile'
userhelper[5378]: pam_timestamp: timestamp file `/var/run/sudo/vile/unknown:root' is only 110 seconds old, allowing access to up2date for UID 500
userhelper[5378]: pam_timestamp: updated timestamp file `/var/run/sudo/vile/unknown:root'
userhelper[5381]: running '/usr/sbin/up2date' with root privileges on behalf of 'vile'
---------------------- Connections (secure-log) End -------------------------
--------------------- sendmail Begin ------------------------
Bytes Transferred: 7188
Messages Sent: 2
Total recipients: 2
---------------------- sendmail End -------------------------
--------------------- SSHD Begin ------------------------
Failed logins from these:
admin/password from ::ffff:216.244.96.212: 2 Time(s)
admin/password from ::ffff:64.219.10.201: 2 Time(s)
guest/password from ::ffff:216.244.96.212: 1 Time(s)
guest/password from ::ffff:64.219.10.201: 1 Time(s)
root/password from ::ffff:216.244.96.212: 3 Time(s)
test/password from ::ffff:216.244.96.212: 2 Time(s)
test/password from ::ffff:64.219.10.201: 1 Time(s)
user/password from ::ffff:216.244.96.212: 1 Time(s)
Illegal users from these:
admin/none from ::ffff:216.244.96.212: 2 Time(s)
admin/none from ::ffff:64.219.10.201: 2 Time(s)
admin/password from ::ffff:216.244.96.212: 2 Time(s)
admin/password from ::ffff:64.219.10.201: 2 Time(s)
guest/none from ::ffff:216.244.96.212: 1 Time(s)
guest/none from ::ffff:64.219.10.201: 1 Time(s)
guest/password from ::ffff:216.244.96.212: 1 Time(s)
guest/password from ::ffff:64.219.10.201: 1 Time(s)
test/none from ::ffff:216.244.96.212: 2 Time(s)
test/none from ::ffff:64.219.10.201: 1 Time(s)
test/password from ::ffff:216.244.96.212: 2 Time(s)
test/password from ::ffff:64.219.10.201: 1 Time(s)
user/none from ::ffff:216.244.96.212: 1 Time(s)
user/password from ::ffff:216.244.96.212: 1 Time(s)
Users logging in through sshd:
root:
******************* (********): 1 time
^ The above was me.
---------------------- SSHD End -------------------------
--------------------- up2date Begin ------------------------
Package Installed:
['system-config-date-1.7.3.1-0.fc2.1']
---------------------- up2date End -------------------------
------------------ Disk Space --------------------
Filesystem Size Used Avail Use% Mounted on
/dev/hda2 37G 4.1G 31G 12% /
/dev/hda1 97M 7.6M 85M 9% /boot
none 122M 0 122M 0% /dev/shm
###################### LogWatch End #########################
Next :
----- Forwarded message from root
<root@pc***********.****************> -----
Date: Wed, 11 Aug 2004 04:02:06 -0400
From: root <root@************************8>
To: root@**************************8t.net
Subject: LogWatch for ***
################### LogWatch 5.1 (02/03/04) ####################
Processing Initiated: Wed Aug 11 04:02:03 2004
Date Range Processed: yesterday
Detail Level of Output: 0
Logfiles for Host: ****
################################################################
--------------------- Init Begin ------------------------
**Unmatched Entries**
open(/dev/pts/0): No such file or directory
open(/dev/pts/0): No such file or directory
---------------------- Init End -------------------------
--------------------- ModProbe Begin ------------------------
Errors running install command:
sound_slot_1 : 2 Time(s)
---------------------- ModProbe End -------------------------
--------------------- pam_unix Begin ------------------------
sshd:
Authentication Failures:
root (211.173.81.252): 3 Time(s)
Invalid Users:
Unknown Account: 6 Time(s)
Unknown Entries:
authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.173.81.252 : 6 Time(s)
---------------------- pam_unix End -------------------------
--------------------- Connections (secure-log) Begin ------------------------
Connections:
Service sgi_fam:
<no address>: 1 Time(s)
**Unmatched Entries**
gdm[2391]: pam_succeed_if: requirement "uid < 100" not met by user "vile"
---------------------- Connections (secure-log) End -------------------------
--------------------- sendmail Begin ------------------------
Bytes Transferred: 16422
Messages Sent: 4
Total recipients: 4
**Unmatched Entries**
STARTTLS=server: file /etc/mail/certs/cert.pem unsafe: No such file or directory: 1 Time(s)
---------------------- sendmail End -------------------------
--------------------- SSHD Begin ------------------------
SSHD Killed: 1 Time(s)
SSHD Started: 1 Time(s)
Failed to bind:
0.0.0.0 port 22 (Address already in use) : 1 Time(s)
Failed logins from these:
admin/password from ::ffff:211.173.81.252: 2 Time(s)
guest/password from ::ffff:211.173.81.252: 1 Time(s)
root/password from ::ffff:211.173.81.252: 3 Time(s)
test/password from ::ffff:211.173.81.252: 2 Time(s)
user/password from ::ffff:211.173.81.252: 1 Time(s)
Illegal users from these:
admin/none from ::ffff:211.173.81.252: 2 Time(s)
admin/password from ::ffff:211.173.81.252: 2 Time(s)
guest/none from ::ffff:211.173.81.252: 1 Time(s)
guest/password from ::ffff:211.173.81.252: 1 Time(s)
test/none from ::ffff:211.173.81.252: 2 Time(s)
test/password from ::ffff:211.173.81.252: 2 Time(s)
user/none from ::ffff:211.173.81.252: 1 Time(s)
user/password from ::ffff:211.173.81.252: 1 Time(s)
Users logging in through sshd:
root:
Me
---------------------- SSHD End -------------------------
------------------ Disk Space --------------------
Filesystem Size Used Avail Use% Mounted on
/dev/hda2 37G 4.1G 31G 12% /
/dev/hda1 97M 7.6M 85M 9% /boot
none 122M 0 122M 0% /dev/shm
###################### LogWatch End #########################
################### LogWatch 5.1 (02/03/04) ####################
Processing Initiated: Tue Aug 10 12:02:36 2004
Date Range Processed: yesterday
Detail Level of Output: 0
Logfiles for Host:*********
################################################################
--------------------- pam_unix Begin ------------------------
sshd:
Authentication Failures:
root (209.0.206.183): 3 Time(s)
root (80.64.104.66): 3 Time(s)
Invalid Users:
Unknown Account: 12 Time(s)
Unknown Entries:
authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=209.0.206.183 : 6 Time(s)
authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=80.64.104.66 : 6 Time(s)
---------------------- pam_unix End -------------------------
--------------------- Connections (secure-log) Begin ------------------------
**Unmatched Entries**
userhelper[26015]: pam_timestamp: timestamp file `/var/run/sudo/vile/unknown:root' has unacceptable age (137880 seconds), disallowing access to up2date for UID 500
userhelper[26015]: pam_timestamp: updated timestamp file `/var/run/sudo/vile/unknown:root'
userhelper[26018]: running '/usr/sbin/up2date' with root privileges on behalf of 'vile'
---------------------- Connections (secure-log) End -------------------------
--------------------- sendmail Begin ------------------------
Bytes Transferred: 13037
Messages Sent: 6
Total recipients: 6
---------------------- sendmail End -------------------------
--------------------- SSHD Begin ------------------------
Failed logins from these:
admin/password from ::ffff:209.0.206.183: 2 Time(s)
admin/password from ::ffff:80.64.104.66: 2 Time(s)
guest/password from ::ffff:209.0.206.183: 1 Time(s)
guest/password from ::ffff:80.64.104.66: 1 Time(s)
root/password from ::ffff:209.0.206.183: 3 Time(s)
root/password from ::ffff:80.64.104.66: 3 Time(s)
test/password from ::ffff:209.0.206.183: 2 Time(s)
test/password from ::ffff:80.64.104.66: 2 Time(s)
user/password from ::ffff:209.0.206.183: 1 Time(s)
user/password from ::ffff:80.64.104.66: 1 Time(s)
Illegal users from these:
admin/none from ::ffff:209.0.206.183: 2 Time(s)
admin/none from ::ffff:80.64.104.66: 2 Time(s)
admin/password from ::ffff:209.0.206.183: 2 Time(s)
admin/password from ::ffff:80.64.104.66: 2 Time(s)
guest/none from ::ffff:209.0.206.183: 1 Time(s)
guest/none from ::ffff:80.64.104.66: 1 Time(s)
guest/password from ::ffff:209.0.206.183: 1 Time(s)
guest/password from ::ffff:80.64.104.66: 1 Time(s)
test/none from ::ffff:209.0.206.183: 2 Time(s)
test/none from ::ffff:80.64.104.66: 2 Time(s)
test/password from ::ffff:209.0.206.183: 2 Time(s)
test/password from ::ffff:80.64.104.66: 2 Time(s)
user/none from ::ffff:209.0.206.183: 1 Time(s)
user/none from ::ffff:80.64.104.66: 1 Time(s)
user/password from ::ffff:209.0.206.183: 1 Time(s)
user/password from ::ffff:80.64.104.66: 1 Time(s)
---------------------- SSHD End -------------------------
------------------ Disk Space --------------------
Filesystem Size Used Avail Use% Mounted on
/dev/hda2 37G 4.1G 31G 12% /
/dev/hda1 97M 7.6M 85M 9% /boot
none 122M 0 122M 0% /dev/shm
###################### LogWatch End #########################
################### LogWatch 5.1 (02/03/04) ####################
Processing Initiated: Sun Aug 8 04:02:04 2004
Date Range Processed: yesterday
Detail Level of Output: 0
Logfiles for Host: ************
################################################################
--------------------- pam_unix Begin ------------------------
sshd:
Authentication Failures:
root (mail.ok-bau.at): 9 Time(s)
root (ev1s-64-246-20-43.ev1servers.net): 3 Time(s)
Invalid Users:
Unknown Account: 9 Time(s)
Unknown Entries:
authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=ev1s-64-246-20-43.ev1servers.net : 6 Time(s)
authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=210.187.2.50 : 3 Time(s)
---------------------- pam_unix End -------------------------
--------------------- sendmail Begin ------------------------
Bytes Transferred: 3592
Messages Sent: 2
Total recipients: 2
---------------------- sendmail End -------------------------
--------------------- SSHD Begin ------------------------
Failed logins from these:
admin/password from ::ffff:210.187.2.50: 1 Time(s)
admin/password from ::ffff:64.246.20.43: 2 Time(s)
guest/password from ::ffff:210.187.2.50: 1 Time(s)
guest/password from ::ffff:64.246.20.43: 1 Time(s)
root/password from ::ffff:212.152.182.100: 9 Time(s)
root/password from ::ffff:64.246.20.43: 3 Time(s)
test/password from ::ffff:210.187.2.50: 1 Time(s)
test/password from ::ffff:64.246.20.43: 2 Time(s)
user/password from ::ffff:64.246.20.43: 1 Time(s)
Illegal users from these:
admin/none from ::ffff:210.187.2.50: 1 Time(s)
admin/none from ::ffff:64.246.20.43: 2 Time(s)
admin/password from ::ffff:210.187.2.50: 1 Time(s)
admin/password from ::ffff:64.246.20.43: 2 Time(s)
guest/none from ::ffff:210.187.2.50: 1 Time(s)
guest/none from ::ffff:64.246.20.43: 1 Time(s)
guest/password from ::ffff:210.187.2.50: 1 Time(s)
guest/password from ::ffff:64.246.20.43: 1 Time(s)
test/none from ::ffff:210.187.2.50: 1 Time(s)
test/none from ::ffff:64.246.20.43: 2 Time(s)
test/password from ::ffff:210.187.2.50: 1 Time(s)
test/password from ::ffff:64.246.20.43: 2 Time(s)
user/none from ::ffff:64.246.20.43: 1 Time(s)
user/password from ::ffff:64.246.20.43: 1 Time(s)
---------------------- SSHD End -------------------------
------------------ Disk Space --------------------
Filesystem Size Used Avail Use% Mounted on
/dev/hda2 37G 4.2G 31G 13% /
/dev/hda1 97M 7.6M 85M 9% /boot
none 122M 0 122M 0% /dev/shm
###################### LogWatch End #########################
So, what do you guys think? Is someone trying for OWNAGE?
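The pattern in those LogWatch summaries (every source walks the same five names, each name tried once with the "none" method and then with a password, root three times) can be pulled straight out of /var/log/secure without waiting for the nightly mail. The script below is an added example, not code from the original post or from LogWatch. It runs over constructed sshd log lines written in the format OpenSSH 3.x on FC2 used (an assumption about that release; the ::ffff: prefix is sshd reporting IPv4 peers through an IPv6 socket, as in the output above), tallies failures per source the way LogWatch does, flags sources whose username set covers the scanner's whole dictionary, and then performs the check that actually matters: whether any of those sources also produced an "Accepted" line.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/secure (not taken from the poster's box), in
# the shape OpenSSH 3.x on FC2 wrote it; this is an assumption about that release.
SAMPLE_LOG = """\
Aug 12 03:14:01 box sshd[5301]: Illegal user admin from ::ffff:216.244.96.212
Aug 12 03:14:01 box sshd[5301]: Failed none for illegal user admin from ::ffff:216.244.96.212 port 51230 ssh2
Aug 12 03:14:03 box sshd[5301]: Failed password for illegal user admin from ::ffff:216.244.96.212 port 51230 ssh2
Aug 12 03:14:05 box sshd[5303]: Illegal user test from ::ffff:216.244.96.212
Aug 12 03:14:05 box sshd[5303]: Failed none for illegal user test from ::ffff:216.244.96.212 port 51231 ssh2
Aug 12 03:14:07 box sshd[5303]: Failed password for illegal user test from ::ffff:216.244.96.212 port 51231 ssh2
Aug 12 03:14:09 box sshd[5305]: Illegal user guest from ::ffff:216.244.96.212
Aug 12 03:14:09 box sshd[5305]: Failed none for illegal user guest from ::ffff:216.244.96.212 port 51232 ssh2
Aug 12 03:14:11 box sshd[5305]: Failed password for illegal user guest from ::ffff:216.244.96.212 port 51232 ssh2
Aug 12 03:14:13 box sshd[5307]: Illegal user user from ::ffff:216.244.96.212
Aug 12 03:14:13 box sshd[5307]: Failed none for illegal user user from ::ffff:216.244.96.212 port 51233 ssh2
Aug 12 03:14:15 box sshd[5307]: Failed password for illegal user user from ::ffff:216.244.96.212 port 51233 ssh2
Aug 12 03:14:17 box sshd[5309]: Failed password for root from ::ffff:216.244.96.212 port 51234 ssh2
Aug 12 03:14:19 box sshd[5309]: Failed password for root from ::ffff:216.244.96.212 port 51234 ssh2
Aug 12 03:14:21 box sshd[5309]: Failed password for root from ::ffff:216.244.96.212 port 51234 ssh2
Aug 12 09:30:02 box sshd[5400]: Failed password for vile from ::ffff:10.0.0.7 port 40001 ssh2
Aug 12 09:30:09 box sshd[5400]: Accepted password for vile from ::ffff:10.0.0.7 port 40001 ssh2
"""

# The names every source in the LogWatch output above tried.
SCAN_USERS = frozenset({"admin", "guest", "test", "user", "root"})

# Matches both "Failed <method> for [illegal user] <name> from <addr> port N"
# and the "Accepted ..." line a successful login produces; the IPv4-mapped
# ::ffff: prefix is dropped so sources compare cleanly.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:illegal user |invalid user )?(?P<user>\S+) from (?:::ffff:)?"
    r"(?P<src>[0-9A-Fa-f.:]+) port \d+"
)


def parse_auth(log_text):
    """(result, user, method, source) for every sshd Failed/Accepted line."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            events.append((m["result"], m["user"], m["method"], m["src"]))
    return events


def failures_by_source(events):
    """Per-source counts keyed by (user, method): the table LogWatch prints."""
    table = defaultdict(Counter)
    for result, user, method, src in events:
        if result == "Failed":
            table[src][(user, method)] += 1
    return table


def scan_sources(events, dictionary=SCAN_USERS):
    """Sources whose failed usernames cover the scanner's whole dictionary."""
    tried = defaultdict(set)
    for result, user, _method, src in events:
        if result == "Failed":
            tried[src].add(user)
    return sorted(src for src, users in tried.items() if dictionary <= users)


def accepted_from_scanners(events):
    """The check that matters: did a source that ran the dictionary also get in?"""
    scanners = set(scan_sources(events))
    return [(user, src) for result, user, _m, src in events
            if result == "Accepted" and src in scanners]


def report(log_text):
    """LogWatch-style lines, with dictionary-scanning sources tagged."""
    events = parse_auth(log_text)
    scanners = set(scan_sources(events))
    lines = []
    for src, counts in sorted(failures_by_source(events).items()):
        tag = "  <- ran the admin/guest/test/user/root dictionary" if src in scanners else ""
        lines.append(src + tag)
        for (user, method), n in sorted(counts.items()):
            lines.append(f"    {user}/{method}: {n} Time(s)")
    for user, src in accepted_from_scanners(events):
        lines.append(f"ALERT: scanning host {src} logged in as {user}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it against the real file with `python3 scan_report.py < /dev/null` swapped for `report(open("/var/log/secure").read())`; the single failed login from 10.0.0.7 in the sample stays untagged because one wrong password from a known user is not the scanner's signature, and the ALERT line is the one worth a pager.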
-
August 13th, 2004, 03:08 AM
#2
Dear god, it looks like they have tried everything. Really not a joke? Sheesh
-
August 13th, 2004, 03:16 AM
#3
Heh, yea. I've been watching for a while now waiting for one to try and get in.
-
August 13th, 2004, 03:26 AM
#4
-
August 13th, 2004, 04:20 AM
#5
Gore,
Just to chime in here. The SSH attempts you are seeing are from an automated scan that has been going around the net. It's a weak ssh bruteforce attempt that attempts to exploit the do_brk() vuln in the 2.4 kernel. As long as you have a good root password, and don't have test, guest, or admin accounts you should be fine. It's a pretty lame attempt. As a tip, you could always just add an AllowUsers line to your sshd_config file (and add only the users you want to allow ssh logins as), and not have to worry about it, and for that fact...disallow root ssh logins, and ssh1.
HTH
-hog
Antionline in a nutshell
"You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"
Trust your Technolust
-
August 13th, 2004, 04:44 AM
#6
Guess he's OK. The Kernel is 2.6. Lamer bastards lol.
Shouldn't have anything to worry about then, other than when he doesn't pay me
-
August 13th, 2004, 04:56 AM
#7
Yeah, the scans are lame as hell. But machines have been compromised by this, and a rootkit gets dropped on the system.
-
August 13th, 2004, 10:58 AM
#8
Hmm, just a few thoughts here. In the sshd config, make sure that root logins are NOT allowed. It's better to login as a normal user, then su to root. Also, maybe define a static source IP for access to the sshd. That would limit you to the IP set, but it's an improvement in the security in general.
In addition, which ports are open to the outside world? If the 'sendmail' ports are open, then havoc is bound to happen. If the mail server can be reached from the outside, then I propose postfix, or even better: qmail.
/offtopic/
In addition to your restrictions you have set for your cousin, make sure that he only has GUI access, no shell access. That can be accomplished by setting his default shell=true.
'true' means he has only gui access, and cannot use a shell with his username.
/back to topic
Those scans (although out of date for the kernel exploit) should not be taken lightly. Those scans prove that it's an attempt to w00t the box. Maybe the attacker will move on to other techniques.
Oh well, good luck man
Cheers.
Ubuntu-: Means in African : "Im too dumb to use Slackware"
-
August 13th, 2004, 11:21 AM
#9
gore, I'm not running FC2, but a couple of things came to mind here ...
You did not say how you set up ssh (hopefully only ssh2 is enabled), but I noticed the rhosts attempts. Many people say not to allow any rhosts files on a system. I am not one of those people. I use .rhosts on every linux system; empty .rhosts files, all permissions removed, remove the sticky bit, and then check them with Tripwire daily. Just a thought.
I don't know if you have a static or dynamic address, but if it is static you might try allowing connections to port 22 only from your address (or if dynamic from your range) at the firewall. That should help things a little.
And just a question? Vile is running as UID 500? Why is vile running sudo and running programs (up2date)? I thought vile was a vi type program, but FC2 uses vim?
" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
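Posts #5, #8 and #9 between them describe one hardening checklist: PermitRootLogin no, SSH2 only, an AllowUsers whitelist (its entries can also carry a source host as user@host, which covers the "only from your address" idea at the sshd level when there is no firewall in front), no test/guest/admin accounts, and a no-op shell for accounts that should never get a prompt. The audit below is an added example, not code from the thread or from OpenSSH. It parses a constructed sshd_config and a constructed /etc/passwd fragment and reports which of those points are still open. The weak config relies on the commented-out defaults OpenSSH 3.x shipped with (Protocol 2,1 and PermitRootLogin yes; stated here as an assumption about that era's defaults, later releases changed both); the hardened one sets everything explicitly. The address 203.0.113.10 and the account names are placeholders.

```python
# Defaults OpenSSH 3.x applied when a directive was absent or commented out
# (an assumption about the FC2-era defaults; later releases changed both).
DEFAULTS = {"protocol": "2,1", "permitrootlogin": "yes"}
NOLOGIN_SHELLS = {"/bin/true", "/bin/false", "/sbin/nologin"}
# Account names the scanner in the LogWatch output guesses besides root.
GUESSED_ACCOUNTS = {"admin", "guest", "test", "user"}

# Constructed: what the shipped file effectively says when nothing is uncommented.
WEAK_SSHD_CONFIG = """\
#Protocol 2,1
#PermitRootLogin yes
#PasswordAuthentication yes
X11Forwarding yes
"""

# Constructed: the settings from posts #5, #8 and #9 made explicit.
# 203.0.113.10 stands in for the admin's own address.
HARDENED_SSHD_CONFIG = """\
Protocol 2
PermitRootLogin no
AllowUsers vile@203.0.113.10 vile@203.0.113.*
X11Forwarding no
"""

# Constructed /etc/passwd fragment: 'test' already has the no-op shell from
# post #8, 'guest' does not.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
vile:x:500:500::/home/vile:/bin/bash
guest:x:501:501::/home/guest:/bin/bash
test:x:502:502::/home/test:/bin/true
"""


def parse_sshd_config(text):
    """Keyword -> value. First value wins, as in sshd itself; comments skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        cfg.setdefault(parts[0].lower(), value)
    return cfg


def parse_passwd(text):
    """Account name -> login shell for each well-formed /etc/passwd line."""
    shells = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            shells[fields[0]] = fields[6]
    return shells


def audit(sshd_config_text, passwd_text):
    """One finding string per open point from the thread's checklist."""
    cfg = {**DEFAULTS, **parse_sshd_config(sshd_config_text)}
    shells = parse_passwd(passwd_text)
    findings = []
    if cfg["permitrootlogin"] != "no":
        findings.append(f"PermitRootLogin is '{cfg['permitrootlogin']}': root is a direct "
                        "target; set it to no and su after logging in as a user")
    if "1" in cfg["protocol"].split(","):
        findings.append(f"Protocol '{cfg['protocol']}' still offers SSH1; set Protocol 2")
    allowed = cfg.get("allowusers")
    if allowed is None:
        findings.append("no AllowUsers line: every account with a shell is a login target")
    else:
        # A misspelled AllowUsers entry silently locks the real admin out.
        for entry in allowed.split():
            user = entry.split("@", 1)[0]
            if user not in shells:
                findings.append(f"AllowUsers names '{user}', which is not in passwd "
                                "(a typo here locks you out)")
    for name, shell in sorted(shells.items()):
        if name in GUESSED_ACCOUNTS and shell not in NOLOGIN_SHELLS:
            findings.append(f"account '{name}' (one of the scanner's guesses) "
                            f"has a real shell {shell}")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"== {label} ==")
        for finding in audit(conf, SAMPLE_PASSWD) or ["nothing open"]:
            print(" -", finding)
```

Pointing it at the real files is `audit(open("/etc/ssh/sshd_config").read(), open("/etc/passwd").read())`; after editing sshd_config, confirm with a second ssh session before closing the first, since the AllowUsers check only catches names that are absent from passwd, not a host pattern that excludes your own address.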
-
August 13th, 2004, 12:44 PM
#10
IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com