
Thread: Suspicious log

  1. #11
    Junior Member
    Join Date
    Nov 2001
    Posts
    20
    I was at work while I did it, just used wget to get the file and dumped it to my default rubbish share. I was at a Windows machine at the time and just unpacked it with 7Zip,
    not exactly rocket science, then just used my favorite editor to view the files.
    That's all, didn't have much time for anything else.
    If you want I can send you the contents.
    "I love fools and mistakes, I'm always making them" (Charles Darwin)

  2. #12
    Senior Member
    Join Date
    Dec 2002
    Posts
    144
    Originally posted here by recca
    I was at work while I did it, just used wget to get the file and dumped it to my default rubbish share. I was at a Windows machine at the time and just unpacked it with 7Zip,
    not exactly rocket science, then just used my favorite editor to view the files.
    That's all, didn't have much time for anything else.
    If you want I can send you the contents.
    The problem is that I cannot even gunzip it on the box after downloading it..
    BlAcKiE
    GearBlitz

  3. #13
    Senior Member
    Join Date
    Dec 2002
    Posts
    144
    Originally posted here by utahlanman
    I'm just curious how this person gained "root" level access via your FTP site. Was some form of buffer-overflow exploited in addition to the FTP account brute-forcing? Also.. I assume you HAD to have had an account named "rootbeer" to be cracked by password grinding.

    For knowledge's sake, I'd suggest you determine if your FTP server (based on its revision) is susceptible to buffer overflow exploits, as I'm not aware of any native FTP based methods of gaining root.

    And finally - based on your .bash_history, looks like somebody's staging some great files to play with on your site and is definitely looking at setting up some sort of server-based process (hence all the pinging to yahoo.com and reviewing of your network config (ifconfig)).

    Good luck!
    I am using Pure-FTP and I have a user called rootbeer..
    Anyway, I will go and check and get back to you..
    BlAcKiE
    GearBlitz

  4. #14
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Penguin:

    I will pre-empt this post by pointing out I know _nothing_ about *nix and its inner workings... period....

    You are out of your depth son.... Way out of your depth.... I don't mean to be offensive but you don't seem to be getting the basics here.... That's very bloody dangerous....

    Take the box offline, reinstall, update to all the latest patches, firewall everything that is not _absolutely_ necessary, and I mean _necessary_ and start logging stuff inbound so you can see what is really going on... If you don't you will be perpetually owned.....

    Sorry, but it's a fact!
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #15
    Senior Member
    Join Date
    Dec 2002
    Posts
    144
    Originally posted here by Tiger Shark
    Penguin:

    I will pre-empt this post by pointing out I know _nothing_ about *nix and its inner workings... period....

    You are out of your depth son.... Way out of your depth.... I don't mean to be offensive but you don't seem to be getting the basics here.... That's very bloody dangerous....

    Take the box offline, reinstall, update to all the latest patches, firewall everything that is not _absolutely_ necessary, and I mean _necessary_ and start logging stuff inbound so you can see what is really going on... If you don't you will be perpetually owned.....

    Sorry, but it's a fact!
    Ok.. but how do I learn what happened? Is there a way? Then suggest to me what I should do to track the culprit?
    BlAcKiE
    GearBlitz

  6. #16
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Tracking the culprit isn't the issue really. Take the box offline so no harm can be done to others.

    If you want to learn how it was done then you will need to perform a forensic examination of the box and its filesystem. The problem is I'm not sure that you will have the relevant logs to show you exactly and everything that happened.

    Get the box offline and see if some of the *nix guys here can help you to work it out.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  7. #17
    Junior Member
    Join Date
    Nov 2004
    Posts
    13

    As an InfoSec consultant, I would tend to agree that containing the incident now is probably the most prudent approach.

    However, with that being said - this individual obviously could use some hands-on education on the process. More specifically, this person should at the minimum understand the chain of events that led to the rooting of the server, including patch revisions, buffer-overflow and/or weak system setup, and learn from it before staging another Internet accessible server.

    Penguin: I'd recommend taking the system offline (disconnect the ethernet cable at minimum) and begin a basic forensic analysis to understand what went wrong with your server config. Then, the most appropriate approach would be to blast the box and reinstall everything, ensuring you're patched and hardened according to the CIS standard for xxx (where xxx= your operating system). Ensure any public facing services (FTP, HTTP, etc) are secured and the hosting applications appropriately updated too.

    Good luck!

    Here are some references:

    http://www.sans.org/top20/

    http://www.sans.org/score/

  8. #18
    AO übergeek (phishphreek)
    Join Date
    Jan 2002
    Posts
    4,325
    As others have said, first take it offline.

    Then you should head over to security focus and get yourself some learning!
    http://securityfocus.com/infocus/incidents

    Don't forget sans.org!
    http://www.sans.org/rr/whitepapers/incident/

    There are plenty of great articles that deal with *nix 0wn3d boxes.

    Might I suggest the following tools to you:

    chkrootkit.
    http://www.chkrootkit.org/

    tiger
    http://savannah.nongnu.org/projects/tiger

    chkrootkit will search for evidence of a rootkit.

    tiger will audit your system to determine possible weak spots in your security.
    (then you might be able to get an idea of how your system was compromised)

    If you want to bring it back "online" in a lab environment, then you can run other vuln tests on it over the network with vuln scanners... *cough*nessus*cough*

    It is quite possible that whatever security hole that was used to get access was closed by the attacker. Sometimes attackers will close the hole and open another that only they can get access to it.

    But, go read first. So you don't mess up the "evidence" while playing around.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  9. #19
    Senior Member
    Join Date
    Oct 2004
    Posts
    122
    Do I see something that others can't? I believe it is a distributed brute force attack on user name rootbeer. Penguin: do you have a user called rootbeer? If you do, it is some friend or employee of yours with good programming skills who did it to you.
    Simply made a brute force application for username=rootbeer and set it up on different PCs with password options being different on each PC. Say on one PC he used A as starting character and on another B as starting character and so on. If you used to log in with this user id in front of some friend of yours he may have determined the username to be rootbeer and some additional information about the password too.

    Like: the password starts with a particular character, it is 8 characters long, its character set is a-z & 0-9, whether capital letters are used in the password or not. All this information can be gained over a period of time and it is pretty easy too.
    This info may be used to program your own brute forcer (or modify an original one) in VC++. You can even make a brute forcer that runs in the background, requires no user interaction, loads at startup and does its job in the background. So if you install say 100 copies of that brute forcer on 100 different computers (simply, if you are Asian a cyber cafe is the safest place to install this type of thing, I dunno why people need to use proxies), so here it is: we have a particular user name, we know the password length and starting symbol, so how long would it take? Maybe with a conventional brute forcer 30-40 days, but with the password search space divided by 100 how much time would it take?

    Anyway, I read the thread carefully and I don't think you specified anywhere if you had a user rootbeer or not, and the provided information can never be enough. I am just saying what I think.
    NOT SURE ANYHOW.
    Nobody is perfect, I am nobody

  10. #20
    AO übergeek (phishphreek)
    Join Date
    Jan 2002
    Posts
    4,325
    Originally posted here by Penguin
    I have a user called rootbeer..
    He does have a user called rootbeer. It may have been a dictionary or bruteforce attack or even a remote exploit. We don't have much info about that box. (version numbers, services, patch levels, etc) But we do know that they had access to both Pure-FTP (not sure which version) and a shell. AFAIK, Pure-FTP only has DoS vulnerabilities. (search the vuln database on www.securityfocus.com)

    From knowing that, then we can guess that they guessed a correct user id and pwd for FTP which was also used for some terminal access program? (ssh, rlogin, etc)

    We just don't have nearly enough info to say for sure. All we can do is guess.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
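As an added example, not code from the thread or from any of its posters, here is a small Python check for the pattern the last two posts describe: repeated failures for one account (rootbeer) spread over several source addresses, followed by a successful login from one of those addresses. The log lines are constructed for this example in the syslog style Pure-FTPd uses; that line format is an assumption, so adjust the regexes to what your own log actually shows.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the thread) in the syslog style pure-ftpd writes.
# Several addresses fail against one account, then one of them succeeds.
SAMPLE_LOG = """\
Nov 12 03:14:01 ftp pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [rootbeer]
Nov 12 03:14:02 ftp pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [rootbeer]
Nov 12 03:14:03 ftp pure-ftpd: (?@203.0.113.21) [WARNING] Authentication failed for user [rootbeer]
Nov 12 03:14:05 ftp pure-ftpd: (?@203.0.113.44) [WARNING] Authentication failed for user [rootbeer]
Nov 12 03:14:06 ftp pure-ftpd: (?@192.0.2.9) [WARNING] Authentication failed for user [rootbeer]
Nov 12 03:14:08 ftp pure-ftpd: (?@192.0.2.77) [WARNING] Authentication failed for user [rootbeer]
Nov 12 03:14:09 ftp pure-ftpd: (?@192.0.2.9) [WARNING] Authentication failed for user [bob]
Nov 12 03:14:11 ftp pure-ftpd: (?@203.0.113.44) [INFO] rootbeer is now logged in
Nov 12 03:15:00 ftp pure-ftpd: (?@10.0.0.5) [INFO] alice is now logged in
"""

# Line format assumed here: "(?@<source>) [WARNING] Authentication failed for user [<name>]"
FAIL_RE = re.compile(r"\(\?@(?P<src>[\d.]+)\) \[WARNING\] Authentication failed for user \[(?P<user>[^\]]+)\]")
OK_RE = re.compile(r"\(\?@(?P<src>[\d.]+)\) \[INFO\] (?P<user>\S+) is now logged in")

def analyse(log_text, min_sources=3):
    """Return {user: stats} for accounts that look password-guessed.

    An account is flagged when failures for it arrive from at least `min_sources`
    distinct addresses (the search space split across machines) and it then logs in
    successfully from an address that had already failed against it."""
    fails = defaultdict(lambda: defaultdict(int))   # user -> src -> failure count
    logins = defaultdict(set)                       # user -> sources that logged in
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            fails[m["user"]][m["src"]] += 1
            continue
        m = OK_RE.search(line)
        if m:
            logins[m["user"]].add(m["src"])
    flagged = {}
    for user, by_src in fails.items():
        success_from_failer = logins[user] & set(by_src)
        if len(by_src) >= min_sources and success_from_failer:
            flagged[user] = {"sources": len(by_src), "failures": sum(by_src.values()),
                             "success_from": sorted(success_from_failer)}
    return flagged

if __name__ == "__main__":
    for user, info in analyse(SAMPLE_LOG).items():
        print(f"{user}: {info['failures']} failures from {info['sources']} addresses, "
              f"then logged in from {info['success_from']}")
```

A single address hammering one account (bob above) is not flagged by this rule; lower `min_sources` or add a per-source threshold if that is the case you want to catch.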
