
Thread: linux root password changes

  1. #11
    AO Senior Cow-beller
    Moderator
    zencoder
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Originally posted here by a morning chill
    If this is for a company, then DO NOT use FC3. The FC series is purely beta testing, and is purposely filled with experimental drivers/programs/functionality. This is because it is a testing playground for their company-based product: RedHat Enterprise. I can't imagine what the built-in SELinux patches would do to his php server permissions.
    Well, at first I was going to disagree with chill's assessment of Fedora...but it got me thinking, and I did a little reading, and now I'm not so sure if I was wrong.

    I wanted to retort with 'Fedora is the open distro sponsored by Red Hat, but not supported or developed actively. It's a stable desktop or server OS if you use the stable versions, etc.' Turns out I may not be right...they say it's a community-based initiative, and includes technologies that may make their way into Red Hat products eventually...but I didn't hear enough language or see enough commitment to making it secure, stable, and dependable. Time for Suse, I guess.

    Also, I can say that SELinux does indeed break some web application deployments with its default settings. I tried to follow a HOWTO I found recently on "Snort, Apache, SSL, PHP, MySQL, and Fedora Core". I followed it to the 'T' with Fedora Core 3 with the exception of enabling SELinux, but this doco (older version...a new one now exists) was written for Fedora Core 2. SELinux made communications between MySQL and PHP/Apache impossible without modifying their labels/groups/schemas etc. Good seed to get me working on learning SELinux, but time is a precious commodity, and it hasn't happened.

    So I'd say be very careful in choosing a new Linux platform. I tend to recommend Fedora a lot for newbies trying to learn Linux (mostly because, while I'd like to start them on Slackware, I don't want to get the phone calls of "how do I do this?"...you get fewer of them with Fedora). But for a production server, keep looking and do your homework.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  2. #12
    Junior Member
    Join Date
    Sep 2002
    Posts
    5

    Suspicious Log files

    Hi friends,

    I think I found some clues to think that my system is hacked. But I do not know for sure.
    I have copied some suspicious sections from my messages log file, and my Apache access and error log files. Can you please check them and give me some hints? I know inspecting this content will be time consuming, so just check them if and when you guys have free time.



    messages.log
    ===============
    Feb 11 01:22:40 mail sshd[5384]: Could not reverse map address 80.96.93.222.
    Feb 11 01:22:40 mail sshd(pam_unix)[5384]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=80.96.93.222 user=test
    Feb 11 01:22:50 mail sshd[5384]: Failed password for test from 80.96.93.222 port 1178
    Feb 11 01:22:58 mail sshd[5384]: Failed password for test from 80.96.93.222 port 1178
    Feb 11 01:23:03 mail sshd[5384]: Accepted password for test from 80.96.93.222 port 1178
    Feb 11 01:23:06 mail sshd(pam_unix)[5391]: session opened for user test by (uid=594)

    Feb 14 10:58:33 mail modprobe: modprobe: Can't locate module char-major-10-134


    Feb 15 11:05:35 mail syslogd: Printing partial message
    Feb 15 11:05:35 mail 22>Feb 15 11:05:35 sendmail[2798]: j1F55ZTb002798: mail.w-advertise.com [81.255.114.13] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
    Feb 15 11:05:35 mail


    Feb 17 10:42:53 mail 22>Feb 17 10:42:53 sendmail[7447]: j1H4grTb007447: mail.w-advertise.com [81.255.114.13] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
    Feb 17 10:42:53 mail
    Feb 17 10:56:48 mail
    Feb 17 10:56:48 mail syslogd: Printing partial message
    Feb 17 10:56:48 mail

    //Please note this. I could not login as root. My password wasn't accepted.
    //But how can the root user's session get closed?
    //***********************************************

    Feb 17 11:03:01 mail sshd(pam_unix)[2905]: session closed for user root

    //****************************************************


    Feb 18 02:52:15 mail syslogd: Printing partial message
    Feb 18 02:52:15 mail 22>Feb 18 02:52:15 sendmail[15542]: j1HKqFTb015542: mail.w-advertise.com [81.255.114.49] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA




    Apache access.log
    ====================


    220.3.124.75 - - [10/Feb/2005:17:58:32 +0600] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 1060 "-" "-"

    66.249.64.79 - - [10/Feb/2005:16:14:34 +0600] "GET /englishReports.php HTTP/1.0" 304 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"

    66.249.71.61 - - [10/Feb/2005:17:41:01 +0600] "GET /allReports.php HTTP/1.0" 304 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"

    193.109.122.59 - - [14/Feb/2005:09:34:44 +0600] "CONNECT 193.109.122.67:6668 HTTP/1.0" 405 982 "-" "pxyscand/2.0"

    203.94.95.111 - - [19/Feb/2005:18:17:33 +0600] "PROPFIND /reports/ HTTP/1.1" 405 990 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"

    207.46.98.141 - - [20/Feb/2005:04:27:02 +0600] "GET /robots.txt HTTP/1.0" 404 1059 "-" "msnbot/1.0 (+http://search.msn.com/msnbot.htm)"
    207.46.98.141 - - [20/Feb/2005:04:27:02 +0600] "GET /circulars.htm HTTP/1.0" 404 1059 "-" "msnbot/1.0 (+http://search.msn.com/msnbot.htm)"
    193.109.122.44 - - [20/Feb/2005:07:41:39 +0600] "CONNECT 193.109.122.67:6668 HTTP/1.0" 405 982 "-" "pxyscand/2.0"

    220.247.246.9 - - [20/Feb/2005:08:44:56 +0600] "GET /smHeadOffice.jpg HTTP/1.1" 304 0 "http://cc.msnscache.com/cache.aspx?q=1039146196537&lang=en-US&FORM=CVRE" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    220.247.246.9 - - [20/Feb/2005:08:44:56 +0600] "GET /smBranches.jpg HTTP/1.1" 304 0 "http://cc.msnscache.com/cache.aspx?q=1039146196537&lang=en-US&FORM=CVRE" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

    220.247.246.9 - - [20/Feb/2005:08:47:10 +0600] "PROPFIND /reports HTTP/1.1" 301 325 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
    220.247.246.9 - - [20/Feb/2005:08:47:10 +0600] "PROPFIND /reports/ HTTP/1.1" 405 990 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
    220.247.246.9 - - [20/Feb/2005:08:47:11 +0600] "PROPFIND /reports HTTP/1.1" 301 325 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"




    Apache error.log
    ================

    [Fri Feb 11 10:25:45 2005] [error] [client 66.249.64.47] File does not exist: /var/www/html/robots.txt
    [Fri Feb 11 11:16:17 2005] [warn] child process 1264 still did not exit, sending a SIGTERM
    [Fri Feb 11 11:16:17 2005] [notice] caught SIGTERM, shutting down
    [Fri Feb 11 11:16:20 2005] [notice] Digest: generating secret for digest authentication ...
    [Fri Feb 11 11:16:20 2005] [notice] Digest: done
    [Fri Feb 11 11:16:21 2005] [notice] Apache/2.0.40 (Red Hat Linux) configured -- resuming normal operations
    [Fri Feb 11 11:16:27 2005] [notice] caught SIGTERM, shutting down
    [Fri Feb 11 11:16:29 2005] [notice] Digest: generating secret for digest authentication ...
    [Fri Feb 11 11:16:29 2005] [notice] Digest: done
    [Fri Feb 11 11:16:30 2005] [notice] Apache/2.0.40 (Red Hat Linux) configured -- resuming normal operations
    [Fri Feb 11 12:44:20 2005] [error] [client 66.249.66.38] File does not exist: /var/www/html/robots.txt
    [Fri Feb 11 12:53:51 2005] [error] [client 192.168.0.99] File does not exist: /var/www/html/_vti_inf.html
    [Fri Feb 11 12:53:51 2005] [error] [client 192.168.0.99] File does not exist: /var/www/html/_vti_bin
    [Fri Feb 11 12:53:51 2005] [error] [client 192.168.0.99] no acceptable variant: /var/www/error/HTTP_NOT_FOUND.html.var
    [Fri Feb 11 13:19:10 2005] [error] [client 192.168.0.99] File does not exist: /var/www/html/_vti_inf.html
    [Fri Feb 11 13:19:10 2005] [error] [client 192.168.0.99] File does not exist: /var/www/html/_vti_bin
    [Fri Feb 11 13:19:10 2005] [error] [client 192.168.0.99] no acceptable variant: /var/www/error/HTTP_NOT_FOUND.html.var
    [Fri Feb 11 13:19:10 2005] [error] [client 192.168.0.99] File does not exist: /var/www/html/_vti_inf.html
    [Fri Feb 11 13:19:10 2005] [error] [client 192.168.0.99] File does not exist: /var/www/html/_vti_bin
    [Fri Feb 11 13:19:10 2005] [error] [client 192.168.0.99] no acceptable variant: /var/www/error/HTTP_NOT_FOUND.html.var
    [Fri Feb 11 13:19:24 2005] [error] [client 192.168.0.99] File does not exist: /var/www/html/_vti_inf.html
    [Fri Feb 11 13:19:24 2005] [error] [client 192.168.0.99] File does not exist: /var/www/html/_vti_bin
    [Fri Feb 11 13:19:24 2005] [error] [client 192.168.0.99] no acceptable variant: /var/www/error/HTTP_NOT_FOUND.html.var
    [Fri Feb 11 13:23:00 2005] [error] [client 192.168.0.99] File does not exist: /var/www/html/_vti_inf.html
    [Fri Feb 11 13:23:00 2005] [error] [client 192.168.0.99] File does not exist: /var/www/html/_vti_bin
    [Fri Feb 11 13:23:00 2005] [error] [client 192.168.0.99] no acceptable variant: /var/www/error/HTTP_NOT_FOUND.html.var
    [Fri Feb 11 19:16:46 2005] [error] [client 195.92.95.61] File does not exist: /var/www/html/cobalt-images
    [Fri Feb 11 20:08:58 2005] [error] [client 66.249.66.38] File does not exist: /var/www/html/robots.txt
    [Sun Feb 13 04:02:09 2005] [notice] SIGHUP received. Attempting to restart

    [Sun Feb 13 22:39:42 2005] [error] [client 202.175.237.42] File does not exist: /var/www/html/Forum
    [Sun Feb 13 22:39:43 2005] [error] [client 202.175.237.42] File does not exist: /var/www/html/Forums
    [Sun Feb 13 22:39:45 2005] [error] [client 202.175.237.42] File does not exist: /var/www/html/bb
    [Sun Feb 13 22:39:47 2005] [error] [client 202.175.237.42] File does not exist: /var/www/html/ugboard
    [Sun Feb 13 22:39:49 2005] [error] [client 202.175.237.42] File does not exist: /var/www/html/ugboards
    [Sun Feb 13 22:39:49 2005] [error] [client 202.175.237.42] File does not exist: /var/www/html/ugboards
    [Sun Feb 13 22:39:55 2005] [error] [client 202.175.237.42] File does not exist: /var/www/html/newboard
    [Sun Feb 13 22:39:57 2005] [error] [client 202.175.237.42] File does not exist: /var/www/html/newboards
    [Sun Feb 13 22:39:59 2005] [error] [client 202.175.237.42] File does not exist: /var/www/html/members
    [Sun Feb 13 22:40:00 2005] [error] [client 202.175.237.42] File does not exist: /var/www/html/members
    [Sun Feb 13 22:40:02 2005] [error] [client 202.175.237.42] File does not exist: /var/www/html/members
    [Sun Feb 13 22:40:03 2005] [error] [client 202.175.237.42] File does not exist: /var/www/html/portal
    [Sun Feb 13 22:40:05 2005] [error] [client 202.175.237.42] File does not exist: /var/www/html/portal
    [Sun Feb 13 22:40:07 2005] [error] [client 202.175.237.42] File does not exist: /var/www/html/bbs
    [Sun Feb 13 22:40:08 2005] [error] [client 202.175.237.42] File does not exist: /var/www/html/bulletinboard
    [Sun Feb 13 22:40:10 2005] [error] [client 202.175.237.42] File does not exist: /var/www/html/bulletinboards
    [Mon Feb 14 00:42:57 2005] [error] [client 207.46.98.141] File does not exist: /var/www/html/robots.txt
    [Mon Feb 21 14:28:25 2005] [error] [client 220.247.240.88] File does not exist: /var/www/html/_vti_bin


    Best Regards,
    Chamal.

  3. #13
    Junior Member
    Join Date
    Feb 2005
    Posts
    9
    Chamal,

    OK, I am just replying off the cuff, with a bit of searching to refresh my memory. Without more context, I don't think that we can tell you for sure from what you provided; a lot more is needed, and this forum probably isn't the best place to post it. Besides, it might take a lot of time to really go through the system and analyze it; people who are good at that get paid for it. We have some nice folks here apparently, but asking someone to do a forensic analysis of your box is a bit more than most of us can handle for free in a forum. I will just offer some quick items about what I see. I think the best evidence you have provided so far is the fact that your root password keeps getting changed.

    The obvious thing is someone logging in via ssh as user test, failing, then succeeding. Did you create a user named test? Does this user have an easy password which might be guessed, like test, or 12345? Without knowing more of your network info, this might be legit, though it does seem to originate in Romania based on output from www.ripe.net/whois. Do you have a legit user in Romania? Once someone knowledgeable has a foothold by way of a user login via ssh, getting root is fairly simple, especially if your system is not patched.

    The "session closed for user root" message occurs when root logs out from a ssh session. So, whoever was connected, disconnected.

    The modprobe error is just some kernel module that isn't working; looks like some issue with power management. Probably unrelated to your current problem.

    The items in maillog are probably nothing; looks like some standard error messages. One comment though: you might want to think about using a different MTA. sendmail has historically had "some issues" with security. Postfix is a decent alternative; I think it is included on the RH 8 CDs along with the command redhat-switch-mail, or redhat-switchmail, which will make postfix your MTA. It basically just turns off sendmail, turns on postfix, and updates a bunch of symlinks so that your system knows how to send mail using postfix instead. qmail is a good alternative as well, but that would require more work than using the builtin tools to switch to postfix.

    The apache access log items are search engines searching your site for content, and someone connecting to (or trying to) a WebDAV-enabled directory on your site. Do you run WebDAV for anything?

    Also, apache needs to be upgraded. There have been a number of vulnerabilities fixed since 2.0.40 was released, most of them are just denial of service, but some "MIGHT" enable running arbitrary code, which is a bad thing. See

    www.apacheweek.com/features/security-20

    The pxyscand/2.0 message might be someone looking for a vulnerable proxy, based on a short (very short) google search about that message.

    The default.ida message you can ignore, it is just someone or something looking for vulnerable IIS installs.

    In the error log, it looks like your apache has a bit of an issue and is restarting. Also, do you run mod_frontpage? It looks like someone on your local LAN (192.168.0.99) is trying to get to some files that might be associated with that, from the _vti_bin and _vti_inf.html messages. I must admit, after looking through some of my error logs, I have quite a few of these myself, probably unrelated to your hack. Most likely just some scanning for vulnerabilities, though why do they come from your local LAN? Maybe someone has a virus? 192.168.0 is your local LAN, right, as it couldn't be coming in off the internet?

    To those that disagree with the recommendation of Fedora Core 3:

    You may well be correct about not using it. I personally use RH Enterprise Linux products when I need to run Linux in a corporate environment. I merely mentioned it because I inferred that chamal and co. used RH8 just because they had it. Since RH does not offer any updates for RH 8 via up2date anymore, I was really suggesting that chamal update to a newer distro, and Fedora Core seemed to be an "easy" upgrade path, especially for one who is used to the custom redhat tools.
    Of course, as I mentioned, it is possible to get security updates for RH8 through the fedora yum repository.

    Later,

    ptr

    EDIT:

    See IKnowNot below; I think this is the best course, as I stated above. Besides, if you are truly in Sri Lanka, like your location states, and the apparent (from what logs you did provide) attacker appears to be in Romania, or at least using Romania as a jumping-off point, this is a legal nightmare. Just forget about the legal stuff; if you do forensic analysis, it should only be to figure out how they got in, but I am guessing an easy password on the test account did it, unless they added that themselves after the fact.

    If you want to do a forensic on the box, get a new drive (or drives if you use RAID), throw that in the box, reinstall, and send the other disk out to someone who knows what they are doing.

  4. #14
    Senior Member IKnowNot
    Join Date
    Jan 2003
    Posts
    792
    I don't know why this thread has gone on so long ... ptr said it ... wipe it
    I assume you don't care about legal aspects as Maestr0 was referring to.

    Since you only included parts of the log files, AND a good hacker would have removed his/her footprints from there anyway, we can not get a true picture.

    As far as RH 8 ... dump it too. Although it is in fedoralegacy, it is no longer being patched. If you are going to use RH, try RH 7.3 or RH 9.
    Fedora (use only Fedora 3) may be ok if you know what you are doing and what to remove, but I would probably stay away from it in a production environment. Free is nice, but if the company depends on the server it may be cheaper in the long run to pay to have the support and a "tuned" OS like RH server.

    Just some things to start off when designing the new server:

    protect it with a firewall (why is someone using port 1178 to connect? This should not be)

    limit services on the server (why is sshd running? Do you need it? Do you need it allowing connections from the Internet?)

    As for user "test" ... looks like they used a script to connect and search for actual users and passwords (note the times on the failures .. can anyone type that fast?). Also looks like there may have been an "easy" password, as only a few attempts were made before success.

    What did the .bash_history file reveal? Was it empty or really outdated? (could be redirected)

    Also try something like
    "grep :x:0: /etc/passwd"
    Old trick, but can sometimes show unknown accounts (there should be only ONE entry).
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
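The two checks above, as an added example that is not part of any post in this thread: a small Python script that flags the brute-force-then-success pattern IKnowNot points to in the sshd lines (several failures from one host followed by an accepted password within a short window) and lists every uid-0 entry in a passwd file. The log lines and passwd fragment are constructed from the thread's sample; the planted "sysadm" account is an assumption added to show a non-root uid-0 hit.

```python
import re
from datetime import datetime

# Constructed sample: the sshd lines quoted in the thread (two failures then an
# accept from the same host within 13 seconds), plus one ordinary local login.
SAMPLE_MESSAGES = """\
Feb 11 01:22:40 mail sshd[5384]: Could not reverse map address 80.96.93.222.
Feb 11 01:22:50 mail sshd[5384]: Failed password for test from 80.96.93.222 port 1178
Feb 11 01:22:58 mail sshd[5384]: Failed password for test from 80.96.93.222 port 1178
Feb 11 01:23:03 mail sshd[5384]: Accepted password for test from 80.96.93.222 port 1178
Feb 11 09:15:00 mail sshd[6001]: Accepted password for chamal from 192.168.0.10 port 40122
"""

# Matches the classic OpenSSH "Failed/Accepted password for <user> from <host> port <n>" line.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<host>\S+) port (?P<port>\d+)"
)

def parse_auth_events(text, year=2005):
    """Return (timestamp, result, user, host) tuples; syslog lines carry no year, so it is supplied."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["host"]))
    return events

def find_guessed_logins(events, window_s=300, min_failures=2):
    """Accepted logins preceded by >= min_failures failures from the same host inside window_s."""
    hits = []
    for i, (ts, result, user, host) in enumerate(events):
        if result != "Accepted":
            continue
        failures = [e for e in events[:i]
                    if e[1] == "Failed" and e[3] == host
                    and (ts - e[0]).total_seconds() <= window_s]
        if len(failures) >= min_failures:
            hits.append((host, user, len(failures), ts))
    return hits

# Constructed /etc/passwd fragment: the expected root entry plus a planted second uid-0 account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
test:x:594:594::/home/test:/bin/bash
sysadm:x:0:0::/tmp/.x:/bin/bash
"""

def uid_zero_accounts(passwd_text):
    """Names of all accounts whose numeric uid field is 0; only 'root' should appear."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0":
            names.append(fields[0])
    return names

if __name__ == "__main__":
    for host, user, n, ts in find_guessed_logins(parse_auth_events(SAMPLE_MESSAGES)):
        print(f"{host}: {n} failures then login as {user} at {ts:%b %d %H:%M:%S}")
    print("uid 0 accounts:", uid_zero_accounts(SAMPLE_PASSWD))
```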

  5. #15
    Senior Member
    Join Date
    Dec 2004
    Posts
    320
    From the little I know about logs, I have gathered this:

    Feb 11 01:22:50 mail sshd[5384]: Failed password for test from 80.96.93.222 port 1178
    Feb 11 01:22:58 mail sshd[5384]: Failed password for test from 80.96.93.222 port 1178
    Feb 11 01:23:03 mail sshd[5384]: Accepted password for test from 80.96.93.222 port 1178
    Feb 11 01:23:06 mail sshd(pam_unix)[5391]: session opened for user test by (uid=594)
    Oddly enough, this seems to be a port for skk, a Japanese translator or something. Didn't look into it too much, but it is for encoding Japanese characters. Although this seems to suggest that someone did indeed succeed in gaining access, using the account test.


    Feb 15 11:05:35 mail syslogd: Printing partial message
    Feb 15 11:05:35 mail 22>Feb 15 11:05:35 sendmail[2798]: j1F55ZTb002798: mail.w-advertise.com [81.255.114.13] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
    Feb 15 11:05:35 mail

    Feb 17 10:42:53 mail 22>Feb 17 10:42:53 sendmail[7447]: j1H4grTb007447: mail.w-advertise.com [81.255.114.13] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
    Kinda looks like some spam is floating around in there. The mail.w-advertise.com is in French (well, http://www.w-advertise.com is). The spammers love an unpatched box with sendmail still running.
    I am going out on a limb here, but I think that your box may have been compromised for sending spam. I could be wrong (and hope I am). Maybe I am just looking for something that is not there.

    These are just my thoughts based on what little knowledge I have. Hope I am heading in the right direction.

    /Edit: IKnowNot is right. Wipe that sucker. Couldn't advise on a distro, though.
    The fool doth think he is wise, but the wiseman knows himself to be a fool - Good Ole Bill Shakespeare

  6. #16
    Junior Member
    Join Date
    Sep 2002
    Posts
    5

    Thanks guys

    Hi guys,

    I want to thank all of you for helping me. Your help was quite useful.

    I'll try to follow your advice.

    I also want to thank this site. It is so useful.

    Best regards and see you soon,
    Chamal.
