Page 3 of 5 FirstFirst 12345 LastLast
Results 21 to 30 of 45

Thread: I'm gonna cry. I'm a victim!

  1. #21
    if you goto my website. (link posted above) i have some logs on there. If anyone wants to look them over, I am still pasting some things, only downside when putting them in notepad it made them messy, so it's kind of hard to read.


    -Jason
    __________________________
    Caution: in case of rapture, this computer will be unoccupied!

  2. #22
    Originally posted by ammo
    That's why I went the OpenBSD way instead of linux.. I'm still learning, and OpenBSD is MUCH more secure out-of-the-box...

    Ammo
    SO TRUE!!!!!!!!!!!!!!!!
    -=SolarisMKA=-

  3. #23
    I know your frustration. I became sooo paranid that I started shuttion off services right left and center, the next thing I knew was that I mest up my boot configuration.

    When I try to reinstall my distro the cd was all scratched! damn. I only have a 2.2.0 linux kernal now, not a 2.4 ugh more work............. So I've been down for 9 days now. Thats why I ordered OpenBSD.

    And I feel that it would be easier for administarting as well (I've been reading up on it ) because it is soo well built
    -=SolarisMKA=-

  4. #24
    Senior Member
    Join Date
    Nov 2001
    Posts
    185
    A couple of things jason-mis, first I can't help but notice that your attacker knows your first name, this is a big clue all by itself.

    next, your secure log suggests that ssh is not properly configured. We have multiple warning lines at the beginning.

    Looking here -->
    Did not receive identification string from 140.186.76.196. ip from domain aasp.net probably rohode island area.
    Jan 2 22:06:35 localhost sshd[23230]: Did not receive identification string from 127.0.0.1.
    Jan 2 22:07:03 localhost sshd[578]: Received signal 15; terminating.
    <snip>
    Jan 3 07:52:36 localhost sshd[31117]: Did not receive identification string from 212.64.115.215. ip from domain casema.net, an ISP from the Netherlands
    Jan 3 07:53:36 localhost sshd[31119]: Did not receive identification string from 127.0.0.1.
    Jan 3 08:52:36 localhost sshd[23253]: Generating new 768 bit RSA key.
    Jan 3 08:52:36 localhost sshd[23253]: RSA key generation complete.
    Jan 3 13:28:43 localhost sshd[31254]: Did not receive identification string from 127.0.0.1.
    Jan 3 13:33:14 localhost sshd[31337]: Did not receive identification string from 212.64.115.215. ditto
    Jan 3 13:51:13 localhost sshd[31389]: Could not reverse map address 150.176.129.161. This ip is either spoofed, or is an internal network IP address. this is probably the IP of the attacker, probably.
    Jan 3 13:51:17 localhost sshd[31389]: Accepted password for Admin from 150.176.129.161 port 1025 ditto, suspicious IP
    Jan 3 14:10:20 localhost sshd[31469]: Accepted password for Admin from 216.77.74.2 port 64214 resolves to an IP from putnam-fl, a.k.a. bellsouth.net. you perhaps?
    Jan 3 14:28:43 localhost sshd[23253]: Generating new 768 bit RSA key.
    Jan 3 14:28:43 localhost sshd[23253]: RSA key generation complete.
    Jan 3 14:33:16 localhost sshd[31553]: Bad protocol version identification '^F ' from 216.77.74.2 post attack connection attempt from the ip above.

    The other question is where are all of the entries in wtmp. that log should have quite a bit in it, the fact that it does not is suspicious and leads me to believe that the entries were deleted, which is a common thing to do during an exploit.
    Know this..., you may not by thyself in pride claim the Mantle of Wizardry; that way lies only Bogosity without End.

    Rather must you Become, and Become, and Become, until Hackers respect thy Power, and other Wizards hail thee as a Brother or Sister in Wisdom, and you wake up and realize that the Mantle hath lain unknown upon thy Shoulders since you knew not when.


  5. #25
    Junior Member
    Join Date
    Nov 2001
    Posts
    8

    Thumbs up ahhh : ) fresh air

    I would like to give my condolences to UberC0der for being the "poster child" for the REAL hacker comunity. those replys you posted brought a tear to my eye. oh and cool desktop.





    p.s. yeah, m' kay what is this...

    is a signature that important?

  6. #26
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    the casema.net was mine..
    the nmap I posted to jason-mis

    I'm thinking alot about upgrading securty on my server too
    i'm dl-ing openbsd..

    Let's all learn from Jason's bad xperience..
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  7. #27
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Posts
    1,164
    Per UberC0der's reply (which was pretty damned good), here's a few more things to check:

    1: run 'last' and see who was on your machine. If it comes up empty (which it shouldn't), then either they've never been created (not likely because once successfully logged in, wtmp is updated, with bad connections going to btmp). Last will show you connect times, how long, and where from.

    2: get the last, oh, 200 lines of your syslog by doing the following: tail -100 /var/log/messages >> /tmp/100lines and PM me with it, as that will give more information. Hell, post the whole damned thing if you'd like. As much info as possible is good but just like UberC0der said, the guy knew your name which is a big hint (still think I'm overly paranoid Chemical?).

    3: since this happened a few days ago, let's try to find out if anything was added to the machine or changed that shouldn't be. Run 'find / -mtime -2 -exec ls -l {} \; >> /tmp/changed_files' . Notice: this isn't as good as tripwire but a start. There's some that should change every day and others that should never change. Binaries that are a day old by -mtime definitely aren't a sign of friendship, hehe. If you see things like telnet or other known binaries having changed over the last few days, chances are it's trojaned somehow.

    4: Check /etc/passwd! Make sure the whole file is like you remember it with no unknowns. Check EVERY line (post it if you'd like, as RH uses shadow passwords by default with MD5). My main goal with this is to make sure executable shells aren't out of the ordinary (like the account sync using /usr/bin/symc instead of /usr/bin/sync). If you find an account that you know you didn't add, do this: userdel <name_of_user> (this will get rid of the account but leave the home dir so that if they put **** in there, we can look at it with an editor or run binaries through strings)

    5: As root, make sure that there's no .rhosts file left behind (like one with a + in the first line, hehe). Also, make sure there's no /etc/hosts.allow or /etc/hosts.equiv (cat /dev/null > /etc/hosts.equiv && cat /dev/null > /etc/hosts.allow to zero length them). This will ensure that nobody can get to your machine remotely without a password, especially through .rhosts. Your .rhosts for root would generally be available in /root (as /root is the $HOME for root's account).

    Run this to find all .rhosts and remove them (we're paranoid right now):

    find / -name .rhosts -exec rm {} \;

    6: Make sure nothing's running on ports you're not aware of. Not much should be running above 1023 and if it is (like X runs on 6000-6010), make sure you know what that is.

    Run this to find out what you have for open connections to your machine: netstat -a (this will show the state of all sockets including passive along with their service name if possible)

    7: run through linuxconf and find the services. Turn off telnet, turn off ftp, both anonymous and wu-ftp, and turn off sendmail. This way, you'll only have two ways in, through the console or through ssh.

    8: it might be worth the 20 bucks to buy into Redhat's Network so you can run rhn_register (registers your system) and then up2date -u to update your rpm packages. Bug fixes galore, and all that...

    Hope this helps some. Feel free to aim me on Blargho or send an email to kellert@tampabay.rr.com or PM me on here if you need more help.
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.

  8. #28
    wtmp wouldn't copy paste right into wordpad when I was writing the page. When I get home I will try again. The IP that resolved to putnam-fl.com was me. and the post attack connection was me also, I was trying to get back in.
    UberC0der, if there is anything else you would like me to post I will on my website.
    Where did the Hacker edit whatever file he/she did for me to get the output of the screenshot.
    I don't know alot about linux commands but doesn't 'grep' search for things by their content. Could I 'grep' for "h4v1ng fun j45on?"

    Any feedback appreciated.
    -Jason
    __________________________
    Caution: in case of rapture, this computer will be unoccupied!

  9. #29
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Posts
    1,164
    On a note to your reply to UberC0der, I can answer the question of how they wrote to you. 10 to 1 it was an echo to your pty which, unless your login is the same as your name (hence jason), points more and more to someone who knows you (or did a lot of homework). Doesn't make sense because of already stated points of the box being up only a few hours, nothing's on the box really worthwhile, etc...

    If it were a write to your account, you would have seen something like this:

    Message from root (ttyp1) [ Fri Jan 04 08:34:15 ] ...
    This is root, sending you a message...
    <EOT>

    Also, wtmp is a binary file, so just 'cat'ing it won't work (you'll get tons of garbage. Same thing for utmp and btmp. The way to find out what kind of format a file is in is to use 'file <filename here'. It'll tell you if it's data, if it's an executable, what kind, ascii, etc...
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.

  10. #30
    I don't have telnet,ftp, sendmail, or portmap running. When I nmap myself (while offline) I only saw two things, x11 and ssh, my ssh is configured to an unknown port. I had The_JinX nmap me and all sorts of services were there, ftp, chargen, x11, unknown, and a few others. Once I make sure my linux box is secure I am going to get back online and get someone to nmap me (if JinX is up to it, I trust him) and post here. I am not going to get back online until I run some of the commands Vorlin and Uberc0der suggested.

    Thanks Everyone.
    -Jason
    __________________________
    Caution: in case of rapture, this computer will be unoccupied!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •