We were hacked recently...

General Computer Security

Posted by Tam on July 5, 2005, 7:35 pm
.... and I just had a couple of questions to help prevent it again.

This is an excerpt from the log

Jun 27 09:37:09 mail sshd[14307]: Accepted password for gerry from
202.157.176.102 port 2352 ssh2
Jun 27 09:41:44 mail adduser[14366]: new user: name=arnildo, uid=0,
gid=0, home=/home/arnildo, shell=/bin/bash
Jun 27 09:42:46 mail sshd[14307]: syslogin_perform_logout: logout()
returned an error
Jun 27 09:42:51 mail sshd[14372]: Accepted password for arnildo from
202.157.176.102 port 2354 ssh2
Jun 27 12:06:36 mail sshd[16636]: Accepted password for arnildo from
193.151.75.22 port 2153 ssh2

So they got in with a standard user account "gerry". But how did he
subsequently run the 'adduser' command?

And why did he bother adding another user at all?

He created some hidden directories with the ... notation and used the
machine to send out, of all things, an ebay seller account spam.

I have switched off password login and use the key based authentication
only now and further restricted access to port 22 at the firewall.

Kernel version is 2.4.20-19.8.um.1 so is probably a little dated...
could this be the root problem?

Any help or assistance in this matter would be appreciated ;-)

Tam
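An added example, not part of the thread: the excerpt above already records the answer to one of Tam's questions, since the adduser line shows the new account was created with uid=0 and gid=0, i.e. a second superuser login. The script below runs the checks a responder would apply to such a log: it re-joins the wrapped lines from the post as its constructed sample input, flags any non-root account created with uid 0, flags successful logins to an account created earlier in the same log, notes a source address that authenticates as more than one user, and separately audits a passwd-style file for extra uid-0 entries. Function names, regexes and the sample passwd lines are my own assumptions, not anything from the original post.

```python
import re
from collections import defaultdict

# Constructed sample input: the sshd/adduser lines quoted in the post,
# re-joined from their wrapped form.
AUTH_LOG = """\
Jun 27 09:37:09 mail sshd[14307]: Accepted password for gerry from 202.157.176.102 port 2352 ssh2
Jun 27 09:41:44 mail adduser[14366]: new user: name=arnildo, uid=0, gid=0, home=/home/arnildo, shell=/bin/bash
Jun 27 09:42:46 mail sshd[14307]: syslogin_perform_logout: logout() returned an error
Jun 27 09:42:51 mail sshd[14372]: Accepted password for arnildo from 202.157.176.102 port 2354 ssh2
Jun 27 12:06:36 mail sshd[16636]: Accepted password for arnildo from 193.151.75.22 port 2153 ssh2
"""

# Constructed passwd-style sample (hypothetical, mirrors the adduser line above).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
gerry:x:1001:1001::/home/gerry:/bin/bash
arnildo:x:0:0::/home/arnildo:/bin/bash
"""

# Syslog-style sshd "Accepted <method> for <user> from <ip>" lines.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: Accepted (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)
# adduser "new user:" lines with the numeric uid/gid of the created account.
ADDUSER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ adduser\[\d+\]: new user: "
    r"name=(?P<user>[^,]+), uid=(?P<uid>\d+), gid=(?P<gid>\d+)"
)


def analyze(log_text, known_root=("root",)):
    """Scan auth-log lines and return (finding, subject, detail) tuples in log order.

    Checks: a non-root account created with uid 0; a successful login to an
    account created earlier in this log; one source IP logging in as more
    than one user.
    """
    findings = []
    created = {}                    # user -> timestamp of its adduser line
    users_by_ip = defaultdict(set)  # ip -> users seen authenticating from it
    for line in log_text.splitlines():
        m = ADDUSER_RE.match(line)
        if m:
            created[m["user"]] = m["ts"]
            if m["uid"] == "0" and m["user"] not in known_root:
                findings.append(("uid0_account_created", m["user"], m["ts"]))
            continue
        m = LOGIN_RE.match(line)
        if not m:
            continue
        user, ip = m["user"], m["ip"]
        if user in created:
            findings.append(("login_to_fresh_account", user, ip))
        users_by_ip[ip].add(user)
        if len(users_by_ip[ip]) > 1:
            findings.append(("ip_shared_across_accounts", ip, sorted(users_by_ip[ip])))
    return findings


def extra_uid0_accounts(passwd_text):
    """Return login names other than 'root' whose numeric UID is 0."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            names.append(fields[0])
    return names


if __name__ == "__main__":
    for finding in analyze(AUTH_LOG):
        print(*finding)
    print("extra uid-0 accounts:", extra_uid0_accounts(PASSWD_SAMPLE))
```

Run against the excerpt this reports the uid-0 creation of arnildo, both later logins to that fresh account, and that 202.157.176.102 was used for both gerry and arnildo, which ties the new account to the session that created it. On a live box the same passwd check is a one-line way to confirm whether any other superuser logins remain after cleanup.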



Posted by Juergen Nieveler on July 6, 2005, 7:01 am

> So they got in with a standard user account "gerry". But how did he
> subsequently run the 'adduser' command?

Some local exploit that allowed him to gain root?

> And why did he bother adding another user at all?

To cover his tracks. "Gerry" might log in and note that the last login
time wasn't when HE logged in. He might ignore it once, but if he sees
it several times he might call the helpdesk...

> He created some hidden directories with the ... notation and used the
> machine to send out, of all things, an ebay seller account spam.

Not surprising. A lot of crackers nowadays sell their skill to the spam
mafia.

> Kernel version is 2.4.20-19.8.um.1 so is probably a little dated...
> could this be the root problem?

If the kernel is outdated, chances are some other software on the
machine is outdated as well...

BTW, you'll want to consider reinstalling the machine, perhaps the
cracker did drop a well-hidden rootkit.

Juergen Nieveler
--
What's the difference between "perl" and "Perl"? - One bit. Oh, you
weren't talking ASCII?


Posted by Unruh on July 6, 2005, 7:19 pm

>... and I just had a couple of questions to help prevent it again.

>This is an excerpt from the log

>Jun 27 09:37:09 mail sshd[14307]: Accepted password for gerry from
>202.157.176.102 port 2352 ssh2

You had a user gerry? Did he have a trivial password, or did they sniff his
password?

>Jun 27 09:41:44 mail adduser[14366]: new user: name=arnildo, uid=0,
>gid=0, home=/home/arnildo, shell=/bin/bash
>Jun 27 09:42:46 mail sshd[14307]: syslogin_perform_logout: logout()
>returned an error
>Jun 27 09:42:51 mail sshd[14372]: Accepted password for arnildo from
>202.157.176.102 port 2354 ssh2
>Jun 27 12:06:36 mail sshd[16636]: Accepted password for arnildo from
>193.151.75.22 port 2153 ssh2

>So they got in with a standard user account "gerry". But how did he
>subsequently run the 'adduser' command?

Once they are on the machine the rule of thumb is that they will then be
able to get root -- there are so many more possible cracks from inside than
outside.
Or perhaps gerry has root privileges.


>And why did he bother adding another user at all?

So when gerry changes his password they are not suddenly locked out.


>He created some hidden directories with the ... notation and used the
>machine to send out, of all things, an ebay seller account spam.

Of course. That is how they send out that spam.


>I have switched off password login and use the key based authentication
>only now and further restricted access to port 22 at the firewall.

Well, that may or may not be a good idea. If your users need outside access
it is a bad idea. But it sounds like you need some discussions with your
users.



>Kernel version is 2.4.20-19.8.um.1 so is probably a little dated...
>could this be the root problem?

Sounds like you have not upgraded anything for far too long. If so, then
yes, that is the problem. (2.4.20 sounds like it is part of a system whose
upgrade date has long since passed. I.e., even if you wanted to keep it up to
date you could not.)




>Any help or assistance in this matter would be appreciated ;-)

>Tam


