On Fri, 30.07.2004, at 11:45, Brian Fahrlander wrote:
From last night's LogWatch:
--------------------------------------------------------------------------
sshd:
Invalid Users:
Unknown Account: 7 Time(s)
Unknown Entries:
authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=johnstongrain.com : 2 Time(s)
authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=smms-mriley09d.chemistry.uq.edu.au : 2 Time(s)
authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.117.191.70 : 1 Time(s)
authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=216.97.110.1 : 1 Time(s)
authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=ccia-062-204-197-193.uned.es : 1 Time(s)
su:
Sessions Opened:
brian(uid=500) -> root: 1 Time(s)
------------------------------------------------------------------------
Ok, guys- what do we do with this? Should we be writing down the
addresses from which these attempts were made? They're probably all
'stooge' addresses, I know, but it might help authorities to know what
other machines have been compromised...
I'll go save the log somewhere...
------------------------------------------------------------------------
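Brian asks what to do with the addresses in the LogWatch summary. One way to get from the raw sshd log lines to an answer, as an added example that is not part of either post: the script below parses the pam_unix "authentication failure" and OpenSSH "Illegal user" records that LogWatch summarizes, counts attempts per source, and separates sources that are bare IP addresses (usable on a block list or in a complaint) from reverse-DNS names. The name in rhost is whatever the client address's PTR record said at the time, so it is controlled by the owner of that address and is evidence for the complaint, not a trustworthy key to block on. The sample log lines, the host name "serendipity", the PIDs, the account names and the threshold are constructed for the example; the source names and addresses reuse the ones from the summary above.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address

# Constructed sample of a 2004-era Red Hat/Fedora /var/log/secure. The source
# names and addresses are the ones from the LogWatch summary; the timestamps,
# the host name "serendipity", the PIDs and the account names are made up.
SAMPLE_LOG = """\
Jul 30 03:12:41 serendipity sshd(pam_unix)[4711]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=johnstongrain.com
Jul 30 03:12:44 serendipity sshd(pam_unix)[4711]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=johnstongrain.com
Jul 30 03:15:02 serendipity sshd[4720]: Illegal user test from 211.117.191.70
Jul 30 03:15:05 serendipity sshd[4720]: Illegal user guest from 211.117.191.70
Jul 30 03:15:09 serendipity sshd(pam_unix)[4720]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.117.191.70
Jul 30 04:01:17 serendipity sshd(pam_unix)[4802]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=216.97.110.1  user=root
Jul 30 04:40:00 serendipity sshd[4850]: Accepted publickey for brian from 192.168.1.20 port 52311 ssh2
"""

# pam_unix's failure record. rhost is what sshd handed PAM: the client's
# reverse-DNS name when one resolves, otherwise its IP address. A "user="
# field is present only when the account exists on the box.
PAM_FAIL = re.compile(
    r"sshd\S*: authentication failure;.*\brhost=(?P<src>\S*)"
    r"(?:\s+user=(?P<user>\S+))?")
# Unknown accounts: OpenSSH 3.x logs "Illegal user", later versions "Invalid user".
BAD_USER = re.compile(
    r"sshd\S*: (?:Illegal|Invalid) user (?P<user>\S+) from (?P<src>\S+)")


@dataclass
class Source:
    attempts: int = 0
    users: set = field(default_factory=set)


def parse_failures(text):
    """Return a list of (source, kind, user) for every failed login in the log."""
    events = []
    for line in text.splitlines():
        m = BAD_USER.search(line)
        if m:
            events.append((m["src"], "unknown-account", m["user"]))
            continue
        m = PAM_FAIL.search(line)
        if m and m["src"]:
            events.append((m["src"], "auth-failure", m["user"]))
    return events


def summarize(events):
    """Count attempts and the account names tried, per source."""
    by_src = {}
    for src, _kind, user in events:
        s = by_src.setdefault(src, Source())
        s.attempts += 1
        if user:
            s.users.add(user)
    return by_src


def is_ip(src):
    try:
        ip_address(src)
        return True
    except ValueError:
        return False


def block_candidates(summary, threshold=2):
    """Split noisy sources into IPs that can go on a block list and names that
    need a human look: a reverse-DNS name is set by whoever owns the PTR record
    for the client address, so on its own it identifies nothing."""
    block, review = [], []
    for src, s in summary.items():
        if s.attempts < threshold:
            continue
        (block if is_ip(src) else review).append(src)
    return sorted(block), sorted(review)


if __name__ == "__main__":
    summary = summarize(parse_failures(SAMPLE_LOG))
    for src, s in sorted(summary.items(), key=lambda kv: -kv[1].attempts):
        print(f"{src:30} {s.attempts:3} attempt(s)  users={sorted(s.users)}")
    block, review = block_candidates(summary)
    print("block:", block, " review (reverse-DNS names):", review)
```

Run against the real /var/log/secure, the "block" list is what you would feed to iptables or an abuse report, and the "review" list is what you would resolve forward again before doing anything with it.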
Just got these SSH login attempts from a machine which is obviously
hacked! I did a portscan immediately after the messages occurred in my
log:
$ nmap -vvvv -sS -sV -P0 -O 64.86.78.209
Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2004-08-03 16:53 CEST
Host 64.86.78.209 appears to be up ... good.
Initiating SYN Stealth Scan against 64.86.78.209 at 16:53
Adding open port 5101/tcp
Adding open port 23/tcp
adjust_timeout: packet supposedly had rtt of 11522743 microseconds.
Ignoring time.
adjust_timeout: packet supposedly had rtt of 11516952 microseconds.
Ignoring time.
adjust_timeout: packet supposedly had rtt of 12503503 microseconds.
Ignoring time.
adjust_timeout: packet supposedly had rtt of 25062938 microseconds.
Ignoring time.
Adding open port 818/tcp
adjust_timeout: packet supposedly had rtt of 25019107 microseconds.
Ignoring time.
adjust_timeout: packet supposedly had rtt of 25985784 microseconds.
Ignoring time.
Adding open port 111/tcp
Adding open port 22/tcp
Adding open port 1984/tcp
Adding open port 3001/tcp
Adding open port 21/tcp
Adding open port 443/tcp
Adding open port 3000/tcp
adjust_timeout: packet supposedly had rtt of 11461759 microseconds.
Ignoring time.
Adding open port 5102/tcp
Adding open port 32770/tcp
Adding open port 5100/tcp
Adding open port 80/tcp
Adding open port 3306/tcp
adjust_timeout: packet supposedly had rtt of 11455679 microseconds.
Ignoring time.
The SYN Stealth Scan took 54 seconds to scan 1657 ports.
Initiating service scan against 15 services on 1 host at 16:54
The service scan took 27 seconds to scan 15 services on 1 host.
Initiating RPCGrind Scan against 64.86.78.209 at 16:54
The RPCGrind Scan took 7 seconds to scan 3 ports.
For OSScan assuming that port 21 is open and port 1 is closed and neither are firewalled
Interesting ports on 64.86.78.209:
(The 1642 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE    VERSION
21/tcp    open  ftp        vsFTPd 1.1.0
22/tcp    open  ssh        OpenSSH 3.4p1 (protocol 1.99)
23/tcp    open  telnet     Linux telnetd
Telnet is open!
80/tcp    open  http       Apache httpd 2.0.40 ((Red Hat Linux))
111/tcp   open  rpcbind    2 (rpc #100000)
443/tcp   open  ssl/http   Apache httpd 2.0.40 ((Red Hat Linux))
818/tcp   open  rquotad    1-2 (rpc #100011)
1984/tcp  open  ssh
See below for port 1984!
3000/tcp  open  ppp?
3001/tcp  open  nessusd?
3306/tcp  open  mysql?
5100/tcp  open  http       Apache httpd 1.3.27 ((Unix) Sun-ONE-ASP/4.0.0)
5101/tcp  open  admdog?
5102/tcp  open  admeng?
32770/tcp open  mountd     1-3 (rpc #100005)
1 service unrecognized despite returning data. If you know the
service/version, please submit the following fingerprint at
http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port1984-TCP:V=3.48%D=8/3%Time=410FA725%r(NULL,20,"SSH-1\.5-FucKiT\x20R
SF:ootKit\x20by\x20Cyrax\n");
ON PORT 1984 THE ROOTKIT SSH IS LISTENING!
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20
The kernel is a Redhat 2.4.18-4 one - so highly vulnerable. No question
why a rootkit is on this box.
OS Fingerprint:
TSeq(Class=RI%gcd=1%SI=22816B%IPID=Z)
T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
TCP Sequence Prediction: Class=random positive increments
Difficulty=2261355 (Good luck!)
TCP ISN Seq. Numbers: 33A1C699 33236160 334D5B86 32FCC75A
IPID Sequence Generation: All zeros
Nmap run completed -- 1 IP address (1 host up) scanned in 119.684 seconds
I mailed the responsible person according to the whois data. We'll see...
Alexander
--
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.6-1.435.2.3.ad.umlsmp
Serendipity 17:31:12 up 2 days, 22:55, load average: 0.39, 0.27, 0.21
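Nmap could not name the service on port 1984, but it printed the raw banner inside the service fingerprint it asked Alexander to submit. The block below is added here and is not code from either post or from nmap: it joins the "SF:" continuation line back onto the header, decodes the escaped response (the length field after the probe name is hexadecimal, so the 20 means 32 bytes, and the decoder checks that the decoded data really is that long), and then applies the two checks a responder wants on any SSH identification string: which protocol versions are offered (SSH-1.5 is protocol 1 only; 1.99, as on port 22, means protocol 1 is still enabled alongside 2) and whether the software field or comment says something it should not. grab_banner() is an assumed helper for doing the same against a live host and is the only part that needs the network; the offline part runs on the fingerprint text from the post.

```python
import re
import socket

# The fingerprint nmap printed for port 1984 in the post above, exactly as it
# appeared: a header line plus one "SF:" continuation line.
RAW_SF = r'''SF-Port1984-TCP:V=3.48%D=8/3%Time=410FA725%r(NULL,20,"SSH-1\.5-FucKiT\x20R
SF:ootKit\x20by\x20Cyrax\n");'''

SF_HEAD = re.compile(r"^SF-Port(?P<port>\d+)-(?P<proto>TCP|UDP):")
# One probe/response pair: %r(PROBE,HEXLEN,"escaped bytes")
SF_RESP = re.compile(
    r'%r\((?P<probe>\w+),(?P<len>[0-9A-Fa-f]+),"(?P<data>(?:[^"\\]|\\.)*)"\)')
_ESC = re.compile(r"\\x([0-9A-Fa-f]{2})|\\(.)")
# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments]
BANNER = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


def join_sf_lines(raw):
    """Undo nmap's line wrapping: continuation lines start with 'SF:'."""
    parts = []
    for line in raw.splitlines():
        line = line.strip()
        parts.append(line[3:] if line.startswith("SF:") else line)
    return "".join(parts)


def unescape(s):
    """Decode nmap's C-style escapes: \\xHH, \\n, \\r, \\t, \\0 and \\<char>."""
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        c = m.group(2)
        return {"n": "\n", "r": "\r", "t": "\t", "0": "\0"}.get(c, c)
    return _ESC.sub(repl, s)


def parse_nmap_sf(raw):
    """Return {'port', 'proto', 'responses': {probe: decoded data}}.
    The length after the probe name is hexadecimal; a mismatch with the
    decoded data means the lines were joined or unescaped wrongly."""
    text = join_sf_lines(raw)
    head = SF_HEAD.match(text)
    if not head:
        raise ValueError("not an nmap service fingerprint")
    responses = {}
    for m in SF_RESP.finditer(text):
        data = unescape(m["data"])
        declared = int(m["len"], 16)
        if len(data) != declared:
            raise ValueError(
                f"{m['probe']}: declared {declared} bytes, decoded {len(data)}")
        responses[m["probe"]] = data
    return {"port": int(head["port"]), "proto": head["proto"],
            "responses": responses}


def classify_ssh_banner(banner):
    """Protocol-version and content checks on an SSH identification string."""
    banner = banner.rstrip("\r\n")
    m = BANNER.match(banner)
    if not m:
        return {"ssh": False, "banner": banner,
                "findings": ["not an SSH identification string"]}
    findings = []
    proto = m["proto"]
    if proto == "1.99":
        findings.append("SSH protocol 1 still offered alongside SSH-2")
    elif proto.startswith("1."):
        findings.append("SSH protocol 1 only (no SSH-2 offered)")
    # Backdoor daemons are not shy; the one on port 1984 says so in its banner.
    if re.search(r"r[o0]{2}tkit", banner, re.IGNORECASE):
        findings.append("banner names a rootkit")
    return {"ssh": True, "banner": banner, "proto": proto,
            "software": m["software"], "comments": m["comments"] or "",
            "findings": findings}


def grab_banner(host, port, timeout=5.0):
    """Assumed helper: read the identification line a live host sends on connect."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        first = s.recv(256).decode("latin-1", "replace").split("\n", 1)[0]
    return first + "\n"


if __name__ == "__main__":
    fp = parse_nmap_sf(RAW_SF)
    for probe, data in fp["responses"].items():
        print(fp["proto"], fp["port"], probe, classify_ssh_banner(data))
```

The same classifier run on the port 22 banner from the scan ("SSH-1.99-OpenSSH_3.4p1") reports only the protocol 1 finding, which is the difference between a legitimate but poorly configured sshd and the thing on port 1984.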