Re: possible ssh hack

[Adam Bultman <adamb () glaven org>]

What version of SSH were you running? Were you following all the rules and
such?  What other daemons are you running?  You may wish to see if other
daemons are running that you didn't know were running, and some that may
have been added later.  Let me know what you find.  Run nmap on your
server from across the lan or whatever (see what holes are there, etc).

Regardless, take the box down off the net, and be sure to check all your
other boxes. If you have other boxes near it, you might check those, and
change all your passwords (of course, make sure therea aren't any trojans
on those, etc first).

Good luck...

On Tue, 10 Sep 2002, Ver Allan Sumabat wrote:


> Hi,
>
> We have just recently been hacked. I have no idea how
> he came in. Here are my preliminary investigations:
>
> 1. He was able to add a user without logging in.
>
> **Unmatched Entries**
> Sep  5 10:39:33 srv1 sshd[20514]: Could not reverse
> map address 10.13.41.4.
> Sep  5 10:39:35 srv1 sshd[20514]: Accepted password
> for root from 10.13.41.4
> port 4207
> Sep  5 17:30:36 srv1 sshd[23299]: Could not reverse
> map address 10.13.41.4.
> Sep  5 17:30:41 srv1 sshd[23299]: Accepted password
> for root from 10.13.41.4
> port 2491
> Sep  5 22:16:59 srv1 useradd[23532]: new group:
> name=war, gid=502
> Sep  5 22:16:59 srv1 useradd[23532]: new user:
> name=war, uid=502, gid=502,
> home=/home/war, shell=/bin/bash
> Sep  5 22:17:31 srv1 sshd[23534]: Accepted password
> for war from
> 212.179.207.211 port 2746
> Sep  5 22:19:17 srv1 sshd[23580]: fatal: Read from
> socket failed: Connection
> reset by peer
> Sep  5 22:21:48 srv1 sshd[928]: Received SIGHUP;
> restarting.
>
>
> 2. He installed a tarball w00tkit.tgz in /home/war
>
> 3. After running chkrootkit, the significant lines
> are:
>
> ...
> Checking `ifconfig'... INFECTED
> ...
> Searching for Showtee... Warning: Possible Showtee
> Rootkit installed
> ...
> Checking `lkm'... You have     1 process hidden for ps
> command
> Warning: Possible LKM Trojan installed
>
> 4. ssh won't run anymore
>
> Can anyone help me on how the intrusion was done?
>
> Thanks.
>
> Regards,
>
> Allan
>
> __________________________________________________
> Yahoo! - We Remember
> 9-11: A tribute to the more than 3,000 lives lost
> http://dir.remember.yahoo.com/tribute
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

-- 
Adam Bultman
adam () glaven org
[ http://www.glaven.org ]



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com