In several suse 7.2 prof ( 4 machines), i have the same problem ----- Original Message ----- From: "Eric Whiting" To: "Praise" Cc: Sent: Thursday, October 11, 2001 4:00 PM Subject: Re: [suse-security] Am I hacked???

I saw a similar thing in my log yesterday.

ewhiting pts/0 laptop Tue Oct 9 19:22 - down (00:04) xL ****@******* Wed Dec 31 17:00 - down (11605+01:26

I checked messages, /usr/sbin, /sbin, netstat. I did a 12 hr tcpdump to watch for unexpected traffic. I did not find anything that looked bad. I'm still a little uncertain about it.

My box is a suse 7.2. It sits behind a simple HW firewall. Only open ports on the FW are 22, 25, and 80.

Could this be a case of reiserfs corruption of the wtmp file?

eric

Praise wrote:

...

When I run the "last" command I find out this output:

dbuffoni pts/0 62.98.75.83 Sun Sep 23 19:03 - 19:08 (00:05) leofire ftp ppp-4-10.27-151. Sun Sep 23 15:45 - 19:45 (04:00) leofire ftp ppp-4-10.27-151. Sun Sep 23 15:44 - 15:44 (00:00) fraghi pts/0 151.17.72.243 Sun Sep 23 15:43 - 15:50 (00:06) pB ************ Thu Jan 1 01:00 - 01:00 (00:00) leofire pts/0 ppp-4-10.27-151. Sun Sep 23 04:49 - 04:54 (00:04) fraghi pts/0 151.17.128.9 Sat Sep 22 15:37 - 15:50 (00:13) guybrush ftp flat-p01-m224.ar Sat Sep 22 14:53 still logged

in

...

fraghi pts/0 151.17.128.9 Sat Sep 22 14:51 - 15:37 (00:45) dbuffoni ftp 62.98.76.173 Sat Sep 22 12:43 - 12:57 (00:13) dbuffoni pts/0 62.98.76.173 Sat Sep 22 12:31 - 12:57 (00:25) 5 ************ Thu Jan 1 01:00 - 01:00 (00:00) praise pts/0 62.98.133.24 Sat Sep 22 01:53 - 03:12 (01:19) leofire ftp ppp-227-6.27-151 Sat Sep 22 00:30 still logged in leofire ftp ppp-227-6.27-151 Sat Sep 22 00:30 still logged in guybrush ftp flat-p07-m022.ar Sat Sep 22 00:17 - 00:27 (00:10)

Everything is working fine on my system. At least it looks like that. But what does the "pB" and "5" strange users mean? And the dates are not so true.

The /var/log/messages is regular, except for:

Oct 8 05:10:03 main in.ftpd[16381]: connect from rg@217.128.174.129 (217.128.174.129)

rg is not an user in my system! Just checked

Oct 8 10:56:13 main in.ftpd[17131]: connect from root@203.90.83.203 (203.90.83.203)

and root cant connect to ftp when I try it. What does these entries could mean?

I have brought down my pc and I have checked passwd and log files with the suse rescue system. Everything looks as regular as when I did that with the compromised (?) system.

My system is a Suse 7.1, the only open ports are the 22 (ssh) and the one with ftp (21). I use in.ftpd (the standard type in inetd.conf). last gives me the same problem with a laptop pc, which is not directly connected to the internet, but it is often in the same network as the other compromised system.

Anybody can tell me that I am not hacked and there are only common bugs???

Praise

-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

Disconnect it from the internet, but don't wipe it until you are sure what happened. I wouldn't even power it down until you have checked it for running daemons etc. Check http://www.cert.org/tech_tips/root_compromise.html for steps to take to find out if you were indeed hacked. Those wtmp entries are indeed strange. Are you logging failed attempts as well (lastb)? If so do you see strangeness there as well? As for the connect from root@ etc: those are not local users, those are the remote users connecting to your system. Oct 8 10:56:13 main in.ftpd[17131]: connect from root@203.90.83.203 (203.90.83.203) means the root user of 203.90.83.203 connected to your ftp port. As you obviously don't know this machine, this may have been an attempt to gain illegal access, but from the log entries you provide we can't see if it was successful. Once you've found out exactly what happened, THEN wipe the machine. If you re-install without knowing how (and if) they got in, chances are you will leave the same hole open again and they will just get back on after you've reinstalled. HTH Stefan

Yup...

On 11-Oct-01 Praise wrote:

...

When I run the "last" command I find out this output:

dbuffoni pts/0 62.98.75.83 Sun Sep 23 19:03 - 19:08 (00:05) leofire ftp ppp-4-10.27-151. Sun Sep 23 15:45 - 19:45 (04:00) leofire ftp ppp-4-10.27-151. Sun Sep 23 15:44 - 15:44 (00:00) fraghi pts/0 151.17.72.243 Sun Sep 23 15:43 - 15:50 (00:06) pB ************ Thu Jan 1 01:00 - 01:00 (00:00) leofire pts/0 ppp-4-10.27-151. Sun Sep 23 04:49 - 04:54 (00:04) fraghi pts/0 151.17.128.9 Sat Sep 22 15:37 - 15:50 (00:13) guybrush ftp flat-p01-m224.ar Sat Sep 22 14:53 still logged in fraghi pts/0 151.17.128.9 Sat Sep 22 14:51 - 15:37 (00:45) dbuffoni ftp 62.98.76.173 Sat Sep 22 12:43 - 12:57 (00:13) dbuffoni pts/0 62.98.76.173 Sat Sep 22 12:31 - 12:57 (00:25) 5 ************ Thu Jan 1 01:00 - 01:00 (00:00) praise pts/0 62.98.133.24 Sat Sep 22 01:53 - 03:12 (01:19) leofire ftp ppp-227-6.27-151 Sat Sep 22 00:30 still logged in leofire ftp ppp-227-6.27-151 Sat Sep 22 00:30 still logged in guybrush ftp flat-p07-m022.ar Sat Sep 22 00:17 - 00:27 (00:10)

Everything is working fine on my system. At least it looks like that. But what does the "pB" and "5" strange users mean? And the dates are not so true.

Hmm... Doesn't look too good. First of all, is this a home system or some kind of productively used host? Does it reside in a LAN, and if so, how's the LAN connected to the internet? What types of OSs do you run on your boxes (Win, Linux...)?

The "pB" and "5" lastlog entries may point to a partly unsuccessful attempt to phog (hide) the (would-be-)intruder's traces.

...

The /var/log/messages is regular, except for:

Oct 8 05:10:03 main in.ftpd[16381]: connect from rg@217.128.174.129 (217.128.174.129)

rg is not an user in my system! Just checked

Oct 8 10:56:13 main in.ftpd[17131]: connect from root@203.90.83.203 (203.90.83.203)

and root cant connect to ftp when I try it. What does these entries could mean?

Uhm... "rg" brakes weak security of your box...rg uploads root kits and logs in...rg (locally) overflows some vulnerable demons, or setuid apps, or rg installed a sniffer...rg got root pass...rg installs root kit...rg installs bots...etc...

That's *not* an analysis of your log entries above, it's just the way it goes quite often. It may be different in your case.

...

I have brought down my pc and I have checked passwd and log files with the suse rescue system. Everything looks as regular as when I did that with the compromised (?) system.

How did you check it?

...

My system is a Suse 7.1, the only open ports are the 22 (ssh) and the one with ftp (21). I use in.ftpd (the standard type in inetd.conf). last gives me the same problem with a laptop pc, which is not directly connected to the internet, but it is often in the same network as the other compromised system.

Anybody can tell me that I am not hacked and there are only common bugs???

From the sparse data you provided, it's not easy to tell wether you've been visited by system crackers.

If this is not a production box, take it offline (you did that already - good), save some files you'll need later and *wipe* the box. Install a fresh new Linux and step forth by securing your system. Start from the SuSE Security FAQ ( http://www.susesecurity.com/faq ).

The same goes for other boxes in your net. Prolly some of your boxes (Win?!) is inherently insecure and gave way after being hit by CodeRed(II) and relatives.

However, all that are just guesses. It's hard to tell without the proper data.

...

Praise

Boris Lorenz ---

-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

* Boris Lorenz; on 11 Oct, 2001 wrote:

A post mortem analysis of a host believed to be cracked is a MUCH, MUCH more complicated process than ANY secure installation of a Linux system could ever be. It takes YEARS for professional analysts before they're able to do their work properly, so personally I would not recommend that to a newbieish-to-security lifeform ;) (NO puns intended!)...

Well I think that was one of the reasons for the http://project.honeynet.org by going over the scans of the previous months I think you can learn a lot information which one day may be helpfull. Do not misunderstand me. It is also dangerous when the person is not ready to learn knowledgewise yet new information is provided, that person may mistakenly believe that he has acquired the knowledge and the skills while the reality he has not. This is also something not wanted. At least the above mentioned site by giving examples helps the novice or the experienced to practice and see his limitations. First of all the site says a default install Redhat 6.2 has maximum 72 hrs. before it is rooted and it is more often it takes only 8 . Good that I started with SuSE :-) -- Togan Muftuoglu

* Eric Whiting; on 11 Oct, 2001 wrote:

I did a check of all /usr/bin /bin/ /sbin files. They all still have the same checksum as these files on a box in another safer world. (I used rsync -cnR -av -e ssh $SRC $DST to check these dirs) I did a manual scp/diff of netstat/ps/ls/strings. ^^^^^^^^^^^^^^^^

These would be the first to be replaced by an attacker AFAIK inorder to hide the files/directories he has installed. So unless you are using these utilities from a safe source I would not have trusted them. -- Togan Muftuoglu

Is there a chance that this wtmp entry:

xL ****@******* Wed Dec 31 17:00 - down (11605+01:26

1) Is caused by a 2.4.x kernel or system issue? or

It could very well be a hardware flaw. I think an acquaintance of mine had something pretty similar once and it turned out his cpu fan was defective and the cpu overheated. System crash on OS issues is possible as well. Without further inspection you can't be sure of what it is.

2) Is a half-failed login attempt? 3) An artifact of hitting the OOM wall and my kernel and killing the box?

I know it certainly looks like a hacker is logged in and trying to patch up wtmp, but I can't find other signs of trouble.

I have several suse 7.0 and 6.x boxes (various place in networks) that don't have this sign of problems. The person who first pointed this symptom out was on a suse 7.1 box running a 2.4.7 kernel. One other person noticed it on 7.2 boxes. My box was 2.4.8pre4 on suse 7.2.

I did a check of all /usr/bin /bin/ /sbin files. They all still have the same checksum as these files on a box in another safer world. (I used rsync -cnR -av -e ssh $SRC $DST to check these dirs) I did a manual scp/diff of netstat/ps/ls/strings.

I did a tcpdump for 12hrs and checked all the packets. I don't see odd stuff. I'll start another tcpdump.

This box is behind a firewall set to deny all but 22,25,80.

It is a farily new install and I ran YOU when it was first installed (Sep 1) and installed all security patches for 7.2.

Personally, I think it's likely you are dealing with some kind of hardware/software problem, especially since you sound like you know what you are doing. I'd look into that first. That's the whole point of this thread I think: if you are unsure of what happened there isn't much use in just taking action (re-installing or otherwise).

eric

hth Stefan