netstat -apln
I tried, but here I get some things which I don't understand:

tcp 0 0 0.0.0.0:9705 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
tcp 0 0 my_machine:7373 213.3.142.211:65338 ESTABLISHED
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:2030 0.0.0.0:*

let me give some more things: (/var/log/messages)

Feb 6 15:08:10 linux1 sshd[3355]: log: Connection from 213.3.142.43 port 65462
Feb 6 15:08:10 linux1 sshd[3355]: fatal: Connection closed by remote host.
Feb 6 15:08:13 linux1 sshd[3357]: log: Connection from 213.3.142.43 port 65456
Feb 6 15:08:14 linux1 sshd[3357]: fatal: Connection closed by remote host.
Feb 6 15:08:32 linux1 sshd[3359]: log: Connection from 213.3.142.43 port 65199
Feb 6 15:08:32 linux1 sshd[3359]: fatal: Connection closed by remote host.
Feb 6 15:09:12 linux1 sshd[3360]: log: Connection from 213.3.142.43 port 65441
Feb 6 15:09:13 linux1 sshd[3360]: fatal: Connection closed by remote host.
Feb 6 15:09:37 linux1 sshd[3361]: log: Connection from 213.3.142.43 port 65431
Feb 6 15:09:37 linux1 sshd[3361]: fatal: Connection closed by remote host.
Feb 6 15:09:48 linux1 sshd[3362]: log: Connection from 213.3.142.43 port 65190
Feb 6 15:09:48 linux1 sshd[3362]: fatal: Connection closed by remote host.
Feb 6 15:10:54 linux1 sshd[3363]: log: Connection from 213.3.142.43 port 65433
Feb 6 15:10:54 linux1 sshd[3363]: log: Password authentication for root accepted.
Feb 6 15:10:54 linux1 sshd[3363]: log: ROOT LOGIN as 'root' from bw2-142pub43.bluewin.ch
Feb 6 15:12:06 linux1 sshd[3363]: log: Closing connection to 213.3.142.43
Feb 6 18:21:05 linux1 popper[3484]: connect from 213.3.142.43
Feb 6 15:24:59 linux1 sshd[214]: log: Generating new 768 bit RSA key.
Feb 6 15:24:59 linux1 sshd[214]: log: RSA key generation complete.

This 213.3.142.43 is a bluewin.ch dialin. The one above which still has a connection open is one as well. (probably the same guy).

Is there a trojan listening in my system? Could I find it somehow? I have backups of /bin/ps and /bin/ls but they seem to be the same!

Thanks
Raffy
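A first-pass triage of exactly the material in the post above, as an added example that is not part of the thread. The netstat and syslog excerpts are copied from the post as sample data (the log abridged); the list of "expected" ports is the analyst's assumption (ftp, ssh, smtp, http, pop3, submission), and the script only reports what is not on that list, it does not decide what a port is. Everything here reads text, so it can be run over output captured with tools copied from clean media; it says nothing about a kernel-level rootkit.

```shell
#!/bin/sh
# Added triage example, not code from the thread. Runs over the netstat and
# /var/log/messages excerpts posted above (copied below; log abridged) and
# answers three questions an incident handler asks first: which sockets are
# listening that the admin did not expect, who is connected right now, and
# where the accepted root logins came from.

NETSTAT_SAMPLE='tcp 0 0 0.0.0.0:9705 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
tcp 0 0 my_machine:7373 213.3.142.211:65338 ESTABLISHED
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:2030 0.0.0.0:*'

LOG_SAMPLE="Feb 6 15:08:10 linux1 sshd[3355]: log: Connection from 213.3.142.43 port 65462
Feb 6 15:08:10 linux1 sshd[3355]: fatal: Connection closed by remote host.
Feb 6 15:10:54 linux1 sshd[3363]: log: Connection from 213.3.142.43 port 65433
Feb 6 15:10:54 linux1 sshd[3363]: log: Password authentication for root accepted.
Feb 6 15:10:54 linux1 sshd[3363]: log: ROOT LOGIN as 'root' from bw2-142pub43.bluewin.ch
Feb 6 15:12:06 linux1 sshd[3363]: log: Closing connection to 213.3.142.43
Feb 6 18:21:05 linux1 popper[3484]: connect from 213.3.142.43"

# Services the admin believes he runs. This is an assumption for the example:
# ftp, ssh, smtp, http, pop3, submission.
EXPECTED_PORTS="21 22 25 80 110 587"

# unexpected_listeners NETSTAT_TEXT "port port ...": print proto/port for every
# listening tcp socket and every bound udp socket whose port is not on the list.
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v ok="$2" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) allow[a[i]] = 1 }
        ($1 == "tcp" && $6 == "LISTEN") || $1 == "udp" {
            port = $4; sub(/.*:/, "", port)          # "0.0.0.0:9705" -> "9705"
            if (!(port in allow)) printf "%s/%s\n", $1, port
        }'
}

# foreign_connections NETSTAT_TEXT: print "remote -> local" for every ESTABLISHED tcp socket.
foreign_connections() {
    printf '%s\n' "$1" | awk '$1 == "tcp" && $6 == "ESTABLISHED" { print $5 " -> " $4 }'
}

# root_logins LOG_TEXT: join each "ROOT LOGIN" line to the "Connection from" line
# of the same sshd pid (field 5 is "sshd[NNNN]:") and print "source-ip hostname".
root_logins() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: log: Connection from/ { src[$5] = $(NF - 2) }
        /sshd\[[0-9]+\]: log: ROOT LOGIN as/   { print src[$5] " " $NF }'
}

echo "== listeners not on the expected list"; unexpected_listeners "$NETSTAT_SAMPLE" "$EXPECTED_PORTS"
echo "== established connections";            foreign_connections "$NETSTAT_SAMPLE"
echo "== accepted root logins (ip hostname)"; root_logins "$LOG_SAMPLE"
```

On the sample data the first function reports tcp/9705 and udp/2030 as not on the expected list, the second reports the open connection from 213.3.142.211, and the third ties the accepted root password login to 213.3.142.43. What is actually behind the two unlisted ports can only be settled on the box itself with `netstat -p`/`lsof` copied from clean media, not from this output.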
On Thu, 8 Feb 2001, Raffy wrote:

> This 213.3.142.43 is a bluewin.ch dialin. The one above which still has a connection open is one as well. (probably the same guy).

contact the provider of this guy.

> Is there a trojan listening in my system? Could I find it somehow? I have backups of /bin/ps and /bin/ls but they seem to be the same!

put the machine off the net, backup hard disk and re-install. There is no other way. (and maybe sue the attacker if you can get him)

Markus
--
 _____________________________
/"\  Markus Gaugusch  ICQ 11374583
\ /  ASCII Ribbon Campaign  markus@gaugusch.dhs.org
 X   Against HTML Mail
/ \
On Thu, 8 Feb 2001, Markus Gaugusch wrote:

> On Thu, 8 Feb 2001, Raffy wrote:
>
> > This 213.3.142.43 is a bluewin.ch dialin. The one above which still has a connection open is one as well. (probably the same guy).
>
> contact the provider of this guy.
>
> > Is there a trojan listening in my system? Could I find it somehow? I have backups of /bin/ps and /bin/ls but they seem to be the same!
>
> put the machine off the net, backup hard disk and re-install. There is no other way. (and maybe sue the attacker if you can get him)

DON'T!! re-install until you have tried every avenue to try and find out how he got in, or you might end up spending days configuring your machine again, in exactly the same way, and have him walk right back in after that. I just posted the CERT addresses dealing with this in response to another mail, but take a look at www.cert.org/tech_tips/root_compromise.html.

Unplug the box from the internet, and connect it to a safe machine. Use that one to portscan etc. Preferably a linux machine with the same OS/version that you're sure has not been compromised. Put versions of every binary you want to use on a floppy or something, using binaries from the clean machine, because if this guy placed a root kit on your system you can't trust anything anymore. If you want to check if binaries were replaced, compare MD5 sums with known correct binaries.

Once you're pretty certain you've found the way he got in, THEN reinstall (don't try to clean up, you can't be sure you got everything).

Judging from your logs it looks like he attacked you through ssh. Are you running an older (i.e. vulnerable) version of openssh for example? That's how a host in our net was recently cracked.

good luck,
Stefan
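The "compare MD5 sums with known correct binaries" step from the reply above, written out as a script. This is an added example, not code from the thread or from CERT. It assumes a manifest built on a known-clean machine of the same OS/version and carried to the suspect host (or to the clean host with the suspect disk mounted read-only) together with the hashing binary itself, because a rootkit can replace md5sum as easily as ps or ls; `TRUSTED_HASH` names that carried-over binary (md5sum to match the thread; sha256sum is the better choice today). The demo trees at the bottom are constructed in a temp directory and contain no real binaries.

```shell
#!/bin/sh
# Added example, not code from the thread: verify files on a suspect filesystem
# against a manifest of hashes recorded on a known-clean machine of the same
# OS/version. Assumptions: $TRUSTED_HASH is a hashing binary copied from clean
# media (never the suspect's own /usr/bin/md5sum), and both roots are plain
# directories, e.g. / on the clean box and /mnt/suspect on the analysis box.

TRUSTED_HASH="${TRUSTED_HASH:-md5sum}"   # thread uses MD5; prefer sha256sum where available

# make_manifest ROOT PATH...: run on the CLEAN machine; prints "hash  relative-path"
# for each PATH below ROOT, the same format the hash tool's own -c mode reads.
make_manifest() {
    root=$1; shift
    for f in "$@"; do
        (cd "$root" && "$TRUSTED_HASH" "$f")
    done
}

# check_manifest MANIFEST ROOT: hash every path in MANIFEST below ROOT with the
# trusted tool and print one of OK / MODIFIED / MISSING per file.
# Returns 0 only when every file matched.
check_manifest() {
    manifest=$1; root=$2; bad=0
    while read -r want path; do
        [ -n "$path" ] || continue
        if [ ! -f "$root/$path" ]; then
            echo "MISSING  $path"; bad=1; continue
        fi
        have=$("$TRUSTED_HASH" < "$root/$path")
        have=${have%% *}                       # "<hash>  -" -> "<hash>"
        if [ "$have" = "$want" ]; then
            echo "OK       $path"
        else
            echo "MODIFIED $path"; bad=1
        fi
    done < "$manifest"
    return $bad
}

# demo: constructed clean and suspect trees in a temp dir; the suspect tree has
# ls and ps identical to the clean ones (as in Raffy's backups) and a different netstat.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/clean/bin" "$t/suspect/bin"
    printf 'ls v1'      > "$t/clean/bin/ls"
    printf 'ps v1'      > "$t/clean/bin/ps"
    printf 'netstat v1' > "$t/clean/bin/netstat"
    cp "$t/clean/bin/ls" "$t/clean/bin/ps" "$t/suspect/bin/"
    printf 'netstat, replaced' > "$t/suspect/bin/netstat"
    make_manifest "$t/clean" bin/ls bin/ps bin/netstat > "$t/manifest"
    check_manifest "$t/manifest" "$t/suspect"
    rc=$?
    rm -rf "$t"
    return $rc
}

demo || echo "== at least one file differs from the manifest"
```

With a trusted md5sum in hand, `(cd /mnt/suspect && md5sum -c manifest)` does the same comparison; the function exists to make explicit which binary does the hashing and to keep the report format under control. Two caveats that apply to any such check: a manifest only covers the files you recorded, so matching /bin/ps and /bin/ls says nothing about netstat, login, ifconfig or anything else, and a kernel-module rootkit is invisible to every userland comparison, which is the reason the reply above ends with a reinstall rather than a clean-up.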
> DON'T!! re-install until you have tried every avenue to try and find out how he got in, or you might end up spending days configuring your machine again, in exactly the same way, and have him walk right back in after that.

I said "put it off the net, backup, reinstall". I forgot to say that the backup should be used to reconstruct the incident. He also said that he was running a vulnerable version of bind. (ok, it may be something less obvious too, ...)

Markus
--
 _____________________________
/"\  Markus Gaugusch  ICQ 11374583
\ /  ASCII Ribbon Campaign  markus@gaugusch.dhs.org
 X   Against HTML Mail
/ \
Hi,

There is a package called TCT (The Coroner's Toolkit), by Dan Farmer and Wietse Venema (the writers of tcp wrappers). It specializes in forensics of computer security. You can look for it at http://www.porcupine.org/forensics

the docs say....

<quote>
........we feel that it's high time that more people knew about (and how to effectively utilize) MAC times, the possibilities of exploring - and recovering - Unix files that were removed or destroyed, capturing processes and their associated information and a fair bit more besides. If nothing else, we hope that when a Unix system has been broken into that the owner of the computer would have a chance of capturing (if not understanding) much of the crucial forensics data that is needed in order to understand what has happened on that system.
</quote>

On Thu, 8 Feb 2001, Markus Gaugusch wrote:

> > DON'T!! re-install until you have tried every avenue to try and find out how he got in, or you might end up spending days configuring your machine again, in exactly the same way, and have him walk right back in after that.
>
> I said "put it off the net, backup, reinstall". I forgot to say that the backup should be used to reconstruct the incident. He also said that he was running a vulnerable version of bind. (ok, it may be something less obvious too, ...)
>
> Markus

regards
omicron
--
******
An optimist sees light at the end of every tunnel.
A pessimist fears it might be of an incoming train.
omicron@omicron.dyndns.org
omicron.symonds.net
C O G I T O E R G O S U M
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
participants (4)
- Markus Gaugusch
- omicron@omicron.dyndns.org
- Raffy
- Stefan Suurmeijer