I have been hacked, what to do now?
Hi,

Someone hacked into my SuSE 6.3 machine (old ssh1 was on). What I need to know is what to check; I want to use this chance to learn how to find a possible trojan or something else (obviously, I already rescued the data and I'm ready to reinstall with SuSE 7.2). The machine wasn't critical, nor important (just a 'toy' with ftp, ssh, apache+phpnuke+mysql), so now I can make any tests to learn from this.

This machine was named 'batiwater' and had Psionic's logcheck; this is the mail it sent me:

---mail---
Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
Jan 12 05:10:22 batiwater sshd[2537]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:13:46 batiwater sshd[2545]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:15:54 batiwater sshd[2570]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:16:19 batiwater sshd[2571]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:16:45 batiwater sshd[2572]: fatal: Local: crc32 compensation attack: network attack detected
...many more like this...
Jan 12 05:24:25 batiwater sshd[2595]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:25:49 batiwater sshd[2599]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:27:09 batiwater sshd[2603]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:27:29 batiwater sshd[2604]: fatal: Local: crc32 compensation attack: network attack detected

Security Violations
=-=-=-=-=-=-=-=-=-=
Jan 12 05:10:22 batiwater sshd[2537]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:13:46 batiwater sshd[2545]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:15:54 batiwater sshd[2570]: fatal: Local: crc32 compensation attack: network attack detected
...more like this...
Jan 12 05:25:49 batiwater sshd[2599]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:27:09 batiwater sshd[2603]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:27:29 batiwater sshd[2604]: fatal: Local: crc32 compensation attack: network attack detected

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Jan 12 05:00:04 batiwater sshd[2465]: fatal: Local: Corrupted check bytes on input.
Jan 12 05:00:25 batiwater sshd[2507]: fatal: Local: Corrupted check bytes on input.
Jan 12 05:01:05 batiwater sshd[2509]: fatal: Local: Corrupted check bytes on input.
Jan 12 05:10:22 batiwater sshd[2537]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:13:46 batiwater sshd[2545]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:15:54 batiwater sshd[2570]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:16:19 batiwater sshd[2571]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:16:45 batiwater sshd[2572]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:17:10 batiwater sshd[2573]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:19:02 batiwater sshd[2578]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:20:22 batiwater sshd[2582]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:21:46 batiwater sshd[2587]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:22:26 batiwater sshd[2589]: fatal: Local: Corrupted check bytes on input.
Jan 12 05:23:06 batiwater sshd[2591]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:24:25 batiwater sshd[2595]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:25:49 batiwater sshd[2599]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:27:09 batiwater sshd[2603]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:27:29 batiwater sshd[2604]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:00:04 batiwater sshd[2465]: fatal: Local: Corrupted check bytes on input.
Jan 12 05:00:15 batiwater sshd[2507]: connect from 209.147.160.67
Jan 12 05:00:15 batiwater sshd[2507]: log: Connection from 209.147.160.67 port 1385
Jan 12 05:00:20 batiwater sshd[2507]: log: Could not reverse map address 209.147.160.67.
Jan 12 05:00:25 batiwater sshd[2507]: fatal: Local: Corrupted check bytes on input.
Jan 12 05:00:35 batiwater sshd[2508]: connect from 209.147.160.67
Jan 12 05:00:35 batiwater sshd[2508]: log: Connection from 209.147.160.67 port 1386
Jan 12 05:00:40 batiwater sshd[2508]: log: Could not reverse map address 209.147.160.67.
Jan 12 05:00:54 batiwater sshd[2509]: connect from 209.147.160.67
Jan 12 05:00:54 batiwater sshd[2509]: log: Connection from 209.147.160.67 port 1387
Jan 12 05:00:59 batiwater sshd[2509]: log: Could not reverse map address 209.147.160.67.
Jan 12 05:01:05 batiwater sshd[2509]: fatal: Local: Corrupted check bytes on input.
Jan 12 05:01:15 batiwater sshd[2510]: connect from 209.147.160.67
Jan 12 05:01:15 batiwater sshd[2510]: log: Connection from 209.147.160.67 port 1388
Jan 12 05:01:20 batiwater sshd[2510]: log: Could not reverse map address 209.147.160.67.
Jan 12 05:01:35 batiwater sshd[2511]: connect from 209.147.160.67
Jan 12 05:01:35 batiwater sshd[2511]: log: Connection from 209.147.160.67 port 1389
Jan 12 05:01:40 batiwater sshd[2511]: log: Could not reverse map address 209.147.160.67.
Jan 12 05:01:55 batiwater sshd[2512]: connect from 209.147.160.67
Jan 12 05:01:55 batiwater sshd[2512]: log: Connection from 209.147.160.67 port 1390
Jan 12 05:02:00 batiwater sshd[2512]: log: Could not reverse map address 209.147.160.67.
Jan 12 05:02:14 batiwater sshd[2513]: connect from 209.147.160.67
Jan 12 05:02:14 batiwater sshd[2513]: log: Connection from 209.147.160.67 port 1391
Jan 12 05:02:19 batiwater sshd[2513]: log: Could not reverse map address 209.147.160.67.
Jan 12 05:02:34 batiwater sshd[2514]: connect from 209.147.160.67
Jan 12 05:02:34 batiwater sshd[2514]: log: Connection from 209.147.160.67 port 1392
Jan 12 05:02:39 batiwater sshd[2514]: log: Could not reverse map address 209.147.160.67.
Jan 12 05:02:54 batiwater sshd[2515]: connect from 209.147.160.67
Jan 12 05:02:54 batiwater sshd[2515]: log: Connection from 209.147.160.67 port 1393
Jan 12 05:02:59 batiwater sshd[2515]: log: Could not reverse map address 209.147.160.67.
Jan 12 05:03:14 batiwater sshd[2516]: connect from 209.147.160.67
Jan 12 05:03:14 batiwater sshd[2516]: log: Connection from 209.147.160.67 port 1394
Jan 12 05:03:19 batiwater sshd[2516]: log: Could not reverse map address 209.147.160.67.
...more like this...
Jan 12 05:28:06 batiwater sshd[2606]: log: Could not reverse map address 209.147.160.67.
Jan 12 05:28:21 batiwater sshd[2607]: connect from 209.147.160.67
Jan 12 05:28:21 batiwater sshd[2607]: log: Connection from 209.147.160.67 port 1468
Jan 12 05:28:26 batiwater sshd[2607]: log: Could not reverse map address 209.147.160.67.
Jan 12 05:28:26 batiwater sshd[2607]: fatal: Did not receive ident string.
Jan 12 05:50:33 batiwater sshd[1034]: log: Generating new 768 bit RSA key.
Jan 12 05:50:34 batiwater sshd[1034]: log: RSA key generation complete.
---/mail---

Sorry about such a long message. My first opinion is that this guy used a piece of software to hack in, and if he made it, he wasn't smart enough to delete the traces; you can see his IP there. Maybe a script kiddie?

What else may I expect from this?

Thanks in advance,
Leo
Leo Rivas
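A worked triage of the kind of sshd log excerpt quoted in the post, added here as an example; it is not code from the original message or from logcheck. The two messages in the mail come from ssh1's own sshd: "crc32 compensation attack: network attack detected" is its deattack detector refusing a packet stream, and "Corrupted check bytes on input" is a packet whose CRC did not verify. Dozens of short connections from one address alternating between those two fatal exits over half an hour is the shape of an exploit being retried, so the useful first step is to group the lines by child PID (each connection is its own sshd child), attach the source address logged on "Connection from" to the fatal line that the same PID logged later, and summarise per source. The script below does that over a constructed subset of the mail's lines; the "Connection from" lines for PIDs 2537 and 2545, the threshold in suspects(), and the event labels are assumptions of this example. Two caveats for reading its output: logcheck only mails lines it does not recognise as normal, so a PID with a connection but no fatal line (listed as silent_pids) is not evidence of anything until /var/log/messages is read in full for that PID; and ssh1's master sshd regenerates its server key periodically (KeyRegenerationInterval), so the 05:50 "Generating new 768 bit RSA key" line from PID 1034 is reported separately and is not by itself a sign of a replaced daemon.

```python
"""Group ssh1 sshd syslog lines by child PID and summarise per source address.

Added example (not from the original post). Input is any text containing lines
of the form 'Mon DD HH:MM:SS host sshd[PID]: message'; other lines are ignored.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the logcheck mail quoted in the post. The
# 'Connection from' lines for PIDs 2537 and 2545 are constructed stand-ins for
# lines the mail elides with '...more like this...'; PID 2570 deliberately has
# no connection line so the 'unknown' source bucket is exercised.
SAMPLE_LOG = """\
Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Jan 12 05:00:15 batiwater sshd[2507]: connect from 209.147.160.67
Jan 12 05:00:15 batiwater sshd[2507]: log: Connection from 209.147.160.67 port 1385
Jan 12 05:00:20 batiwater sshd[2507]: log: Could not reverse map address 209.147.160.67.
Jan 12 05:00:25 batiwater sshd[2507]: fatal: Local: Corrupted check bytes on input.
Jan 12 05:00:35 batiwater sshd[2508]: connect from 209.147.160.67
Jan 12 05:00:35 batiwater sshd[2508]: log: Connection from 209.147.160.67 port 1386
Jan 12 05:00:40 batiwater sshd[2508]: log: Could not reverse map address 209.147.160.67.
Jan 12 05:00:54 batiwater sshd[2509]: connect from 209.147.160.67
Jan 12 05:00:54 batiwater sshd[2509]: log: Connection from 209.147.160.67 port 1387
Jan 12 05:01:05 batiwater sshd[2509]: fatal: Local: Corrupted check bytes on input.
Jan 12 05:10:17 batiwater sshd[2537]: log: Connection from 209.147.160.67 port 1401
Jan 12 05:10:22 batiwater sshd[2537]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:13:41 batiwater sshd[2545]: log: Connection from 209.147.160.67 port 1405
Jan 12 05:13:46 batiwater sshd[2545]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:15:54 batiwater sshd[2570]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:28:21 batiwater sshd[2607]: connect from 209.147.160.67
Jan 12 05:28:21 batiwater sshd[2607]: log: Connection from 209.147.160.67 port 1468
Jan 12 05:28:26 batiwater sshd[2607]: fatal: Did not receive ident string.
Jan 12 05:50:33 batiwater sshd[1034]: log: Generating new 768 bit RSA key.
Jan 12 05:50:34 batiwater sshd[1034]: log: RSA key generation complete.
"""

LINE_RE = re.compile(r"^(\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (\S+) sshd\[(\d+)\]: (.*)$")
CONN_RE = re.compile(r"Connection from (\S+) port (\d+)")

# Substrings of ssh1 sshd messages and the label this example assigns to each.
CLASSES = [
    ("crc32 compensation attack", "crc32_attack"),   # deattack detector refused the stream
    ("Corrupted check bytes on input", "bad_crc"),   # packet CRC did not verify
    ("Did not receive ident string", "no_ident"),    # client connected and sent no banner
    ("Generating new", "server_key_regen"),          # master sshd periodic server-key regen
]


def classify(msg):
    for needle, label in CLASSES:
        if needle in msg:
            return label
    return None


def parse(text):
    """Yield (timestamp, host, pid, message) for each sshd line, in log order."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, pid, msg = m.groups()
            yield ts, host, int(pid), msg


def triage(text):
    """Return {'by_src': {addr: summary}, 'daemon_events': [(ts, pid), ...]}."""
    sessions = {}  # pid -> {'src', 'first', 'last', 'events'}; insertion order = log order
    for ts, host, pid, msg in parse(text):
        s = sessions.setdefault(pid, {"src": None, "first": ts, "last": ts, "events": []})
        s["last"] = ts
        c = CONN_RE.search(msg)
        if c:
            s["src"] = c.group(1)
        label = classify(msg)
        if label:
            s["events"].append(label)

    by_src = defaultdict(lambda: {"connections": 0, "crc32_attack": 0, "bad_crc": 0,
                                  "no_ident": 0, "first": None, "last": None, "silent_pids": []})
    daemon_events = []
    for pid, s in sessions.items():
        if "server_key_regen" in s["events"]:
            daemon_events.append((s["first"], pid))  # master daemon, not a client session
            continue
        r = by_src[s["src"] or "unknown"]
        r["connections"] += 1
        r["first"] = r["first"] or s["first"]
        r["last"] = s["last"]
        for ev in s["events"]:
            r[ev] += 1
        if s["src"] and not s["events"]:
            r["silent_pids"].append(pid)  # connection seen, no terminating line in this excerpt
    return {"by_src": dict(by_src), "daemon_events": daemon_events}


def suspects(summary, threshold=3):
    """Sources with at least `threshold` crc32/CRC fatal exits (threshold is an assumption)."""
    return [src for src, r in summary["by_src"].items()
            if src != "unknown" and r["crc32_attack"] + r["bad_crc"] >= threshold]


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for src, r in summary["by_src"].items():
        print(f"{src}: {r['connections']} connections {r['first']} .. {r['last']}, "
              f"crc32_attack={r['crc32_attack']} bad_crc={r['bad_crc']} "
              f"no_ident={r['no_ident']} silent_pids={r['silent_pids']}")
    for ts, pid in summary["daemon_events"]:
        print(f"daemon event: sshd[{pid}] server key regeneration at {ts}")
    print("suspect sources:", suspects(summary))
```

Run it against the full /var/log/messages rather than the logcheck mail to fill in the silent PIDs and the sessions that only appear under "...more like this..."; the regexes accept any host name, so the same script works on the reinstalled box if it is kept on ssh1 for comparison.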