Mailinglist Archive: opensuse-security (757 mails)

Re: [suse-security] I have been hacked, what to do now?
  • From: Leo Rivas <leorivas@xxxxxxxxx>
  • Date: Thu, 17 Jan 2002 11:17:47 -0400
  • Message-id: <3C46EB1A.5D8292AD@xxxxxxxxx>
Hi
The machine is behind a firewall, but some ports (21, 22, 80) were masqueraded
to the outside. logcheck is configured to check /var/log/allmessages
periodically and sends a mail to root about the recent changes.

Leo


Patrick Grantham wrote:

> What log file did this come out of? Was the machine behind a firewall or
> router with simple port blocking?
> ----- Original Message -----
> From: "Leo Rivas" <leorivas@xxxxxxxxx>
> To: "Suse Security" <suse-security@xxxxxxxx>
> Sent: Thursday, January 17, 2002 10:03 AM
> Subject: [suse-security] I have been hacked, what to do now?
>
> > Hi
> > Someone hacked into my suse6.3 machine (old ssh1 was on); what I need to
> > know is what to check. I want to use this chance to learn how to
> > find a possible trojan or something else (obviously, I already rescued the
> > data and I'm ready to reinstall to suse 7.2). The machine wasn't critical,
> > nor important (just a 'toy' with ftp, ssh, apache+phpnuke+mysql), so now I
> > can make any tests to learn from this.
> >
> > This machine was named 'batiwater' and had Psionic's logcheck; this is
> > the mail it sent me:
> >
> > ---mail---
> >
> > Active System Attack Alerts
> > =-=-=-=-=-=-=-=-=-=-=-=-=-=
> > Jan 12 05:10:22 batiwater sshd[2537]: fatal: Local: crc32 compensation attack: network attack detected
> > Jan 12 05:13:46 batiwater sshd[2545]: fatal: Local: crc32 compensation attack: network attack detected
> > Jan 12 05:15:54 batiwater sshd[2570]: fatal: Local: crc32 compensation attack: network attack detected
> > Jan 12 05:16:19 batiwater sshd[2571]: fatal: Local: crc32 compensation attack: network attack detected
> > Jan 12 05:16:45 batiwater sshd[2572]: fatal: Local: crc32 compensation attack: network attack detected
> >
> > ...many more like this...
> >
> > Jan 12 05:24:25 batiwater sshd[2595]: fatal: Local: crc32 compensation attack: network attack detected
> > Jan 12 05:25:49 batiwater sshd[2599]: fatal: Local: crc32 compensation attack: network attack detected
> > Jan 12 05:27:09 batiwater sshd[2603]: fatal: Local: crc32 compensation attack: network attack detected
> > Jan 12 05:27:29 batiwater sshd[2604]: fatal: Local: crc32 compensation attack: network attack detected
> >
> > Security Violations
> > =-=-=-=-=-=-=-=-=-=
> > Jan 12 05:10:22 batiwater sshd[2537]: fatal: Local: crc32 compensation attack: network attack detected
> > Jan 12 05:13:46 batiwater sshd[2545]: fatal: Local: crc32 compensation attack: network attack detected
> > Jan 12 05:15:54 batiwater sshd[2570]: fatal: Local: crc32 compensation attack: network attack detected
> >
> > ...more like this...
> >
> > Jan 12 05:25:49 batiwater sshd[2599]: fatal: Local: crc32 compensation attack: network attack detected
> > Jan 12 05:27:09 batiwater sshd[2603]: fatal: Local: crc32 compensation attack: network attack detected
> > Jan 12 05:27:29 batiwater sshd[2604]: fatal: Local: crc32 compensation attack: network attack detected
> >
> > Unusual System Events
> > =-=-=-=-=-=-=-=-=-=-=
> > Jan 12 05:00:04 batiwater sshd[2465]: fatal: Local: Corrupted check bytes on input.
> > Jan 12 05:00:25 batiwater sshd[2507]: fatal: Local: Corrupted check bytes on input.
> > Jan 12 05:01:05 batiwater sshd[2509]: fatal: Local: Corrupted check bytes on input.
> > Jan 12 05:10:22 batiwater sshd[2537]: fatal: Local: crc32 compensation attack: network attack detected
> > Jan 12 05:13:46 batiwater sshd[2545]: fatal: Local: crc32 compensation attack: network attack detected
> > Jan 12 05:15:54 batiwater sshd[2570]: fatal: Local: crc32 compensation attack: network attack detected
> > Jan 12 05:16:19 batiwater sshd[2571]: fatal: Local: crc32 compensation attack: network attack detected
> > Jan 12 05:16:45 batiwater sshd[2572]: fatal: Local: crc32 compensation attack: network attack detected
> > Jan 12 05:17:10 batiwater sshd[2573]: fatal: Local: crc32 compensation attack: network attack detected
> > Jan 12 05:19:02 batiwater sshd[2578]: fatal: Local: crc32 compensation attack: network attack detected
> > Jan 12 05:20:22 batiwater sshd[2582]: fatal: Local: crc32 compensation attack: network attack detected
> > Jan 12 05:21:46 batiwater sshd[2587]: fatal: Local: crc32 compensation attack: network attack detected
> > Jan 12 05:22:26 batiwater sshd[2589]: fatal: Local: Corrupted check bytes on input.
> > Jan 12 05:23:06 batiwater sshd[2591]: fatal: Local: crc32 compensation attack: network attack detected
> > Jan 12 05:24:25 batiwater sshd[2595]: fatal: Local: crc32 compensation attack: network attack detected
> > Jan 12 05:25:49 batiwater sshd[2599]: fatal: Local: crc32 compensation attack: network attack detected
> > Jan 12 05:27:09 batiwater sshd[2603]: fatal: Local: crc32 compensation attack: network attack detected
> > Jan 12 05:27:29 batiwater sshd[2604]: fatal: Local: crc32 compensation attack: network attack detected
> > Jan 12 05:00:04 batiwater sshd[2465]: fatal: Local: Corrupted check bytes on input.
> > Jan 12 05:00:15 batiwater sshd[2507]: connect from 209.147.160.67
> > Jan 12 05:00:15 batiwater sshd[2507]: log: Connection from 209.147.160.67 port 1385
> > Jan 12 05:00:20 batiwater sshd[2507]: log: Could not reverse map address 209.147.160.67.
> > Jan 12 05:00:25 batiwater sshd[2507]: fatal: Local: Corrupted check bytes on input.
> > Jan 12 05:00:35 batiwater sshd[2508]: connect from 209.147.160.67
> > Jan 12 05:00:35 batiwater sshd[2508]: log: Connection from 209.147.160.67 port 1386
> > Jan 12 05:00:40 batiwater sshd[2508]: log: Could not reverse map address 209.147.160.67.
> > Jan 12 05:00:54 batiwater sshd[2509]: connect from 209.147.160.67
> > Jan 12 05:00:54 batiwater sshd[2509]: log: Connection from 209.147.160.67 port 1387
> > Jan 12 05:00:59 batiwater sshd[2509]: log: Could not reverse map address 209.147.160.67.
> > Jan 12 05:01:05 batiwater sshd[2509]: fatal: Local: Corrupted check bytes on input.
> > Jan 12 05:01:15 batiwater sshd[2510]: connect from 209.147.160.67
> > Jan 12 05:01:15 batiwater sshd[2510]: log: Connection from 209.147.160.67 port 1388
> > Jan 12 05:01:20 batiwater sshd[2510]: log: Could not reverse map address 209.147.160.67.
> > Jan 12 05:01:35 batiwater sshd[2511]: connect from 209.147.160.67
> > Jan 12 05:01:35 batiwater sshd[2511]: log: Connection from 209.147.160.67 port 1389
> > Jan 12 05:01:40 batiwater sshd[2511]: log: Could not reverse map address 209.147.160.67.
> > Jan 12 05:01:55 batiwater sshd[2512]: connect from 209.147.160.67
> > Jan 12 05:01:55 batiwater sshd[2512]: log: Connection from 209.147.160.67 port 1390
> > Jan 12 05:02:00 batiwater sshd[2512]: log: Could not reverse map address 209.147.160.67.
> > Jan 12 05:02:14 batiwater sshd[2513]: connect from 209.147.160.67
> > Jan 12 05:02:14 batiwater sshd[2513]: log: Connection from 209.147.160.67 port 1391
> > Jan 12 05:02:19 batiwater sshd[2513]: log: Could not reverse map address 209.147.160.67.
> > Jan 12 05:02:34 batiwater sshd[2514]: connect from 209.147.160.67
> > Jan 12 05:02:34 batiwater sshd[2514]: log: Connection from 209.147.160.67 port 1392
> > Jan 12 05:02:39 batiwater sshd[2514]: log: Could not reverse map address 209.147.160.67.
> > Jan 12 05:02:54 batiwater sshd[2515]: connect from 209.147.160.67
> > Jan 12 05:02:54 batiwater sshd[2515]: log: Connection from 209.147.160.67 port 1393
> > Jan 12 05:02:59 batiwater sshd[2515]: log: Could not reverse map address 209.147.160.67.
> > Jan 12 05:03:14 batiwater sshd[2516]: connect from 209.147.160.67
> > Jan 12 05:03:14 batiwater sshd[2516]: log: Connection from 209.147.160.67 port 1394
> > Jan 12 05:03:19 batiwater sshd[2516]: log: Could not reverse map address 209.147.160.67.
> >
> > ...more like this...
> >
> > Jan 12 05:28:06 batiwater sshd[2606]: log: Could not reverse map address 209.147.160.67.
> > Jan 12 05:28:21 batiwater sshd[2607]: connect from 209.147.160.67
> > Jan 12 05:28:21 batiwater sshd[2607]: log: Connection from 209.147.160.67 port 1468
> > Jan 12 05:28:26 batiwater sshd[2607]: log: Could not reverse map address 209.147.160.67.
> > Jan 12 05:28:26 batiwater sshd[2607]: fatal: Did not receive ident string.
> > Jan 12 05:50:33 batiwater sshd[1034]: log: Generating new 768 bit RSA key.
> > Jan 12 05:50:34 batiwater sshd[1034]: log: RSA key generation complete.
> >
> > ---/mail---
> >
> > Sorry about such a long message. My first opinion is that this guy used
> > some software to hack in, and if he made it, he wasn't smart enough to
> > delete the traces; you can see his IP there. Maybe a script kiddie? What
> > else may I expect from this?
> >
> > Thanks in advance
> > Leo
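As an added example (not code from the thread and not logcheck's own), the following Python script does the correlation a defender wants from a report like the one quoted above: it parses syslog lines in that shape, ties each sshd child's "connect from" / "Connection from" line to the later "crc32 compensation attack" or "Corrupted check bytes" failure through the pid in brackets, and summarises hits per peer address with the time window they span. The input lines are constructed for the example in the same format; the hostname and the address are the ones in the quoted report, while the pids, ports, second address and timings are made up. A failure whose connect line is not in the log (as with pid 2465 in the report) is filed under "unattributed" rather than dropped.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input in the syslog shape of the logcheck mail quoted above.
# Hostname and source address follow the thread; pids, ports, the second peer and
# the times are made up. pid 2465 deliberately has no "connect from" line.
SAMPLE_LOG = """\
Jan 12 05:00:04 batiwater sshd[2465]: fatal: Local: Corrupted check bytes on input.
Jan 12 05:00:15 batiwater sshd[2507]: connect from 209.147.160.67
Jan 12 05:00:15 batiwater sshd[2507]: log: Connection from 209.147.160.67 port 1385
Jan 12 05:00:20 batiwater sshd[2507]: log: Could not reverse map address 209.147.160.67.
Jan 12 05:00:25 batiwater sshd[2507]: fatal: Local: Corrupted check bytes on input.
Jan 12 05:10:20 batiwater sshd[2537]: connect from 209.147.160.67
Jan 12 05:10:22 batiwater sshd[2537]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:13:44 batiwater sshd[2545]: connect from 209.147.160.67
Jan 12 05:13:46 batiwater sshd[2545]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:30:00 batiwater sshd[2610]: connect from 10.0.0.5
Jan 12 05:30:00 batiwater sshd[2610]: log: Connection from 10.0.0.5 port 2000
Jan 12 05:30:09 batiwater sshd[2610]: log: Closing connection to 10.0.0.5
Jan 12 05:50:33 batiwater sshd[1034]: log: Generating new 768 bit RSA key.
"""

# syslog line: timestamp, host, "sshd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# either form in which the ssh1-era sshd records the peer address
CONNECT_RE = re.compile(r"^(?:connect from|log: Connection from) (?P<ip>\d+\.\d+\.\d+\.\d+)")

# Failure messages seen in the quoted report. Both come from the sshd child that
# handled the connection, so the pid in brackets is what ties them to a peer.
INDICATORS = {
    "crc32 compensation attack": "crc32_attack",
    "Corrupted check bytes on input": "corrupted_check_bytes",
}
UNATTRIBUTED = "unattributed"  # bucket for failures whose connect line is not in the log


def _parse_ts(text):
    # syslog timestamps carry no year; strptime fills in 1900, which is fine for deltas
    return datetime.strptime(text, "%b %d %H:%M:%S")


def _new_record():
    return {"connections": 0, "crc32_attack": 0, "corrupted_check_bytes": 0,
            "first": None, "last": None}


def _touch(record, ts):
    """Widen the record's observed time window to include ts."""
    if record["first"] is None or ts < record["first"]:
        record["first"] = ts
    if record["last"] is None or ts > record["last"]:
        record["last"] = ts


def summarize_sshd_attacks(log_text):
    """Return {source_ip: record} with connection and indicator counts per peer."""
    pid_to_ip = {}
    per_ip = defaultdict(_new_record)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        pid, msg, ts = m["pid"], m["msg"], _parse_ts(m["ts"])
        conn = CONNECT_RE.match(msg)
        if conn:
            ip = conn["ip"]
            if pid not in pid_to_ip:        # sshd logs the peer twice; count the child once
                pid_to_ip[pid] = ip
                per_ip[ip]["connections"] += 1
            _touch(per_ip[ip], ts)
            continue
        for needle, key in INDICATORS.items():
            if needle in msg:
                ip = pid_to_ip.get(pid, UNATTRIBUTED)
                per_ip[ip][key] += 1
                _touch(per_ip[ip], ts)
    return dict(per_ip)


def flag_sources(summary):
    """Return [(ip, indicator_hits)] for every source with at least one hit, worst first."""
    hits = [(ip, r["crc32_attack"] + r["corrupted_check_bytes"]) for ip, r in summary.items()]
    return sorted([h for h in hits if h[1] > 0], key=lambda h: h[1], reverse=True)


def window_seconds(record):
    """Length of the observed window for one source, in seconds."""
    return (record["last"] - record["first"]).total_seconds()


if __name__ == "__main__":
    summary = summarize_sshd_attacks(SAMPLE_LOG)
    for ip, hits in flag_sources(summary):
        r = summary[ip]
        print(f"{ip}: {r['connections']} connections, {r['crc32_attack']} crc32-attack, "
              f"{r['corrupted_check_bytes']} corrupted-check, {hits} hits over "
              f"{window_seconds(r):.0f}s")
```

Run it against a real /var/log/messages or allmessages by reading the file into `summarize_sshd_attacks` instead of `SAMPLE_LOG`; a peer with a run of connections and repeated "crc32 compensation attack" fatals within a few minutes is the pattern the quoted report shows, and the per-pid correlation is what turns a list of fatals into a list of addresses to block or investigate.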



