Mailinglist Archive: opensuse-security (757 mails)

I have been hacked, what to do now?
  • From: Leo Rivas <leorivas@xxxxxxxxx>
  • Date: Thu, 17 Jan 2002 11:03:03 -0400
  • Message-id: <3C46E7A6.E22267A1@xxxxxxxxx>
Hi
Someone hacked into my SuSE 6.3 machine (old ssh1 was on). What I need to
know is what to check; I want to use this chance to learn how to find a
possible trojan or something else (obviously, I already rescued the data
and I'm ready to reinstall with SuSE 7.2). The machine wasn't critical,
nor important (just a 'toy' with ftp, ssh, apache+phpnuke+mysql), so now I
can run any tests to learn from this.

This machine was named 'batiwater' and had Psionic's logcheck; this is
the mail it sent me:

---mail---

Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
Jan 12 05:10:22 batiwater sshd[2537]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:13:46 batiwater sshd[2545]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:15:54 batiwater sshd[2570]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:16:19 batiwater sshd[2571]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:16:45 batiwater sshd[2572]: fatal: Local: crc32 compensation attack: network attack detected

...many more like this...

Jan 12 05:24:25 batiwater sshd[2595]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:25:49 batiwater sshd[2599]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:27:09 batiwater sshd[2603]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:27:29 batiwater sshd[2604]: fatal: Local: crc32 compensation attack: network attack detected

Security Violations
=-=-=-=-=-=-=-=-=-=
Jan 12 05:10:22 batiwater sshd[2537]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:13:46 batiwater sshd[2545]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:15:54 batiwater sshd[2570]: fatal: Local: crc32 compensation attack: network attack detected

...more like this...

Jan 12 05:25:49 batiwater sshd[2599]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:27:09 batiwater sshd[2603]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:27:29 batiwater sshd[2604]: fatal: Local: crc32 compensation attack: network attack detected

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Jan 12 05:00:04 batiwater sshd[2465]: fatal: Local: Corrupted check bytes on input.
Jan 12 05:00:25 batiwater sshd[2507]: fatal: Local: Corrupted check bytes on input.
Jan 12 05:01:05 batiwater sshd[2509]: fatal: Local: Corrupted check bytes on input.
Jan 12 05:10:22 batiwater sshd[2537]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:13:46 batiwater sshd[2545]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:15:54 batiwater sshd[2570]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:16:19 batiwater sshd[2571]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:16:45 batiwater sshd[2572]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:17:10 batiwater sshd[2573]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:19:02 batiwater sshd[2578]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:20:22 batiwater sshd[2582]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:21:46 batiwater sshd[2587]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:22:26 batiwater sshd[2589]: fatal: Local: Corrupted check bytes on input.
Jan 12 05:23:06 batiwater sshd[2591]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:24:25 batiwater sshd[2595]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:25:49 batiwater sshd[2599]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:27:09 batiwater sshd[2603]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:27:29 batiwater sshd[2604]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:00:04 batiwater sshd[2465]: fatal: Local: Corrupted check bytes on input.
Jan 12 05:00:15 batiwater sshd[2507]: connect from 209.147.160.67
Jan 12 05:00:15 batiwater sshd[2507]: log: Connection from 209.147.160.67 port 1385
Jan 12 05:00:20 batiwater sshd[2507]: log: Could not reverse map address 209.147.160.67.
Jan 12 05:00:25 batiwater sshd[2507]: fatal: Local: Corrupted check bytes on input.
Jan 12 05:00:35 batiwater sshd[2508]: connect from 209.147.160.67
Jan 12 05:00:35 batiwater sshd[2508]: log: Connection from 209.147.160.67 port 1386
Jan 12 05:00:40 batiwater sshd[2508]: log: Could not reverse map address 209.147.160.67.
Jan 12 05:00:54 batiwater sshd[2509]: connect from 209.147.160.67
Jan 12 05:00:54 batiwater sshd[2509]: log: Connection from 209.147.160.67 port 1387
Jan 12 05:00:59 batiwater sshd[2509]: log: Could not reverse map address 209.147.160.67.
Jan 12 05:01:05 batiwater sshd[2509]: fatal: Local: Corrupted check bytes on input.
Jan 12 05:01:15 batiwater sshd[2510]: connect from 209.147.160.67
Jan 12 05:01:15 batiwater sshd[2510]: log: Connection from 209.147.160.67 port 1388
Jan 12 05:01:20 batiwater sshd[2510]: log: Could not reverse map address 209.147.160.67.
Jan 12 05:01:35 batiwater sshd[2511]: connect from 209.147.160.67
Jan 12 05:01:35 batiwater sshd[2511]: log: Connection from 209.147.160.67 port 1389
Jan 12 05:01:40 batiwater sshd[2511]: log: Could not reverse map address 209.147.160.67.
Jan 12 05:01:55 batiwater sshd[2512]: connect from 209.147.160.67
Jan 12 05:01:55 batiwater sshd[2512]: log: Connection from 209.147.160.67 port 1390
Jan 12 05:02:00 batiwater sshd[2512]: log: Could not reverse map address 209.147.160.67.
Jan 12 05:02:14 batiwater sshd[2513]: connect from 209.147.160.67
Jan 12 05:02:14 batiwater sshd[2513]: log: Connection from 209.147.160.67 port 1391
Jan 12 05:02:19 batiwater sshd[2513]: log: Could not reverse map address 209.147.160.67.
Jan 12 05:02:34 batiwater sshd[2514]: connect from 209.147.160.67
Jan 12 05:02:34 batiwater sshd[2514]: log: Connection from 209.147.160.67 port 1392
Jan 12 05:02:39 batiwater sshd[2514]: log: Could not reverse map address 209.147.160.67.
Jan 12 05:02:54 batiwater sshd[2515]: connect from 209.147.160.67
Jan 12 05:02:54 batiwater sshd[2515]: log: Connection from 209.147.160.67 port 1393
Jan 12 05:02:59 batiwater sshd[2515]: log: Could not reverse map address 209.147.160.67.
Jan 12 05:03:14 batiwater sshd[2516]: connect from 209.147.160.67
Jan 12 05:03:14 batiwater sshd[2516]: log: Connection from 209.147.160.67 port 1394
Jan 12 05:03:19 batiwater sshd[2516]: log: Could not reverse map address 209.147.160.67.

...more like this...

Jan 12 05:28:06 batiwater sshd[2606]: log: Could not reverse map address 209.147.160.67.
Jan 12 05:28:21 batiwater sshd[2607]: connect from 209.147.160.67
Jan 12 05:28:21 batiwater sshd[2607]: log: Connection from 209.147.160.67 port 1468
Jan 12 05:28:26 batiwater sshd[2607]: log: Could not reverse map address 209.147.160.67.
Jan 12 05:28:26 batiwater sshd[2607]: fatal: Did not receive ident string.
Jan 12 05:50:33 batiwater sshd[1034]: log: Generating new 768 bit RSA key.
Jan 12 05:50:34 batiwater sshd[1034]: log: RSA key generation complete.

---/mail---

Sorry about such a long message. My first opinion is that this guy used
some software to hack in, and if he made it in, he wasn't smart enough to
delete the traces; you can see his IP there. Maybe a script kiddie? What
else may I expect from this?

Thanks in advance
Leo




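The first thing a responder does with a report like the one above is turn it into a timeline: which source addresses connected, how many connections sshd's ssh1 deattack code rejected ("crc32 compensation attack" and "Corrupted check bytes on input"), when the first and last rejection happened, and what the daemon did afterwards. The script below is an added example for this post, not code from Leo or from logcheck. It parses classic BSD syslog lines, uses the per-connection sshd PID to tie each "connect from" line to the fatal line the same child logs later, and flags the server-key regeneration at 05:50 as an event that happened after the attack window and therefore needs an explanation (who restarted sshd, and is the binary still the one the package shipped). The sample input is a constructed subset of the lines from the mail, joined back onto single lines; the year 2002 is taken from the mail date because syslog does not record it.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample input: a handful of the sshd lines from the logcheck mail
# above, each joined back onto one line, plus the key-generation lines at the
# end of the report. In practice this would be /var/log/messages from the
# compromised host, read from a copy taken offline rather than through a
# login on the box itself.
SAMPLE_LOG = """\
Jan 12 05:00:15 batiwater sshd[2507]: connect from 209.147.160.67
Jan 12 05:00:15 batiwater sshd[2507]: log: Connection from 209.147.160.67 port 1385
Jan 12 05:00:20 batiwater sshd[2507]: log: Could not reverse map address 209.147.160.67.
Jan 12 05:00:25 batiwater sshd[2507]: fatal: Local: Corrupted check bytes on input.
Jan 12 05:10:22 batiwater sshd[2537]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:13:46 batiwater sshd[2545]: fatal: Local: crc32 compensation attack: network attack detected
Jan 12 05:28:21 batiwater sshd[2607]: connect from 209.147.160.67
Jan 12 05:28:21 batiwater sshd[2607]: log: Connection from 209.147.160.67 port 1468
Jan 12 05:28:26 batiwater sshd[2607]: fatal: Did not receive ident string.
Jan 12 05:50:33 batiwater sshd[1034]: log: Generating new 768 bit RSA key.
Jan 12 05:50:34 batiwater sshd[1034]: log: RSA key generation complete.
"""

# Classic BSD syslog line: month, day, time, host, program[pid]: message.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
CONNECT_RE = re.compile(r"connect from (\d{1,3}(?:\.\d{1,3}){3})")

# SSH-1 daemon messages grouped by what they mean to a responder. Both
# "attack" strings are the ssh1 deattack code rejecting a connection.
CLASSES = {
    "attack": ("crc32 compensation attack", "Corrupted check bytes on input"),
    "probe": ("Did not receive ident string",),
    "restart": ("Generating new 768 bit RSA key",),
}


def parse(text, year=2002):
    """Parse syslog lines into dicts. Syslog omits the year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip wrapped fragments and non-syslog text
        ts = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        events.append({"ts": ts, "pid": int(m["pid"]), "msg": m["msg"]})
    return events


def classify(msg):
    """Label one sshd message: attack, probe, restart, connect or other."""
    for label, needles in CLASSES.items():
        if any(n in msg for n in needles):
            return label
    return "connect" if CONNECT_RE.search(msg) else "other"


def triage(text, year=2002):
    events = parse(text, year)
    # sshd forks one child per connection, so the PID ties the "connect from"
    # line (which names the source) to the fatal line the same child logs later.
    src_by_pid = {}
    for e in events:
        m = CONNECT_RE.search(e["msg"])
        if m:
            src_by_pid[e["pid"]] = m.group(1)

    counts, attack_sources = Counter(), Counter()
    attack_ts, restart_ts = [], []
    for e in events:
        label = classify(e["msg"])
        counts[label] += 1
        if label == "attack":
            attack_ts.append(e["ts"])
            attack_sources[src_by_pid.get(e["pid"], "unknown")] += 1
        elif label == "restart":
            restart_ts.append(e["ts"])

    last_attack = max(attack_ts) if attack_ts else None
    restart_after = bool(last_attack and restart_ts and max(restart_ts) > last_attack)
    return {
        "counts": dict(counts),
        "attack_sources": dict(attack_sources),
        "first_attack": min(attack_ts) if attack_ts else None,
        "last_attack": last_attack,
        # A fresh server key means sshd was (re)started after the attack window.
        # That is a follow-up question, not proof of anything: who restarted it,
        # and is the sshd binary still the one the package installed?
        "restart_after_attack": restart_after,
        "seconds_from_last_attack_to_restart": (
            int((max(restart_ts) - last_attack).total_seconds()) if restart_after else None
        ),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Rejections whose child PID never logged a "connect from" line (the logcheck report only kept the fatal line for most of them) are counted under "unknown" rather than guessed; on the full /var/log/messages every PID would resolve to its source.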
