Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

hack attempt?

0 views
Skip to first unread message

LRW

unread,
Mar 2, 2003, 9:10:18 PM3/2/03
to
I've got a small PC with RH 6.2 that I'm using to play around with, and left
it up and open to telnet/ftp/ssh over the weekend.
I came back today to find some odd messages. I'd left a login up with:
#tail -f /var/log/messages
so I have a screen of interesting messages (see below), but when I go in
from another console session and view messages (or messages.1, etc) that
day's messages are gone. As with that day from /var/log/secure.
Also, I tried to run PINE, (as root) and when I did, it created the files as
if I'd not used it before. I'm not positive I HAD used PINE or not as root
before, but even so, if this was the 1st time, shouldn't I have received the
daily cron files waiting for me from past days? If not, then I'm being
paranoid, but if so, then is that possibly an indication of more
infiltration?
So, I take it, the PC was hacked and then the log deleted? The owner of the
log is "root", so, does this person know how to access the PC as root now?
Here's the messages, and I'd really appreciate any assistance in explaining
what some of this is.
Obviously I pulled it off the network now.
Thanks!
Liam
PS: The order below is exactly the way it appears in the "tail -f" and the
timestamps are accurate. Does the incorrect chronological order of some of
the items indicate something? Are there any other files I can check to see
what else might show what was done?

Mar 1 04:02:00 pcname anacron[3125]: Updated timestamp for job 'cron.daily'
to 2003-03-01
Mar 1 04:02:21 pcname PAM_pwdb[3228]: (su) session opened for user news by
(uid=0)
Mar 1 04:02:21 pcname PAM_pwdb[3228]: (su) session closed for user news
Mar 1 04:42:00 pcname anacron[3297]: Updated timestamp for job
'cron.monthly' to 2003-03-01
Mar 1 16:25:25 pcname ftpd[3386]: ANONYMOUS FTP LOGIN FROM
213-96-129-151.uc.nombres.ttd.es [213.96.129.151], gu...@here.com
Mar 1 16:25:30 pcname ftpd[3386]: FTP session closed
Mar 1 10:56:53 pcname pumpd[1022]: renewed lease for interface eth0
Mar 1 18:49:10 pcname ftpd[3513]: FTP session closed
Mar 1 18:52:56 pcname ftpd[3516]: FTP session closed
Mar 2 00:53:22 pcname ftpd[3517]: ANONYMOUS FTP LOGIN FROM
61-21-160-185.home.ne.jp [61.21.160.185], mozilla@
Mar 1 18:54:50 pcname kernel: kiod uses obsolete (PF_INET,SOCK_PACKET)
Mar 1 18:54:50 pcname kernel: device eth0 entered promiscuous mode
Mar 2 04:02:00 pcname anacron[3876]: Updated timestamp for job 'cron.daily'
to 2003-03-02
Killed
[root@pcname log]# lockd: connect from unprivileged port:
127.0.0.1:2079<4>lockd: accept failed (err 11)!


Thanks for any help translating! I get the ouple of anonymous ftp logins,
but I don't really understand the rest.
If I change subnet and ip and close all ports except ssh, will this likely
happen again?
Thanks!


Kirk Strauser

unread,
Mar 2, 2003, 10:30:10 PM3/2/03
to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 2003-03-03T02:10:18Z, "LRW" <dr...@NOSPAHM.celticbear.com> writes:

> Mar 1 16:25:30 pcname ftpd[3386]: FTP session closed
> Mar 1 10:56:53 pcname pumpd[1022]: renewed lease for interface eth0

The backward stepping isn't a Good Thing.

> Mar 1 18:54:50 pcname kernel: kiod uses obsolete (PF_INET,SOCK_PACKET)
> Mar 1 18:54:50 pcname kernel: device eth0 entered promiscuous mode

Your visitor just launched a packet sniffer.

> Thanks for any help translating! I get the ouple of anonymous ftp logins,
> but I don't really understand the rest. If I change subnet and ip and
> close all ports except ssh, will this likely happen again? Thanks!

Download some new RedHat ISOs and reinstall. Anything else is a crapshoot,
since it's pretty difficult to clean out all traces of a determind cracker.
- --
Kirk Strauser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+Ysus5sRg+Y0CpvERAjDcAJ9s1C1v3ztDU+5MNYIRsfmWIAnNugCeIbVw
qmJ6otn0QGIPACx5/KI8q3U=
=4tHU
-----END PGP SIGNATURE-----

Jeff Breitner

unread,
Mar 2, 2003, 11:30:03 PM3/2/03
to
LRW wrote:

> I've got a small PC with RH 6.2

There are many established problems with 6.2, including my favorite which is
the remote root compromise through the portmapping services.

>that I'm using to play around with, and
> left it up and open to telnet/ftp/ssh over the weekend.
> I came back today to find some odd messages. I'd left a login up with:
> #tail -f /var/log/messages
> so I have a screen of interesting messages (see below), but when I go in
> from another console session and view messages (or messages.1, etc) that
> day's messages are gone. As with that day from /var/log/secure.

Generally, when the log files are gone, that's a bad sign.

Sometimes if you cat /root/.bash_history, you can see what they did. But
only if they were sloppy and forgot to clean that file too.


> Also, I tried to run PINE, (as root) and when I did, it created the files
> as if I'd not used it before. I'm not positive I HAD used PINE or not as
> root before, but even so, if this was the 1st time, shouldn't I have
> received the daily cron files waiting for me from past days?

Looks like they *did* remember to clean out .bash_history for root. Ok,
ignore that last one...


>If not, then
> I'm being paranoid, but if so, then is that possibly an indication of more
> infiltration?


You are correct, this machine has been compromised.


> So, I take it, the PC was hacked and then the log deleted? The owner of
> the log is "root", so, does this person know how to access the PC as root
> now? Here's the messages, and I'd really appreciate any assistance in
> explaining what some of this is.
> Obviously I pulled it off the network now.
> Thanks!
> Liam


Yes, they know how to access the PC as root. What happens is that either
there is a way for them to get into your unpatched machine remotely through
a compromise that gives them root, or through a local compromise that they
exploit to elevate their privilege.

You did the right thing in tearing it off the network. Not only the right
thing, but the responsible thing. Plus it's a good learning experience for
you to go through it and figure out how they managed to get into it in the
first place.

> Mar 1 04:02:00 pcname anacron[3125]: Updated timestamp for job
> 'cron.daily' to 2003-03-01
> Mar 1 04:02:21 pcname PAM_pwdb[3228]: (su) session opened for user news by
> (uid=0)

This is a bad sign right off the bat. User "news" su'ing to root (assuming
it wasn't you).

> Mar 1 04:02:21 pcname PAM_pwdb[3228]: (su) session closed for user news
> Mar 1 04:42:00 pcname anacron[3297]: Updated timestamp for job
> 'cron.monthly' to 2003-03-01
> Mar 1 16:25:25 pcname ftpd[3386]: ANONYMOUS FTP LOGIN FROM
> 213-96-129-151.uc.nombres.ttd.es [213.96.129.151], gu...@here.com

Never a good idea to have an anonymous FTP site unless that's what you need
to do. Someone from Spain is knocking on your door.

> Mar 1 16:25:30 pcname ftpd[3386]: FTP session closed
> Mar 1 10:56:53 pcname pumpd[1022]: renewed lease for interface eth0

Houston, why did the clock roll-back? It went from 16:25:30 to 10:56:53.
Plus, if memory serves me correctly, dhcpd has an exploit and "renewing
lease" should be the dhcpd client.

> Mar 1 18:49:10 pcname ftpd[3513]: FTP session closed
> Mar 1 18:52:56 pcname ftpd[3516]: FTP session closed
> Mar 2 00:53:22 pcname ftpd[3517]: ANONYMOUS FTP LOGIN FROM
> 61-21-160-185.home.ne.jp [61.21.160.185], mozilla@
> Mar 1 18:54:50 pcname kernel: kiod uses obsolete (PF_INET,SOCK_PACKET)
> Mar 1 18:54:50 pcname kernel: device eth0 entered promiscuous mode

Your ethernet card has been turned into a packet sniffer.

> Mar 2 04:02:00 pcname anacron[3876]: Updated timestamp for job
> 'cron.daily' to 2003-03-02
> Killed
> [root@pcname log]# lockd: connect from unprivileged port:

Looks like they might have installed something here...


> Thanks for any help translating! I get the ouple of anonymous ftp logins,
> but I don't really understand the rest.
> If I change subnet and ip and close all ports except ssh, will this likely
> happen again?
> Thanks!


Yes, it's likely to happen again. They now pretty much control your machine
and may have installed their own software, libraries or who knows what
else. Simply changing the networking components may or may not work since
it's conceivable that the machine could call "home" to tell them where it
can be found.

Best bet is to burn your 6.2 CD's and download something more current.
Nothing wrong with giving Linux a try, but a 6.2 stock system has quite a
few very well-known security flaws. Plus it lacks the essential tools like
iptables.

When you do get that new system installed, spend a few hours researching the
various opinions on the Internet on how to secure a Linux box. With Red
Hat (SuSE too), I do a "/sbin/chkconfig --list | grep on" to see what
services are going to start at boot. Things like nfs and portmap, I really
don't need them so I issue the /sbin/chkconfig --del portmap command and
get them outta there.

Good luck...

Nils Petter Vaskinn

unread,
Mar 3, 2003, 5:00:09 AM3/3/03
to
On Mon, 03 Mar 2003 05:30:03 +0100, Jeff Breitner wrote:

>> Mar 1 18:49:10 pcname ftpd[3513]: FTP session closed Mar 1 18:52:56
>> pcname ftpd[3516]: FTP session closed Mar 2 00:53:22 pcname ftpd[3517]:
>> ANONYMOUS FTP LOGIN FROM 61-21-160-185.home.ne.jp [61.21.160.185],
>> mozilla@ Mar 1 18:54:50 pcname kernel: kiod uses obsolete
>> (PF_INET,SOCK_PACKET) Mar 1 18:54:50 pcname kernel: device eth0 entered
>> promiscuous mode
>
> Your ethernet card has been turned into a packet sniffer.
>
>

Which means other machines on the network (if any) may be compromized too.
At least if they talked to eachother using some nonencrypted protocol. If
you have more machines on that network check them too.

Did any of the users have ssh keys in their directories? Are those keys
added to authorized_keys somewhere? Also if you have ssh'd to/from that
box it's probably in known_hosts somewhere. That means if the attacker
copied them he can pretend to be from your machine, and possibly pretend
to be you. And may even gain access without a password (if you've set
such up for convenience for yourself).

Time to clean out your ssh keys from machines you have communicated with.


regards
NP

LRW

unread,
Mar 3, 2003, 8:28:05 AM3/3/03
to
Well, I have a Win2K and an XP machine behind the same firewall, but I never
set up SAMBA. Should be OK?
I went into my router and changed the netmask, and the domain controller IP,
and changed the DHCP scope and gave the two Win machines new IP's.
The one thing that concerns me, is that I HAVE SSH'd FROM the Win2K machine
into the Linux box. Not vise versa. So it should be ok, you think?

Here's the funny thing. =) This Linux box I actually set up with fake users,
and created fake e-mails they sent back and forth and fake files, all for
this "Spycraft" role-playing game I'm running. I have my players log in and
send clues, etc. So, this hacker is either going to get nothing important
and know it's just a game, or, LOL maybe if he's just a scriptkiddie and
isn't very bright except for what few exploits someone else taught him,
might actually think he hacked into some spy ring. Well, one can hope. =)

The risk to my other 2 PC's does have me worried though. Do you think if
this person IS bright enough to see the IP the Linux box had to be a local
intranet IP (192.x.x.x) he's going to know there are other machines on the
network, and try for them?
I completely closed all ports from the router, so that FTP and telnet and
SSH port are closed now (they were open intentionally for the game for my
players.) But could he have in that day of time, somehow gotten into my
Windows PC's and installed a packet sniffer or some kind of backdoor that
simply closing the ports won't stop?

Thanks for any advice, or books or web sites anyone might have they can
point me to so I can learn about this specific issue w/o having to bother
other people about it. =)
Thanks!
Liam

"Nils Petter Vaskinn" <n...@spam.for.me.invalid> wrote in message
news:pan.2003.03.03.11...@spam.for.me.invalid...

Nils Petter Vaskinn

unread,
Mar 3, 2003, 9:56:39 AM3/3/03
to
On Mon, 03 Mar 2003 14:28:05 +0100, LRW wrote:

> might actually think he hacked into some spy ring. Well, one can hope.
> =)

Here's hoping he thinks the stuff is real and tries to report it so some
Three-Letter-Agency only to get caught as a hacker :)


There are only two reasons I can think of that a hacker would start a
packet sniffer on his hacked machine:

1. Looking for more "targets". This means he could have read any
unencrypted information to/from your other machines. This includes email
passwords and website passwords (if the website didn't use https or
something).

2. He installed a hacked version of tcpdump to hide packets to/from
himself and wanted to check if it worked.


I would think hard about what the two windows machines where doing at the
time, and if anything of that could have sent an unencrypted password. And
possibly change my passwords just to be safe. He could also have read any
file on your linux box, including the files from your email program, is
your email program set up with the password to your mail account(s)? If so
change them. Did your email include any "Here's your password" mails? He
could have read those too. I would also run some kind of
backdoor-detection on the windows machines. When you have your linux box
up again with a clean install use a packet sniffer yourself to look for
unusual traffic.

regards
NP

LRW

unread,
Mar 3, 2003, 12:58:46 PM3/3/03
to
Well, fortunately, the only intentional communication between the
Linux box and one of the Win2K pc's was SSH connections from the Win
box to the Linux box. I never set up SMB (SAMBA?) of an fstab (?) to
connect to either of the Win boxes.

I did use the Linux box a couple of times, with Sylpheed, to check
mail...but I set it up to detect and use whatever secuirty the remote
host's POP3 and SMTP servers offered. (Don't recall what they were,
though.) But yeah, I changed the passwords on that account anyway from
a completely different computer on a completely different network this
morning.

I can see the mail was read though, because the /home/user/Mail folder
was missing, yet /root/Mail contained several files titled 1 through
52, and each one is a separate e-mail. (Is there something one does
manually, or a script one installs to pull the spool and parse it into
separate files onto the drive?)
Fortunately, nothing sensitive was in any of them. But I suppose if he
a little time on his hands and wanted to be annoying he could send
e-mail to everyone found in those e-mails posing as me. =/ I'm glad
most of the mail was spam. =)

Is BlackICE a decent backdoor detector? I used ZoneAlarm for a long
time, but I found it to be pretty unstable. Are there any good
recommendations for other programs?
What about Windows based packet sniffers?

I really appreciate the feedback you've given! I know just enough
about Linux to know I've been hacked, and can understand what I'm
told, but not enough to really delve into it. Good thing I at least
knew what the "message" log was and how to tail-follow it. =)
Do you have any recommendations for learning more about intrusion
countermeasures, and investigating hacker damage, etc, stuff like
that? I'd love to be able to hole up and research and not bug
newsgroups too much. =)

I'm all for allowing non-damaging hackers to live and let live, but I
just don't want them living in MY stuff. ;)

Thanks again!!
Liam


Nils Petter Vaskinn <n...@spam.for.me.invalid> wrote in message news:<pan.2003.03.03.15...@spam.for.me.invalid>...

Nils Petter Vaskinn

unread,
Mar 4, 2003, 4:18:07 AM3/4/03
to
On Mon, 03 Mar 2003 18:58:46 +0100, LRW wrote:

> Well, fortunately, the only intentional communication between the Linux
> box and one of the Win2K pc's was SSH connections from the Win box to
> the Linux box. I never set up SMB (SAMBA?) of an fstab (?) to connect to
> either of the Win boxes.

Depending on your setup communication between the two windows boxes, or
between one of the winpcs and the Internet, could have been sniffed too.

e.g:
ADSL-modem-----Internet
|
WinBox ---------HUB-------LinuxBox
|
WinBox

would mean the LinuxBox could sniff all the communication to/from all of
the machines.

> Is BlackICE a decent backdoor detector? I used ZoneAlarm for a long
> time, but I found it to be pretty unstable. Are there any good
> recommendations for other programs?
> What about Windows based packet sniffers?

I think you'll have to search the net or ask in a windows newsgroup about
that.

>
> I really appreciate the feedback you've given! I know just enough about
> Linux to know I've been hacked, and can understand what I'm told, but
> not enough to really delve into it. Good thing I at least knew what the
> "message" log was and how to tail-follow it. =) Do you have any
> recommendations for learning more about intrusion countermeasures, and
> investigating hacker damage, etc, stuff like that? I'd love to be able
> to hole up and research and not bug newsgroups too much. =)


http://www.tldp.org/guides.html
Where you might look at:
Securing & Optimizing Linux: The Ultimate Solution
The Linux System Administrators' Guide
The Linux Network Administrator's Guide, Second Edition

And
Linux Administrator's Security Guide (http://www.seifried.org/lasg/)

0 new messages