Security Incidents mailing list archives
Intrusion - Advice?
From: "Cook, Oliver" <o.cook () ETONCOLLEGE ORG UK>
Date: Sun, 12 Nov 2000 19:03:38 -0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A system I administrate, running Slackware 7.0, was compromised today at 18:00 GMT. I would appreciate it if you could lend me some advice.

I run a modified version of bash, so at least I can see what commands they were issuing. This is the log of the commands the intruders issued:

Nov 12 18:00:11 ws232 -bash: #joe# w
Nov 12 18:00:22 ws232 -bash: #joe# ps
Nov 12 18:00:29 ws232 -bash: #joe# cd public_hmtl
Nov 12 18:00:34 ws232 -bash: #joe# cd public_html
Nov 12 18:00:36 ws232 -bash: #joe# dir
Nov 12 18:00:42 ws232 -bash: #joe# cd diary_img
Nov 12 18:00:43 ws232 -bash: #joe# dir
Nov 12 18:00:53 ws232 -bash: #joe# uname -a
Nov 12 18:01:28 ws232 -bash: #joe# whereis rpc.statd
Nov 12 18:02:01 ws232 -bash: #joe# passwd
Nov 12 18:03:03 ws232 -bash: #joe# ps
Nov 12 18:03:19 ws232 -bash: #joe# kill -9 6984
Nov 12 18:05:06 ws232 -bash: #joe# passwd
Nov 12 18:06:01 ws232 -bash: #joe# finger
Nov 12 18:06:16 ws232 -bash: #joe# ps -aux
Nov 12 18:07:09 ws232 -bash: #joe# kill -9 6432
Nov 12 18:07:41 ws232 -bash: #joe# passwd
Nov 12 18:08:59 ws232 -bash: #joe# ls
Nov 12 18:09:35 ws232 -bash: #joe# ps -aux
Nov 12 18:10:03 ws232 -bash: #joe# id
Nov 12 18:10:47 ws232 -bash: #joe# uname -a
Nov 12 18:11:49 ws232 -bash: #joe# ls
Nov 12 18:13:02 ws232 -bash: #joe# passwd
Nov 12 18:15:54 ws232 -bash: #joe# who
Nov 12 18:15:59 ws232 -bash: #joe# uname -a
Nov 12 18:16:03 ws232 -bash: #joe# uptime
Nov 12 18:16:10 ws232 -bash: #joe# ls -al /bin/login
Nov 12 18:16:19 ws232 -bash: #joe# ls -al /usr/bin/*perl*
Nov 12 18:16:55 ws232 -bash: #joe# w
Nov 12 18:16:55 ws232 -bash: #joe# netstat
Nov 12 18:17:00 ws232 -bash: #joe# ln -fs /dev/null bash_history
Nov 12 18:17:02 ws232 -bash: #joe# cd /var/tmp
Nov 12 18:17:04 ws232 -bash: #joe# cat > p
Nov 12 18:17:12 ws232 -bash: #joe# chmod u+x p
Nov 12 18:17:13 ws232 -bash: #joe# ./p
Nov 12 18:17:44 ws232 -bash: #joe# ls -al /usr/bin/*perl*
Nov 12 18:17:54 ws232 -bash: #joe# vi p
Nov 12 18:18:19 ws232 -bash: #joe# ./p
Nov 12 18:18:57 ws232 -bash: #joe# last joe
Nov 12 18:19:08 ws232 -bash: #joe# ls
Nov 12 18:19:21 ws232 -bash: #joe# find / \( -perm -4000 -o -perm - -2000 \) -type f -exec ls -l {} \; > suids 2>/dev/null &
Nov 12 18:19:34 ws232 -bash: #joe# ls -al sush
Nov 12 18:19:42 ws232 -bash: #joe# cat suids
Nov 12 18:19:51 ws232 -bash: #joe# ls
Nov 12 18:19:56 ws232 -bash: #joe# ps joe
Nov 12 18:20:01 ws232 -bash: #joe# cat suids
Nov 12 18:20:05 ws232 -bash: #joe# ps aux
Nov 12 18:20:11 ws232 -bash: #joe# ps -ef
Nov 12 18:20:18 ws232 -bash: #joe# cat /etc/passwd | grep :0:
Nov 12 18:20:23 ws232 -bash: #joe# cat s*
Nov 12 18:20:31 ws232 -bash: #joe# cat suids
Nov 12 18:20:42 ws232 -su: #root# write joe pts/6
Nov 12 18:20:59 ws232 -bash: #joe# write -f
Nov 12 18:20:59 ws232 -su: #root# tail /home/joe/.bash_history
Nov 12 18:21:02 ws232 -bash: #joe# write -d
Nov 12 18:21:13 ws232 -bash: #joe# rm .bash_history
Nov 12 18:21:23 ws232 -bash: #joe# unset HISTFILE
Nov 12 18:21:23 ws232 -su: #root# write joe pts/7
Nov 12 18:21:26 ws232 -bash: #joe# cat /etc/hosts
Nov 12 18:21:37 ws232 -bash: #joe# ls
Nov 12 18:21:38 ws232 -bash: #joe# rm -f *
Nov 12 18:21:44 ws232 -bash: #joe# write ollie
Nov 12 18:21:49 ws232 -bash: #joe# bas
Nov 12 18:22:00 ws232 -bash: #joe# write
Nov 12 18:22:01 ws232 -bash: #joe# cd bot
Nov 12 18:22:01 ws232 -bash: #joe# ls
Nov 12 18:22:16 ws232 -bash: #joe# cd scripts/
Nov 12 18:22:27 ws232 -bash: #joe# ls -al
Nov 12 18:22:28 ws232 -bash: #joe# ls
Nov 12 18:22:41 ws232 -bash: #joe# su
Nov 12 18:22:47 ws232 -bash: #joe# ls
Nov 12 18:22:53 ws232 -bash: #joe# cd /home/ollie
Nov 12 18:22:56 ws232 -bash: #joe# ls -al
Nov 12 18:23:01 ws232 -bash: #joe# cd /
Nov 12 18:23:08 ws232 -bash: #joe# cat password.tcl
Nov 12 18:23:10 ws232 -bash: #joe# ls -al `which traceroute`
Nov 12 18:23:28 ws232 -bash: #joe# who

A number of things occur to me about this intrusion. They seem amateur, missing out the '.' in "ln -fs /dev/null bash_history".
Stupidly, I thought the login was legitimate (it is a friend of mine's account), which is why I sent a message to his terminal: "write joe pts/6". I received back a message:

Message from joe () ws232 compromised machine tld on pts/6 at 18:21 ...
ahuahu gay ppp
EOF

I then realised this was an intrusion when I did 'w' and saw:

ws232:~# w
  6:21pm  up 23 days,  3:50,  3 users,  load average: 0.05, 0.02, 0.01
USER     TTY      FROM              LOGIN@   IDLE    JCPU   PCPU   WHAT
joe      pts/6    151.99.162.162    6:15pm   15.00s  0.10s  0.10s  -bash
joe      pts/7    dns.hokuto.ed.jp  6:05pm    4.00s  0.09s  0.09s  -bash
ollie    pts/5    ws102.school.eto  5:45pm    0.00s  0.12s  0.02s  w

The IP address is an Italian one belonging to:

inetnum:      151.99.162.160 - 151.99.162.191
netname:      STARLANE
descr:        Starlane Srl
country:      IT
admin-c:      LF614-RIPE
tech-c:       LF614-RIPE
status:       ASSIGNED PA
notify:       network () cgi interbusiness it
mnt-by:       INTERB-MNT
changed:      cgiadmin () cgi interbusiness it 19991117
source:       RIPE

Before I had logged the users off and changed the account password, however, the intruder issued "rm -f *", which removed his 'p' file from /var/tmp - a real shame.

The reference to "rpc.statd" alarms me because I know there are various exploits for this.

I've come to the point where I've done as much investigation as I can trust myself with. I wonder if any of the people on this list can let me know if they've seen an attack from these machines, or one that has been along these lines. I'm particularly interested in this "p" file that the intruder made and then executed... Have any of you seen anything like that before? Is it worth emailing the administrative contacts for the IP ranges that the attacks originated from?

I eagerly anticipate any replies that may be forthcoming. Thank you.
With regards,

Ollie Cook

---
Optimist: "The glass is half full"
Pessimist: "The glass is half empty"
Engineer: "The glass is twice as large as it needs to be"
---

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBOg7pgsPaWaNT0pVnEQJr6wCeI1JLxkK0PqfURY58p262p39rCBwAoPxp
VEayoKi8mB8GLM7oiVUYLzWJ
=Zg2Y
-----END PGP SIGNATURE-----