Snort mailing list archives

RE: have I been HACKED or rooted??


From: "Petriz, Pablo" <ppetriz () siscat com ar>
Date: Tue, 23 Mar 2004 12:31:16 -0300

Maybe this helps; I just received it this morning from SecurityFocus:

1. Forensic Analysis of a Live Linux System, Pt. 1
By Mariusz Burdach
This article is the first of a two-part series that provides step-by-step
instructions on forensics of a live Linux system that has been recently
compromised.
http://www.securityfocus.com/infocus/1769

If you are in Mexico, try this Mexican site http://www.unam-cert.unam.mx/,
option "Atencion e incidentes" (Incident Response)

Greetings from Argentina, and good luck!

PABLO
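The article Pablo points to is about examining a live system; the question it is answering (in the message quoted below) is how to tell whether files were changed on a box where chkrootkit found nothing. One check a practitioner would run is a baseline comparison: hash every file while the system is known good, then diff the live tree against that manifest. The following is an added example, not code from the article, the Snort project or either poster; the directory layout, file names and tampering scenario in demo() are constructed for illustration. It records symlinks by target rather than following them (so a re-pointed link is reported) and keeps the file mode (so a new setuid bit is reported even when the bytes are unchanged).

```python
"""Baseline-and-compare file integrity check (SHA-256 manifest of a tree)."""
import hashlib
import json
import os
import stat
import tempfile


def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> record. Symlinks are recorded by target and never followed,
    so a link re-pointed at a trojan shows up as modified. Mode is kept so a new
    setuid bit is caught even when the bytes are unchanged. Directories are not
    recorded themselves, only their contents."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):   # does not follow dir symlinks
        for name in sorted(dirnames + filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            rel = os.path.relpath(full, root)
            if stat.S_ISLNK(st.st_mode):
                manifest[rel] = {"type": "symlink", "target": os.readlink(full)}
            elif stat.S_ISREG(st.st_mode):
                manifest[rel] = {"type": "file", "sha256": file_digest(full),
                                 "mode": oct(stat.S_IMODE(st.st_mode)), "size": st.st_size}
    return manifest


def compare(baseline, current):
    """Diff two manifests; each 'modified' entry names the attributes that changed."""
    modified = []
    for rel in sorted(set(baseline) & set(current)):
        b, c = baseline[rel], current[rel]
        changed = sorted(k for k in set(b) | set(c) if b.get(k) != c.get(k))
        if changed:
            modified.append((rel, changed))
    return {"modified": modified,
            "added": sorted(set(current) - set(baseline)),
            "missing": sorted(set(baseline) - set(current))}


def save_manifest(manifest, path):
    with open(path, "w") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Constructed scenario (not a real system): baseline a small fake bin/ tree,
    tamper with it the way a rootkit install would, and return what the
    comparison catches."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.mkdir(bin_dir)
        for name in ("ls", "ps", "login"):
            with open(os.path.join(bin_dir, name), "wb") as fh:
                fh.write(b"#!/bin/sh\nexec /usr/bin/" + name.encode() + b" \"$@\"\n")
            os.chmod(os.path.join(bin_dir, name), 0o755)
        os.symlink("ls", os.path.join(bin_dir, "dir"))
        baseline_path = os.path.join(root, "baseline.json")   # kept off the checked tree
        save_manifest(build_manifest(bin_dir), baseline_path)

        # Tampering: trojaned ps, setuid login, dropped backdoor, ls removed, link re-pointed.
        with open(os.path.join(bin_dir, "ps"), "ab") as fh:
            fh.write(b"# hide pid 31337\n")
        os.chmod(os.path.join(bin_dir, "login"), 0o4755)
        with open(os.path.join(bin_dir, ".sshd"), "wb") as fh:
            fh.write(b"backdoor")
        os.remove(os.path.join(bin_dir, "ls"))
        os.remove(os.path.join(bin_dir, "dir"))
        os.symlink("ps", os.path.join(bin_dir, "dir"))
        return compare(load_manifest(baseline_path), build_manifest(bin_dir))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

Caveat: hashes computed on the live box go through the live kernel and libc, and a kernel-level rootkit can hand back clean bytes for a trojaned binary. A result of "no changes" is therefore only conclusive when the baseline comes from a trusted source (a pre-incident manifest kept off the machine, or the distribution's package database) and the comparison is run from trusted media. A result that does list modifications, as in the demo, is hard to fake and answers the question directly.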

Message: 5
Date: Tue, 23 Mar 2004 04:10:54 -0600 (CST)
From: =?iso-8859-1?q?soldier=20Mx?= <soldi3rmx () yahoo com mx>
To: snort-users () lists sourceforge net
Subject: [Snort-users] have I been HACKED or rooted??

Hey, unfortunately I think I have been rooted, but I don't really know
if the Snort alerts are TRUE.

Here I show what happened.

In the Snort alert:

[**] [1:2182:2] BACKDOOR typot trojan traffic [**]
[Priority: 0]
03/18-23:28:11.737519 220.168.51.247:3784 -> 10.17.113.195:80
TCP TTL:107 TOS:0x0 ID:28415 IpLen:20 DgmLen:52 DF
******S* Seq: 0x1339E431 Ack: 0x0 Win: 0xDA00 TcpLen: 32
TCP Options (6) => MSS: 1452 NOP WS: 2 NOP NOP SackOK


--- Scans before the backdoor alert...


[**] [111:12:1] (spp_stream4) NMAP FINGERPRINT (stateful) detection [**]
03/18-18:52:20.792822 10.17.112.20:48968 -> 10.17.42.10:22
TCP TTL:44 TOS:0x0 ID:10515 IpLen:20 DgmLen:60
***A**** Seq: 0x1A464800 Ack: 0x0 Win: 0x400 TcpLen: 40
TCP Options (5) => WS: 10 NOP MSS: 265 TS: 1061109567 0 EOL

[**] [111:10:1] (spp_stream4$
03/18-18:52:20.793136 10.17.112.20:48971 -> 10.17.42.10:137
TCP TTL:53 TOS:0x0 ID:25545 IpLen:20 DgmLen:60
**U*P**F Seq: 0x1A464800 Ack: 0x0 Win: 0x800 TcpLen: 40 UrgPtr: 0x0
TCP Options (5) => WS: 10 NOP MSS: 26$

[**] [111:9:1] (spp_stream4) STEALTH ACTIVITY (NULL scan) detection [**]
03/18-18:52:22.339509 10.17.112.20:48966 -> 10.17.42.10:22
TCP TTL:46 TOS:0x0 ID:63890 IpLen:20 DgmLen:60
******** Seq: 0x1A464800 Ack: 0x0 Win: 0xC00 TcpLen: 40




** Then I checked my root () site org mail... and


I got this mail:


X-Original-To: root () linux mty itesm mx
Delivered-To: root () linux mty itesm mx
Date: Sun, 21 Mar 2004 17:50:17 -0600 (CST)
From: Mail Delivery System
<MAILER-DAEMON () linux mty itesm mx>
Subject: Undelivered Mail Returned to Sender
To: root () linux mty itesm mx

[-- Attachment #1: Notification --]
[-- Type: text/plain, Encoding: 7bit, Size: 0.7K --]

This is the Postfix program at host linux.mty.itesm.mx.

I'm sorry to have to inform you that the message returned
below could not be delivered to one or more destinations.

For further assistance, please send mail to <postmaster>

If you do so, please include this problem report. You can
delete your own text from the message returned below.

The Postfix program

<---@linux.mty.itesm.mx>: invalid recipient syntax: "---@linux.mty.itesm.mx"

<codigo () linux mty itesm mx>: unknown user: "codigo"

<malicioso () linux mty itesm mx>: unknown user: "malicioso"

<esta () linux mty itesm mx>: unknown user: "esta"

<te () linux mty itesm mx>: unknown user: "te"

<metiendo () linux mty itesm mx>: unknown user: "metiendo"

[-- Attachment #2: Delivery error report --]
[-- Type: message/delivery-status, Encoding: 7bit,
Size: 0.9K --]

Reporting-MTA: dns; linux.mty.itesm.mx
Final-Recipient: rfc822; ---@linux.mty.itesm.mx
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; invalid recipient syntax:
"---@linux.mty.itesm.mx"

Final-Recipient: rfc822; codigo () linux mty itesm mx
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; unknown user: "codigo"

Final-Recipient: rfc822; malicioso () linux mty itesm mx
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; unknown user: "malicioso"

Final-Recipient: rfc822; esta () linux mty itesm mx
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; unknown user: "esta"

Final-Recipient: rfc822; te () linux mty itesm mx
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; unknown user: "te"

Final-Recipient: rfc822; metiendo () linux mty itesm mx
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; unknown user: "metiendo"

[-- Attachment #3: Undelivered Message --]
[-- Type: message/rfc822, Encoding: 7bit, Size: 0.5K
--]

To: te () linux mty itesm mx, esta () linux mty itesm mx,
metiendo () linux mty itesm mx,
codigo () linux mty itesm mx,
malicioso () linux mty itesm mx, exploits
<---@linux.mty.itesm.mx>
Subject: ---
Date: Sun, 21 Mar 2004 17:50:13 -0600 (CST)



In Spanish, "Codigo", "Malicioso", "esta", "te", "Metiendo" means...

malicious code is injecting or joining...

Mails that don't exist appeared with those words... "exploit"??

So then I followed the date of that mail, and I got this
with SNORT.

SNORT IS REALLY HELPFUL, DUDES, install it!!!!



[**] [1:1847:3] WEB-MISC webalizer access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
03/21-04:04:38.162233 200.79.236.229:32845 -> 10.17.112.20:80
TCP TTL:45 TOS:0x0 ID:56349 IpLen:20 DgmLen:614 DF
***AP*** Seq: 0x78B0DFA Ack: 0xC1792671 Win: 0x16D0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 250376 50257049
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0643][Xref => http://cgi.nessus.org/plugins/dump.php3?id=10816]


-> The famous shellcode that comes with the exploits:

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
03/21-07:40:19.230659 67.113.43.137:2660 -> 10.17.112.20:80
TCP TTL:107 TOS:0x0 ID:34217 IpLen:20 DgmLen:1466 DF
***A**** Seq: 0xE8F7EDDF Ack: 0x7061584A Win: 0xFAAA TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
03/21-07:40:19.315870 67.113.43.137:2660 -> 10.17.112.20:80
TCP TTL:107 TOS:0x0 ID:34218 IpLen:20 DgmLen:1466 DF
***A**** Seq: 0xE8F7F371 Ack: 0x7061584A Win: 0xFAAA TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

The alerts have been triggered.

HOW CAN I KNOW if I have been rooted, or if some files
were modified?

The question is: how can I know if the script kiddies
got what they wanted, or if they really got root, or if it
was just a FALSE ALERT from Snort... but I don't think so!


Here I missed another alert...

1 day before the shellcode
I got this:


[**] ATTACK-RESPONSES id check returned root [**]
03/20-03:34:51.818529 10.17.112.20:80 -> 201.128.139.115:25308
TCP TTL:64 TOS:0x0 ID:42330 IpLen:20 DgmLen:1492 DF
***A**** Seq: 0x5D2FC4BB Ack: 0x39653CBE Win: 0x1920 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+



So does that mean something like they got root??

:S ??

Well, this stuff is interesting to investigate...



** I have used chkrootkit, but it didn't detect
ANYTHING!


What should I look at or do to know if I have been
rooted?

* I don't want to RE-install until I know how to tell if
I have been rooted.

* Any thoughts!?
* I will really appreciate your comments... and don't
tell me to re-install until we know what really
happened, or at least a bit.


THANKS
from Mexico!!
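The alerts quoted above mix three different kinds of evidence. SHELLCODE x86 NOOP and WEB-MISC webalizer access describe traffic sent to 10.17.112.20 and say nothing about whether it worked. ATTACK-RESPONSES id check returned root describes traffic the host itself sent back: that rule matches the string uid=0(root) in the data stream, so a hit from port 80 on the host means a web response carried that text, either because a command ran as root or because a page happened to contain it. The NMAP FINGERPRINT and NULL scan alerts on 03/18 have 10.17.112.20 as the source, scanning 10.17.42.10. The Python below is an added example, not code from the thread or from the Snort project: it parses Snort's "full" alert format, sorts alerts per monitored host by which side they say something about, and looks for an inbound alert in the hour before each response-type alert. The sample alerts are constructed from the ones quoted above with the TCP detail lines trimmed; the one-hour window and the keyword lists are this example's own choices.

```python
"""Parse Snort 'full' alert records and triage them per monitored host."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# "[**] [gid:sid:rev] msg [**]"; older records (like the id-check one) lack the tag.
HEADER_RE = re.compile(r"^\[\*\*\] (?:\[(\d+):(\d+):(\d+)\] )?(.+?) \[\*\*\]$")
PKT_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+):\d+ -> (\S+):\d+$")
RECON_WORDS = ("NMAP", "STEALTH", "SCAN", "WEB-")       # request-side noise
ATTEMPT_WORDS = ("SHELLCODE", "EXPLOIT", "WEB-ATTACKS")  # request-side payloads

@dataclass
class Alert:
    sid: int          # 0 when the record carries no [gid:sid:rev] tag
    msg: str
    when: datetime
    src: str
    dst: str

def parse_alerts(text, year):
    """Snort timestamps carry no year, so the caller supplies it; blocks without
    a header or a packet line are skipped."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        head = HEADER_RE.match(lines[0]) if lines else None
        pkt = next((m for m in map(PKT_RE.match, lines[1:]) if m), None)
        if not head or not pkt:
            continue
        when = datetime.strptime(f"{year}/{pkt.group(1)}", "%Y/%m/%d-%H:%M:%S.%f")
        alerts.append(Alert(int(head.group(2) or 0), head.group(4), when,
                            pkt.group(2), pkt.group(3)))
    return sorted(alerts, key=lambda a: a.when)

def classify(a, monitored):
    """(kind, host) from the monitored hosts' side: what a host *sent* (a uid=0(root)
    reply, a scan of its neighbours) is evidence about it; what was sent *to* it is
    only an attempt or recon until the reply or the server log has been read."""
    if a.src in monitored:
        if a.msg.startswith("ATTACK-RESPONSES"):
            return "response", a.src
        if a.dst not in monitored and any(w in a.msg for w in RECON_WORDS):
            return "outbound_scan", a.src
    if a.dst in monitored:
        if any(w in a.msg for w in ATTEMPT_WORDS):
            return "attempt", a.dst
        return ("recon" if any(w in a.msg for w in RECON_WORDS) else "inbound_other"), a.dst
    return None, None

def verdict(f):
    if f["responses"] or f["outbound_scans"]:
        return "treat as compromised"   # the host's own traffic says so
    if f["attempts"]:
        return "exploit attempted"      # inbound only: read the server log and the reply
    return "recon only" if f["recon"] else "nothing seen"

def triage(alerts, monitored, window=timedelta(hours=1)):
    """Per-host timeline and counts. A response with no inbound attempt/recon in the
    preceding window means no rule matched the request that caused it (or the
    uid=0(root) text is ordinary page content): pull that session's reply by hand."""
    events = {h: [] for h in monitored}
    for a in alerts:
        kind, host = classify(a, monitored)
        if kind:
            events[host].append((a.when, kind, a.msg, a.src, a.dst))
    findings = {}
    for host, ev in events.items():
        resp = [e for e in ev if e[1] == "response"]
        orphan = [r for r in resp if not any(
            e[1] in ("attempt", "recon") and r[0] - window <= e[0] <= r[0] for e in ev)]
        f = {"events": ev, "responses": len(resp), "responses_without_trigger": len(orphan),
             "outbound_scans": sum(e[1] == "outbound_scan" for e in ev),
             "attempts": sum(e[1] == "attempt" for e in ev),
             "recon": sum(e[1] == "recon" for e in ev)}
        f["level"] = verdict(f)
        findings[host] = f
    return findings

# Constructed sample modelled on the alerts quoted in the post, TCP detail lines trimmed.
SAMPLE = """\
[**] [111:12:1] (spp_stream4) NMAP FINGERPRINT (stateful) detection [**]
03/18-18:52:20.792822 10.17.112.20:48968 -> 10.17.42.10:22

[**] ATTACK-RESPONSES id check returned root [**]
03/20-03:34:51.818529 10.17.112.20:80 -> 201.128.139.115:25308

[**] [1:1847:3] WEB-MISC webalizer access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
03/21-04:04:38.162233 200.79.236.229:32845 -> 10.17.112.20:80

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
03/21-07:40:19.230659 67.113.43.137:2660 -> 10.17.112.20:80
"""

if __name__ == "__main__":
    for host, f in triage(parse_alerts(SAMPLE, 2004), {"10.17.112.20"}).items():
        print(host, "->", f["level"])
        for when, kind, msg, src, dst in f["events"]:
            print(f"  {when:%m/%d %H:%M:%S}  {kind:13}  {msg}  ({src} -> {dst})")
```

For the data above it reports the 03/18 fingerprinting as an outbound scan from 10.17.112.20 and finds no inbound alert in the hour before the id-check response on 03/20. That second point is the one worth chasing: no rule matched the request that produced the response, so the next step is the web server's access log for 201.128.139.115 around 03:34 on 03/20 and the full session capture, if the sensor kept one, to read what the response actually contained.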



