Snort mailing list archives
RE: have i been HACKED or rooted ??
From: "Petriz, Pablo" <ppetriz () siscat com ar>
Date: Tue, 23 Mar 2004 12:31:16 -0300
Maybe this helps; I just received it this morning from SecurityFocus:

1. Forensic Analysis of a Live Linux System, Pt. 1
By Mariusz Burdach

This article is the first of a two-part series that provides step-by-step instructions on forensics of a live Linux system that has been recently compromised.
http://www.securityfocus.com/infocus/1769

If you are in Mexico, try this Mexican site: http://www.unam-cert.unam.mx/ option "Atencion e incidentes" (incident handling and response).

Greetings from Argentina, and good luck!
PABLO
Message: 5
Date: Tue, 23 Mar 2004 04:10:54 -0600 (CST)
From: soldier Mx <soldi3rmx () yahoo com mx>
To: snort-users () lists sourceforge net
Subject: [Snort-users] have i been HACKED or rooted ??

Hey, unfortunately I think I have been rooted, but I don't really know if the Snort alerts are TRUE. Here I show what happened in the Snort alert:

[**] [1:2182:2] BACKDOOR typot trojan traffic [**]
[Priority: 0]
03/18-23:28:11.737519 220.168.51.247:3784 -> 10.17.113.195:80
TCP TTL:107 TOS:0x0 ID:28415 IpLen:20 DgmLen:52 DF
******S* Seq: 0x1339E431 Ack: 0x0 Win: 0xDA00 TcpLen: 32
TCP Options (6) => MSS: 1452 NOP WS: 2 NOP NOP SackOK

--- Scans before the alert of the backdoor...

[**] [111:12:1] (spp_stream4) NMAP FINGERPRINT (stateful) detection [**]
03/18-18:52:20.792822 10.17.112.20:48968 -> 10.17.42.10:22
TCP TTL:44 TOS:0x0 ID:10515 IpLen:20 DgmLen:60
***A**** Seq: 0x1A464800 Ack: 0x0 Win: 0x400 TcpLen: 40
TCP Options (5) => WS: 10 NOP MSS: 265 TS: 1061109567 0 EOL

[**] [111:10:1] (spp_stream4$
03/18-18:52:20.793136 10.17.112.20:48971 -> 10.17.42.10:137
TCP TTL:53 TOS:0x0 ID:25545 IpLen:20 DgmLen:60
**U*P**F Seq: 0x1A464800 Ack: 0x0 Win: 0x800 TcpLen: 40 UrgPtr: 0x0
TCP Options (5) => WS: 10 NOP MSS: 26$

[**] [111:9:1] (spp_stream4) STEALTH ACTIVITY (NULL scan) detection [**]
03/18-18:52:22.339509 10.17.112.20:48966 -> 10.17.42.10:22
TCP TTL:46 TOS:0x0 ID:63890 IpLen:20 DgmLen:60
******** Seq: 0x1A464800 Ack: 0x0 Win: 0xC00 TcpLen: 40

** Then I looked at my root () site org mail... and I got this mail:

X-Original-To: root () linux mty itesm mx
Delivered-To: root () linux mty itesm mx
Date: Sun, 21 Mar 2004 17:50:17 -0600 (CST)
From: Mail Delivery System <MAILER-DAEMON () linux mty itesm mx>
Subject: Undelivered Mail Returned to Sender
To: root () linux mty itesm mx

[-- Attachment #1: Notification --]
[-- Type: text/plain, Encoding: 7bit, Size: 0.7K --]

This is the Postfix program at host linux.mty.itesm.mx.

I'm sorry to have to inform you that the message returned below could not be delivered to one or more destinations.

For further assistance, please send mail to <postmaster>

If you do so, please include this problem report. You can delete your own text from the message returned below.

The Postfix program

<---@linux.mty.itesm.mx>: invalid recipient syntax: "---@linux.mty.itesm.mx"
<codigo () linux mty itesm mx>: unknown user: "codigo"
<malicioso () linux mty itesm mx>: unknown user: "malicioso"
<esta () linux mty itesm mx>: unknown user: "esta"
<te () linux mty itesm mx>: unknown user: "te"
<metiendo () linux mty itesm mx>: unknown user: "metiendo"

[-- Attachment #2: Delivery error report --]
[-- Type: message/delivery-status, Encoding: 7bit, Size: 0.9K --]

Reporting-MTA: dns; linux.mty.itesm.mx

Final-Recipient: rfc822; ---@linux.mty.itesm.mx
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; invalid recipient syntax: "---@linux.mty.itesm.mx"

Final-Recipient: rfc822; codigo () linux mty itesm mx
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; unknown user: "codigo"

Final-Recipient: rfc822; malicioso () linux mty itesm mx
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; unknown user: "malicioso"

Final-Recipient: rfc822; esta () linux mty itesm mx
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; unknown user: "esta"

Final-Recipient: rfc822; te () linux mty itesm mx
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; unknown user: "te"

Final-Recipient: rfc822; metiendo () linux mty itesm mx
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; unknown user: "metiendo"

[-- Attachment #3: Undelivered Message --]
[-- Type: message/rfc822, Encoding: 7bit, Size: 0.5K --]

To: te () linux mty itesm mx, esta () linux mty itesm mx, metiendo () linux mty itesm mx, codigo () linux mty itesm mx, malicioso () linux mty itesm mx, exploits <---@linux.mty.itesm.mx>
Subject: ---
Date: Sun, 21 Mar 2004 17:50:13 -0600 (CST)

In Spanish... "Codigo" "Malicioso" "esta" "te" "Metiendo" means... malicious code is injecting or joining... Mails that don't exist appeared with those words... "exploit"??

So then I followed the date of that mail, and I got this with SNORT. SNORT IS REALLY HELPFUL DUDES, install it!!!!

[**] [1:1847:3] WEB-MISC webalizer access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
03/21-04:04:38.162233 200.79.236.229:32845 -> 10.17.112.20:80
TCP TTL:45 TOS:0x0 ID:56349 IpLen:20 DgmLen:614 DF
***AP*** Seq: 0x78B0DFA Ack: 0xC1792671 Win: 0x16D0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 250376 50257049
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0643][Xref => http://cgi.nessus.org/plugins/dump.php3?id=10816]

-> THE FAMOUS SHELLCODE that comes with the exploits

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
03/21-07:40:19.230659 67.113.43.137:2660 -> 10.17.112.20:80
TCP TTL:107 TOS:0x0 ID:34217 IpLen:20 DgmLen:1466 DF
***A**** Seq: 0xE8F7EDDF Ack: 0x7061584A Win: 0xFAAA TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]
$
[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
03/21-07:40:19.315870 67.113.43.137:2660 -> 10.17.112.20:80
TCP TTL:107 TOS:0x0 ID:34218 IpLen:20 DgmLen:1466 DF
***A**** Seq: 0xE8F7F371 Ack: 0x7061584A Win: 0xFAAA TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

The alerts have been triggered. HOW CAN I KNOW if I have been rooted, or if some files were modified? The question is: how can I know if the script kiddies got what they wanted, or if they really got root, or if it was just a FALSE ALERT from Snort... but I don't think so!

Here I missed another alert... 1 day before the shellcode I got this:

[**] ATTACK-RESPONSES id check returned root [**]
03/20-03:34:51.818529 10.17.112.20:80 -> 201.128.139.115:25308
TCP TTL:64 TOS:0x0 ID:42330 IpLen:20 DgmLen:1492 DF
***A**** Seq: 0x5D2FC4BB Ack: 0x39653CBE Win: 0x1920 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

.. so does that mean something about them having got root?? :S ??

Well, this stuff is interesting to investigate...

** I have used chkrootkit, but it didn't detect ANYTHING! What should I look at or do to know if I have been rooted?
* I don't want to RE-install until I know how to tell whether I have been rooted.
* Any thoughts!??
* I will really appreciate your comments... and don't tell me to re-install... until we know what really happened, or at least a bit.

THANKS from Mexico!!

_________________________________________________________
Do You Yahoo!?
The best internet connection and 25MB extra for your mail for $100 a month.
http://net.yahoo.com.mx
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
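[Editor's note, not part of the thread.] The quoted alerts answer the poster's question only partly, and the difference between them is worth spelling out. The SHELLCODE x86 NOOP and webalizer alerts fire on the *request*: they show an attempt, not an outcome. ATTACK-RESPONSES id check returned root fires on the string uid=0(root) in the *response*, and this one was emitted by 10.17.112.20 from port 80 towards the outside, i.e. the web server itself sent back the output of an id command run as root. That is far stronger evidence than any request-side match, with one caveat: the rule is plain content matching, so a web page that merely contains the text uid=0(root) (a forum or mailing-list archive, for instance) triggers it too. The check is to pull that packet's payload from the Snort log or a tcpdump capture and see whether it is a shell's output or a page body.

The script below is an added example, written for this editor's note and not code from the thread or from the Snort project. It parses the Snort full-alert format shown in the post, sorts the alerts into a per-host timeline, and rates each event: an outbound ATTACK-RESPONSES match from an inside host is rated as a likely compromise, an inbound SHELLCODE match as an attempt, and port scans as reconnaissance. It also flags an inside host that scans another inside host, because in the post the scans of 10.17.42.10 come from 10.17.112.20, the same machine that later answered with uid=0(root). Assumptions, since the post does not state them: the monitored network is 10.0.0.0/8 and the capture year is 2004 (Snort alert timestamps carry no year). SAMPLE_ALERTS is a trimmed copy of the alerts quoted in the post, with the TCP flag and option lines removed.

```python
"""Triage Snort full-format alerts into per-host timelines.
Assumptions (not from the post): the monitored network is 10.0.0.0/8 and
the capture year is 2004 (Snort alert timestamps carry no year).
SAMPLE_ALERTS is a trimmed copy of the alerts quoted in the post."""
import ipaddress
import re
from datetime import datetime

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumption, see above

# "[**] [gid:sid:rev] message [**]"; the gid:sid:rev part is absent in older rules
HEADER_RE = re.compile(r"\[\*\*\]\s+(?:\[(\d+):(\d+):(\d+)\]\s+)?(.*?)\s+\[\*\*\]")
PRIORITY_RE = re.compile(r"\[Priority:\s*(\d+)\]")
# "MM/DD-HH:MM:SS.usec src:port -> dst:port"
PACKET_RE = re.compile(
    r"(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.(\d+)\s+"
    r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+->\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)"
)
PROTO_RE = re.compile(r"^(TCP|UDP|ICMP)\s+TTL:")

SAMPLE_ALERTS = """\
[**] [1:2182:2] BACKDOOR typot trojan traffic [**]
[Priority: 0]
03/18-23:28:11.737519 220.168.51.247:3784 -> 10.17.113.195:80
TCP TTL:107 TOS:0x0 ID:28415 IpLen:20 DgmLen:52 DF

[**] [111:12:1] (spp_stream4) NMAP FINGERPRINT (stateful) detection [**]
03/18-18:52:20.792822 10.17.112.20:48968 -> 10.17.42.10:22
TCP TTL:44 TOS:0x0 ID:10515 IpLen:20 DgmLen:60

[**] [111:9:1] (spp_stream4) STEALTH ACTIVITY (NULL scan) detection [**]
03/18-18:52:22.339509 10.17.112.20:48966 -> 10.17.42.10:22
TCP TTL:46 TOS:0x0 ID:63890 IpLen:20 DgmLen:60

[**] [1:1847:3] WEB-MISC webalizer access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
03/21-04:04:38.162233 200.79.236.229:32845 -> 10.17.112.20:80
TCP TTL:45 TOS:0x0 ID:56349 IpLen:20 DgmLen:614 DF

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
03/21-07:40:19.230659 67.113.43.137:2660 -> 10.17.112.20:80
TCP TTL:107 TOS:0x0 ID:34217 IpLen:20 DgmLen:1466 DF

[**] ATTACK-RESPONSES id check returned root [**]
03/20-03:34:51.818529 10.17.112.20:80 -> 201.128.139.115:25308
TCP TTL:64 TOS:0x0 ID:42330 IpLen:20 DgmLen:1492 DF
"""


def parse_alerts(text, year=2004):
    """Return one dict per alert (sid, msg, priority, ts, src, sport, dst, dport, proto).
    Alerts with no packet line (e.g. a truncated paste) are dropped."""
    alerts, cur = [], None
    for line in text.splitlines():
        if (m := HEADER_RE.search(line)):
            cur = {"sid": m.group(2), "msg": m.group(4).strip(), "priority": None}
            alerts.append(cur)
        elif cur is None:
            continue
        elif (m := PRIORITY_RE.search(line)):
            cur["priority"] = int(m.group(1))
        elif (m := PACKET_RE.search(line)):
            mo, d, h, mi, s, us = (int(x) for x in m.groups()[:6])
            cur["ts"] = datetime(year, mo, d, h, mi, s, us)
            cur["src"], cur["sport"] = ipaddress.ip_address(m.group(7)), int(m.group(8))
            cur["dst"], cur["dport"] = ipaddress.ip_address(m.group(9)), int(m.group(10))
        elif (m := PROTO_RE.match(line)):
            cur["proto"] = m.group(1)
    return [a for a in alerts if "ts" in a]


def direction(a):
    src_in, dst_in = a["src"] in INTERNAL, a["dst"] in INTERNAL
    if src_in and dst_in:
        return "internal"
    return "outbound" if src_in else ("inbound" if dst_in else "external")


def triage(alerts):
    """Map each inside host to its chronological list of (ts, verdict, msg)."""
    timeline = {}

    def note(host, a, verdict):
        timeline.setdefault(str(host), []).append((a["ts"], verdict, a["msg"]))

    for a in sorted(alerts, key=lambda x: x["ts"]):
        d, msg = direction(a), a["msg"].upper()
        if d == "outbound" and "ATTACK-RESPONSES" in msg:
            # the inside host itself produced the response: verify the payload, then treat as owned
            note(a["src"], a, "LIKELY COMPROMISE: host sent an attack response outbound")
        elif "SHELLCODE" in msg and d != "outbound":
            note(a["dst"], a, "attempt: executable code in request payload")
        elif any(k in msg for k in ("SCAN", "NMAP", "STEALTH")):
            note(a["dst"], a, "recon: port scan / fingerprinting")
            if d == "internal":
                note(a["src"], a, "SUSPECT: inside host scanning another inside host")
        else:
            note(a["src"] if d == "outbound" else a["dst"], a, "informational")
    return timeline


def hosts_needing_forensics(timeline):
    """Hosts whose timeline holds at least one LIKELY or SUSPECT verdict."""
    return sorted(h for h, ev in timeline.items()
                  if any(v.startswith(("LIKELY", "SUSPECT")) for _, v, _ in ev))


if __name__ == "__main__":
    tl = triage(parse_alerts(SAMPLE_ALERTS))
    for host, events in tl.items():
        print(host)
        for ts, verdict, msg in events:
            print(f"  {ts:%m/%d %H:%M:%S}  {verdict:<58} {msg}")
    print("forensics first on:", ", ".join(hosts_needing_forensics(tl)))
```

Run against a real alert file (snort -A full output, or /var/log/snort/alert) by replacing SAMPLE_ALERTS with the file's contents and INTERNAL with your own address range. Once a host lands in hosts_needing_forensics, follow the live-forensics order of volatility that Pablo's SecurityFocus link describes: collect memory, process lists and open sockets from the running system first, and only then touch the disk; a clean chkrootkit result, as the poster saw, rules out only the rootkits chkrootkit knows about.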
Current thread:
- have i been HACKED or rooted ?? soldier Mx (Mar 23)
- <Possible follow-ups>
- RE: have i been HACKED or rooted ?? Petriz, Pablo (Mar 23)