
[cobalt-security] hacked raq3



Hi, and please help me

Our RaQ3 was hacked (March 11-12) and files and programs were deleted and/or
permissions were changed on some files. I do not have the full view of all
the hacked files or how it happened. A server in the US kept sending big
packets to our RaQ for several hours until our network supplier cut their
IP range off (see atch 1). I do think they started their own telnet (telnetd)
and ftp (data-ftp) programs. One of the users they created was 42:

drwxr-xr-x   3 42       42           1024 Jun 20  2000 apache (atch 2)

If it can give a clue, I can tell that sendmail is giving an error in the admin
web interface that says it's not running, but mails get delivered and it looks
ok. I also restarted the server in the admin console, but the admin console
says the server has been running for over 14 days. I tried to disconnect the
telnet server, but I myself was still able to use telnet after it was turned
off.

Can anybody help me with names of processes that normally should not
run, and commands I can use to get port, user and other info, useful when I
think there is something going wrong in the Cobalt? (I am a newbie.)

I am grateful for all tips regarding this hack and how to trace things in the
future. Take a look at the logs and info at the end of the mail.

regards

Kai R Schantz
Euroweb AS
Verksgaten 42
N-4013 Stavanger
Norway
Tlf:+47 51 89 64 64  fax:+47 51 89 56 41
www.euroweb.no



(atch 1)

hotellet-gw#sh ip accounting
   Source           Destination              Packets               Bytes
 213.142.74.118   212.37.252.106                   2                  86
 192.36.148.17    212.37.252.106                   1                 120
 62.66.242.228    212.37.252.106                   1                  40
 170.140.161.237  212.37.252.106                 592               33152
XXXXXX
 170.140.161.238  212.37.252.106                 592               33152
XXXXXX
 194.29.203.100   212.37.252.106                  13                1019
 152.163.132.250  212.37.252.106                   1                  56
 195.204.132.202  212.37.252.106                  16                 728
 170.140.43.64    212.37.252.106                  18                 720
XXXXXXX
 152.163.159.232  212.37.252.106                   1                 157
 212.33.133.33    212.37.252.106                   2                 309
 129.240.64.2     212.37.252.106                   1                 165
 205.188.157.232  212.37.252.106                   1                 182
 170.140.102.64   212.37.252.106               38315             1532600
XXXXXX
 130.67.15.194    212.37.252.106                   1                  62
 193.156.90.14    212.37.252.106                   2                 112
 130.67.61.34     213.236.138.20                   1                  56
 209.15.2.61      212.37.252.106                   2                  84
 195.204.218.58   212.37.252.106                 336               31100  x?
 130.67.81.122    212.37.252.106                  39                1560
 192.36.144.133   212.37.252.106                   2                 454
 170.140.164.127  212.37.252.106                 734               29360
XXXXXX
 62.1.254.14      212.37.252.106                   1                  40
 216.35.103.81    212.37.252.106                  13                 894
 209.202.148.41   212.37.252.106                   5                 561
 130.67.231.136   212.37.252.106                 102                8820
 128.39.2.9       212.37.252.106                   6                 401
 170.140.48.191   212.37.252.106               23718              948720
XXXXXX
 213.236.138.2    212.37.252.106                   1                 170
 212.37.252.106   213.236.138.2                    1                  70
 148.122.161.49   213.236.138.20                  11                2959
 216.35.112.51    212.37.252.106                  10                 783
 193.215.2.145    212.37.252.106                  71               10178
XXXXXXX
 152.163.225.90   212.37.252.106                   2                 116
 62.191.152.149   212.37.252.106                   8                 367
 152.163.225.69   212.37.252.106                  11                1730

Accounting data age is 0

WHOIS:
IP block lookup for 170.140.102.64
whois -h whois.arin.net 170.140.102.64

Emory University (NET-EMORY2)
   Atlanta GA, 30322
   US

   Netname: EMORY2
   Netblock: 170.140.0.0 - 170.140.255.255

   Coordinator:
      Petersen, Paul  (PP1526-ARIN)  ppeters@xxxxxxxxx
      (404) 727-7686 (FAX) (404) 727-2599



(atch 2)

-rw-rw-rw-   1 root     root         9300 Mar 11 20:07 chili-psm
-rw-r--r--   1 root     root      1776311 Mar 11 04:11 access.1.gz

drwxr-xr-x  16 root     root         1024 Mar 12 14:15 .
drwxr-xr-x  16 root     root         1024 Mar 12 12:34 ..
drwxr-xr-x   3 42       42           1024 Jun 20  2000 apache
drwxr-xr-x  17 root     root         1024 Jan 18 08:03 chiliasp
drwxr-xr-x   9 root     root         1024 Dec 19 19:28 cmu
drwxr-xr-x   3 root     root         1024 Jan  6  2000 httpd
drwxr-xr-x   3 root     root         1024 Jan  6  2000 log
drwxr-xr-x   2 root     root        12288 Jan  6  2000 lost+found
drwxr-xr-x  12 httpd    httpd        1024 Jun 21  2000 openshop
drwxr-xr-x   2 admin    admin        1024 Feb 13 05:36 packages
drwx------   3 postgres postgres     1024 Feb 15 20:01 pgsql
-rw-------   1 root     root        32032 Mar 13 12:33 quota.group
-rw-------   1 root     root        32480 Mar 13 17:32 quota.user
drwxr-xr-x   7 root     root         1024 Jan  6  2000 redhat
drwxr-xr-x   2 root     nobody       1024 Jul 22  1999 samba
drwxr-xr-x 196 root     root         9216 Mar  5 12:10 sites
-rw-rw-r--   1 admin    admin    695162297 Mar 12 14:12 sites.tar.gz
drwxr-xr-x   4 root     root         1024 Jan  6  2000 spool
drwxrwxrwx   4 root     root         1024 Mar 13 15:55 tmp
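The post asks for a way to get port, user and traffic information out of the evidence above. The following is an added example written for this page, not code from the poster or from Cobalt: it parses an excerpt of the router's `show ip accounting` table attached to the mail (the source addresses and byte counts are copied from atch 1) and ranks the sources by bytes sent, and it audits a password file for the two things an intruder typically leaves behind, a second UID 0 account and an account whose UID matches an unexplained file owner (the `42` that owns `/home/apache` in atch 2). The `/etc/passwd` content is constructed for the example: the `toor` and `apache` entries are hypothetical, and the UID 48 for `httpd` is an assumption, not taken from the RaQ.

```python
"""Triage helpers for a compromised Linux host (added example, not from the post).

parse_accounting / top_talkers / sources_in_prefix work on the text of a Cisco
'show ip accounting' table; audit_passwd works on the text of /etc/passwd.
"""
import re
from collections import defaultdict

# Excerpt of the router accounting output attached to the post (atch 1).
# The poster's own XXXXXX / x? annotations are kept to show they are skipped.
IP_ACCOUNTING = """\
   Source           Destination              Packets               Bytes
 213.142.74.118   212.37.252.106                   2                  86
 170.140.161.237  212.37.252.106                 592               33152
XXXXXX
 170.140.102.64   212.37.252.106               38315             1532600
 195.204.218.58   212.37.252.106                 336               31100  x?
 170.140.48.191   212.37.252.106               23718              948720
 212.37.252.106   213.236.138.2                    1                  70
"""

# Constructed /etc/passwd excerpt (NOT from the post). 'toor' (a second UID 0)
# and 'apache' (UID 42, matching the odd owner of /home/apache) are hypothetical
# entries of the kind an intruder adds; the UID 48 for httpd is an assumption.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
admin:x:1000:1000:Cobalt Admin:/home/users/admin:/bin/bash
httpd:x:48:48:Apache:/home/httpd:/bin/false
toor:x:0:0::/:/bin/sh
apache:x:42:42::/home/apache:/bin/sh
"""

# One data row: source, destination, packets, bytes (trailing annotations ignored).
ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)")


def parse_accounting(text):
    """Return {source_ip: (packets, bytes)} summed over all destinations.
    Header lines and non-matching annotation lines are skipped."""
    totals = defaultdict(lambda: [0, 0])
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        src, _dst, pkts, nbytes = m.groups()
        totals[src][0] += int(pkts)
        totals[src][1] += int(nbytes)
    return {src: tuple(v) for src, v in totals.items()}


def top_talkers(text, min_bytes=100_000):
    """(source, packets, bytes) for sources above min_bytes, largest first."""
    totals = parse_accounting(text)
    ranked = sorted(totals.items(), key=lambda kv: kv[1][1], reverse=True)
    return [(src, pkts, nb) for src, (pkts, nb) in ranked if nb >= min_bytes]


def sources_in_prefix(text, prefix):
    """Sources whose dotted address starts with prefix, e.g. '170.140.' for the
    /16 the WHOIS in the post assigns to Emory University."""
    return sorted(src for src in parse_accounting(text) if src.startswith(prefix))


def audit_passwd(text, suspicious_uids=(42,)):
    """Flag (user, uid, reason) for every non-root UID 0 account and for any
    account whose UID is in suspicious_uids (e.g. the owner of a strange directory)."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:          # malformed line, not a passwd entry
            continue
        user, uid = fields[0], int(fields[2])
        if uid == 0 and user != "root":
            findings.append((user, uid, "extra UID 0 account"))
        elif uid in suspicious_uids:
            findings.append((user, uid, "UID matches unexplained file owner"))
    return findings


if __name__ == "__main__":
    for src, pkts, nb in top_talkers(IP_ACCOUNTING):
        print(f"{src:16} {pkts:8d} pkts {nb:10d} bytes")
    print("sources in 170.140.0.0/16:", sources_in_prefix(IP_ACCOUNTING, "170.140."))
    for user, uid, why in audit_passwd(PASSWD):
        print(f"{user}: uid {uid}: {why}")
```

Run on the real files with `parse_accounting(open("accounting.txt").read())` and `audit_passwd(open("/etc/passwd").read())`, and compare the flagged UIDs against `ls -ln /home`. Note that the symptoms in the post (the console reporting 14 days of uptime after a restart, telnet still answering after telnetd was disabled) are the kind that can arise when system binaries have been replaced; if that is the case, `ps`, `netstat` and `ls` run on the box itself cannot be trusted, so do this kind of analysis from copies of the files on a clean machine and verify the installed binaries against package checksums or clean media.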