
Re: [cobalt-security] hacked raq3



I can't really tell you what processes should be running, because that 
depends on your services, but I can give you a somewhat good walkthrough for 
finding problems.

As a start I would advise you run "ps -auxwww" on the server and check what 
programs it says are running, and try to account for them all.  If you don't 
know what something does, look at the man page or do a google search.  Next, 
run "netstat -plven" AS ROOT.  That will tell you what programs are listening 
on what ports, and their PIDs.  After that telnet to those ports and see if 
they respond with what they should (for example, try telnetting to a host 
with FTP on port 21, they usually respond saying the FTP server type and 
version).  A good port scanner for linux is nmap, get it at freshmeat.net.
Another good scanner/system checker is nessus, get it at the same place.
These are both linux tools; I don't know their equivalent in windows or mac.

If you don't have access to the shell, and can't get it, you need to (or have 
someone) reboot the machine, and boot to single user mode, which can be done 
through extra parameters on bootup.  Mail if you need that.

Sorry if this doesn't apply to you too much, but I figure the more info out 
there for people, the better.

-KB

On Tuesday 13 March 2001 15:28, you wrote:
> Hi, and please help me
>
> Our raq3 was hacked (March 11-12) and files and programs were deleted
> and/or permissions were changed on some files. I do not have the full view
> on all the hacked files or how it happened. A server in the US kept sending
> big packages to our raq for several hours until our network supplier cut
> their IP range off (see atch1). I do think they started their own telnet
> (telnetd) and ftp (data-ftp) programs. One of the users they created was
> 42:
>
> drwxr-xr-x   3 42       42           1024 Jun 20  2000 apache (atch 2)
>
> If it can give a clue, I can tell that sendmail is giving an error in the
> admin web interface that says it's not running but mails get delivered and it
> looks ok. I also restarted the server in the admin console but the
> admin-console says the server has been running for over 14 days. I tried to
> disconnect the telnet server but even I myself was still using telnet after
> it was turned off.
>
> Anybody who can help me with names on processes that normally should not
> run, and commands I can use to get port, user and other info, useful when I
> think there is something going wrong in the cobalt. (I am a newbie).
>
> I am grateful to all tips regarding this hack and how to trace things in
> the future. Take a look at the logs and info at the end of the mail.
>
> regards
>
> Kai R Schantz
> Euroweb AS
> Verksgaten 42
> N-4013 Stavanger
> Norway
> Tlf:+47 51 89 64 64  fax:+47 51 89 56 41
> www.euroweb.no
>
>
>
> hotellet-gw#sh ip accounting
>    Source           Destination              Packets               Bytes
>  213.142.74.118   212.37.252.106                   2                  86
>  192.36.148.17    212.37.252.106                   1                 120
>  62.66.242.228    212.37.252.106                   1                  40
>  170.140.161.237  212.37.252.106                 592               33152
> XXXXXX
>  170.140.161.238  212.37.252.106                 592               33152
> XXXXXX
>  194.29.203.100   212.37.252.106                  13                1019
>  152.163.132.250  212.37.252.106                   1                  56
>  195.204.132.202  212.37.252.106                  16                 728
>  170.140.43.64    212.37.252.106                  18                 720
> XXXXXXX
>  152.163.159.232  212.37.252.106                   1                 157
>  212.33.133.33    212.37.252.106                   2                 309
>  129.240.64.2     212.37.252.106                   1                 165
>  205.188.157.232  212.37.252.106                   1                 182
>  170.140.102.64   212.37.252.106               38315             1532600
> XXXXXX
>  130.67.15.194    212.37.252.106                   1                  62
>  193.156.90.14    212.37.252.106                   2                 112
>  130.67.61.34     213.236.138.20                   1                  56
>  209.15.2.61      212.37.252.106                   2                  84
>  195.204.218.58   212.37.252.106                 336               31100 
> x? 130.67.81.122    212.37.252.106                  39                1560
> 192.36.144.133   212.37.252.106                   2                 454
> 170.140.164.127  212.37.252.106                 734               29360
> XXXXXX
>    Source           Destination              Packets               Bytes
>  62.1.254.14      212.37.252.106                   1                  40
>  216.35.103.81    212.37.252.106                  13                 894
>  209.202.148.41   212.37.252.106                   5                 561
>  130.67.231.136   212.37.252.106                 102                8820
>  128.39.2.9       212.37.252.106                   6                 401
>  170.140.48.191   212.37.252.106               23718              948720
> XXXXXX
>  213.236.138.2    212.37.252.106                   1                 170
>  212.37.252.106   213.236.138.2                    1                  70
>  148.122.161.49   213.236.138.20                  11                2959
>  216.35.112.51    212.37.252.106                  10                 783
>  193.215.2.145    212.37.252.106                  71               10178
> XXXXXXX
>  152.163.225.90   212.37.252.106                   2                 116
>  62.191.152.149   212.37.252.106                   8                 367
>  152.163.225.69   212.37.252.106                  11                1730
>
> Accounting data age is 0
>
> WHOIS:
> IP block lookup for 170.140.102.64
> whois -h whois.arin.net 170.140.102.64
>
> Emory University (NET-EMORY2)
>    Atlanta GA, 30322
>    US
>
>    Netname: EMORY2
>    Netblock: 170.140.0.0 - 170.140.255.255
>
>    Coordinator:
>       Petersen, Paul  (PP1526-ARIN)  ppeters@xxxxxxxxx
>       (404) 727-7686 (FAX) (404) 727-2599
>
>
>
> (atch 2)
>
> -rw-rw-rw-   1 root     root         9300 Mar 11 20:07 chili-psm
> -rw-r--r--   1 root     root      1776311 Mar 11 04:11 access.1.gz
>
> drwxr-xr-x  16 root     root         1024 Mar 12 14:15 .
> drwxr-xr-x  16 root     root         1024 Mar 12 12:34 ..
> drwxr-xr-x   3 42       42           1024 Jun 20  2000 apache
> drwxr-xr-x  17 root     root         1024 Jan 18 08:03 chiliasp
> drwxr-xr-x   9 root     root         1024 Dec 19 19:28 cmu
> drwxr-xr-x   3 root     root         1024 Jan  6  2000 httpd
> drwxr-xr-x   3 root     root         1024 Jan  6  2000 log
> drwxr-xr-x   2 root     root        12288 Jan  6  2000 lost+found
> drwxr-xr-x  12 httpd    httpd        1024 Jun 21  2000 openshop
> drwxr-xr-x   2 admin    admin        1024 Feb 13 05:36 packages
> drwx------   3 postgres postgres     1024 Feb 15 20:01 pgsql
> -rw-------   1 root     root        32032 Mar 13 12:33 quota.group
> -rw-------   1 root     root        32480 Mar 13 17:32 quota.user
> drwxr-xr-x   7 root     root         1024 Jan  6  2000 redhat
> drwxr-xr-x   2 root     nobody       1024 Jul 22  1999 samba
> drwxr-xr-x 196 root     root         9216 Mar  5 12:10 sites
> -rw-rw-r--   1 admin    admin    695162297 Mar 12 14:12 sites.tar.gz
> drwxr-xr-x   4 root     root         1024 Jan  6  2000 spool
> drwxrwxrwx   4 root     root         1024 Mar 13 15:55 tmp
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security

-- 
- Kevan Benson
- Colocation and Hosting Product Manager
- Sonic.net, Inc.
- (707)522-1000 x219
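As an added example (not code from either poster), a small POSIX sh helper that applies the "netstat -plven" step from the reply above: it reads the netstat output, compares each listener's port against the list of ports you expect to be open, and prints every other listener with its UID and PID/program name so it can be chased with ps. The sample netstat output is constructed for the demo; the port numbers, the "data-ftp" program name and uid 42 are illustrative only.

```shell
#!/bin/sh
# check_listeners PORTS  -- reads "netstat -plven" output on stdin and prints
# every listening socket whose port is not in the space-separated PORTS list.
# Run the real thing as root: otherwise netstat prints "-" instead of the
# PID/program name and the owner of a rogue listener cannot be identified.
check_listeners() {
    awk -v expected="$1" '
    BEGIN { n = split(expected, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # Keep only tcp/udp socket lines; drop the two header lines netstat prints.
    $1 !~ /^(tcp|udp)6?$/ { next }
    # tcp lines carry a State column, udp lines do not, so skip tcp sockets
    # that are not listening and index the remaining fields from the end:
    # last field is PID/Program name, two before it is the numeric UID.
    $1 ~ /^tcp/ && $6 != "LISTEN" { next }
    {
        port = $4; sub(/.*:/, "", port)      # strip "0.0.0.0:" or ":::" prefix
        uid = $(NF-2); pidprog = $NF
        if (pidprog == "-") unresolved++
        if (!(port in ok))
            printf "SUSPECT %s port %s uid=%s %s\n", $1, port, uid, pidprog
    }
    END { if (unresolved) print "NOTE: some PIDs hidden, re-run netstat as root" }'
}

# Constructed sample of "netstat -plven" output (not captured from a real host).
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      0          1201       412/proftpd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          1300       520/httpd
tcp        0      0 0.0.0.0:2323            0.0.0.0:*               LISTEN      42         9911       7712/data-ftp
udp        0      0 0.0.0.0:514             0.0.0.0:*                           0          1150       388/syslogd'

# Stand-alone demo: only the listener on the unexpected port, owned by uid 42,
# is reported. On a live box replace the printf with: netstat -plven 2>/dev/null
printf '%s\n' "$SAMPLE" | check_listeners "21 80 514"
```

Treat the printed list as a starting point, not a verdict: match each reported PID against "ps -auxwww" and confirm the program and its owner are something you installed.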