
RE: [cobalt-security] owned by 187?



SEND AN ABUSE MAIL TO ABUSE@xxxxxxxxxx

>nslookup 195.96.105.247
Server:  mail.magic.nl.com
Address:  192.168.1.1

Name:    4dyn247.delft.casema.net
Address:  195.96.105.247

It's one of those Dutch cable users in the city of Delft. Probably a
student.

--
 MVG,
 Rob van Eijk

-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx] On Behalf Of Kevin D
Sent: Wednesday, 6 June 2001 16:06
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: [cobalt-security] owned by 187?


I was greeted this morning with an email in my box that read, "owned by 187".
Apparently the user obtained root on my system, because the message was from
root@localhost.

When I logged into the box, I found a user with a stale FTP connection still
open from 195.96.105.247. I checked the logs and found several entries for
that IP in my message log, including:

Jun  6 09:03:18 ns1 proftpd[20608]: ns1.mtsolutions.net
(4dyn247.delft.casema.net[195.96.105.247]) - PAM(mtsolutions):
Authentication failure.
Jun  6 09:03:19 ns1 proftpd[20608]: ns1.mtsolutions.net
(4dyn247.delft.casema.net[195.96.105.247]) - FTP session closed.
Jun  6 09:03:28 ns1 proftpd[20609]: ns1.mtsolutions.net
(4dyn247.delft.casema.net[195.96.105.247]) - Malformed entry in group file:
Jun  6 09:03:29 ns1 proftpd[20609]: ns1.mtsolutions.net
(4dyn247.delft.casema.net[195.96.105.247]) - Malformed entry in group file:
Jun  6 09:09:04 ns1 proftpd[20609]: ns1.mtsolutions.net
(4dyn247.delft.casema.net[195.96.105.247]) - FTP no transfer timeout,
disconnected.

I have been slow to install the latest proftp patches (waiting on the kernel
update, actually), so I assume this is the method that the intruder used to
gain access.

Also, I found several log entries relating to modprobe.

My baseline file checker found that only the passwd and shadow files were
modified, but it looks like the hacker changed them back to what they
originally were?? Originally the file was 14697 bytes, then it was changed
to 51544 bytes, and then back to 14697 bytes. I figure the hacker probably
backed up my passwd file and then restored it maybe? Is there a way to check
for recently deleted files?

The real bummer here is that I set up a bulk email CGI utility and the idiot
hacker used it to send messages to everyone saying, "Owned by 187". Anyone
ever hear of that before?

Alas, while the idiot didn't bother to clean up the FTP log, he left no
trace of himself in the root history file, so I have no idea what he did
other than from my baseline checker. After this lovely scenario, I'd love to
know of a program that will record keystrokes of logged in users.

My baseline checker reports no more modified files, and I've portscanned all
IPs on the raq, so it looks like the box is clean, which of course surprises
me.

Any opinions?

Kevin

_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security
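As an added example (not from the thread or from either poster), here is a small Python triage script for proftpd syslog lines in the format Kevin quoted: it groups entries by source address and flags a source whose authentication failure is followed within a short window by server-side "Malformed entry in group file" messages, which is the sequence Kevin found. The sample log is the post's entries re-joined onto single lines, the year is assumed to be 2001 (syslog timestamps carry none), and the 60-second window is an arbitrary choice.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the proftpd entries quoted in the post, re-joined onto
# single lines (the mail client had wrapped them at 72 columns).
SAMPLE_LOG = """\
Jun  6 09:03:18 ns1 proftpd[20608]: ns1.mtsolutions.net (4dyn247.delft.casema.net[195.96.105.247]) - PAM(mtsolutions): Authentication failure.
Jun  6 09:03:19 ns1 proftpd[20608]: ns1.mtsolutions.net (4dyn247.delft.casema.net[195.96.105.247]) - FTP session closed.
Jun  6 09:03:28 ns1 proftpd[20609]: ns1.mtsolutions.net (4dyn247.delft.casema.net[195.96.105.247]) - Malformed entry in group file:
Jun  6 09:03:29 ns1 proftpd[20609]: ns1.mtsolutions.net (4dyn247.delft.casema.net[195.96.105.247]) - Malformed entry in group file:
Jun  6 09:09:04 ns1 proftpd[20609]: ns1.mtsolutions.net (4dyn247.delft.casema.net[195.96.105.247]) - FTP no transfer timeout, disconnected.
"""

# syslog prefix, then proftpd's "server (rhost[rip]) - message" layout
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"proftpd\[(?P<pid>\d+)\]: \S+ \((?P<host>[^\[]*)\[(?P<ip>[^\]]+)\]\) - (?P<msg>.*)$"
)

def parse(text, year=2001):
    """Parse proftpd syslog lines into event dicts; year is assumed (syslog omits it)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated daemon or wrapped fragment: skip
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "pid": int(m["pid"]), "ip": m["ip"],
                       "host": m["host"], "msg": m["msg"].strip()})
    return events

def triage(events, window_s=60):
    """Per source IP: count auth failures and group-file parse errors, record the
    proftpd PIDs (sessions) involved, and flag a source whose parse error follows
    its own auth failure within window_s seconds."""
    by_ip = defaultdict(lambda: {"auth_failures": 0, "server_errors": 0,
                                 "sessions": set(), "flag": False})
    last_fail = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        s = by_ip[e["ip"]]
        s["sessions"].add(e["pid"])
        if "Authentication failure" in e["msg"]:
            s["auth_failures"] += 1
            last_fail[e["ip"]] = e["ts"]
        elif "Malformed entry in group file" in e["msg"]:
            s["server_errors"] += 1
            t = last_fail.get(e["ip"])
            if t is not None and (e["ts"] - t).total_seconds() <= window_s:
                s["flag"] = True
    return dict(by_ip)

if __name__ == "__main__":
    for ip, s in triage(parse(SAMPLE_LOG)).items():
        print(ip, "FLAGGED" if s["flag"] else "ok", s)
```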