did i get hacked???


sivel
07-24-2004, 01:37 AM
hello all,

i think i may have been hacked, through the webby, though im not sure.

the end result was total deletion of my /home dir.

heres a couple of "out of place" lines from the access_log:
____________



1] 64.247.136.36 - - [21/Jul/2004:01:21:44 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%u cbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucb d3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b %u53ff%u0078%u0000%u00=a HTTP/1.0" 404 1040 "-" "-"

2] 64.247.136.36 - - [21/Jul/2004:01:39:18 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%u cbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucb d3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b %u53ff%u0078%u0000%u00=a HTTP/1.0" 400 973 "-" "-"

3] 198.248.98.194 - - [20/Jul/2004:12:19:42 -0400] "GET /scripts/nsiislog.dll" 404 1040 "-" "-"
198.248.98.194 - - [20/Jul/2004:12:19:42 -0400] "GET /scripts/nsiislog.dll" 404 1040 "-" "-"
198.248.98.194 - - [20/Jul/2004:12:19:42 -0400] "GET /scripts/nsiislog.dll" 404 1040 "-" "-"
198.248.98.194 - - [20/Jul/2004:12:19:42 -0400] "GET /scripts/nsiislog.dll" 404 1040 "-" "-"
198.248.98.194 - - [20/Jul/2004:12:19:42 -0400] "GET /scripts/nsiislog.dll" 404 1040 "-" "-"
198.248.98.194 - - [20/Jul/2004:12:19:43 -0400] "GET /scripts/nsiislog.dll" 404 1040 "-" "-"

the things i have on the webby are:

1] psychostats [online game stats proggy]

2] yabbse [forum]

3] phpua [live game stats]

4] phpnuke 7.3

my webby is also linked to some of my game servers for connecting clients to automatically download the appropriate maps, etc..

thanks in advance,

sivel

Loki3
07-24-2004, 04:04 AM
Those lines were from a virus looking for IIS exploits. They shouldn't have affected you as long as you weren't running Windows.

rocketpcguy
07-24-2004, 06:45 AM
the end result was total deletion of my /home dir.

Those lines were from a virus looking for IIS exploits. They shouldn't have affected you as long as you weren't running Windows.


huh?

sharth
07-24-2004, 08:58 AM
Those lines are signatures from specific viruses that only hit IIS on Windows. If he lost his /home partition, it was from something else.

http://www.armbrustconsulting.com/LogEntries.html

The nsiislog.dll is an IIS Windows-only bug. Doesn't seem to have a name of its own yet.

The default.ida one is some variant of Code Red, which also only affects Windows machines.
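An added example, not part of the thread, that turns the two replies above into a check you can run over a whole access_log: it parses Apache combined-format lines and counts the IIS-only worm probes (Code Red's default.ida with its %u-encoded payload, nsiislog.dll, and the cmd.exe/root.exe requests of Nimda, added here as a generalisation), and separately lists any probe the server answered with a 2xx/3xx, which is the only case that deserves a closer look on an Apache box. The sample lines are constructed from the post (Code Red payload shortened, forum line-wrapping removed) plus an invented served probe from 10.0.0.9.

```python
import re
from collections import Counter

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>[^\s"]+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Request paths only an IIS box could serve.  Code Red I padded with N, Code Red II with X.
IIS_WORM_SIGNATURES = {
    "code_red": re.compile(r"^/default\.ida\?[XN]+%u", re.I),
    "nsiislog": re.compile(r"^/scripts/nsiislog\.dll", re.I),
    "nimda":    re.compile(r"/(?:cmd|root)\.exe", re.I),
}

def parse_line(line):
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry

def classify(entry):
    """(signature, served) for a worm probe, else None.  served=True means a
    2xx/3xx answer: something really existed at that path, so look closer."""
    for name, rx in IIS_WORM_SIGNATURES.items():
        if rx.search(entry["path"]):
            return name, 200 <= entry["status"] < 400
    return None

def triage(lines):
    """Count probes per (source, signature); list any the server actually served."""
    probes, served = Counter(), []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        hit = classify(entry)
        if hit is None:
            continue
        name, was_served = hit
        probes[(entry["host"], name)] += 1
        if was_served:
            served.append((entry["host"], entry["path"], entry["status"]))
    return probes, served

# Constructed sample: the thread's two probe types (Code Red payload shortened,
# forum line-wrapping removed), one normal hit, and one invented served probe.
SAMPLE_LOG = [
    '64.247.136.36 - - [21/Jul/2004:01:21:44 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 1040 "-" "-"',
    '64.247.136.36 - - [21/Jul/2004:01:39:18 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 400 973 "-" "-"',
    '198.248.98.194 - - [20/Jul/2004:12:19:42 -0400] "GET /scripts/nsiislog.dll" 404 1040 "-" "-"',
    '198.248.98.194 - - [20/Jul/2004:12:19:42 -0400] "GET /scripts/nsiislog.dll" 404 1040 "-" "-"',
    '198.248.98.194 - - [20/Jul/2004:12:19:43 -0400] "GET /scripts/nsiislog.dll" 404 1040 "-" "-"',
    '10.0.0.5 - - [22/Jul/2004:09:00:00 -0400] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [22/Jul/2004:09:05:00 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 512 "-" "-"',
]

if __name__ == "__main__":
    probes, served = triage(SAMPLE_LOG)
    for (host, name), n in sorted(probes.items()):
        print(f"{host:16} {name:9} {n} probe(s)")
    for host, path, status in served:
        print(f"SERVED {status} to {host}: {path}")
```

Run it against the real file with `triage(open("/var/log/httpd/access_log"))`; a 404 or 400 on these paths, as in the post, is background noise, while a served entry means the path resolved to something on your own box.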

bwkaz
07-24-2004, 09:01 AM
Originally posted by sharth
Those lines are signatures from specific viruses that only hit IIS on Windows. If he lost his /home partition, it was from something else.

Exactly.

Like running unknown programs, or doing an rm -r * in your home directory. Not from IIS exploits.

Either that, or it wasn't self inflicted and the cracker responsible deleted any indication of his presence from the log files -- but I think that's highly unlikely if all you lost was your home directory. Though I would run chkrootkit at least once, just on the off chance that that's what it really was.

Which version of Apache do you have installed? Which version of PHP?

happybunny
07-24-2004, 09:06 AM
would running this help?

http://www.chkrootkit.com/

sharth
07-24-2004, 09:08 AM
But why would a cracker want to delete your entire home directory... I'd recommend doing the chkrootkit dance and looking in /root for anything fun. like... .bash_history I'd be amused if that wasn't deleted...

posterboy
07-24-2004, 09:20 AM
Also, think about doing a ps -pultw and read the output carefully. Any unusual open ports, means a re-install. :(
As for the original post, I get those all the time, they are M$ exploits, Apache is immune to all that.

daYz
07-24-2004, 09:23 AM
You might want to install lids and tripwire. Lids protects your system, and you can use tripwire to see if you've been hacked.

http://www.lids.org

http://www.tripwire.org/

sivel
07-24-2004, 09:46 AM
well,

thanks everyone for the quick replies!

otay, i talked to tech support, and he said there was definite evidence of what he called a "vector-attack". in regards to accidentally deleting the entire home dir, that didn't happen, and no one else had the root password. and i took great care not to do that.

this is his reply:

"Unfortunately, since all the users appear to have been removed, I
can`t look at their history files. I did find a few things, including
the likely attack vector.

cat /tmp/sess_2c5e024264a9fb3ac89d816d6f71fdb0
LANG|s:5:"en-us";step|i:5;step4_username|s:5:"sivel";step4_password|s:32:"f865c5e07958ad70ef989e905390f6d0";authenticated|b:1;username|s:5:"sivel";

running process

root 13787 0.0 0.6 12704 6464 ttyp0 S 20:31 0:01 php -q
go.php empresas.txt tiranosarro.html cartao@tiranosarro.com.br

really old php version. I believe this version is trivial to do a root
exploit on.
-bash-2.05b# php -v
4.2.2

exploit files
-bash-2.05b# cd /tmp/.,,/
-bash-2.05b# ls -al
total 1412
drwxr-xr-x 2 root root 4096 Jul 24 2004 .
drwxrwxrwt 8 root root 4096 Jul 24 2004 ..
-rw-r--r-- 1 root root 863 Jul 23 18:08 bb.html
-rw-r--r-- 1 root root 1141712 Jul 23 19:13 empresas.txt
-rw-r--r-- 1 root root 10847 Jul 23 22:03 failed.txt
-rw-r--r-- 1 root root 2319 May 16 21:03 go.php
-rw-r--r-- 1 root root 260612 Jul 23 22:03 ok.txt
-rw-r--r-- 1 root root 801 Jul 18 01:31 tiranosarro.html

The hack attempt, if anywhere, is likely buried in your apache error
logs."

ive checked the apache logs, and was wondering where else i would check?

im using RH 9.0
apache 2.0.47

i noticed someone got in using my username sivel, but thats not my password.


any ideas?


thanks in advance,

sivel
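The tech's reply above reads a PHP session file out of /tmp. PHP's default session handler keeps one such file per session in session.save_path (/tmp unless configured otherwise), readable by the web server user and root, so any PHP code running on the box, not just the application that created it, can harvest them. The decoder below is an added example, not code from the thread or from PHP: it parses the session_encode() layout (`key|serialize()d value`, repeated) for the scalar types and nested arrays, and then flags fields that look like credentials. The sample session string is the one the tech pasted; the array sample is constructed.

```python
import re

def decode_session(data):
    """Decode PHP's session_encode() format: key|<serialize()d value>, repeated."""
    out, pos = {}, 0
    while pos < len(data):
        bar = data.index("|", pos)
        key = data[pos:bar]
        value, pos = _unserialize(data, bar + 1)
        out[key] = value
    return out

def _unserialize(s, pos):
    """Parse one serialize()d value at pos; return (value, next_pos).
    Handles N, i, b, d, s and nested a.  PHP string lengths are byte counts;
    the samples here are ASCII, so character counts are equivalent."""
    t = s[pos]
    if t == "N":                      # N;
        return None, pos + 2
    if t in "ibd":                    # i:5;   b:1;   d:1.5;
        end = s.index(";", pos)
        raw = s[pos + 2:end]
        if t == "i":
            val = int(raw)
        elif t == "b":
            val = bool(int(raw))
        else:
            val = float(raw)
        return val, end + 1
    if t == "s":                      # s:5:"en-us";
        colon = s.index(":", pos + 2)
        length = int(s[pos + 2:colon])
        start = colon + 2             # skip ':"'
        return s[start:start + length], start + length + 2   # skip '";'
    if t == "a":                      # a:2:{<key><value><key><value>}
        colon = s.index(":", pos + 2)
        count = int(s[pos + 2:colon])
        pos = colon + 2               # skip ':{'
        items = {}
        for _ in range(count):
            k, pos = _unserialize(s, pos)
            v, pos = _unserialize(s, pos)
            items[k] = v
        return items, pos + 1         # skip '}'
    raise ValueError(f"unsupported serialize() type {t!r} at offset {pos}")

HEX32 = re.compile(r"^[0-9a-f]{32}$")

def credential_fields(session):
    """Keys worth pulling out during triage: name mentions 'pass' or 'auth',
    or the value is a 32-hex-digit string (the length of an MD5 digest)."""
    hits = []
    for key, value in session.items():
        named = any(word in key.lower() for word in ("pass", "auth"))
        hashed = isinstance(value, str) and HEX32.match(value) is not None
        if named or hashed:
            hits.append(key)
    return hits

# The session file contents quoted in the thread.
SAMPLE_SESSION = (
    'LANG|s:5:"en-us";step|i:5;step4_username|s:5:"sivel";'
    'step4_password|s:32:"f865c5e07958ad70ef989e905390f6d0";'
    'authenticated|b:1;username|s:5:"sivel";'
)

if __name__ == "__main__":
    session = decode_session(SAMPLE_SESSION)
    for key, value in session.items():
        print(f"{key:16} = {value!r}")
    print("credential-looking fields:", credential_fields(session))
```

The `step|i:5` and `step4_*` keys are what an installer or setup wizard leaves behind; finding such a session alongside `authenticated|b:1` is a pointer to which application to examine first, which is the "likely attack vector" the tech refers to.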

sivel
07-24-2004, 09:52 AM
heres my access_log if anyones bored, heh

posterboy
07-24-2004, 10:01 AM
Yeah, that's the Code Red, (or variant) exploit. He tries to get default.ida and overrun the buffer. The machine code is right at the end. It didn't work, you have no default.ida available for him to load, and you sent him back a 404. This is NOT to worry, you may HAVE been cracked, I don't know, but I do NOT think this is evidence of it.

rocketpcguy
07-24-2004, 11:04 AM
what's your /root/.bash_history , anything u didn't do? the cracker most probably deleted this file.

sivel
07-24-2004, 08:48 PM
well, as luck would have it,

the b*stard deleted it. any other possible places i can look?



thanks in advance,
sivel:confused:

EnigmaOne
07-24-2004, 08:51 PM
At this point, if your /root/.bash_history file is gone, you can't trust any of the binaries, scripts or code libraries on the machine.

Reinstall.

sivel
07-24-2004, 09:06 PM
that sucks.

i tried the debugfs and lsdel command on all the partitions, nothing deleted.


anyway,

thanks to all those who took the time to help,

sivel

Loki3
07-24-2004, 09:21 PM
Ouch.

Hopefully you have backups.

*shuffles off to backup*

sivel
07-24-2004, 11:50 PM
funny thing about back-ups----------


you only learn to use them the first time you get screwed. lol

my partner and i rent gameservers to people, and with the "deletion" of the home dir, ive lost all of their server-setups, as well as account info.

no prob, you live you learn.

i just want to get an ip so i can find the guy and rip his rectum through his nostrils.-theres a nice mental pic for ya- heh.

thanks again all who tried to help. ive visited quite a few linux related forums, and i gotta say, justlinux.com always comes through for me, even if the solution is not found, people just dont "watch" the thread get old w/out any input, they try to help.

the only other forum thats linux related that ive been a member of that was the same as above is the gentoo forums.

again, thanks to all,

sivel


P.S-

with that said, im gonna go into my room and "privately" punch myself about the genitals for about 5 minutes. LOL:D

happybunny
07-25-2004, 12:09 AM
after you are done punching yourself, and if you used ext2 filesystem...check this out:


http://www.data-recovery-software.net/Linux_Recovery.shtml

claims to recover ext2 deleted files.

sivel
07-25-2004, 01:06 AM
since the machine is on a remote box, how would i find out
what filesystem it uses?



**** nevermind, i found out, DOH!! ext3*********

thanks,

sivel

sivel
07-25-2004, 01:54 AM
ok,

he/she left the entire /var/log folder intact, is there anything inthere i can look into?


thanks,


sivel

sivel
07-25-2004, 02:51 AM
allrighty,

in my /var/log/messages file i found this:


Jul 24 15:54:26 221040 sshd(pam_unix)[19549]: check pass; user unknown
Jul 24 15:54:26 221040 sshd(pam_unix)[19549]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.xxx.xxx
Jul 24 15:54:33 221040 sshd(pam_unix)[19551]: check pass; user unknown
Jul 24 15:54:33 221040 sshd(pam_unix)[19551]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.xxx.xxx
Jul 24 15:54:38 221040 sshd(pam_unix)[19554]: check pass; user unknown
Jul 24 15:54:38 221040 sshd(pam_unix)[19554]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.xxx.xxx
Jul 24 15:54:44 221040 sshd(pam_unix)[19556]: check pass; user unknown
Jul 24 15:54:44 221040 sshd(pam_unix)[19556]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.xxx.xxx
Jul 24 15:54:49 221040 sshd(pam_unix)[19558]: check pass; user unknown
Jul 24 15:54:49 221040 sshd(pam_unix)[19558]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.xxx.xxx
Jul 24 15:54:50 221040 sshd(pam_unix)[19560]: check pass; user unknown
Jul 24 15:54:50 221040 sshd(pam_unix)[19560]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.xxx.xxx
Jul 24 15:54:54 221040 sshd(pam_unix)[19563]: check pass; user unknown
Jul 24 15:54:54 221040 sshd(pam_unix)[19563]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.xxx.xxx
Jul 24 15:54:56 221040 sshd(pam_unix)[19562]: check pass; user unknown
Jul 24 15:54:56 221040 sshd(pam_unix)[19562]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.xxx.xxx
Jul 24 15:55:00 221040 sshd(pam_unix)[19566]: check pass; user unknown
Jul 24 15:55:00 221040 sshd(pam_unix)[19566]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.xxx.xxx
Jul 24 15:55:05 221040 sshd(pam_unix)[19568]: check pass; user unknown
Jul 24 15:55:05 221040 sshd(pam_unix)[19568]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.xxx.xxx
Jul 24 15:58:12 221040 sshd(pam_unix)[19570]: session opened for user root by (uid=0)
Jul 24 15:58:57 221040 sshd(pam_unix)[19570]: session closed for user root


now as far as the date it got hacked, that's the day; the time, im not too sure of.

one question is why would it show the failed attempts ip, and not the successful logon ips?

anywhere i can go aside from the bash_history [which he deleted] and in the /var/log folder to find this?


thanks,

sivel

P.S-

in a curious twist of fate, i have xxx his ip to protect his identity.---LOL!
if this is in fact "binding" evidence, his anus is mine!

bwkaz
07-25-2004, 01:44 PM
(Yet another reason to set "PermitRootLogin no" in your /etc/ssh/sshd_config file... logins as user "root" are ALWAYS disallowed if you set that. ;))

As for your question about whether this is actually proof of a cracking attempt, I'm not sure. I don't use PAM myself, and it's PAM that's logging these messages. It could be that sshd was trying to log a user in as UID 0 (which is always root), or it could be that sshd was running as root when it tried to log somebody in (I don't know what the uid=0 fields in the log messages mean).

However, given the time interval between successive login attempts, that looks like it could be somebody trying to brute-force an ssh user's password. Possibly even root's (based on the last 2 messages), though I'm not really sure on that.

Is there anything helpful in /var/log/auth.log (or wherever your distro puts AUTH facility messages)?
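An added example that answers the two questions left open above; it is not code from the thread. In these pam_unix lines `uid=0 euid=0` are the real and effective UIDs of the sshd process performing the check, not the account being tried, and `check pass; user unknown` means the name offered does not exist in /etc/passwd. The source address of the successful login is in sshd's own `Accepted password for root from <ip>` line, which Red Hat's stock sshd_config sends to the authpriv facility and syslog.conf routes to /var/log/secure, not to /var/log/messages where the pam_unix lines ended up. The script groups failures by rhost, flags a burst (five or more within two minutes, thresholds assumed) and reports any session opened within ten minutes of a burst. The sample is taken from the post, with a benign session for user sivel added at 15:00 to show a non-match; the year is assumed since syslog lines carry none.

```python
import re
from datetime import datetime, timedelta

# pam_unix lines as they appear in the post.  "uid=0 euid=0" are the credentials of
# the sshd process doing the check, not of the account being tried.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\(pam_unix\)\[\d+\]: "
    r"authentication failure;.*\brhost=(?P<rhost>\S+)"
)
OPEN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\(pam_unix\)\[\d+\]: "
    r"session opened for user (?P<user>\S+)"
)
YEAR = 2004  # syslog timestamps carry no year; assumed from the thread's dates

def parse_ts(text):
    return datetime.strptime(f"{YEAR} {text}", "%Y %b %d %H:%M:%S")

def analyze(lines, burst=5, window=timedelta(minutes=2), followup=timedelta(minutes=10)):
    """Return (bursts, suspicious).  A burst is `burst` failures from one rhost inside
    `window`; a session opened within `followup` after a burst's end is suspicious."""
    failures, sessions = {}, []
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            failures.setdefault(m["rhost"], []).append(parse_ts(m["ts"]))
            continue
        m = OPEN_RE.match(line)
        if m:
            sessions.append((parse_ts(m["ts"]), m["user"]))
    bursts = []
    for rhost, stamps in failures.items():
        stamps.sort()
        for i in range(len(stamps) - burst + 1):        # sliding window over sorted times
            if stamps[i + burst - 1] - stamps[i] <= window:
                bursts.append((rhost, stamps[i], stamps[i + burst - 1]))
                break
    suspicious = [
        (ts, user, rhost)
        for ts, user in sessions
        for rhost, _start, end in bursts
        if end <= ts <= end + followup
    ]
    return bursts, suspicious

# From the post (first six failures, plus the root session); the 15:00 sivel
# session is constructed to show a login that is not tied to any burst.
SAMPLE_MESSAGES = """\
Jul 24 15:00:02 221040 sshd(pam_unix)[19001]: session opened for user sivel by (uid=0)
Jul 24 15:02:40 221040 sshd(pam_unix)[19001]: session closed for user sivel
Jul 24 15:54:26 221040 sshd(pam_unix)[19549]: check pass; user unknown
Jul 24 15:54:26 221040 sshd(pam_unix)[19549]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.xxx.xxx
Jul 24 15:54:33 221040 sshd(pam_unix)[19551]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.xxx.xxx
Jul 24 15:54:38 221040 sshd(pam_unix)[19554]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.xxx.xxx
Jul 24 15:54:44 221040 sshd(pam_unix)[19556]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.xxx.xxx
Jul 24 15:54:49 221040 sshd(pam_unix)[19558]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.xxx.xxx
Jul 24 15:54:50 221040 sshd(pam_unix)[19560]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.xxx.xxx
Jul 24 15:58:12 221040 sshd(pam_unix)[19570]: session opened for user root by (uid=0)
Jul 24 15:58:57 221040 sshd(pam_unix)[19570]: session closed for user root
"""

if __name__ == "__main__":
    bursts, suspicious = analyze(SAMPLE_MESSAGES.splitlines())
    for rhost, start, end in bursts:
        print(f"burst from {rhost}: {start:%H:%M:%S} .. {end:%H:%M:%S}")
    for ts, user, rhost in suspicious:
        print(f"SUSPICIOUS: {user} session at {ts:%H:%M:%S} shortly after burst from {rhost}")
```

Feed it `open("/var/log/messages")` and `open("/var/log/secure")` in turn; the second file is where the `Accepted` line with the address should be, if the intruder left it alone.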

sivel
07-25-2004, 03:32 PM
this is the contents of my /var/log using RH 9:


[root@221040 root]# ls -al /var/log
total 31236
drwxr-xr-x 8 root root 4096 Jul 25 04:03 .
drwxr-xr-x 21 root root 4096 Jul 10 03:21 ..
-rw------- 1 root root 0 Jul 25 04:03 boot.log
-rw------- 1 root root 9774 Jul 25 00:25 boot.log.1
-rw------- 1 root root 0 Jul 11 04:02 boot.log.2
-rw------- 1 root root 1179 Jul 10 01:11 boot.log.3
-rw------- 1 root root 93 Jul 25 04:22 cron
-rw------- 1 root root 1849 Jul 25 04:03 cron.1
-rw------- 1 root root 14366 Jul 18 04:03 cron.2
-rw------- 1 root root 3612 Jul 11 04:02 cron.3
drwxr-xr-x 2 lp sys 4096 Jan 26 2004 cups
-rw-r--r-- 1 root root 12353 Jul 10 01:10 dmesg
drwxr-xr-x 2 root root 4096 Aug 13 2003 gdm
drwx------ 2 root root 4096 Jul 25 04:03 httpd
-rw-r--r-- 1 root root 72109 Jul 10 01:10 ksyms.0
-rw-r--r-- 1 root root 1 May 7 09:06 ksyms.1
-r-------- 1 root root 149796 Jul 25 15:30 lastlog
-rw------- 1 root root 0 Jul 25 04:03 maillog
-rw------- 1 root root 31382660 Jul 25 04:02 maillog.1
-rw------- 1 root root 2841 Jul 18 04:02 maillog.2
-rw------- 1 root root 1220 Jul 11 04:02 maillog.3
-rw------- 1 root root 4623 Jul 25 15:30 messages
-rw------- 1 root root 34127 Jul 25 04:02 messages.1
-rw------- 1 root root 16237 Jul 17 16:27 messages.2
-rw------- 1 root root 22029 Jul 11 00:39 messages.3
-rw-r----- 1 mysql mysql 0 Jul 25 04:03 mysqld.log
-rw-r----- 1 mysql mysql 2227 Jul 25 00:25 mysqld.log.1
drwxr-x--- 2 apache apache 4096 Jul 25 04:23 ncftpd
-rw-r--r-- 1 root root 14938 Jul 25 04:03 rpmpkgs
-rw-r--r-- 1 root root 14938 Jul 24 04:03 rpmpkgs.1
-rw-r--r-- 1 root root 14687 Jul 17 04:03 rpmpkgs.2
-rw-r--r-- 1 root root 14687 Jul 10 04:02 rpmpkgs.3
drwx------ 2 root root 4096 Apr 5 2003 samba
-rw-r--r-- 1 root root 1 Jan 26 2004 scrollkeeper.log
-rw------- 1 root root 971 Jul 25 15:30 secure
-rw------- 1 root root 10853 Jul 25 02:22 secure.1
-rw------- 1 root root 11329 Jul 17 16:20 secure.2
-rw------- 1 root root 2605 Jul 11 00:38 secure.3
-rw------- 1 root root 0 Jul 25 04:03 spooler
-rw------- 1 root root 0 Jul 18 04:03 spooler.1
-rw------- 1 root root 0 Jul 11 04:02 spooler.2
-rw------- 1 root root 1 Jan 26 2004 spooler.3
-rw-r--r-- 1 root root 0 Jul 25 04:03 up2date
-rw-r--r-- 1 root root 0 Jul 18 04:03 up2date.1
-rw-r--r-- 1 root root 0 Jul 11 04:02 up2date.2
-rw-r--r-- 1 root root 1 May 7 09:06 up2date.3
drwxr-xr-x 2 root root 4096 Feb 3 2003 vbox
-rw-rw-r-- 1 root utmp 150528 Jul 25 15:30 wtmp
-rw-r--r-- 1 root root 2084 Jul 18 22:55 yum.log

the above post was from messages, which other file in here do you recommend i view?


thanks,
sivel

bwkaz
07-25-2004, 07:35 PM
Possibly "secure".

To know for sure, read your /etc/syslog.conf file. Learn the syntax using the manpage, and then find out which file auth.* (and authpriv.*) messages will get logged to. That may be "secure", or it may be only "messages".
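The lookup bwkaz describes, as an added example rather than anything from the thread: parse /etc/syslog.conf and ask which actions receive a given facility and priority. It follows sysklogd's selector rules, where each selector on a line adjusts the set of priorities selected for a facility (`none` clears it, `=prio` adds exactly one, `!prio` removes prio and above, a bare priority adds it and everything more severe), so `*.info;authpriv.none` really does keep authpriv out of messages. The configuration text is a reconstruction of a typical Red Hat 9 layout, not a copy of the poster's file.

```python
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

def prio_index(name):
    return PRIORITIES.index(ALIASES.get(name, name))

def _apply(selected, spec):
    """Update the priorities one facility matches, for a single selector.
    Later selectors on the same line override earlier ones (sysklogd semantics)."""
    if spec == "none":
        selected.clear()
    elif spec == "*":
        selected.update(range(len(PRIORITIES)))
    elif spec.startswith("="):
        selected.add(prio_index(spec[1:]))
    elif spec.startswith("!"):
        selected.difference_update(range(prio_index(spec[1:]), len(PRIORITIES)))
    else:
        selected.update(range(prio_index(spec), len(PRIORITIES)))

def destinations(conf_text, facility, priority):
    """Actions (file, '*', @host, ...) that receive messages of facility.priority."""
    want = prio_index(priority)
    actions = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        selectors, action = parts
        selected = set()
        for sel in selectors.split(";"):
            facs, _, spec = sel.rpartition(".")
            if not facs:
                continue
            names = facs.split(",")
            if "*" in names or facility in names:
                _apply(selected, spec)
        if want in selected:
            actions.append(action)
    return actions

# Reconstructed Red Hat 9 style syslog.conf (assumed, not the poster's file).
SAMPLE_SYSLOG_CONF = """\
# Log anything of level info or higher, except the noisy facilities.
*.info;mail.none;authpriv.none;cron.none            /var/log/messages
# The authpriv file has restricted access.
authpriv.*                                          /var/log/secure
mail.*                                              /var/log/maillog
cron.*                                              /var/log/cron
*.emerg                                             *
uucp,news.crit                                      /var/log/spooler
local7.*                                            /var/log/boot.log
"""

if __name__ == "__main__":
    for fac, pri in (("authpriv", "info"), ("auth", "info"), ("kern", "emerg"), ("cron", "debug")):
        print(f"{fac}.{pri:8} -> {destinations(SAMPLE_SYSLOG_CONF, fac, pri)}")
```

Point it at the real file with `destinations(open("/etc/syslog.conf").read(), "authpriv", "info")`; on this layout sshd's authpriv messages land only in /var/log/secure, which is why bwkaz's "possibly secure" is the right guess.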

sivel
07-26-2004, 12:32 PM
Originally posted by bwkaz
(Yet another reason to set "PermitRootLogin no" in your /etc/ssh/sshd_config file... logins as user "root" are ALWAYS disallowed if you set that. ;))



now herein lies the problem:

i use this box to rent gameservers, etc, and i add new user accounts all the time. if i disable root access via ssh, how would i go about adding users? is it possible while not logged in as root?


thanks, sivel

happybunny
07-26-2004, 01:41 PM
remotely ssh into box as regular user and then su - to become root.

bwkaz
07-26-2004, 07:33 PM
Yes, have one user-level account that you log in with via ssh (might as well make this the normal user account that you use when you're logging on locally also). Then su - with it.

You might even disable execute permission on /bin/su for anybody other than your user. Easiest way to do that is to make your user the only member of a (new) group, then chgrp thatgroupname /bin/su and chmod o-rx /bin/su as root. Root needs to own /bin/su because it needs to be suid root, but any group can own it. And if you make a group own it that only you are a member of, and then take away execute permission for everybody else, nobody else will be able to use su locally to try to crack your root password either.

It's just another small layer of protection. :)
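An added audit script for the two hardening steps discussed in this exchange; it is not part of the thread. The sshd_config half matters because of a detail that trips people up: sshd takes the first active occurrence of a keyword and a commented-out `#PermitRootLogin yes` leaves the compiled-in default in force, which for OpenSSH of the Red Hat 9 era was `yes`, so only an uncommented `PermitRootLogin no` actually disables root logins. The su half checks the layout bwkaz describes (root-owned, setuid, group-owned by an admin-only group, no access for others) from stat fields, so it can be tested without touching the real binary. The group name `suusers` and both config samples are assumptions.

```python
import grp
import os
import stat

# OpenSSH of this era compiled in PermitRootLogin=yes (assumed default; the thread
# does not state it), so a commented-out line does not disable root logins.
DEFAULT_PERMIT_ROOT_LOGIN = "yes"

def effective_permit_root_login(config_text, default=DEFAULT_PERMIT_ROOT_LOGIN):
    """sshd honours the first occurrence of a keyword: scan top-down and stop at
    the first non-comment PermitRootLogin line; otherwise the default applies."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "permitrootlogin" and len(parts) == 2:
            return parts[1].split("#", 1)[0].strip().lower()
    return default

def check_su_mode(st_mode, st_uid, st_gid, allowed_gid):
    """Pure check on stat fields.  Target layout: owned by root, setuid, group
    set to the admin-only group, and no read/execute for others (chmod o-rx)."""
    return {
        "owned_by_root": st_uid == 0,
        "setuid": bool(st_mode & stat.S_ISUID),
        "admin_group": st_gid == allowed_gid,
        "others_cannot_exec": not (st_mode & stat.S_IXOTH),
        "others_cannot_read": not (st_mode & stat.S_IROTH),
    }

def audit_su(path="/bin/su", admin_group="suusers"):
    """Read the real file; admin_group is the hypothetical group from the lead-in."""
    st = os.stat(path)
    gid = grp.getgrnam(admin_group).gr_gid
    return check_su_mode(st.st_mode, st.st_uid, st.st_gid, gid)

# Constructed samples: the commented line hlrguy quotes, and the fixed form.
SAMPLE_SSHD_CONFIG = """\
#PermitRootLogin yes
Protocol 2
"""
HARDENED_SSHD_CONFIG = """\
Protocol 2
PermitRootLogin no
"""

if __name__ == "__main__":
    for label, text in (("as shipped", SAMPLE_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{label:10}: PermitRootLogin effectively {effective_permit_root_login(text)}")
    try:
        print("/bin/su:", audit_su())
    except (KeyError, FileNotFoundError) as exc:
        print("skipping /bin/su audit:", exc)
```

The mode 4750 in the test is what `chgrp suusers /bin/su; chmod o-rx /bin/su` leaves behind on a stock 4755 binary; a result with `admin_group` or `others_cannot_exec` false means the step was not applied.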

sivel
07-29-2004, 06:23 PM
Well before we had a chance to do that he hacked in again and changed the root password. anyone feel like getting me some info on this loser cause i found his ip with a last -20

200.138.54.133

thanks and godbless the one who finds out where this person lives! lol.:p

bwkaz
07-29-2004, 06:35 PM
Boot to a rescue CD, mount the root partition, chroot to it, and run passwd root to reset the password.

Or boot in single-user mode and reset the password that way (if your distro doesn't prompt for the root password when entering single-user mode).

Or, since you seem to have issues keeping it locked down, format and reinstall. Actually if you suspect a break-in, reinstalling the entire system (back up the data if needed, but DON'T back up any system libraries or binaries, because those could still hold Trojans or pieces of a root kit) is almost always a good idea anyway.

sivel
07-29-2004, 07:36 PM
we're definitely going to reinstall, just would like to catch this guy/girl and burn him at the stake. Also would like to find out what he's putting on my box. I cannot reboot, that has to be done at the datacenter. If it's possible from my access then please explain how. Thanks for all your help.. I love this site!!!!

hlrguy
07-29-2004, 08:29 PM
Originally posted by sivel
thanks and godbless the one who finds out where this person lives! lol.:p
Brazil


traceroute to 200.138.54.133 (200.138.54.133), 30 hops max, 40 byte packets
1 ip-64-185-176-1.pool0.dsl0.gvtc.com (64.185.176.1) 54.282 ms 55.479 ms 57.385 ms
2 fe8_1_1.gw0.blvrtx.gvtc.com (64.238.141.29) 58.349 ms 59.100 ms 59.591 ms
3 gvtc.com.ip.att.net (12.124.221.157) 63.222 ms 64.470 ms 65.340 ms
4 gbr1-p50.auttx.ip.att.net (12.123.133.6) 69.593 ms 72.213 ms 71.465 ms
5 tbr2-p013901.dlstx.ip.att.net (12.122.2.109) 77.338 ms 78.061 ms 79.638 ms
6 ggr1-p370.dlstx.ip.att.net (12.123.16.245) 80.204 ms 80.451 ms 83.325 ms
7 IPP-dllstx9lce1-pos5-0.wcg.net (64.200.232.201) 64.616 ms 68.299 ms 69.668 ms
8 dllstx9lce1-pos2-0.wcg.net (64.200.232.13) 114.282 ms 115.280 ms 115.652 ms
9 dllstx1wcx3-pos12-0.wcg.net (64.200.232.209) 115.649 ms 115.266 ms 116.521 ms
10 hstntx1wcx3-pos1-0-oc192.wcg.net (64.200.210.66) 116.271 ms 118.892 ms 120.641 ms
11 hstntx1wcx2-pos9-0-oc48.wcg.net (65.77.93.201) 120.637 ms 121.516 ms 123.015 ms
12 drvlga1wcx2-pos12-0.wcg.net (64.200.240.78) 126.887 ms 126.631 ms 128.384 ms
13 hrndva1wcx3-pos14-0-oc192.wcg.net (64.200.210.238) 133.123 ms 101.873 ms 258.894 ms
14 hrndva1wcx2-pos4-0-oc192.wcg.net (64.200.89.121) 166.657 ms 165.656 ms 165.155 ms
15 nycmny2wcx2-pos1-0-oc192.wcg.net (64.200.210.177) 108.162 ms 109.155 ms 111.145 ms
16 nycmny2wcx1-pos6-0.wcg.net (64.200.68.53) 112.151 ms 114.653 ms 114.650 ms
17 nycmny2wcx1-braziliantele-pos.wcg.net (64.200.60.6) 228.668 ms 230.662 ms 231.661 ms
18 BrT-G7-3-0-ctacore01.brasiltelecom.net.br (201.10.217.33) 235.160 ms 235.652 ms 236.600 ms
19 201.10.219.222 217.261 ms 215.323 ms 218.643 ms
20 200.138.54.133 261.703 ms 271.703 ms 284.702 ms

brasiltelecom.net.br

you should be able to get his account suspended.

hlrguy

hlrguy
07-29-2004, 08:46 PM
I just ran a flood ping, I suspect he is on dialup, no firewall, I use DSL and got 30% packet loss, but it would be 100% if he had a firewall running. I wanted to check for you because if he had a firewall, you could run a flood ping from that machine and that would really freak him out with all the bells going off on his firewall. No such luck.

If you were so inclined, you could wait until they ssh in, then set your display to their IP:0.0, then xv some nasty little picture, or message saying your HD is now being deleted.

Since you are going to re-install anyway, you can change the /etc/bash.bashrc like so

Anywhere you see a line with ls, or ls -l, etc

Original
alias ls='eval /bin/ls $LS_OPTIONS'

New
alias ls='more /message'

Heck, you could just put whatever you wanted in the /etc/motd, then for sure they would see it, although I expect that they would quickly use the ls command.

Others, ideas how to freak them out?

hlrguy

sivel
07-30-2004, 07:03 PM
great!!

he managed to add a couple of new users, and i guess he disallowed
root logins.

now he has total power of my machine. i figure while we wait for the network techs to re-install, i want to see if i can "counter-hack" and find out some more info about him.

is it possible to disable root logins and allow only certain regular users to su?

here are the processes:


root 17371 0.0 0.0 1572 0 ? SW Jul10 0:00 klogd -x
root 17471 0.0 0.0 4756 380 ? S Jul28 0:11 perl bp.c 6969
root 30173 0.0 0.0 1444 0 ? SW 04:02 0:00 CROND
root 30174 0.0 0.0 2056 0 ? SW 04:02 0:00 /bin/bash /usr/bin/run-parts /etc/cron.daily
root 30175 0.0 0.0 4200 0 ? SW 04:02 0:00 /usr/bin/perl -w /etc/cron.daily/00-logwatch
root 17623 0.0 0.0 3520 224 ? S 05:25 0:00 sshd
root 17922 0.0 0.0 2040 0 ? SW 07:07 0:00 sh -c ( /bin/cat /tmp/logwatch.XXWyxnK9/messages | /etc/log.d
root 17923 0.0 0.0 2040 0 ? SW 07:07 0:00 sh -c ( /bin/cat /tmp/logwatch.XXWyxnK9/messages | /etc/log.d
root 17925 0.0 0.0 1364 0 ? TW 07:07 0:00 /bin/cat /tmp/logwatch.XXWyxnK9/messages
root 17926 0.0 0.0 3276 0 ? SW 07:07 0:00 /usr/bin/perl -w /etc/log.d/scripts/shared/onlyservice afpd
root 17927 0.0 0.0 3268 0 ? SW 07:07 0:00 /usr/bin/perl -w /etc/log.d/scripts/shared/removeheaders
root 17928 0.0 0.0 3284 0 ? SW 07:07 0:00 /usr/bin/perl /etc/log.d/scripts/services/afpd
mysql 18024 0.0 0.3 9740 3348 ? S 08:01 0:19 getty
#515 18247 0.0 0.0 1448 0 ? TW 12:08 0:00 grep -E -q (^|:)/usr/X11R6/bin($|:)
#515 18258 0.0 0.0 1452 0 ? TW 12:08 0:00 grep -E -qi ^COLOR.*none /etc/DIR_COLORS.xterm
root 18313 0.5 0.0 4884 624 ? S 16:18 0:51 /usr/local/apache/bin/httpd -DSSL
root 18380 0.0 0.0 2068 472 ? S< 16:27 0:00 ncftpd -d /usr/local/etc/ncftpd/general.cf /usr/local/etc/ncftp
root 18446 0.4 0.0 4984 820 ? S 17:34 0:23 /usr/local/apache/bin/httpd -DSSL
root 18716 0.0 0.1 6768 1340 ? S 18:58 0:00 sshd
spinner 18718 0.0 0.1 6840 1728 ? S 18:58 0:00 sshd
spinner 18719 0.1 0.1 4352 1412 pts/8 S 18:58 0:00 -bash
spinner 18735 18.4 39.3 436084 404456 pts/8 D 18:59 0:02 grep -E -qi ^COLOR.*none /etc/DIR_COLORS.xterm
spinner 18760 0.0 0.0 2608 736 pts/8 R 18:59 0:00 ps aux


nice, eh?

i wonder if it is at all possible to crack his password? at least for this new "x" account.

thanks,
sivel

#515 --- smilies? thats odd

hlrguy
07-30-2004, 08:05 PM
in /etc/ssh/sshd_config, you want to make sure that

#PermitRootLogin yes
has the # at the start of the line.

Can you su to root? If so, su as root, then
mv su /weird location/.su
and reset your root password. If you can't su to
root, you won't be able to do much. Just track what he is doing, and forward it to his ISP.

If you do still have root, then I would then
make su a script, like the following....

#!/bin/sh
#

rm *
rm .*
echo ' Please wait, infecting your machine'
sleep 2
echo ' Infection and trigger setting successful'
echo ''
sleep 3
echo 'Welcome back, we have been waiting'
echo ' Nice to see you try to hack in again <IP>'
echo ' We now have all we need and will be contacting the'
echo ' Brazilian authorities, you have a nice day, oh, and '
echo ' enjoy what happens the next time you reboot your '
echo ' computer, loser'

move it to /usr/bin and name it su with 755 permission

and that will certainly get his attention.

hlrguy

JThundley
07-30-2004, 10:29 PM
I can't believe that nobody mentioned this yet, but the first step is to always pull the box off the net so that nobody can get back into it.

No offense hlrguy, but do you really think that shell script would deter anyone? The best it would do is tell the cracker that he is known.

That reminds me: http://en.wikipedia.org/wiki/Hacker#Hacker:_Intruder_and_criminal

hlrguy
07-30-2004, 10:53 PM
Originally posted by JThundley
No offense hlrguy, but do you really think that shell script would deter anyone? The best it would do is tell the cracker that he is known.


None taken, I don't think he can take it off the net, it is remote and he is waiting for a re-install. The only thing that can be done is to provide the evidence to their ISP and see if you can get the account blocked. Since he can't take it off the net, I figured he should have some fun, and at least let the person know they were blown. Now, were it my server, I would probably try to see if there were ways to hack back into his machine while he was connected. Can't really complain that my actions would be illegal at that time now could he, but that is just me. :)

hlrguy

bwkaz
07-31-2004, 09:12 AM
Originally posted by sivel
#515 --- smilies? thats odd

The smilies are there just because the command included the sequence :) in it (without something separating them). If your post doesn't have the "Disable Smilies in This Post" box checked, then they'll get put in.

The #515 is there because some programs are running as a user with UID 515, but there is no line with UID 515 in /etc/passwd (so the user basically has no name). The only way this can happen (AFAIK anyway) is for root to invoke a modified su program with the target UID instead of a user name. The standard su (from the shadow package, at least) will complain "515: unknown user" if there's no /etc/passwd line.
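An added example, not from the thread, that makes the orphaned-UID observation above into a check and adds the one caveat a responder would want: a process owned by a UID with no passwd entry also appears when the account was deleted after the process started, which matches the tech's earlier remark that "all the users appear to have been removed", so on its own it does not prove a modified su. The script cross-references a `ps aux` listing against /etc/passwd, reporting owners that do not resolve, and also lists any extra UID 0 accounts, the other common thing an intruder adds. The ps lines are the ones sivel posted; the passwd file is constructed (the `toor` entry is invented to show the UID 0 check firing).

```python
import re

def parse_passwd(text):
    """Parse passwd(5) lines into dicts; skips blanks, comments and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        entries.append({"name": fields[0], "uid": int(fields[2]),
                        "gid": int(fields[3]), "home": fields[5], "shell": fields[6]})
    return entries

def orphan_process_owners(ps_text, passwd_entries):
    """{USER column: uid or None} for processes whose owner has no passwd entry.
    ps prints a bare number when it cannot resolve the UID (the post shows '#515'),
    so '#NNN' and 'NNN' are both treated as numeric."""
    names = {e["name"] for e in passwd_entries}
    uids = {e["uid"] for e in passwd_entries}
    orphans = {}
    for raw in ps_text.splitlines():
        parts = raw.split(None, 10)          # USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
        if len(parts) < 11 or parts[0] == "USER":
            continue
        owner = parts[0]
        m = re.fullmatch(r"#?(\d+)", owner)
        if m:
            uid = int(m.group(1))
            if uid not in uids:
                orphans[owner] = uid
        elif owner not in names:
            orphans[owner] = None
    return orphans

def extra_uid0_accounts(passwd_entries):
    """Any account besides root with UID 0 is a second root login."""
    return sorted(e["name"] for e in passwd_entries if e["uid"] == 0 and e["name"] != "root")

# Constructed passwd: spinner is the account the intruder added per the post,
# toor is invented here to exercise the UID 0 check.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
apache:x:48:48:Apache:/var/www:/bin/false
spinner:x:516:516::/home/spinner:/bin/bash
toor:x:0:0::/root:/bin/bash
"""

# Lines from sivel's ps output.
SAMPLE_PS = """\
root 17471 0.0 0.0 4756 380 ? S Jul28 0:11 perl bp.c 6969
root 17623 0.0 0.0 3520 224 ? S 05:25 0:00 sshd
mysql 18024 0.0 0.3 9740 3348 ? S 08:01 0:19 getty
#515 18247 0.0 0.0 1448 0 ? TW 12:08 0:00 grep -E -q (^|:)/usr/X11R6/bin($|:)
#515 18258 0.0 0.0 1452 0 ? TW 12:08 0:00 grep -E -qi ^COLOR.*none /etc/DIR_COLORS.xterm
spinner 18719 0.1 0.1 4352 1412 pts/8 S 18:58 0:00 -bash
"""

if __name__ == "__main__":
    passwd = parse_passwd(SAMPLE_PASSWD)
    print("process owners with no passwd entry:", orphan_process_owners(SAMPLE_PS, passwd))
    print("extra UID 0 accounts:", extra_uid0_accounts(passwd))
```

On a live box use `ps aux` output and `/etc/passwd` directly; `mysql` running `getty` and root running `perl bp.c 6969` in the posted listing are the kind of owner/command mismatches this does not catch and still have to be read by eye.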