possible ssh hack

From: Ver Allan Sumabat (ver_allan@yahoo.com)
Date: 09/10/02

• Previous message: Yonatan Bokovza: "RE: remote kernel exploits?"
• Next in thread: Alvin Oga: "Re: possible ssh hack"
• Reply: Alvin Oga: "Re: possible ssh hack"
• Reply: Adam Bultman: "Re: possible ssh hack"
• Reply: Loki: "RE: possible ssh hack"
• Reply: Loki: "RE: possible ssh hack"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Tue, 10 Sep 2002 03:07:40 -0700 (PDT)
From: Ver Allan Sumabat <ver_allan@yahoo.com>
To: incidents@securityfocus.com

Hi,

We have just recently been hacked. I have no idea how
he came in. Here are my preliminary investigations:

1. He was able to add a user without logging in.

**Unmatched Entries**
Sep 5 10:39:33 srv1 sshd[20514]: Could not reverse
map address 10.13.41.4.
Sep 5 10:39:35 srv1 sshd[20514]: Accepted password
for root from 10.13.41.4
port 4207
Sep 5 17:30:36 srv1 sshd[23299]: Could not reverse
map address 10.13.41.4.
Sep 5 17:30:41 srv1 sshd[23299]: Accepted password
for root from 10.13.41.4
port 2491
Sep 5 22:16:59 srv1 useradd[23532]: new group:
name=war, gid=502
Sep 5 22:16:59 srv1 useradd[23532]: new user:
name=war, uid=502, gid=502,
home=/home/war, shell=/bin/bash
Sep 5 22:17:31 srv1 sshd[23534]: Accepted password
for war from
212.179.207.211 port 2746
Sep 5 22:19:17 srv1 sshd[23580]: fatal: Read from
socket failed: Connection
reset by peer
Sep 5 22:21:48 srv1 sshd[928]: Received SIGHUP;
restarting.

2. He installed a tarball w00tkit.tgz in /home/war

3. After running chkrootkit, the significant lines
are:

...
Checking `ifconfig'... INFECTED
...
Searching for Showtee... Warning: Possible Showtee
Rootkit installed
...
Checking `lkm'... You have 1 process hidden for ps
command
Warning: Possible LKM Trojan installed

4. ssh won't run anymore

Can anyone help me on how the intrusion was done?

Thanks.

Regards,

Allan

__________________________________________________
Yahoo! - We Remember
9-11: A tribute to the more than 3,000 lives lost
http://dir.remember.yahoo.com/tribute

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

---

• Previous message: Yonatan Bokovza: "RE: remote kernel exploits?"
• Next in thread: Alvin Oga: "Re: possible ssh hack"
• Reply: Alvin Oga: "Re: possible ssh hack"
• Reply: Adam Bultman: "Re: possible ssh hack"
• Reply: Loki: "RE: possible ssh hack"
• Reply: Loki: "RE: possible ssh hack"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Kernel panic on all versions of FreeBSD ... WARNING: WITNESS option enabled, expect reduced performance. ... <ACPI PCI bus> on pcib0 ... configured irq 4 not in bitmap of probed irqs 0 ... port may not be enabled ... (freebsd-current) Kernel panic on 7.2-STABLE ... WARNING: WITNESS option enabled, expect reduced performance. ... <ACPI PCI bus> on pcib0 ... configured irq 4 not in bitmap of probed irqs 0 ... port may not be enabled ... (freebsd-stable) Kernel panic on all versions of FreeBSD ... WARNING: WITNESS option enabled, expect reduced performance. ... <ACPI PCI bus> on pcib0 ... configured irq 4 not in bitmap of probed irqs 0 ... port may not be enabled ... (freebsd-current) IPsec: panic/reboot with 5.4-STABLE ... WARNING: debug.mpsafenet forced to 0 as ipsec requires Giant ... acpi0: on motherboard ... <ACPI PCI bus> on pcib0 ... fdc0: port ... (freebsd-net) Panic/Reboot in 5.4-STABLE ... WARNING: debug.mpsafenet forced to 0 as ipsec requires Giant ... acpi0: on motherboard ... <ACPI PCI bus> on pcib0 ... fdc0: port ... (freebsd-stable)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > incidents  > 2002-09