How did this happen?

From: jason (jason@gimptroll.com)
Date: 05/13/02


From: jason@gimptroll.com (jason)
Date: 13 May 2002 06:17:16 -0700

My Redhat 7.2 linux box was set up as a DMZ behind my firewall. From
this logfile, it seems that someone has gained root level access to my
machine.

A few n00bie questions:

1) How does that work? Did this person figure out my password or is it
a different type of exploit?

2) I don't remember adding LogWatch to my applications, is it just
called "LogWatch" when I chkconfig? *I ask because I can't look
anymore as I am reformatting*

3) How did they find my machine?

4) I think I have all of my ports blocked now, but I need to open some
of them for my clients. How can I feel safe opening up ports for http,
ftp, ssh, etc? What do I need to read?

5) It seems the best advice for a hacked machine owner has been to
reformat and reinstall. This pains me greatly because I have spent
hours configuring and CPANing. Is there another way?

Regards,
Jason

################## LogWatch 2.1.1 Begin #####################

 --------------------- sendmail Begin ------------------------

59083 bytes transferred
126 messages sent
 ---------------------- sendmail End -------------------------

 ---------------- Connections (secure-log) Begin -------------------

Connections:
   Service ftp:
      192.168.1.100: 1 Time(s)
      212.93.149.205: 1 Time(s)
      211.215.16.152: 5 Time(s)
   Service sgi_fam:
      0.0.0.0: 3 Time(s)

**Unmatched Entries**
May 12 06:50:09 localhost sshd[9132]: Did not receive identification
string from 212.93.149.205.
May 12 06:50:41 localhost sshd[9137]: PAM pam_set_item: NULL pam
handle passed
May 12 06:50:43 localhost sshd[9137]: PAM pam_set_item: NULL pam
handle passed
May 12 06:50:43 localhost sshd[9137]: Failed password for illegal user
cgi from 212.93.149.205 port 2265
May 12 06:50:47 localhost sshd[9137]: PAM pam_set_item: NULL pam
handle passed
May 12 06:50:47 localhost sshd[9137]: Failed password for illegal user
cgi from 212.93.149.205 port 2265
May 12 06:51:03 localhost useradd[9140]: new user: name=cgi, uid=0,
gid=0, home=/home/cgi, shell=/bin/bash
May 12 06:51:28 localhost sshd[9137]: PAM pam_set_item: NULL pam
handle passed
May 12 06:51:28 localhost sshd[9137]: Failed password for illegal user
cgi from 212.93.149.205 port 2265
May 12 06:51:31 localhost sshd[9137]: PAM pam_set_item: NULL pam
handle passed
May 12 06:51:31 localhost sshd[9137]: Failed password for illegal user
cgi from 212.93.149.205 port 2265
May 12 06:51:34 localhost sshd[9137]: fatal: Read from socket failed:
Connection reset by peer
May 12 06:51:47 localhost sshd[9147]: Accepted password for ROOT from
212.93.149.205 port 2277
May 12 06:55:45 localhost userdel[9692]: delete user `cgi'
May 12 07:11:57 localhost userdel[10084]: delete user `ftp'
May 12 07:11:57 localhost userdel[10084]: remove group `ftp'
May 12 09:33:10 localhost xinetd[11082]: USERID: ftp OTHER :root
May 12 09:34:21 localhost sshd[11081]: Disconnecting: Corrupted check
bytes on input.
May 12 14:13:30 localhost sshd[976]: Received signal 15; terminating.
May 12 14:15:30 localhost sshd[1209]: Server listening on 0.0.0.0 port
22.
May 12 14:31:29 localhost sshd[1209]: Received signal 15; terminating.
May 12 15:59:08 localhost sshd[1235]: Server listening on 0.0.0.0 port
22.
May 12 15:59:16 localhost sshd[1235]: Received signal 15; terminating.
May 12 16:07:35 localhost sshd[1236]: Server listening on 0.0.0.0 port
22.
May 12 21:18:06 localhost sshd[1236]: Received signal 15; terminating.

 ----------------- Connections (secure-log) End --------------------

 --------------------- SSHD Begin ------------------------

**Unmatched Entries**
sshd -TERM succeeded
Starting sshd:
 succeeded

sshd -TERM succeeded
Starting sshd:
 succeeded

sshd -TERM succeeded
Starting sshd:
 succeeded

sshd -TERM succeeded

 ---------------------- SSHD End -------------------------

 ###################### LogWatch End #########################

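Editor's note, added to this archived post and not part of Jason's message: the secure-log excerpt above tells the story by itself once the entries are read in order. Failed password attempts for a user that does not exist ("illegal user cgi"), then useradd creating that very name with uid=0, then an accepted password login for an uppercase ROOT account from the same address, then deletion of the cgi and ftp accounts and several sshd restarts. The script below is a constructed, stand-alone detector that runs those correlations over the log lines quoted in the post (embedded here as sample input, trimmed to the entries that matter). The regexes, finding codes and the SYSTEM_ACCOUNTS list are assumptions chosen for this illustration, not anything from LogWatch or Red Hat.

```python
import re
from collections import defaultdict

# Sample input: the relevant secure-log lines from the post above, one per line.
SAMPLE_LOG = """\
May 12 06:50:09 localhost sshd[9132]: Did not receive identification string from 212.93.149.205.
May 12 06:50:43 localhost sshd[9137]: Failed password for illegal user cgi from 212.93.149.205 port 2265
May 12 06:50:47 localhost sshd[9137]: Failed password for illegal user cgi from 212.93.149.205 port 2265
May 12 06:51:03 localhost useradd[9140]: new user: name=cgi, uid=0, gid=0, home=/home/cgi, shell=/bin/bash
May 12 06:51:28 localhost sshd[9137]: Failed password for illegal user cgi from 212.93.149.205 port 2265
May 12 06:51:47 localhost sshd[9147]: Accepted password for ROOT from 212.93.149.205 port 2277
May 12 06:55:45 localhost userdel[9692]: delete user `cgi'
May 12 07:11:57 localhost userdel[10084]: delete user `ftp'
May 12 14:13:30 localhost sshd[976]: Received signal 15; terminating.
May 12 14:15:30 localhost sshd[1209]: Server listening on 0.0.0.0 port 22.
"""

# Classic syslog layout: "Mon DD HH:MM:SS host prog[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
USERADD_RE = re.compile(r"new user: name=(?P<name>[^,]+), uid=(?P<uid>\d+), gid=(?P<gid>\d+)")
FAILED_RE = re.compile(r"Failed password for (?:illegal user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>[\d.]+)")
USERDEL_RE = re.compile(r"delete user `(?P<name>[^']+)'")

# Assumed list of service accounts whose removal is almost never routine admin work.
SYSTEM_ACCOUNTS = {"ftp", "bin", "daemon", "nobody"}


def parse(line):
    """Split one syslog line into its fields, or return None if it does not fit."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyze(text):
    """Return a list of (code, timestamp, detail) findings for the log text."""
    findings = []
    failed_by_ip = defaultdict(list)   # ip -> usernames that failed from it
    probed_missing_users = set()       # names sshd reported as "illegal user"

    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        prog, msg, ts = rec["prog"], rec["msg"], rec["ts"]

        if prog == "sshd":
            m = FAILED_RE.search(msg)
            if m:
                failed_by_ip[m["ip"]].append(m["user"])
                if "illegal user" in msg:
                    probed_missing_users.add(m["user"])
            m = ACCEPTED_RE.search(msg)
            if m:
                # Interactive password login as root (any case) is a red flag on its own.
                if m["user"].lower() == "root":
                    findings.append(("ROOT_LOGIN", ts,
                                     f"remote password login as {m['user']!r} from {m['ip']}"))
                # A success from an address that was just failing is worth a closer look.
                if failed_by_ip.get(m["ip"]):
                    findings.append(("ACCEPT_AFTER_FAILURES", ts,
                                     f"{m['ip']} accepted after {len(failed_by_ip[m['ip']])} failures"))
            if "Received signal 15" in msg:
                findings.append(("SSHD_RESTART", ts, "sshd terminated; check binary and config"))

        elif prog == "useradd":
            m = USERADD_RE.search(msg)
            if m:
                # Any account other than root with uid 0 is a second root login.
                if m["uid"] == "0" and m["name"] != "root":
                    findings.append(("UID0_ACCOUNT", ts,
                                     f"account {m['name']!r} created with uid=0"))
                # A name probed over ssh before it existed, then created: not an admin action.
                if m["name"] in probed_missing_users:
                    findings.append(("PROBED_USER_CREATED", ts,
                                     f"{m['name']!r} was probed via ssh before it was created"))

        elif prog == "userdel":
            m = USERDEL_RE.search(msg)
            if m and m["name"] in SYSTEM_ACCOUNTS:
                findings.append(("SYSTEM_ACCOUNT_REMOVED", ts,
                                 f"service account {m['name']!r} deleted"))

    return findings


if __name__ == "__main__":
    for code, ts, detail in analyze(SAMPLE_LOG):
        print(f"{ts}  {code:<24} {detail}")
```

Run against the excerpt, the script reports six findings in timeline order, which together answer question 1 without needing to know the initial entry vector: the attacker already had root when useradd ran, because useradd itself requires root. The useradd with uid=0 and the ROOT login are the events to alert on; the "Failed password for illegal user" noise is only the correlation hint. On a live system the same logic can be pointed at /var/log/secure, and the same questions (who created uid-0 accounts, who removed service accounts, who restarted sshd) are the ones to ask of any machine before deciding whether the reinstall in question 5 can be avoided.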

