On Fri, 30.07.2004 at 11:45, Brian Fahrlander wrote:
> From last night's LogWatch:
> --------------------------------------------------------------------------
>
> sshd:
> Invalid Users:
> Unknown Account: 7 Time(s)
> Unknown Entries:
> authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=johnstongrain.com : 2 Time(s)
> authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=smms-mriley09d.chemistry.uq.edu.au : 2 Time(s)
> authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.117.191.70 : 1 Time(s)
> authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=216.97.110.1 : 1 Time(s)
> authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=ccia-062-204-197-193.uned.es : 1 Time(s)
>
> su:
> Sessions Opened:
> brian(uid=500) -> root: 1 Time(s)
>
> ------------------------------------------------------------------------
>
> Ok, guys- what do we do with this? Should we be writing down the
> addresses from which these attempts were made? They're probably all
> 'stooge' addresses, I know, but it might help authorities to know what
> other machines have been compromised...
>
> I'll go save the log somewhere...
>
> ------------------------------------------------------------------------

Just got these SSH login attempts from a machine which is obviously hacked! I did a portscan immediately after the messages occurred in my log:

$ nmap -vvvv -sS -sV -P0 -O 64.86.78.209

Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2004-08-03 16:53 CEST
Host 64.86.78.209 appears to be up ... good.
Initiating SYN Stealth Scan against 64.86.78.209 at 16:53
Adding open port 5101/tcp
Adding open port 23/tcp
adjust_timeout: packet supposedly had rtt of 11522743 microseconds. Ignoring time.
adjust_timeout: packet supposedly had rtt of 11516952 microseconds. Ignoring time.
adjust_timeout: packet supposedly had rtt of 12503503 microseconds. Ignoring time.
adjust_timeout: packet supposedly had rtt of 25062938 microseconds. Ignoring time.
Adding open port 818/tcp
adjust_timeout: packet supposedly had rtt of 25019107 microseconds. Ignoring time.
adjust_timeout: packet supposedly had rtt of 25985784 microseconds. Ignoring time.
Adding open port 111/tcp
Adding open port 22/tcp
Adding open port 1984/tcp
Adding open port 3001/tcp
Adding open port 21/tcp
Adding open port 443/tcp
Adding open port 3000/tcp
adjust_timeout: packet supposedly had rtt of 11461759 microseconds. Ignoring time.
Adding open port 5102/tcp
Adding open port 32770/tcp
Adding open port 5100/tcp
Adding open port 80/tcp
Adding open port 3306/tcp
adjust_timeout: packet supposedly had rtt of 11455679 microseconds. Ignoring time.
The SYN Stealth Scan took 54 seconds to scan 1657 ports.
Initiating service scan against 15 services on 1 host at 16:54
The service scan took 27 seconds to scan 15 services on 1 host.
Initiating RPCGrind Scan against 64.86.78.209 at 16:54
The RPCGrind Scan took 7 seconds to scan 3 ports.
For OSScan assuming that port 21 is open and port 1 is closed and neither are firewalled
Interesting ports on 64.86.78.209:
(The 1642 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE  VERSION
21/tcp    open  ftp      vsFTPd 1.1.0
22/tcp    open  ssh      OpenSSH 3.4p1 (protocol 1.99)
23/tcp    open  telnet   Linux telnetd

Telnet is open!

80/tcp    open  http     Apache httpd 2.0.40 ((Red Hat Linux))
111/tcp   open  rpcbind  2 (rpc #100000)
443/tcp   open  ssl/http Apache httpd 2.0.40 ((Red Hat Linux))
818/tcp   open  rquotad  1-2 (rpc #100011)
1984/tcp  open  ssh

See below for port 1984!

3000/tcp  open  ppp?
3001/tcp  open  nessusd?
3306/tcp  open  mysql?
5100/tcp  open  http     Apache httpd 1.3.27 ((Unix) Sun-ONE-ASP/4.0.0)
5101/tcp  open  admdog?
5102/tcp  open  admeng?
32770/tcp open  mountd   1-3 (rpc #100005)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port1984-TCP:V=3.48%D=8/3%Time=410FA725%r(NULL,20,"SSH-1\.5-FucKiT\x20R
SF:ootKit\x20by\x20Cyrax\n");

ON PORT 1984 THE ROOTKIT SSH IS LISTENING!

Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20

The kernel is a Redhat 2.4.18-4 one - so highly vulnerable. No question why a rootkit is on this box.

OS Fingerprint:
TSeq(Class=RI%gcd=1%SI=22816B%IPID=Z)
T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=2261355 (Good luck!)
TCP ISN Seq. Numbers: 33A1C699 33236160 334D5B86 32FCC75A
IPID Sequence Generation: All zeros

Nmap run completed -- 1 IP address (1 host up) scanned in 119.684 seconds

I mailed the responsible person according whois data. We'll see...

Alexander

--
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.6-1.435.2.3.ad.umlsmp
Serendipity 17:31:12 up 2 days, 22:55, load average: 0.39, 0.27, 0.21
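Two things a defender would want to do with the artifacts in this thread, as an added example that is not from the list posts, LogWatch or nmap: re-derive LogWatch's per-rhost tally from the raw PAM syslog lines behind it (so the addresses Brian asks about can be recorded), and decode nmap's escaped service fingerprint so the banner on port 1984 can be checked against a known rootkit string. The syslog sample is constructed (hostnames from the thread, timestamps and PIDs invented) and the parsing helpers are my own, not LogWatch's or nmap's.

```python
import re
from collections import Counter

# Constructed sample of the raw PAM lines that LogWatch summarised above
# (hostnames copied from the thread; timestamps and PIDs are made up).
SAMPLE_SYSLOG = """\
Jul 30 02:11:07 gw sshd(pam_unix)[8123]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=johnstongrain.com
Jul 30 02:11:09 gw sshd(pam_unix)[8123]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=johnstongrain.com
Jul 30 04:40:51 gw sshd(pam_unix)[8301]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.117.191.70
"""

FAILURE_RE = re.compile(r"sshd\S*\[\d+\]: authentication failure; (?P<kv>.*)$")

def parse_failure(line):
    """Return the key=value fields of a PAM 'authentication failure' line, else None."""
    m = FAILURE_RE.search(line)
    if not m:
        return None
    fields = {}
    for token in m.group("kv").split():
        key, _, value = token.partition("=")  # 'ruser=' yields an empty value
        fields[key] = value
    return fields

def tally_rhosts(log_text):
    """Failed logins per remote host: the list Brian asks whether to write down."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_failure(line)
        if f and f.get("rhost"):
            counts[f["rhost"]] += 1
    return counts

# nmap service fingerprint from the scan above: 'SF:' lines continue the first
# line, and the captured response is r(PROBE,HEXLEN,"escaped bytes").
SF_LINES = [r'SF-Port1984-TCP:V=3.48%D=8/3%Time=410FA725%r(NULL,20,"SSH-1\.5-FucKiT\x20R',
            r'SF:ootKit\x20by\x20Cyrax\n");']

def decode_nmap_sf(lines):
    """Return (probe, byte count, banner) with nmap's hex and single-char escapes undone."""
    joined = lines[0] + "".join(l[3:] for l in lines[1:])
    probe, hexlen, escaped = re.search(r'r\((\w+),([0-9A-Fa-f]+),"(.*)"\)', joined).groups()
    named = {"n": "\n", "r": "\r", "t": "\t"}
    unescape = lambda mo: chr(int(mo.group(1), 16)) if mo.group(1) else named.get(mo.group(2), mo.group(2))
    banner = re.sub(r"\\x([0-9A-Fa-f]{2})|\\(.)", unescape, escaped)
    return probe, int(hexlen, 16), banner

def banner_is_suspicious(banner):
    """Match the banner against the rootkit string seen on port 1984 in the thread."""
    return "FucKiT RootKit" in banner
```

The decoded banner length should equal nmap's hex byte count (0x20 = 32 here); a mismatch means the fingerprint was mangled in transit and should not be trusted as a signature.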