HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

Thread: Hacking attack (ubuntu 7.04 server + local root exploit on kernel) (http://www.howtoforge.com/forums/showthread.php?t=18806)

smoko 29th December 2007 11:48

Hacking attack (ubuntu 7.04 server + local root exploit on kernel)
 
Hello

My server was attacked by a hacker. He told me about this.

my /etc/passwd was changed

Code:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
#games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
dhcp:x:100:101::/nonexistent:/bin/false
syslog:x:101:102::/home/syslog:/bin/false
klog:x:102:103::/home/klog:/bin/false
smoko:x:1000:1000:SMOKO,,,:/home/smoko:/bin/bash
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
fetchmail:x:104:65534::/var/lib/fetchmail:/bin/sh
bind:x:105:110::/var/cache/bind:/bin/false
mysql:x:106:111:MySQL Server,,,:/var/lib/mysql:/bin/false
postfix:x:107:113::/var/spool/postfix:/bin/false
proftpd:x:108:65534::/var/run/proftpd:/bin/false
ftp:x:109:65534::/home/ftp:/bin/false
ntp:x:110:115::/home/ntp:/bin/false
admispconfig:x:1001:1001:Administrator ISPConfig:/home/admispconfig:/bin/bash
ossec:x:1002:1002::/var/ossec:/bin/false
ossecm:x:1003:1002::/var/ossec:/bin/false
ossecr:x:1004:1002::/var/ossec:/bin/false

Group number 65534, what is this?? This is what the hacker changed (user games was added by the hacker)

I installed OSSEC monitoring and I got this info by e-mail

Code:

OSSEC HIDS Notification.
2007 Dec 29 06:25:02

Received From: dragon->/var/log/auth.log
Rule: 40101 fired (level 12) -> "System user successfully logged to the system."
Portion of the log(s):

Dec 29 06:25:01 dragon su[30607]: + ??? root:nobody

My /var/log/auth.log was like that

Code:

Dec 29 05:00:02 dragon CRON[29410]: (pam_unix) session closed for user root
Dec 29 05:09:01 dragon CRON[29552]: (pam_unix) session opened for user root by (uid=0)
Dec 29 05:09:01 dragon CRON[29552]: (pam_unix) session closed for user root
Dec 29 05:17:01 dragon CRON[29677]: (pam_unix) session opened for user root by (uid=0)
Dec 29 05:17:01 dragon CRON[29677]: (pam_unix) session closed for user root
Dec 29 05:30:01 dragon CRON[29836]: (pam_unix) session opened for user root by (uid=0)
Dec 29 05:30:01 dragon CRON[29836]: (pam_unix) session closed for user root
Dec 29 05:39:01 dragon CRON[29949]: (pam_unix) session opened for user root by (uid=0)
Dec 29 05:39:01 dragon CRON[29949]: (pam_unix) session closed for user root
Dec 29 06:00:01 dragon CRON[30209]: (pam_unix) session opened for user root by (uid=0)
Dec 29 06:00:01 dragon CRON[30211]: (pam_unix) session opened for user root by (uid=0)
Dec 29 06:00:01 dragon CRON[30211]: (pam_unix) session closed for user root
Dec 29 06:00:02 dragon CRON[30209]: (pam_unix) session closed for user root
Dec 29 06:09:01 dragon CRON[30370]: (pam_unix) session opened for user root by (uid=0)
Dec 29 06:09:01 dragon CRON[30370]: (pam_unix) session closed for user root
Dec 29 06:17:01 dragon CRON[30476]: (pam_unix) session opened for user root by (uid=0)
Dec 29 06:17:01 dragon CRON[30476]: (pam_unix) session closed for user root
Dec 29 06:25:01 dragon CRON[30576]: (pam_unix) session opened for user root by (uid=0)
Dec 29 06:25:01 dragon su[30607]: Successful su for nobody by root
Dec 29 06:25:01 dragon su[30607]: + ??? root:nobody
Dec 29 06:25:01 dragon su[30607]: (pam_unix) session opened for user nobody by (uid=0)
Dec 29 06:25:01 dragon su[30607]: (pam_unix) session closed for user nobody
Dec 29 06:25:01 dragon su[30609]: Successful su for nobody by root
Dec 29 06:25:01 dragon su[30609]: + ??? root:nobody
Dec 29 06:25:01 dragon su[30609]: (pam_unix) session opened for user nobody by (uid=0)
Dec 29 06:25:01 dragon su[30609]: (pam_unix) session closed for user nobody
Dec 29 06:25:01 dragon su[30611]: Successful su for nobody by root
Dec 29 06:25:01 dragon su[30611]: + ??? root:nobody
Dec 29 06:25:01 dragon su[30611]: (pam_unix) session opened for user nobody by (uid=0)
Dec 29 06:25:03 dragon su[30611]: (pam_unix) session closed for user nobody
Dec 29 06:26:35 dragon CRON[30576]: (pam_unix) session closed for user root
Dec 29 06:30:01 dragon CRON[11022]: (pam_unix) session opened for user root by (uid=0)
Dec 29 06:30:01 dragon CRON[11022]: (pam_unix) session closed for user root
Dec 29 06:39:01 dragon CRON[11135]: (pam_unix) session opened for user root by (uid=0)
Dec 29 06:39:01 dragon CRON[11135]: (pam_unix) session closed for user root
Dec 29 07:00:01 dragon CRON[11432]: (pam_unix) session opened for user root by (uid=0)



I'm sorry but my English is not good ;( Please help me

till 29th December 2007 16:38

If you want to know the name of the group, have a look at the /etc/group file.

Did you install all available updates for your Linux distribution?

Please check your system with rkhunter: http://www.rootkit.nl
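The reply above points at /etc/group to resolve the unknown group number. The script below is an added example, not code from the thread or from HowtoForge: it cross-checks a passwd listing against a group file and reports the things a first look at a possibly tampered /etc/passwd should cover (primary GIDs that resolve to no group, non-root accounts with UID 0, duplicate UIDs, and commented-out lines like the "#games" entry in the first post). The passwd sample is cut down from the listing in the first post; the /etc/group fragment is constructed to mirror a stock Ubuntu layout, so the group names in it are an assumption. On a live system, `getent group 65534` gives the same answer for a single GID.

```python
"""Cross-check a passwd listing against a group file (added example, not from the thread)."""
from collections import Counter

# Subset of the /etc/passwd listing posted in the thread.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
sync:x:4:65534:sync:/bin:/bin/sync
#games:x:5:60:games:/usr/games:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
smoko:x:1000:1000:SMOKO,,,:/home/smoko:/bin/bash
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
fetchmail:x:104:65534::/var/lib/fetchmail:/bin/sh
ossec:x:1002:1002::/var/ossec:/bin/false
"""

# Constructed /etc/group fragment; group names are an assumption (stock Ubuntu uses
# 'nogroup' for gid 65534). Replace with the real file contents on your own host.
GROUP_SAMPLE = """\
root:x:0:
games:x:60:
smoko:x:1000:
ossec:x:1002:
nogroup:x:65534:
"""


def parse_passwd(text):
    """Return (entries, commented): live account dicts and lines disabled with '#'."""
    entries, commented = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            commented.append(line)
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line; a fuller audit would report it as well
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "home": home, "shell": shell})
    return entries, commented


def parse_group(text):
    """Map numeric GID -> group name from an /etc/group style listing."""
    gid_to_name = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue
        gid_to_name[int(fields[2])] = fields[0]
    return gid_to_name


def audit(passwd_text, group_text):
    """Return the resolved primary group per account plus a list of findings."""
    entries, commented = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    findings = []
    for e in entries:
        if e["gid"] not in groups:  # GID with no matching group entry
            findings.append(f"{e['name']}: primary gid {e['gid']} has no entry in /etc/group")
        if e["uid"] == 0 and e["name"] != "root":  # extra superuser account
            findings.append(f"{e['name']}: uid 0 but not root")
    for uid, n in Counter(e["uid"] for e in entries).items():
        if n > 1:  # two names sharing one UID are indistinguishable to the kernel
            names = [e["name"] for e in entries if e["uid"] == uid]
            findings.append(f"uid {uid} shared by {names}")
    for line in commented:  # e.g. the '#games' line from the thread
        findings.append(f"commented-out passwd line: {line}")
    return {"group_of": {e["name"]: groups.get(e["gid"], "?") for e in entries},
            "findings": findings}


if __name__ == "__main__":
    result = audit(PASSWD_SAMPLE, GROUP_SAMPLE)
    for name, grp in result["group_of"].items():
        print(f"{name:10} -> {grp}")
    for f in result["findings"]:
        print("FINDING:", f)
```

Run against the sample, every 65534 resolves to nogroup and the only finding is the commented-out games line; feed it the real /etc/passwd and /etc/group and the findings list is what to investigate, since none of these checks prove or disprove a compromise by themselves.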

linuxbitch 25th May 2008 20:38

hello
 
For The admin server who was hacked ..
what is your Ubuntu kernel version
and I wanna tell ya .. rkhunter doesn't work all the time .. believe me .. :D) .. if .. the rk is a trojan .. yes it is possible to be detected .. if it is not .. then you have a problem .. or .. if the man who entered your comp .. didn't put a rootkit on it .. then you'll have a prob .. :D
try a socklist .. and see the ports ..
if you are interested to talk more about that .. killer_judge2001@yahoo.com
contact me!

houms 26th August 2008 23:56

Hacking Attack????
 
Looking at your log, it does not appear to be something you need to worry about. Those entries are showing a cron job doing its thing. It is not something you need to worry about. I have the same entries in my log :)

Root is 'su'ing to 'nobody' to run a scheduled system service or a cron job...It starts the service then hands it over to 'nobody'.

Oh, and 65534 is the uid for user 'nobody', you probably have cron jobs running for various services... you may also want to check your /etc/cron.daily/ directory.

daddyfish 15th September 2013 05:05

Indexing cron for "locate" command.
 
I think some will appreciate this addition to this old thread. I spent some time figuring this out.

The cron job that runs the index update for the locate command causes the following log entries in auth.log:

Sep 14 22:48:14 mydomain su[24053]: Successful su for nobody by root
Sep 14 22:48:14 mydomain su[24053]: + ??? root:nobody
Sep 14 22:48:14 mydomain su[24053]: pam_unix(su:session): session opened for user nobody by (uid=0)
Sep 14 22:48:14 mydomain su[24053]: pam_unix(su:session): session closed for user nobody
Sep 14 22:48:14 mydomain su[24055]: Successful su for nobody by root
Sep 14 22:48:14 mydomain su[24055]: + ??? root:nobody
Sep 14 22:48:14 mydomain su[24055]: pam_unix(su:session): session opened for user nobody by (uid=0)
Sep 14 22:48:14 mydomain su[24055]: pam_unix(su:session): session closed for user nobody
Sep 14 22:48:14 mydomain su[24057]: Successful su for nobody by root
Sep 14 22:48:14 mydomain su[24057]: + /dev/pts/0 root:nobody
Sep 14 22:48:14 mydomain su[24057]: pam_unix(su:session): session opened for user nobody by myself(uid=0)
Sep 14 22:48:20 mydomain su[24057]: pam_unix(su:session): session closed for user nobody

Although these types of log entries look very suspicious, especially in the auth.log, they are quite normal if the locate command is installed. Also, other cron jobs or actions may make similar entries.

If you wish to see this for yourself, run "/etc/cron.daily/locate" as root or "sudo /etc/cron.daily/locate" as a sudoer, then inspect /var/log/auth.log.

Hopefully this will lay unwarranted fears to rest !
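The two log excerpts in this thread differ in one telling field: the cron-driven su records "+ ??? root:nobody" (no controlling terminal), while the one daddyfish ran by hand records "+ /dev/pts/0 root:nobody". The script below is an added example, not from the thread or from OSSEC, that turns that observation into a small triage rule over auth.log: it parses the lines, tracks open root CRON sessions per host, and marks an su as worth a look when it has a real tty or happens while no cron session is open on that host. The sample lines are constructed from the ones posted above; the function and field names are this example's own.

```python
"""Classify su events in auth.log as scheduled or interactive (added example, not from the thread)."""
import re

# Constructed from the lines posted in the thread: the first block is the cron-driven
# su from the original post, the second is the one run by hand from a terminal.
SAMPLE_LOG = """\
Dec 29 06:25:01 dragon CRON[30576]: (pam_unix) session opened for user root by (uid=0)
Dec 29 06:25:01 dragon su[30607]: Successful su for nobody by root
Dec 29 06:25:01 dragon su[30607]: + ??? root:nobody
Dec 29 06:25:01 dragon su[30607]: (pam_unix) session opened for user nobody by (uid=0)
Dec 29 06:25:01 dragon su[30607]: (pam_unix) session closed for user nobody
Dec 29 06:26:35 dragon CRON[30576]: (pam_unix) session closed for user root
Sep 14 22:48:14 mydomain su[24057]: Successful su for nobody by root
Sep 14 22:48:14 mydomain su[24057]: + /dev/pts/0 root:nobody
Sep 14 22:48:14 mydomain su[24057]: pam_unix(su:session): session opened for user nobody by myself(uid=0)
Sep 14 22:48:20 mydomain su[24057]: pam_unix(su:session): session closed for user nobody
"""

# Classic syslog layout: "Mon DD HH:MM:SS host prog[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# The su audit line: "+ <tty> <from>:<to>"; tty is '???' when there is no terminal.
SU_RE = re.compile(r"^\+ (?P<tty>\S+) (?P<src>[^:]+):(?P<dst>\S+)$")


def parse_line(line):
    """Return the syslog fields of one line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify_su(log_text):
    """Return one dict per su audit line with interactive/cron_active flags."""
    open_cron = set()   # (host, pid) of CRON sessions currently open for root
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host, prog, pid, msg = rec["host"], rec["prog"], rec["pid"], rec["msg"]
        if prog == "CRON" and "for user root" in msg:
            if "session opened" in msg:
                open_cron.add((host, pid))
            elif "session closed" in msg:
                open_cron.discard((host, pid))
        elif prog == "su":
            s = SU_RE.match(msg)
            if s is None:
                continue
            events.append({
                "ts": rec["ts"], "host": host, "pid": pid,
                "src": s["src"], "dst": s["dst"], "tty": s["tty"],
                # a real tty means somebody typed this at a shell
                "interactive": s["tty"] != "???",
                # cron jobs run inside an open root CRON session on the same host
                "cron_active": any(h == host for h, _ in open_cron),
            })
    return events


def worth_a_look(events):
    """Keep su events that do not fit the 'root cron job dropping to nobody' pattern."""
    return [e for e in events if e["interactive"] or not e["cron_active"]]


if __name__ == "__main__":
    for e in classify_su(SAMPLE_LOG):
        flag = "REVIEW" if e in worth_a_look([e]) else "cron  "
        print(f"{flag} {e['ts']} {e['host']} su[{e['pid']}] {e['src']}->{e['dst']} tty={e['tty']}")
```

The rule is deliberately narrow: it only separates "su without a terminal inside a root cron window" from everything else, which is exactly the case the thread resolved. Anything flagged still needs the usual follow-up (which cron job, which user, whether the timing matches a crontab), and a tty-less su outside any cron window, or an su to a user other than nobody, is what the rule is there to surface.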


All times are GMT +2.

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.