29th December 2007, 11:48
smoko
Junior Member
Join Date: Dec 2007
Posts: 1

Hacking attack (ubuntu 7.04 server + local root exploit on kernel)

Hello

My server was attacked by a hacker. He told me about this.

my /etc/passwd was changed

Code:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
#games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
dhcp:x:100:101::/nonexistent:/bin/false
syslog:x:101:102::/home/syslog:/bin/false
klog:x:102:103::/home/klog:/bin/false
smoko:x:1000:1000:SMOKO,,,:/home/smoko:/bin/bash
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
fetchmail:x:104:65534::/var/lib/fetchmail:/bin/sh
bind:x:105:110::/var/cache/bind:/bin/false
mysql:x:106:111:MySQL Server,,,:/var/lib/mysql:/bin/false
postfix:x:107:113::/var/spool/postfix:/bin/false
proftpd:x:108:65534::/var/run/proftpd:/bin/false
ftp:x:109:65534::/home/ftp:/bin/false
ntp:x:110:115::/home/ntp:/bin/false
admispconfig:x:1001:1001:Administrator ISPConfig:/home/admispconfig:/bin/bash
ossec:x:1002:1002::/var/ossec:/bin/false
ossecm:x:1003:1002::/var/ossec:/bin/false
ossecr:x:1004:1002::/var/ossec:/bin/false
Group number 65534, what is this?? This is what the hacker changed (user games was added by the hacker)

I installed OSSEC monitoring and I got this info by e-mail

Code:
OSSEC HIDS Notification.
2007 Dec 29 06:25:02

Received From: dragon->/var/log/auth.log
Rule: 40101 fired (level 12) -> "System user successfully logged to the system."
Portion of the log(s):

Dec 29 06:25:01 dragon su[30607]: + ??? root:nobody
My /var/log/auth.log looked like this

Code:
Dec 29 05:00:02 dragon CRON[29410]: (pam_unix) session closed for user root
Dec 29 05:09:01 dragon CRON[29552]: (pam_unix) session opened for user root by (uid=0)
Dec 29 05:09:01 dragon CRON[29552]: (pam_unix) session closed for user root
Dec 29 05:17:01 dragon CRON[29677]: (pam_unix) session opened for user root by (uid=0)
Dec 29 05:17:01 dragon CRON[29677]: (pam_unix) session closed for user root
Dec 29 05:30:01 dragon CRON[29836]: (pam_unix) session opened for user root by (uid=0)
Dec 29 05:30:01 dragon CRON[29836]: (pam_unix) session closed for user root
Dec 29 05:39:01 dragon CRON[29949]: (pam_unix) session opened for user root by (uid=0)
Dec 29 05:39:01 dragon CRON[29949]: (pam_unix) session closed for user root
Dec 29 06:00:01 dragon CRON[30209]: (pam_unix) session opened for user root by (uid=0)
Dec 29 06:00:01 dragon CRON[30211]: (pam_unix) session opened for user root by (uid=0)
Dec 29 06:00:01 dragon CRON[30211]: (pam_unix) session closed for user root
Dec 29 06:00:02 dragon CRON[30209]: (pam_unix) session closed for user root
Dec 29 06:09:01 dragon CRON[30370]: (pam_unix) session opened for user root by (uid=0)
Dec 29 06:09:01 dragon CRON[30370]: (pam_unix) session closed for user root
Dec 29 06:17:01 dragon CRON[30476]: (pam_unix) session opened for user root by (uid=0)
Dec 29 06:17:01 dragon CRON[30476]: (pam_unix) session closed for user root
Dec 29 06:25:01 dragon CRON[30576]: (pam_unix) session opened for user root by (uid=0)
Dec 29 06:25:01 dragon su[30607]: Successful su for nobody by root
Dec 29 06:25:01 dragon su[30607]: + ??? root:nobody
Dec 29 06:25:01 dragon su[30607]: (pam_unix) session opened for user nobody by (uid=0)
Dec 29 06:25:01 dragon su[30607]: (pam_unix) session closed for user nobody
Dec 29 06:25:01 dragon su[30609]: Successful su for nobody by root
Dec 29 06:25:01 dragon su[30609]: + ??? root:nobody
Dec 29 06:25:01 dragon su[30609]: (pam_unix) session opened for user nobody by (uid=0)
Dec 29 06:25:01 dragon su[30609]: (pam_unix) session closed for user nobody
Dec 29 06:25:01 dragon su[30611]: Successful su for nobody by root
Dec 29 06:25:01 dragon su[30611]: + ??? root:nobody
Dec 29 06:25:01 dragon su[30611]: (pam_unix) session opened for user nobody by (uid=0)
Dec 29 06:25:03 dragon su[30611]: (pam_unix) session closed for user nobody
Dec 29 06:26:35 dragon CRON[30576]: (pam_unix) session closed for user root
Dec 29 06:30:01 dragon CRON[11022]: (pam_unix) session opened for user root by (uid=0)
Dec 29 06:30:01 dragon CRON[11022]: (pam_unix) session closed for user root
Dec 29 06:39:01 dragon CRON[11135]: (pam_unix) session opened for user root by (uid=0)
Dec 29 06:39:01 dragon CRON[11135]: (pam_unix) session closed for user root
Dec 29 07:00:01 dragon CRON[11432]: (pam_unix) session opened for user root by (uid=0)


I'm sorry but my English is not good ;( Please help me

Last edited by smoko; 29th December 2007 at 11:55.
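The two questions in the post (what gid 65534 means, and whether the su lines are something to worry about) are the kind of thing a responder answers by scripting the checks rather than reading the files by eye. The following Python is an added example, not code from the post or from OSSEC. It audits a passwd listing for the things that matter in a compromise (uid-0 accounts other than root, duplicate uids, entries that have been commented out, and the accounts sharing gid 65534, which on Debian/Ubuntu is the shared "nogroup" used by daemon accounts with no private group) and then correlates the su events in an auth.log extract with the CRON root sessions open at the same time, marking those that ran with no controlling terminal (the "???" tty field) inside a cron session for review. The sample data is constructed to mirror the post; the "toor" line is added only so the uid-0 check has something to find, and the syslog year is assumed to be 2007.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the post's listing. The "toor" entry is NOT from
# the post; it is added here only to exercise the uid-0 check.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
#games:x:5:60:games:/usr/games:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
fetchmail:x:104:65534::/var/lib/fetchmail:/bin/sh
smoko:x:1000:1000:SMOKO,,,:/home/smoko:/bin/bash
toor:x:0:0:constructed example:/root:/bin/bash
"""

# Constructed extract of the post's auth.log (same pids and times as the post).
SAMPLE_AUTH = """\
Dec 29 06:25:01 dragon CRON[30576]: (pam_unix) session opened for user root by (uid=0)
Dec 29 06:25:01 dragon su[30607]: Successful su for nobody by root
Dec 29 06:25:01 dragon su[30607]: + ??? root:nobody
Dec 29 06:25:01 dragon su[30607]: (pam_unix) session opened for user nobody by (uid=0)
Dec 29 06:25:01 dragon su[30607]: (pam_unix) session closed for user nobody
Dec 29 06:26:35 dragon CRON[30576]: (pam_unix) session closed for user root
Dec 29 06:30:01 dragon CRON[11022]: (pam_unix) session opened for user root by (uid=0)
Dec 29 06:30:01 dragon CRON[11022]: (pam_unix) session closed for user root
"""

NOGROUP_GID = 65534  # Debian/Ubuntu "nogroup": shared by daemons that have no private group


def audit_passwd(text):
    """Return the findings a responder checks first in a passwd listing."""
    findings = {"commented": [], "uid0": [], "nogroup": [], "bad_fields": []}
    seen = defaultdict(list)  # uid -> account names carrying that uid
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            # glibc skips '#' lines, so the account is disabled; no standard tool writes this
            findings["commented"].append(line[1:].split(":")[0])
            continue
        fields = line.split(":")
        if len(fields) != 7:  # passwd entries always have exactly seven fields
            findings["bad_fields"].append(line)
            continue
        name, uid, gid = fields[0], int(fields[2]), int(fields[3])
        seen[uid].append(name)
        if uid == 0 and name != "root":
            findings["uid0"].append(name)
        if gid == NOGROUP_GID:
            findings["nogroup"].append(name)
    findings["dup_uid"] = {u: names for u, names in seen.items() if len(names) > 1}
    return findings


LOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (\w+)\[(\d+)\]: (.*)$")
SU_RE = re.compile(r"Successful su for (\S+) by (\S+)")
SU_TTY_RE = re.compile(r"\+ (\S+) (\S+):(\S+)")  # su logs "+ <tty> <from>:<to>"


def _ts(stamp, year):
    # syslog stamps carry no year, so the caller supplies one (2007 assumed for the sample)
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def su_events(text, year=2007):
    """Pair each su pid's 'Successful su' line with its '+ tty from:to' line and
    mark for review the ones that ran with no tty while a CRON root session was open."""
    cron_open, cron_sessions, sus = {}, [], {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        t, prog, pid, msg = _ts(m.group(1), year), m.group(2), m.group(3), m.group(4)
        if prog == "CRON":
            if "session opened for user root" in msg:
                cron_open[pid] = t
            elif "session closed for user root" in msg and pid in cron_open:
                cron_sessions.append((cron_open.pop(pid), t))
        elif prog == "su":
            ev = sus.setdefault(pid, {"pid": pid, "time": t})
            if (s := SU_RE.search(msg)):
                ev["target"], ev["by"] = s.group(1), s.group(2)
            elif (s := SU_TTY_RE.search(msg)):
                ev["tty"] = s.group(1)  # '???' means no controlling terminal (scripted, not typed)
    for ev in sus.values():
        ev["in_cron"] = any(a <= ev["time"] <= b for a, b in cron_sessions)
        ev["review"] = ev.get("tty") == "???" and ev["in_cron"]
    return sorted(sus.values(), key=lambda e: (e["time"], int(e["pid"])))


if __name__ == "__main__":
    for key, val in audit_passwd(SAMPLE_PASSWD).items():
        print(f"{key:10} {val}")
    for ev in su_events(SAMPLE_AUTH):
        print(ev)
```

The passwd side answers the gid question directly: every account it lists under "nogroup" is a stock daemon account, and the real anomaly is any extra uid-0 name or the commented-out line. The log side does not decide whether the su to nobody is malicious; an su with no tty inside a root cron session is exactly what a cron job that drops privileges looks like, so the output is a list to reconcile against /etc/crontab and /etc/cron.* rather than a verdict.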