  #1  
29th December 2007, 11:48
smoko
Hacking attack (ubuntu 7.04 server + local root exploit on kernel)

Hello

My server was attacked by a hacker. He told me about this.

my /etc/passwd was changed

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
#games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
dhcp:x:100:101::/nonexistent:/bin/false
syslog:x:101:102::/home/syslog:/bin/false
klog:x:102:103::/home/klog:/bin/false
smoko:x:1000:1000:SMOKO,,,:/home/smoko:/bin/bash
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
fetchmail:x:104:65534::/var/lib/fetchmail:/bin/sh
bind:x:105:110::/var/cache/bind:/bin/false
mysql:x:106:111:MySQL Server,,,:/var/lib/mysql:/bin/false
postfix:x:107:113::/var/spool/postfix:/bin/false
proftpd:x:108:65534::/var/run/proftpd:/bin/false
ftp:x:109:65534::/home/ftp:/bin/false
ntp:x:110:115::/home/ntp:/bin/false
admispconfig:x:1001:1001:Administrator ISPConfig:/home/admispconfig:/bin/bash
ossec:x:1002:1002::/var/ossec:/bin/false
ossecm:x:1003:1002::/var/ossec:/bin/false
ossecr:x:1004:1002::/var/ossec:/bin/false
What is group number 65534?? This was changed by the hacker (user games was added by the hacker)

I installed OSSEC monitoring and I got this info by e-mail

OSSEC HIDS Notification. 2007 Dec 29 06:25:02 Received From: dragon->/var/log/auth.log Rule: 40101 fired (level 12) -> "System user successfully logged to the system." Portion of the log(s): Dec 29 06:25:01 dragon su[30607]: + ??? root:nobody
My /var/log/auth.log looked like this

Dec 29 05:00:02 dragon CRON[29410]: (pam_unix) session closed for user root
Dec 29 05:09:01 dragon CRON[29552]: (pam_unix) session opened for user root by (uid=0)
Dec 29 05:09:01 dragon CRON[29552]: (pam_unix) session closed for user root
Dec 29 05:17:01 dragon CRON[29677]: (pam_unix) session opened for user root by (uid=0)
Dec 29 05:17:01 dragon CRON[29677]: (pam_unix) session closed for user root
Dec 29 05:30:01 dragon CRON[29836]: (pam_unix) session opened for user root by (uid=0)
Dec 29 05:30:01 dragon CRON[29836]: (pam_unix) session closed for user root
Dec 29 05:39:01 dragon CRON[29949]: (pam_unix) session opened for user root by (uid=0)
Dec 29 05:39:01 dragon CRON[29949]: (pam_unix) session closed for user root
Dec 29 06:00:01 dragon CRON[30209]: (pam_unix) session opened for user root by (uid=0)
Dec 29 06:00:01 dragon CRON[30211]: (pam_unix) session opened for user root by (uid=0)
Dec 29 06:00:01 dragon CRON[30211]: (pam_unix) session closed for user root
Dec 29 06:00:02 dragon CRON[30209]: (pam_unix) session closed for user root
Dec 29 06:09:01 dragon CRON[30370]: (pam_unix) session opened for user root by (uid=0)
Dec 29 06:09:01 dragon CRON[30370]: (pam_unix) session closed for user root
Dec 29 06:17:01 dragon CRON[30476]: (pam_unix) session opened for user root by (uid=0)
Dec 29 06:17:01 dragon CRON[30476]: (pam_unix) session closed for user root
Dec 29 06:25:01 dragon CRON[30576]: (pam_unix) session opened for user root by (uid=0)
Dec 29 06:25:01 dragon su[30607]: Successful su for nobody by root
Dec 29 06:25:01 dragon su[30607]: + ??? root:nobody
Dec 29 06:25:01 dragon su[30607]: (pam_unix) session opened for user nobody by (uid=0)
Dec 29 06:25:01 dragon su[30607]: (pam_unix) session closed for user nobody
Dec 29 06:25:01 dragon su[30609]: Successful su for nobody by root
Dec 29 06:25:01 dragon su[30609]: + ??? root:nobody
Dec 29 06:25:01 dragon su[30609]: (pam_unix) session opened for user nobody by (uid=0)
Dec 29 06:25:01 dragon su[30609]: (pam_unix) session closed for user nobody
Dec 29 06:25:01 dragon su[30611]: Successful su for nobody by root
Dec 29 06:25:01 dragon su[30611]: + ??? root:nobody
Dec 29 06:25:01 dragon su[30611]: (pam_unix) session opened for user nobody by (uid=0)
Dec 29 06:25:03 dragon su[30611]: (pam_unix) session closed for user nobody
Dec 29 06:26:35 dragon CRON[30576]: (pam_unix) session closed for user root
Dec 29 06:30:01 dragon CRON[11022]: (pam_unix) session opened for user root by (uid=0)
Dec 29 06:30:01 dragon CRON[11022]: (pam_unix) session closed for user root
Dec 29 06:39:01 dragon CRON[11135]: (pam_unix) session opened for user root by (uid=0)
Dec 29 06:39:01 dragon CRON[11135]: (pam_unix) session closed for user root
Dec 29 07:00:01 dragon CRON[11432]: (pam_unix) session opened for user root by (uid=0)


I'm sorry but my English is not good ;( Please help me

Last edited by smoko; 29th December 2007 at 11:55.
  #2  
29th December 2007, 16:38
till

If you want to know the name of the group, have a look at the /etc/group file.

Did you install all available updates for your linux distribution?

Please check your system with rkhunter: http://www.rootkit.nl
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
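The /etc/passwd and /etc/group review Till suggests, written out as an added Python example (it is not code from the thread or from the ISPConfig project). It parses an excerpt of the /etc/passwd that was posted together with a constructed /etc/group whose names are the Debian/Ubuntu defaults (gid 65534 is "nogroup" there), resolves the group smoko asked about, and lists the things a defender wants to eyeball after a suspected compromise: extra uid-0 accounts, primary gids with no group entry, commented-out lines, and accounts that still have a login shell.

```python
import collections

# Excerpt of the /etc/passwd listing posted in the thread (post #1); the
# commented-out "games" line is kept exactly as posted.
PASSWD_EXCERPT = """\
root:x:0:0:root:/root:/bin/bash
sync:x:4:65534:sync:/bin:/bin/sync
#games:x:5:60:games:/usr/games:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
smoko:x:1000:1000:SMOKO,,,:/home/smoko:/bin/bash
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
fetchmail:x:104:65534::/var/lib/fetchmail:/bin/sh
mysql:x:106:111:MySQL Server,,,:/var/lib/mysql:/bin/false
proftpd:x:108:65534::/var/run/proftpd:/bin/false
ftp:x:109:65534::/home/ftp:/bin/false
admispconfig:x:1001:1001:Administrator ISPConfig:/home/admispconfig:/bin/bash
ossec:x:1002:1002::/var/ossec:/bin/false
"""

# Constructed /etc/group sample (the thread never shows one). The names are
# the Debian/Ubuntu defaults; gid 65534 is "nogroup" there.
GROUP_SAMPLE = """\
root:x:0:
www-data:x:33:
nogroup:x:65534:
smoko:x:1000:
mysql:x:111:
admispconfig:x:1001:
ossec:x:1002:
"""

# Shells that cannot start an interactive session.
NON_LOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin", "/bin/sync"}


def parse_passwd(text):
    """Return (accounts, commented_lines). passwd has no comment syntax, so a
    line starting with '#' is reported rather than silently skipped."""
    accounts, commented = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            commented.append(line)
            continue
        name, _pw, uid, gid, _gecos, _home, shell = line.split(":", 6)
        accounts.append({"name": name, "uid": int(uid), "gid": int(gid), "shell": shell})
    return accounts, commented


def parse_group(text):
    """Map numeric gid -> group name."""
    groups = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, gid, _members = line.split(":", 3)
            groups[int(gid)] = name
    return groups


def audit(passwd_text, group_text):
    accounts, commented = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    by_gid = collections.defaultdict(list)
    for acct in accounts:
        by_gid[acct["gid"]].append(acct["name"])
    return {
        # a second uid-0 account is the classic passwd backdoor
        "uid0": [a["name"] for a in accounts if a["uid"] == 0],
        # primary gids that have no /etc/group entry at all
        "unknown_gid": sorted(g for g in by_gid if g not in groups),
        "commented": commented,
        # who shares each primary group, keyed by the resolved group name
        "group_members": {groups.get(g, "gid %d" % g): names for g, names in by_gid.items()},
        # accounts that could still get an interactive shell
        "login_shells": [a["name"] for a in accounts if a["shell"] not in NON_LOGIN_SHELLS],
    }


if __name__ == "__main__":
    for key, value in audit(PASSWD_EXCERPT, GROUP_SAMPLE).items():
        print(key, value)
```

On the posted excerpt this resolves 65534 to nogroup and shows six stock system accounts (sync, nobody, sshd, fetchmail, proftpd, ftp) sharing it, which is the normal Ubuntu layout rather than a sign of tampering. The commented "#games" line is the one genuinely odd entry and is reported as such; whether it was edited by hand is something to check against a known-good package copy, not something the file alone can tell you.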
  #3  
25th May 2008, 20:38
linuxbitch
hello

For the admin of the server that was hacked ..
what is your Ubuntu kernel version?
and I wanna tell ya .. rk-hunter doesn't work all the time .. believe me .. ) .. if .. the rk is a trojan .. yes it is possible to be detected .. if it is not .. then you have a problem .. or .. if the man who entered your comp .. didn't put a rootkit on it .. then you'll have a prob ..
try a socklist .. and see the ports ..
if you are interested to talk more about that .. killer_judge2001@yahoo.com
contact me!
  #4  
26th August 2008, 23:56
houms
Hacking Attack????

Looking at your log, it does not appear to be something you need to worry about. Those entries are showing a cron job doing its thing. It is not something you need to worry about. I have the same entries in my log.

Root is 'su'ing to 'nobody' to run a scheduled system service or a cron job...It starts the service then hands it over to 'nobody'.

Oh, and 65534 is the uid for user 'nobody'. You probably have cron jobs running for various services... you may also want to check your /etc/cron.daily/ directory.

Last edited by houms; 27th August 2008 at 00:01.
  #5  
15th September 2013, 05:05
daddyfish
Indexing cron for "locate" command.

I think some will appreciate this addition to this old thread. I spent some time figuring this out.

The cron job that runs the index update for the locate command causes the following log entries in auth.log:

Sep 14 22:48:14 mydomain su[24053]: Successful su for nobody by root
Sep 14 22:48:14 mydomain su[24053]: + ??? root:nobody
Sep 14 22:48:14 mydomain su[24053]: pam_unix(su:session): session opened for user nobody by (uid=0)
Sep 14 22:48:14 mydomain su[24053]: pam_unix(su:session): session closed for user nobody
Sep 14 22:48:14 mydomain su[24055]: Successful su for nobody by root
Sep 14 22:48:14 mydomain su[24055]: + ??? root:nobody
Sep 14 22:48:14 mydomain su[24055]: pam_unix(su:session): session opened for user nobody by (uid=0)
Sep 14 22:48:14 mydomain su[24055]: pam_unix(su:session): session closed for user nobody
Sep 14 22:48:14 mydomain su[24057]: Successful su for nobody by root
Sep 14 22:48:14 mydomain su[24057]: + /dev/pts/0 root:nobody
Sep 14 22:48:14 mydomain su[24057]: pam_unix(su:session): session opened for user nobody by myself(uid=0)
Sep 14 22:48:20 mydomain su[24057]: pam_unix(su:session): session closed for user nobody

Although these types of log entries look very suspicious, especially in the auth.log, they are quite normal if the locate command is installed. Also, other cron jobs or actions may make similar entries.

If you wish to see this for yourself, run "/etc/cron.daily/locate" as root or "sudo /etc/cron.daily/locate" as sudoer, then inspect /var/log/auth.log

Hopefully this will lay unwarranted fears to rest!

Last edited by daddyfish; 15th September 2013 at 05:10.
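To turn houms' and daddyfish's explanation into a repeatable triage check, here is an added Python example (not code from the thread). It walks auth.log in order, pairs each su process's "Successful su" line with its "+ tty from:to" line, records whether the tty is "???" (no controlling terminal, which is what a cron job looks like) and whether a CRON session for root was open on that host at that moment, and flags only the su events that do not fit the cron pattern. The sample log is assembled from the lines quoted in posts #1 and #5; the hostnames and pids are theirs.

```python
import re
from collections import defaultdict

# auth.log lines quoted in the thread (post #1, host "dragon", and post #5,
# host "mydomain"), joined here into one sample for the check below.
SAMPLE_LOG = """\
Dec 29 06:25:01 dragon CRON[30576]: (pam_unix) session opened for user root by (uid=0)
Dec 29 06:25:01 dragon su[30607]: Successful su for nobody by root
Dec 29 06:25:01 dragon su[30607]: + ??? root:nobody
Dec 29 06:25:01 dragon su[30607]: (pam_unix) session opened for user nobody by (uid=0)
Dec 29 06:25:01 dragon su[30607]: (pam_unix) session closed for user nobody
Dec 29 06:25:01 dragon su[30609]: Successful su for nobody by root
Dec 29 06:25:01 dragon su[30609]: + ??? root:nobody
Dec 29 06:25:01 dragon su[30609]: (pam_unix) session opened for user nobody by (uid=0)
Dec 29 06:25:01 dragon su[30609]: (pam_unix) session closed for user nobody
Dec 29 06:26:35 dragon CRON[30576]: (pam_unix) session closed for user root
Sep 14 22:48:14 mydomain su[24057]: Successful su for nobody by root
Sep 14 22:48:14 mydomain su[24057]: + /dev/pts/0 root:nobody
Sep 14 22:48:14 mydomain su[24057]: pam_unix(su:session): session opened for user nobody by myself(uid=0)
Sep 14 22:48:20 mydomain su[24057]: pam_unix(su:session): session closed for user nobody
"""

# "Mon DD HH:MM:SS host prog[pid]: message" (classic syslog layout, no year)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
SU_OK_RE = re.compile(r"^Successful su for (?P<to>\S+) by (?P<by>\S+)$")
# su logs "+ <tty> <from>:<to>"; the tty is "???" when there is no terminal
SU_TTY_RE = re.compile(r"^\+ (?P<tty>\S+) (?P<from>[^:]+):(?P<to>\S+)$")


def classify_su_events(lines):
    """Emit one record per su process, with its tty and whether a CRON root
    session was open on the same host when the su happened."""
    open_cron = defaultdict(set)   # host -> pids of CRON root sessions currently open
    pending = {}                   # (host, pid) -> su record waiting for its tty line
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        host, prog, pid, msg = m["host"], m["prog"], m["pid"], m["msg"]
        if prog == "CRON":
            if "session opened for user root" in msg:
                open_cron[host].add(pid)
            elif "session closed for user root" in msg:
                open_cron[host].discard(pid)
            continue
        if prog != "su":
            continue
        key = (host, pid)
        ok = SU_OK_RE.match(msg)
        if ok:
            pending[key] = {
                "ts": m["ts"], "host": host, "pid": pid,
                "from": ok["by"], "to": ok["to"], "tty": None,
                "under_cron": bool(open_cron[host]),
            }
            continue
        tty = SU_TTY_RE.match(msg)
        if tty and key in pending:
            rec = pending.pop(key)
            rec["tty"] = tty["tty"]
            rec["interactive"] = tty["tty"] != "???"
            events.append(rec)
    return events


def suspicious(events):
    """su events that do not look like a cron job dropping privileges: a real
    terminal was attached, or no CRON root session was open at the time."""
    return [e for e in events if e["interactive"] or not e["under_cron"]]


if __name__ == "__main__":
    evs = classify_su_events(SAMPLE_LOG.splitlines())
    for e in evs:
        print(e["host"], e["pid"], e["from"], "->", e["to"], "tty", e["tty"],
              "cron" if e["under_cron"] else "no-cron")
    print("needs a look:", [e["pid"] for e in suspicious(evs)])
```

On this sample the two su events from smoko's log (pids 30607 and 30609) have tty "???" and sit inside CRON[30576]'s open root session, so they are classified as cron-driven and not flagged. The third event is the one daddyfish produced by running /etc/cron.daily/locate by hand from a terminal: its tty is /dev/pts/0 and no CRON session is open, so it is the only event returned by suspicious(), which is exactly the distinction the thread is drawing. Two caveats apply: the CRON pairing depends on the root cron session being logged before the su (true for pam-enabled cron, as in the quoted logs), and a log on a box where the attacker already has root can have been edited, so a clean result from this check is consistent with the cron explanation but is not proof on its own.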