Old 29th December 2007, 11:48
smoko
Hacking attack (ubuntu 7.04 server + local root exploit on kernel)

Hello

My server was attacked by a hacker. He told me about this.

My /etc/passwd was changed:

HTML Code:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
#games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
dhcp:x:100:101::/nonexistent:/bin/false
syslog:x:101:102::/home/syslog:/bin/false
klog:x:102:103::/home/klog:/bin/false
smoko:x:1000:1000:SMOKO,,,:/home/smoko:/bin/bash
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
fetchmail:x:104:65534::/var/lib/fetchmail:/bin/sh
bind:x:105:110::/var/cache/bind:/bin/false
mysql:x:106:111:MySQL Server,,,:/var/lib/mysql:/bin/false
postfix:x:107:113::/var/spool/postfix:/bin/false
proftpd:x:108:65534::/var/run/proftpd:/bin/false
ftp:x:109:65534::/home/ftp:/bin/false
ntp:x:110:115::/home/ntp:/bin/false
admispconfig:x:1001:1001:Administrator ISPConfig:/home/admispconfig:/bin/bash
ossec:x:1002:1002::/var/ossec:/bin/false
ossecm:x:1003:1002::/var/ossec:/bin/false
ossecr:x:1004:1002::/var/ossec:/bin/false
Group number 65534, what is this?? This was changed by the hacker (the user games was added by the hacker).

I installed OSSEC monitoring and I got this info by e-mail:

HTML Code:
OSSEC HIDS Notification.
2007 Dec 29 06:25:02

Received From: dragon->/var/log/auth.log
Rule: 40101 fired (level 12) -> "System user successfully logged to the system."
Portion of the log(s):

Dec 29 06:25:01 dragon su[30607]: + ??? root:nobody
My /var/log/auth.log was like this:

HTML Code:
Dec 29 05:00:02 dragon CRON[29410]: (pam_unix) session closed for user root
Dec 29 05:09:01 dragon CRON[29552]: (pam_unix) session opened for user root by (uid=0)
Dec 29 05:09:01 dragon CRON[29552]: (pam_unix) session closed for user root
Dec 29 05:17:01 dragon CRON[29677]: (pam_unix) session opened for user root by (uid=0)
Dec 29 05:17:01 dragon CRON[29677]: (pam_unix) session closed for user root
Dec 29 05:30:01 dragon CRON[29836]: (pam_unix) session opened for user root by (uid=0)
Dec 29 05:30:01 dragon CRON[29836]: (pam_unix) session closed for user root
Dec 29 05:39:01 dragon CRON[29949]: (pam_unix) session opened for user root by (uid=0)
Dec 29 05:39:01 dragon CRON[29949]: (pam_unix) session closed for user root
Dec 29 06:00:01 dragon CRON[30209]: (pam_unix) session opened for user root by (uid=0)
Dec 29 06:00:01 dragon CRON[30211]: (pam_unix) session opened for user root by (uid=0)
Dec 29 06:00:01 dragon CRON[30211]: (pam_unix) session closed for user root
Dec 29 06:00:02 dragon CRON[30209]: (pam_unix) session closed for user root
Dec 29 06:09:01 dragon CRON[30370]: (pam_unix) session opened for user root by (uid=0)
Dec 29 06:09:01 dragon CRON[30370]: (pam_unix) session closed for user root
Dec 29 06:17:01 dragon CRON[30476]: (pam_unix) session opened for user root by (uid=0)
Dec 29 06:17:01 dragon CRON[30476]: (pam_unix) session closed for user root
Dec 29 06:25:01 dragon CRON[30576]: (pam_unix) session opened for user root by (uid=0)
Dec 29 06:25:01 dragon su[30607]: Successful su for nobody by root
Dec 29 06:25:01 dragon su[30607]: + ??? root:nobody
Dec 29 06:25:01 dragon su[30607]: (pam_unix) session opened for user nobody by (uid=0)
Dec 29 06:25:01 dragon su[30607]: (pam_unix) session closed for user nobody
Dec 29 06:25:01 dragon su[30609]: Successful su for nobody by root
Dec 29 06:25:01 dragon su[30609]: + ??? root:nobody
Dec 29 06:25:01 dragon su[30609]: (pam_unix) session opened for user nobody by (uid=0)
Dec 29 06:25:01 dragon su[30609]: (pam_unix) session closed for user nobody
Dec 29 06:25:01 dragon su[30611]: Successful su for nobody by root
Dec 29 06:25:01 dragon su[30611]: + ??? root:nobody
Dec 29 06:25:01 dragon su[30611]: (pam_unix) session opened for user nobody by (uid=0)
Dec 29 06:25:03 dragon su[30611]: (pam_unix) session closed for user nobody
Dec 29 06:26:35 dragon CRON[30576]: (pam_unix) session closed for user root
Dec 29 06:30:01 dragon CRON[11022]: (pam_unix) session opened for user root by (uid=0)
Dec 29 06:30:01 dragon CRON[11022]: (pam_unix) session closed for user root
Dec 29 06:39:01 dragon CRON[11135]: (pam_unix) session opened for user root by (uid=0)
Dec 29 06:39:01 dragon CRON[11135]: (pam_unix) session closed for user root
Dec 29 07:00:01 dragon CRON[11432]: (pam_unix) session opened for user root by (uid=0)


I'm sorry but my English is not good ;( Please help me.

Last edited by smoko; 29th December 2007 at 11:55.
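The two artefacts in the post, a hand-edited /etc/passwd and a run of su switches from a root cron session into the nobody account, are exactly what a small triage script should check first. The following is an added example (not code from the post, from OSSEC or from ISPConfig) that parses passwd-format text and auth.log lines modelled on the excerpts above. It flags lines commented out with # (glibc's files backend skips such lines, so the account simply disappears; userdel and usermod -L never produce this, so it is always a manual edit), extra uid-0 accounts and shared uids, and then correlates the two lines su writes per switch to report switches into system accounts, the same signal OSSEC's rule 40101 alerted on. The sample data is constructed: the toor entry is a hypothetical uid-0 account added only to exercise the duplicate-uid check, and the system-account test (uid below 1000, or nobody's 65534) is an assumption based on the Debian/Ubuntu uid convention.

```python
import re
from collections import Counter

# Constructed sample modelled on the /etc/passwd quoted in the post. "toor" is a
# hypothetical extra uid-0 account added here only to exercise the checks.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
#games:x:5:60:games:/usr/games:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
smoko:x:1000:1000:SMOKO,,,:/home/smoko:/bin/bash
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
toor:x:0:0:hypothetical:/root:/bin/bash
"""

# Constructed sample modelled on the auth.log excerpt in the post.
SAMPLE_AUTH_LOG = """\
Dec 29 06:25:01 dragon CRON[30576]: (pam_unix) session opened for user root by (uid=0)
Dec 29 06:25:01 dragon su[30607]: Successful su for nobody by root
Dec 29 06:25:01 dragon su[30607]: + ??? root:nobody
Dec 29 06:25:01 dragon su[30609]: Successful su for nobody by root
Dec 29 06:25:01 dragon su[30609]: + ??? root:nobody
Dec 29 06:30:01 dragon CRON[11022]: (pam_unix) session opened for user root by (uid=0)
"""

# Assumption: Debian/Ubuntu convention, uids below 1000 are system accounts and
# nobody/nogroup sit at 65534 outside that range.
SYSTEM_UID_MAX = 999
NOBODY_UID = 65534


def parse_passwd(text):
    """Parse passwd-format text; return (entries, findings) where findings are strings."""
    entries, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # glibc skips '#' lines, so the account vanishes; no standard tool writes this.
            findings.append(f"line {lineno}: hand-commented entry {line.split(':')[0]}")
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"line {lineno}: malformed entry ({len(fields)} fields)")
            continue
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "home": home, "shell": shell})
    for e in entries:
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(f"extra uid-0 account: {e['name']}")
    for uid, n in Counter(e["uid"] for e in entries).items():
        if n > 1:
            findings.append(f"uid {uid} shared by {n} accounts")
    return entries, findings


# su logs one "Successful su for TARGET by CALLER" line and one "+ TTY CALLER:TARGET"
# line per switch, both tagged with the same pid.
SU_LINE = re.compile(r"su\[(\d+)\]: Successful su for (\S+) by (\S+)")
SU_TTY = re.compile(r"su\[(\d+)\]: \+ (\S+) (\S+):(\S+)")


def parse_su_events(text, entries):
    """Correlate su log lines by pid; return (all events, events into system accounts)."""
    uids = {e["name"]: e["uid"] for e in entries}
    events = {}
    for line in text.splitlines():
        m = SU_LINE.search(line)
        if m:
            pid, target, by = m.groups()
            events[pid] = {"pid": pid, "target": target, "by": by, "tty": None}
            continue
        m = SU_TTY.search(line)
        if m and m.group(1) in events:
            events[m.group(1)]["tty"] = m.group(2)  # "???" means no controlling tty
    flagged = []
    for ev in events.values():
        uid = uids.get(ev["target"])
        if uid is not None and (uid <= SYSTEM_UID_MAX or uid == NOBODY_UID):
            flagged.append(ev)
    return list(events.values()), flagged


if __name__ == "__main__":
    entries, findings = parse_passwd(SAMPLE_PASSWD)
    for f in findings:
        print("passwd:", f)
    _, flagged = parse_su_events(SAMPLE_AUTH_LOG, entries)
    for ev in flagged:
        print(f"su into system account {ev['target']} by {ev['by']} (tty {ev['tty']}, pid {ev['pid']})")
```

Run it against a real /etc/passwd and auth.log by reading the files into the two functions; a tty of "???" on every flagged switch, as in the post, points at a non-interactive caller such as a cron job rather than someone at a terminal, which is where to look next.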