Hacking attack (ubuntu 7.04 server + local root exploit on kernel)

Discussion in 'General' started by smoko, Dec 29, 2007.

  1. smoko

    smoko New Member

    Hello

    My server was attack hacker. He tell me about this.

    my /etc/passwd was changed

    HTML:
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/bin/sh
    bin:x:2:2:bin:/bin:/bin/sh
    sys:x:3:3:sys:/dev:/bin/sh
    sync:x:4:65534:sync:/bin:/bin/sync
    #games:x:5:60:games:/usr/games:/bin/sh
    man:x:6:12:man:/var/cache/man:/bin/sh
    lp:x:7:7:lp:/var/spool/lpd:/bin/sh
    mail:x:8:8:mail:/var/mail:/bin/sh
    news:x:9:9:news:/var/spool/news:/bin/sh
    uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
    proxy:x:13:13:proxy:/bin:/bin/sh
    www-data:x:33:33:www-data:/var/www:/bin/sh
    backup:x:34:34:backup:/var/backups:/bin/sh
    list:x:38:38:Mailing List Manager:/var/list:/bin/sh
    irc:x:39:39:ircd:/var/run/ircd:/bin/sh
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
    nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
    dhcp:x:100:101::/nonexistent:/bin/false
    syslog:x:101:102::/home/syslog:/bin/false
    klog:x:102:103::/home/klog:/bin/false
    smoko:x:1000:1000:SMOKO,,,:/home/smoko:/bin/bash
    sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
    fetchmail:x:104:65534::/var/lib/fetchmail:/bin/sh
    bind:x:105:110::/var/cache/bind:/bin/false
    mysql:x:106:111:MySQL Server,,,:/var/lib/mysql:/bin/false
    postfix:x:107:113::/var/spool/postfix:/bin/false
    proftpd:x:108:65534::/var/run/proftpd:/bin/false
    ftp:x:109:65534::/home/ftp:/bin/false
    ntp:x:110:115::/home/ntp:/bin/false
    admispconfig:x:1001:1001:Administrator ISPConfig:/home/admispconfig:/bin/bash
    ossec:x:1002:1002::/var/ossec:/bin/false
    ossecm:x:1003:1002::/var/ossec:/bin/false
    ossecr:x:1004:1002::/var/ossec:/bin/false
    
    Number of group 65534 what is this?? This is hacker changed (user games was added by hacker)

    I install a OSSEC monitoring a i was get a info on e-mail

    HTML:
    
    OSSEC HIDS Notification. 2007 Dec 29 06:25:02 Received From: dragon->/var/log/auth.log Rule: 40101 fired (level 12) -> "System user successfully logged to the system." Portion of the log(s): Dec 29 06:25:01 dragon su[30607]: + ??? root:nobody
    
    
    My /var/log/auth.log was like that

    HTML:
    
    Dec 29 05:00:02 dragon CRON[29410]: (pam_unix) session closed for user root
    Dec 29 05:09:01 dragon CRON[29552]: (pam_unix) session opened for user root by (uid=0)
    Dec 29 05:09:01 dragon CRON[29552]: (pam_unix) session closed for user root
    Dec 29 05:17:01 dragon CRON[29677]: (pam_unix) session opened for user root by (uid=0)
    Dec 29 05:17:01 dragon CRON[29677]: (pam_unix) session closed for user root
    Dec 29 05:30:01 dragon CRON[29836]: (pam_unix) session opened for user root by (uid=0)
    Dec 29 05:30:01 dragon CRON[29836]: (pam_unix) session closed for user root
    Dec 29 05:39:01 dragon CRON[29949]: (pam_unix) session opened for user root by (uid=0)
    Dec 29 05:39:01 dragon CRON[29949]: (pam_unix) session closed for user root
    Dec 29 06:00:01 dragon CRON[30209]: (pam_unix) session opened for user root by (uid=0)
    Dec 29 06:00:01 dragon CRON[30211]: (pam_unix) session opened for user root by (uid=0)
    Dec 29 06:00:01 dragon CRON[30211]: (pam_unix) session closed for user root
    Dec 29 06:00:02 dragon CRON[30209]: (pam_unix) session closed for user root
    Dec 29 06:09:01 dragon CRON[30370]: (pam_unix) session opened for user root by (uid=0)
    Dec 29 06:09:01 dragon CRON[30370]: (pam_unix) session closed for user root
    Dec 29 06:17:01 dragon CRON[30476]: (pam_unix) session opened for user root by (uid=0)
    Dec 29 06:17:01 dragon CRON[30476]: (pam_unix) session closed for user root
    Dec 29 06:25:01 dragon CRON[30576]: (pam_unix) session opened for user root by (uid=0)
    Dec 29 06:25:01 dragon su[30607]: Successful su for nobody by root
    Dec 29 06:25:01 dragon su[30607]: + ??? root:nobody
    Dec 29 06:25:01 dragon su[30607]: (pam_unix) session opened for user nobody by (uid=0)
    Dec 29 06:25:01 dragon su[30607]: (pam_unix) session closed for user nobody
    Dec 29 06:25:01 dragon su[30609]: Successful su for nobody by root
    Dec 29 06:25:01 dragon su[30609]: + ??? root:nobody
    Dec 29 06:25:01 dragon su[30609]: (pam_unix) session opened for user nobody by (uid=0)
    Dec 29 06:25:01 dragon su[30609]: (pam_unix) session closed for user nobody
    Dec 29 06:25:01 dragon su[30611]: Successful su for nobody by root
    Dec 29 06:25:01 dragon su[30611]: + ??? root:nobody
    Dec 29 06:25:01 dragon su[30611]: (pam_unix) session opened for user nobody by (uid=0)
    Dec 29 06:25:03 dragon su[30611]: (pam_unix) session closed for user nobody
    Dec 29 06:26:35 dragon CRON[30576]: (pam_unix) session closed for user root
    Dec 29 06:30:01 dragon CRON[11022]: (pam_unix) session opened for user root by (uid=0)
    Dec 29 06:30:01 dragon CRON[11022]: (pam_unix) session closed for user root
    Dec 29 06:39:01 dragon CRON[11135]: (pam_unix) session opened for user root by (uid=0)
    Dec 29 06:39:01 dragon CRON[11135]: (pam_unix) session closed for user root
    Dec 29 07:00:01 dragon CRON[11432]: (pam_unix) session opened for user root by (uid=0)
    
    
    


    I'm sorry but my english is not well ;( Please help me
     
    Last edited: Dec 29, 2007
  2. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    If you want to know the name of the group, have a look at the /etc/group file.

    Did you install all available updates for your linux distribution?

    Please check your system with rkhunter: http://www.rootkit.nl
     
  3. linuxbitch

    linuxbitch New Member

    hello

    For The admin server who was hacked ..
    what is your Ubuntu kernel version
    and i wanna tell ya ..rk-hunter don`t work all the time .. belive me .. :D) .. if .. the rk is a troian .. yes is possible to be detect .. if is not .. then you have a problem .. or .. if the man who enter on your comp .. don`t put a rootkit on him .. then you'll have a prob .. :D
    try a socklist .. and see the ports ..
    if you are intrested to talk more about that .. killer_judge2001@yahoo.com
    contact me!
     
  4. houms

    houms New Member

    Hacking Attack????

    looking at your log, it does not appear to be something you need to worry about. those entries are showing a cron job doing its thing. it is not something you need to worry about. I have the same entries in my log:)

    Root is 'su'ing to 'nobody' to run a scheduled system service or a cron job...It starts the service then hands it over to 'nobody'.

    oh, and 65534 is uid for user 'nobody', you probably have cron jobs running for various services... you may also want to check your /etc/cron.daily/ directory.
     
    Last edited: Aug 27, 2008
  5. daddyfish

    daddyfish New Member

    Indexing cron for "locate" command.

    I think some will appreciate this addition to this old thread. I spent some time figuring this out.

    The cron job that runs the index update for the locate command causes the following log entries in auth.log:

    Sep 14 22:48:14 mydomain su[24053]: Successful su for nobody by root
    Sep 14 22:48:14 mydomain su[24053]: + ??? root:nobody
    Sep 14 22:48:14 mydomain su[24053]: pam_unix(su:session): session opened for user nobody by (uid=0)
    Sep 14 22:48:14 mydomain su[24053]: pam_unix(su:session): session closed for user nobody
    Sep 14 22:48:14 mydomain su[24055]: Successful su for nobody by root
    Sep 14 22:48:14 mydomain su[24055]: + ??? root:nobody
    Sep 14 22:48:14 mydomain su[24055]: pam_unix(su:session): session opened for user nobody by (uid=0)
    Sep 14 22:48:14 mydomain su[24055]: pam_unix(su:session): session closed for user nobody
    Sep 14 22:48:14 mydomain su[24057]: Successful su for nobody by root
    Sep 14 22:48:14 mydomain su[24057]: + /dev/pts/0 root:nobody
    Sep 14 22:48:14 mydomain su[24057]: pam_unix(su:session): session opened for user nobody by myself(uid=0)
    Sep 14 22:48:20 mydomain su[24057]: pam_unix(su:session): session closed for user nobody

    Although these types of log entries look very suspecious, especially in the auth.log, they are quite normal if the locate command is installed. Also, other cron jobs or action may make similar entires.

    If you wish to see this for yourself, run "/etc/cron.daily/locate" as root or "sudo /etc/cron.daily/locate" as sudoer, then inspect /var/log/auth.log

    Hopefully this will lay unwarranted fears to rest !
     
    Last edited: Sep 15, 2013

Share This Page