MORE SSH Hacking: heads-up

Alexander Dalloz alexander.dalloz at uni-bielefeld.de
Tue Aug 3 15:36:13 UTC 2004


On Fri, 30.07.2004 at 11:45, Brian Fahrlander wrote:

>     From last night's LogWatch:
> --------------------------------------------------------------------------
> 
> sshd:
>    Invalid Users:
>       Unknown Account: 7 Time(s)
>    Unknown Entries:
>       authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
> rhost=johnstongrain.com  : 2 Time(s)
>       authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
> rhost=smms-mriley09d.chemistry.uq.edu.au  : 2 Time(s)
>       authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
> rhost=211.117.191.70  : 1 Time(s)
>       authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
> rhost=216.97.110.1  : 1 Time(s)
>       authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
> rhost=ccia-062-204-197-193.uned.es  : 1 Time(s)
> 
> su:
>    Sessions Opened:
>       brian(uid=500) -> root: 1 Time(s)
> 
> ------------------------------------------------------------------------
> 
>     Ok, guys- what do we do with this?  Should we be writing down the
> addresses from which these attempts were made? They're probably all
> 'stooge' addresses, I know, but it might help authorities to know what
> other machines have been compromised...
> 
>     I'll go save the log somewhere...
> 
> ------------------------------------------------------------------------

Just got these SSH login attempts from a machine which is obviously
hacked! I did a portscan immediately after the messages occurred in my
log:

$ nmap -vvvv -sS -sV -P0 -O 64.86.78.209
 
Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2004-08-03 16:53
CEST
Host 64.86.78.209 appears to be up ... good.
Initiating SYN Stealth Scan against 64.86.78.209 at 16:53
Adding open port 5101/tcp
Adding open port 23/tcp
adjust_timeout: packet supposedly had rtt of 11522743 microseconds. 
Ignoring time.
adjust_timeout: packet supposedly had rtt of 11516952 microseconds. 
Ignoring time.
adjust_timeout: packet supposedly had rtt of 12503503 microseconds. 
Ignoring time.
adjust_timeout: packet supposedly had rtt of 25062938 microseconds. 
Ignoring time.
Adding open port 818/tcp
adjust_timeout: packet supposedly had rtt of 25019107 microseconds. 
Ignoring time.
adjust_timeout: packet supposedly had rtt of 25985784 microseconds. 
Ignoring time.
Adding open port 111/tcp
Adding open port 22/tcp
Adding open port 1984/tcp
Adding open port 3001/tcp
Adding open port 21/tcp
Adding open port 443/tcp
Adding open port 3000/tcp
adjust_timeout: packet supposedly had rtt of 11461759 microseconds. 
Ignoring time.
Adding open port 5102/tcp
Adding open port 32770/tcp
Adding open port 5100/tcp
Adding open port 80/tcp
Adding open port 3306/tcp
adjust_timeout: packet supposedly had rtt of 11455679 microseconds. 
Ignoring time.
The SYN Stealth Scan took 54 seconds to scan 1657 ports.
Initiating service scan against 15 services on 1 host at 16:54
The service scan took 27 seconds to scan 15 services on 1 host.
Initiating RPCGrind Scan against 64.86.78.209 at 16:54
The RPCGrind Scan took 7 seconds to scan 3 ports.
For OSScan assuming that port 21 is open and port 1 is closed and
neither are firewalled
Interesting ports on 64.86.78.209:
(The 1642 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE  VERSION
21/tcp    open  ftp      vsFTPd 1.1.0
22/tcp    open  ssh      OpenSSH 3.4p1 (protocol 1.99)
23/tcp    open  telnet   Linux telnetd

Telnet is open!

80/tcp    open  http     Apache httpd 2.0.40 ((Red Hat Linux))
111/tcp   open  rpcbind  2 (rpc #100000)
443/tcp   open  ssl/http Apache httpd 2.0.40 ((Red Hat Linux))
818/tcp   open  rquotad  1-2 (rpc #100011)
1984/tcp  open  ssh

See below for port 1984!

3000/tcp  open  ppp?
3001/tcp  open  nessusd?
3306/tcp  open  mysql?
5100/tcp  open  http     Apache httpd 1.3.27 ((Unix) Sun-ONE-ASP/4.0.0)
5101/tcp  open  admdog?
5102/tcp  open  admeng?
32770/tcp open  mountd   1-3 (rpc #100005)
1 service unrecognized despite returning data. If you know the
service/version, please submit the following fingerprint at
http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port1984-TCP:V=3.48%D=8/3%Time=410FA725%r(NULL,20,"SSH-1\.5-FucKiT\x20R
SF:ootKit\x20by\x20Cyrax\n");

ON PORT 1984 THE ROOTKIT SSH IS LISTENING!

Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20

The kernel is a Redhat 2.4.18-4 one - so highly vulnerable. No question
why a rootkit is on this box.

OS Fingerprint:
TSeq(Class=RI%gcd=1%SI=22816B%IPID=Z)
T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
 
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=2261355 (Good luck!)
TCP ISN Seq. Numbers: 33A1C699 33236160 334D5B86 32FCC75A
IPID Sequence Generation: All zeros
 
Nmap run completed -- 1 IP address (1 host up) scanned in 119.684
seconds

I mailed the responsible person according to whois data. We'll see...

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.6-1.435.2.3.ad.umlsmp 
Serendipity 17:31:12 up 2 days, 22:55, load average: 0.39, 0.27, 0.21 
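A small defender-side script, added here as an illustration and not part of Alexander's or Brian's posts, covering the two things the thread turns on: it aggregates sshd authentication failures per source host from raw syslog lines (the per-line data that the LogWatch section above summarises) and it parses SSH identification strings in the RFC 4253 form, so that a listener like the one on port 1984, which presents a non-OpenSSH banner on a port where no SSH service belongs, stands out in an inventory check. The log lines, host names and addresses are constructed samples; the failure threshold, the "expected ports" set and the OpenSSH-only baseline are assumptions for the example, not values from the thread.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Constructed sample syslog lines in the pam_unix / sshd format that LogWatch
# summarises; hosts use documentation ranges and are not from the thread.
SAMPLE_SYSLOG = """\
Aug  3 02:14:07 gw sshd(pam_unix)[2841]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10
Aug  3 02:14:11 gw sshd(pam_unix)[2843]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10
Aug  3 02:14:15 gw sshd(pam_unix)[2845]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10  user=root
Aug  3 02:20:40 gw sshd(pam_unix)[2901]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=host.example.net
Aug  3 02:31:02 gw sshd[2950]: Illegal user test from 198.51.100.7
Aug  3 02:31:05 gw sshd[2952]: Illegal user guest from 198.51.100.7
Aug  3 03:00:00 gw sshd[3001]: Accepted publickey for brian from 203.0.113.5 port 40122 ssh2
"""

# PAM failure line (any sshd process tag) carrying the remote host field.
AUTH_FAIL_RE = re.compile(r"sshd\S*: authentication failure;.*?\brhost=(\S+)")
# OpenSSH 3.x logged "Illegal user"; later releases say "Invalid user".
BAD_USER_RE = re.compile(r"sshd\[\d+\]: (?:Illegal|Invalid) user (\S+) from (\S+)")


def count_failures_by_source(lines: Iterable[str]) -> Dict[str, int]:
    """Count failed SSH login attempts per remote host across raw log lines."""
    counts: Counter = Counter()
    for line in lines:
        m = AUTH_FAIL_RE.search(line)
        if m:
            counts[m.group(1)] += 1
            continue
        m = BAD_USER_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return dict(counts)


def sources_over_threshold(counts: Dict[str, int], threshold: int = 3) -> List[str]:
    """Hosts with at least `threshold` failures (the threshold is an assumed value)."""
    return sorted(h for h, n in counts.items() if n >= threshold)


# RFC 4253 section 4.2 identification string:
#   SSH-protoversion-softwareversion SP comments CR LF
# softwareversion may not contain whitespace or '-'.
BANNER_RE = re.compile(r"^SSH-(\d+\.\d+)-([^\s-]+)(?: (.*))?\r?\n?$")
# Assumed baseline for this example: only stock OpenSSH builds are expected.
EXPECTED_SOFTWARE_RE = re.compile(r"^OpenSSH_\d")


def parse_ssh_banner(banner: str) -> Optional[Dict[str, str]]:
    """Split an SSH identification string into its three fields, or None if malformed."""
    m = BANNER_RE.match(banner)
    if not m:
        return None
    return {"protocol": m.group(1), "software": m.group(2), "comments": m.group(3) or ""}


def banner_anomalies(port: int, banner: str, expected_ports=(22,)) -> List[str]:
    """Reasons a banner seen on `port` deviates from the assumed baseline."""
    parsed = parse_ssh_banner(banner)
    if parsed is None:
        return ["malformed SSH identification string"]
    issues = []
    if port not in expected_ports:
        issues.append(f"SSH listener on unexpected port {port}")
    if not EXPECTED_SOFTWARE_RE.match(parsed["software"]):
        issues.append(f"unexpected software string {parsed['software']!r}")
    # "1.99" advertises both protocol versions; a bare 1.x banner is SSH-1 only.
    if parsed["protocol"].startswith("1.") and parsed["protocol"] != "1.99":
        issues.append("protocol 1 only")
    return issues


if __name__ == "__main__":
    failures = count_failures_by_source(SAMPLE_SYSLOG.splitlines())
    for host in sources_over_threshold(failures):
        print(f"{host}: {failures[host]} failed attempts")
    # Port 1984 banner as quoted in the thread's nmap fingerprint; the port 22
    # banner is reconstructed from nmap's version line (an assumption).
    for port, banner in ((22, "SSH-1.99-OpenSSH_3.4p1\r\n"),
                         (1984, "SSH-1.5-FucKiT RootKit by Cyrax\n")):
        print(port, banner_anomalies(port, banner) or ["looks normal"])
```

The per-host counts give the same picture as the LogWatch summary but from the raw lines, so the threshold can be tuned and fed to a block list or alert; the banner check is meant to run against a host's own listening sockets (or a periodic scan of one's own machines), where any SSH identification string on a non-standard port or with an unfamiliar software field is worth a closer look.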