SEND AN ABUSE MAIL TO [EMAIL PROTECTED]

>nslookup 195.96.105.247
Server: mail.magic.nl.com
Address: 192.168.1.1

Name: 4dyn247.delft.casema.net
Address: 195.96.105.247

It's one of those Dutch cable users in the city of Delft. Probably a student.

--
MVG,
Rob van Eijk

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Kevin D
Sent: Wednesday, 6 June 2001 16:06
To: [EMAIL PROTECTED]
Subject: [cobalt-security] owned by 187?

I was greeted this morning with an email in my box that read, "owned by 187". Apparently the user obtained root on my system, because the message was from root@localhost.

When I logged into the box, I found a user with a stale FTP connection still open from 195.96.105.247. I checked the logs and found several entries for that IP in my message log, including:

Jun 6 09:03:18 ns1 proftpd[20608]: ns1.mtsolutions.net (4dyn247.delft.casema.net[195.96.105.247]) - PAM(mtsolutions): Authentication failure.
Jun 6 09:03:19 ns1 proftpd[20608]: ns1.mtsolutions.net (4dyn247.delft.casema.net[195.96.105.247]) - FTP session closed.
Jun 6 09:03:28 ns1 proftpd[20609]: ns1.mtsolutions.net (4dyn247.delft.casema.net[195.96.105.247]) - Malformed entry in group file:
Jun 6 09:03:29 ns1 proftpd[20609]: ns1.mtsolutions.net (4dyn247.delft.casema.net[195.96.105.247]) - Malformed entry in group file:
Jun 6 09:09:04 ns1 proftpd[20609]: ns1.mtsolutions.net (4dyn247.delft.casema.net[195.96.105.247]) - FTP no transfer timeout, disconnected.

I have been slow to install the latest proftpd patches (waiting on the kernel update, actually), so I assume this is the method that the intruder used to gain access. Also, I found several log entries relating to modprobe.

My baseline file checker found that only the passwd and shadow files were modified, but it looks like the hacker changed them back to what they originally were?? Originally the file was 14697 bytes, then it was changed to 51544 bytes, and then back to 14697 bytes.
I figure the hacker probably backed up my passwd file and then restored it maybe? Is there a way to check for recently deleted files?

The real bummer here is that I set up a bulk email CGI utility and the idiot hacker used it to send messages to everyone saying, "Owned by 187". Anyone ever hear of that before?

Alas, while the idiot didn't bother to clean up the FTP log, he left no trace of himself in the root history file, so I have no idea what he did other than from my baseline checker. After this lovely scenario, I'd love to know of a program that will record keystrokes of logged in users.

My baseline checker reports no more modified files, and I've portscanned all IPs on the raq, so it looks like the box is clean, which of course surprises me.

Any opinions?

Kevin

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
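The proftpd lines Kevin quotes show a pattern a log review should surface on its own: a failed PAM login from one host, then a fresh session from the same host during which the server complains about its own group file, then a connection left idle until the transfer timeout. The script below is an added example, not code from either poster or from the proftpd project. It parses syslog-style proftpd lines into fields, groups events per remote IP, and flags hosts whose session sequence matches that pattern. The two lines for 192.0.2.10 (a documentation address) are invented here so the report also shows an unremarkable session; the "FTP session opened." message text for that session and the flagging thresholds are my assumptions, while the 195.96.105.247 lines are the ones from the post.

```python
import re

# Constructed sample log: the 195.96.105.247 lines are quoted from the post;
# the 192.0.2.10 session is invented here as a benign comparison.
SAMPLE_LOG = """\
Jun  6 08:55:01 ns1 proftpd[20590]: ns1.mtsolutions.net (client.example.net[192.0.2.10]) - FTP session opened.
Jun  6 08:57:44 ns1 proftpd[20590]: ns1.mtsolutions.net (client.example.net[192.0.2.10]) - FTP session closed.
Jun  6 09:03:18 ns1 proftpd[20608]: ns1.mtsolutions.net (4dyn247.delft.casema.net[195.96.105.247]) - PAM(mtsolutions): Authentication failure.
Jun  6 09:03:19 ns1 proftpd[20608]: ns1.mtsolutions.net (4dyn247.delft.casema.net[195.96.105.247]) - FTP session closed.
Jun  6 09:03:28 ns1 proftpd[20609]: ns1.mtsolutions.net (4dyn247.delft.casema.net[195.96.105.247]) - Malformed entry in group file:
Jun  6 09:03:29 ns1 proftpd[20609]: ns1.mtsolutions.net (4dyn247.delft.casema.net[195.96.105.247]) - Malformed entry in group file:
Jun  6 09:09:04 ns1 proftpd[20609]: ns1.mtsolutions.net (4dyn247.delft.casema.net[195.96.105.247]) - FTP no transfer timeout, disconnected.
"""

# syslog timestamp, server host, proftpd[pid], local name, (remote-host[ip]) - message
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+'
    r'(?P<server>\S+)\s+proftpd\[(?P<pid>\d+)\]:\s+'
    r'(?P<local>\S+)\s+\((?P<rhost>[^\[\]]+)\[(?P<ip>[\d.]+)\]\)\s+-\s+'
    r'(?P<msg>.*)$'
)


def parse_line(line):
    """Split one proftpd syslog line into its fields; None if it is not a proftpd line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text):
    """Group proftpd events by remote IP and count the event types worth a second look."""
    per_ip = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        rec = per_ip.setdefault(ev['ip'], {
            'host': ev['rhost'], 'pids': set(), 'auth_failures': 0,
            'malformed_group': 0, 'timeouts': 0,
            'first_seen': ev['ts'], 'last_seen': ev['ts'],
        })
        rec['pids'].add(ev['pid'])          # one proftpd child pid per session
        rec['last_seen'] = ev['ts']
        msg = ev['msg']
        if 'Authentication failure' in msg:
            rec['auth_failures'] += 1
        elif msg.startswith('Malformed entry in group file'):
            rec['malformed_group'] += 1
        elif 'no transfer timeout' in msg:
            rec['timeouts'] += 1
    return per_ip


def suspicious_ips(per_ip, max_auth_failures=3):
    """Return [(ip, [reasons])] for remote hosts whose session pattern deserves a look.

    Thresholds are assumptions for this example, not proftpd defaults.
    """
    flagged = []
    for ip, rec in per_ip.items():
        reasons = []
        if rec['malformed_group']:
            reasons.append(f"server logged {rec['malformed_group']} malformed group-file "
                           f"entries during this client's session")
        if rec['auth_failures'] and rec['malformed_group']:
            reasons.append('failed login followed by a new session that triggered '
                           'server-side group-file parse errors')
        if rec['auth_failures'] > max_auth_failures:
            reasons.append(f"{rec['auth_failures']} authentication failures")
        if reasons:
            flagged.append((ip, reasons))
    return flagged


def report(log_text):
    """Human-readable summary of flagged hosts, one list entry per output line."""
    per_ip = summarize(log_text)
    lines = []
    for ip, reasons in suspicious_ips(per_ip):
        rec = per_ip[ip]
        lines.append(f"{ip} ({rec['host']}) sessions={sorted(rec['pids'])} "
                     f"{rec['first_seen']} .. {rec['last_seen']}")
        lines.extend(f"  - {r}" for r in reasons)
    return lines


if __name__ == '__main__':
    print('\n'.join(report(SAMPLE_LOG)) or 'nothing flagged')
```

Run against the sample, only 195.96.105.247 is reported, with both proftpd child pids (20608 and 20609) tied to the same remote host, which is the same correlation Rob did by hand with nslookup before sending the abuse mail. The check keys on the server's own error text rather than on the client, so it would also catch the pattern from a host that never failed a login.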
