A server was broken into and the recorded log looks like this. Does anyone have
an explanation? On this server only ports 25, 80 and 443 were open, and
the attacker managed to create a user and put it into promiscuous mode.

Thanks


Sep 20 04:23:44 hulk kernel: request_module[net-pf-14]: waitpid(26503,...)
failed, errno 512
Sep 20 04:23:44 hulk modprobe: modprobe: Can't locate module net-pf-14
Sep 20 04:24:47 hulk kernel: cp uses obsolete (PF_INET,SOCK_PACKET)
Sep 20 04:24:47 hulk kernel: device ppp0 entered promiscuous mode
Sep 20 04:24:47 hulk kernel: eth0: Promiscuous mode enabled.
Sep 20 04:24:47 hulk kernel: device eth0 entered promiscuous mode
Sep 20 04:26:16 hulk kernel: martian source 255.255.255.255 from
192.168.34.2, on dev eth1
Sep 20 04:26:16 hulk kernel: ll header:
ff:ff:ff:ff:ff:ff:00:06:5b:3d:0e:f8:08:00
Sep 20 04:27:25 hulk httpd: Reiniciando httpd:  succeeded
Sep 20 04:28:13 hulk sshd[26608]: error: Bind to port 22 on 192.168.1.254
failed: Address already in use.
Sep 20 04:28:13 hulk sshd[26608]: fatal: Cannot bind any address.
Sep 20 04:28:15 hulk sshd[26610]: error: Bind to port 22 on 192.168.1.254
failed: Address already in use.
Sep 20 04:28:15 hulk sshd[26610]: fatal: Cannot bind any address.
Sep 20 04:28:17 hulk kernel: martian source 10.0.0.255 from 10.0.0.1, on dev
eth1
Sep 20 04:28:17 hulk kernel: ll header:
ff:ff:ff:ff:ff:ff:00:07:e9:d6:ae:fb:08:00
Sep 20 04:28:17 hulk kernel: martian source 10.0.0.255 from 10.0.0.1, on dev
eth1
Sep 20 04:28:17 hulk kernel: ll header:
ff:ff:ff:ff:ff:ff:00:07:e9:d6:ae:fb:08:00
Sep 20 04:29:33 hulk inetd[26635]: Online and ready (1 sockets)
Sep 20 04:29:34 hulk inetd[26637]: telnet/tcp: bind: Address already in use
Sep 20 04:29:34 hulk inetd[26637]: Online and ready (0 sockets)
Sep 20 04:29:36 hulk inetd[26637]: telnet/tcp: bind: Address already in use
Sep 20 04:30:45 hulk inetd[26637]: telnet/tcp: bind: Address already in use
Sep 20 04:30:45 hulk inetd[26635]: shell/tcp: bind: Address already in use
Sep 20 04:30:45 hulk inetd[26635]: login/tcp: bind: Address already in use
Sep 20 04:31:16 hulk kernel: martian source 255.255.255.255 from
192.168.34.2, on dev eth1
Sep 20 04:31:16 hulk kernel: ll header:
ff:ff:ff:ff:ff:ff:00:06:5b:3d:0e:f8:08:00
Sep 20 04:31:41 hulk su(pam_unix)[26652]: session opened for user cerebro by
(uid=0)
Sep 20 04:32:14 hulk su(pam_unix)[26652]: session closed for user cerebro
Sep 20 04:32:31 hulk su(pam_unix)[26681]: session opened for user cerebro by
(uid=0)
Sep 20 04:32:52 hulk su(pam_unix)[26681]: session closed for user cerebro

---------------------------------------------------------------------------
This list is sponsored by Conectiva S.A. Visit http://www.conectiva.com.br

Archive: http://bazar2.conectiva.com.br/mailman/listinfo/linux-br
List usage rules: http://linux-br.conectiva.com.br
FAQ: http://www.zago.eti.br/menu.html
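
A triage pass over a log like the one in this message, as an added example that is not part of the original post: it rejoins records folded across lines by mail wrapping and flags the entries that bear on the question (an interface entering promiscuous mode, a process opening a SOCK_PACKET socket, daemons finding their ports already bound, su sessions opened by uid 0). The rule names and the functions `unwrap` and `triage` are this example's own; the sample lines are copied from the log in the message.

```python
import re

# Sample records copied from the log in the post, mail line-wrapping included.
SAMPLE = """\
Sep 20 04:24:47 hulk kernel: cp uses obsolete (PF_INET,SOCK_PACKET)
Sep 20 04:24:47 hulk kernel: device eth0 entered promiscuous mode
Sep 20 04:27:25 hulk httpd: Reiniciando httpd:  succeeded
Sep 20 04:28:13 hulk sshd[26608]: error: Bind to port 22 on 192.168.1.254
failed: Address already in use.
Sep 20 04:29:34 hulk inetd[26637]: telnet/tcp: bind: Address already in use
Sep 20 04:31:41 hulk su(pam_unix)[26652]: session opened for user cerebro by
(uid=0)
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([^:\[]+)(?:\[\d+\])?: (.*)$")
RULES = [  # (rule name, syslog tag prefix, pattern); rule names are this example's own
    ("promiscuous_mode", "kernel", re.compile(r"device (\S+) entered promiscuous mode")),
    ("packet_socket", "kernel", re.compile(r"^(\S+) uses obsolete \(PF_INET,SOCK_PACKET\)")),
    ("port_already_bound", "sshd", re.compile(r"Bind to port (\d+) .*Address already in use")),
    ("port_already_bound", "inetd", re.compile(r"^(\S+): bind: Address already in use")),
    ("su_from_root", "su", re.compile(r"session opened for user (\S+) by \(uid=0\)")),
]

def unwrap(text):
    """Rejoin records that were folded onto a second line by mail wrapping."""
    records = []
    for raw in text.splitlines():
        if LINE.match(raw) or not records:
            records.append(raw.rstrip())
        elif raw.strip():
            records[-1] += " " + raw.strip()
    return records

def triage(text):
    """Return (timestamp, rule, captured detail) for each record a rule matches."""
    hits = []
    for record in unwrap(text):
        m = LINE.match(record)
        if not m:
            continue
        stamp, _host, tag, msg = m.groups()
        for name, prefix, pattern in RULES:
            found = pattern.search(msg) if tag.startswith(prefix) else None
            if found:
                hits.append((stamp, name, found.group(1)))
    return hits

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

The `port_already_bound` hits are the ones to compare against the claim that only ports 25, 80 and 443 were open: each means some other process was already listening on that port when sshd or inetd tried to bind it.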