Hi all, I've got a box in the clear (no firewall, I have my internal IP set in the DMZ of my cable modem router, the Linksys 4 port) at IP 68.38.132.128, RedHat 7.0. It's a comcast.net IP, shhh, don't tell ;) I'm pretty sure I've been hacked and someone knows the root password. I can't log in via the localhost, but I can still log in via ssh (sometimes). When I try to log in from the localhost the password prompt shows, but when I enter my system ID, it skips past the password prompt, requesting the system ID once more. I noticed that root had email, an error message, attached, that shows some info about the attacker.
How do I change the root passwd without the party involved seeing the change? What other measures should I take? I was just figuring on backing up some data files and wiping the HD, installing 7.2 with the firewall enabled but for port 23, but I decided that it might be interesting to see if I could find out who this is, and investigate a little more about Linux security before I destroy any evidence that may still be around. The hack occurred before 4/1/2002 @ 12:27 pm or before. I think that this is an attack because I don't send email as root, and I don't know anyone at [EMAIL PROTECTED]. Also, when I rebooted the computer the RSA keys were changed, so when I log in via ssh/putty now I get the warning about the key change. This should be fun =)

rob

>From: "Allen, Rob" <[EMAIL PROTECTED]>
>To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
>Subject: FW: Returned mail: see transcript for details (fwd)
>Date: Fri, 5 Apr 2002 12:03:58 -0500
>MIME-Version: 1.0
>Received: from [65.115.230.1] by hotmail.com (3.2) with ESMTP id
>MHotMailBE772403001A400432634173E60170430; Fri, 05 Apr 2002 09:04:05 -0800
>From [EMAIL PROTECTED] Fri, 05 Apr 2002 09:04:18 -0800
>Message-ID: <57D029DD6EE6D5119CE9006097BA94963050A0@RSPI-EMAIL>
>
> > -----Original Message-----
> > From: root [mailto:root@dangerx]
> > Sent: Friday, April 05, 2002 11:04 AM
> > To: [EMAIL PROTECTED]
> > Subject: Returned mail: see transcript for details (fwd)
> >
> > ---------- Forwarded message ----------
> > Date: Mon, 1 Apr 2002 12:27:39 -0500
> > From: Mail Delivery Subsystem <MAILER-DAEMON@dangerx>
> > To: root@dangerx
> > Subject: Returned mail: see transcript for details
> >
> > The original message was received at Mon, 1 Apr 2002 12:27:06 -0500
> > from root@localhost
> >
> > ----- The following addresses had permanent fatal errors -----
> > [EMAIL PROTECTED]
> > (reason: 501 Syntax error in parameters or arguments)
> >
> > ----- Transcript of session follows -----
> > ... while talking to mx1.mail.yahoo.com.:
> > >>> MAIL From:<root@dangerx> SIZE=3434
> > <<< 501 Syntax error in parameters or arguments
> > 501 5.6.0 [EMAIL PROTECTED] Data format error
ATT04160.TXT
Description: Binary data
--- Begin Message ---
eth0 Link encap:Ethernet HWaddr 00:40:05:22:C4:D2
inet addr:192.168.1.6 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:25646 errors:0 dropped:0 overruns:0 frame:0
TX packets:18005 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
Interrupt:10 Base address:0x240
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:3924 Metric:1
RX packets:26 errors:0 dropped:0 overruns:0 frame:0
TX packets:26 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/var/ftp:
nobody:x:99:99:Nobody:/:
apache:x:48:48:Apache:/var/www:/bin/false
named:x:25:25:Named:/var/named:/bin/false
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
gdm:x:42:42::/home/gdm:/bin/bash
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/bin/false
rpc:x:32:32:Portmapper RPC user:/:/bin/false
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
mailnull:x:47:47::/var/spool/mqueue:/dev/null
dangerx:x:500:500::/home/dangerx:/bin/bash
mysql:x:501:501::/home/mysql:/bin/bash
rob:x:502:502::/home/rob:/bin/bash
michele:x:503:503::/home/michele:/bin/bash
allen:x:504:504::/home/allen:/bin/bash
rallen:x:505:505::/home/rallen:/bin/bash
dknouse:x:506:506::/home/dknouse:/bin/bash
root:$1$SRu.Bs4l$C58KJxfq6U2b1dNvDnJVa/:11375:0:99999:7:::
bin:*:11375:0:99999:7:::
daemon:*:11375:0:99999:7:::
adm:*:11375:0:99999:7:::
lp:*:11375:0:99999:7:::
sync:*:11375:0:99999:7:::
shutdown:*:11375:0:99999:7:::
halt:*:11375:0:99999:7:::
mail:*:11375:0:99999:7:::
news:*:11375:0:99999:7:::
uucp:*:11375:0:99999:7:::
operator:*:11375:0:99999:7:::
games:*:11375:0:99999:7:::
gopher:*:11375:0:99999:7:::
ftp:*:11375:0:99999:7:::
nobody:*:11375:0:99999:7:::
apache:!!:11375:0:99999:7:::
named:!!:11375:0:99999:7:::
xfs:!!:11375:0:99999:7:::
gdm:!!:11375:0:99999:7:::
rpcuser:!!:11375:0:99999:7:::
rpc:!!:11375:0:99999:7:::
postgres:!!:11375:0:99999:7:::
mailnull:!!:11375:0:99999:7:::
dangerx:$1$1Z.1WM8Z$aN/Kg776kdamLcKTt3sH/.:11375:0:99999:7:::
mysql:!!:11376:0:99999:7:::
rob:$1$uI8pNw7A$P.TLbQtZX56L27t40eG0F1:11424::99999::::
michele:$1$FgwScqAj$xb/KVKmSj/Uh2lBa/oMEd/:11388::99999::::
allen:$1$k6EE6Ztw$88FKAu1u6QbeK/B/vbfjU.:11535::99999::::
rallen:$1$igngyc4D$7xPJkMNC84eqmNumJjvD10:11764::99999::::
dknouse:$1$wK9WSQwu$T.URs99d9eJigIt/KK2eJ.:11759:0:99999:7:::
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 5
model name : Celeron (Covington)
stepping : 0
cpu MHz : 300.686
cache size : 0 KB
fdiv_bug : no
hlt_bug : no
sep_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 2
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 sep mtrr pge mca cmov pat pse36 mmx fxsr
bogomips : 599.65
Linux dangerx 2.2.16-22 #1 Tue Aug 22 16:49:06 EDT 2000 i686 unknown
--- End Message ---
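The attachment above is the kind of account dump a responder has to triage quickly. As an added example, not part of the original post, here is a small Python script that parses /etc/passwd and /etc/shadow lines (a subset of those in the attachment, plus one constructed "toor" entry that does not appear in the post, included only so the UID-0 and empty-password checks have something to flag) and reports the first things to check after a suspected root compromise: extra UID-0 accounts, accounts with an empty password field, interactive-shell accounts with a usable password, and accounts whose password changed on or after the bounce date given in the post (1 April 2002). The date arithmetic follows shadow(5), where the third field is days since 1970-01-01.

```python
# Added example (not from the original post): triage a captured /etc/passwd and
# /etc/shadow pair the way an incident responder would after finding them in a
# bounced exfiltration email. The sample lines are a subset of the dump in the
# post, plus one constructed "toor" entry so the UID-0 check has something to flag.
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)  # shadow(5) stores dates as days since this epoch

# Subset of the /etc/passwd lines from the post, plus a constructed UID-0 account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
sync:x:5:0:sync:/sbin:/bin/sync
apache:x:48:48:Apache:/var/www:/bin/false
gdm:x:42:42::/home/gdm:/bin/bash
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
dangerx:x:500:500::/home/dangerx:/bin/bash
rob:x:502:502::/home/rob:/bin/bash
dknouse:x:506:506::/home/dknouse:/bin/bash
toor:x:0:0::/:/bin/bash
"""

# Matching /etc/shadow lines; "toor" (constructed) has an empty hash and a
# last-change day (11779 = 2002-04-02) after the bounce date.
SAMPLE_SHADOW = """\
root:$1$SRu.Bs4l$C58KJxfq6U2b1dNvDnJVa/:11375:0:99999:7:::
bin:*:11375:0:99999:7:::
sync:*:11375:0:99999:7:::
apache:!!:11375:0:99999:7:::
gdm:!!:11375:0:99999:7:::
postgres:!!:11375:0:99999:7:::
dangerx:$1$1Z.1WM8Z$aN/Kg776kdamLcKTt3sH/.:11375:0:99999:7:::
rob:$1$uI8pNw7A$P.TLbQtZX56L27t40eG0F1:11424::99999::::
dknouse:$1$wK9WSQwu$T.URs99d9eJigIt/KK2eJ.:11759:0:99999:7:::
toor::11779:0:99999:7:::
"""

# Shells that cannot start an interactive session.
NON_LOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/dev/null",
                    "/bin/sync", "/sbin/shutdown", "/sbin/halt"}


def shadow_day_to_date(field):
    """Convert shadow field 3 (days since 1970-01-01) to a date; empty means unset."""
    return EPOCH + timedelta(days=int(field)) if field else None


def parse_passwd(text):
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":")
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def parse_shadow(text):
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        entries[fields[0]] = {"hash": fields[1],
                              "lastchg": shadow_day_to_date(fields[2])}
    return entries


def password_usable(hashed):
    """A '*' or '!' prefix means the account is locked; an empty field means no password at all."""
    return bool(hashed) and hashed[0] not in "*!"


def triage(passwd_text, shadow_text, reference_date):
    """Return the checks a responder runs first on a leaked account database."""
    users = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    findings = {"uid0": [], "empty_password": [],
                "interactive_with_password": [], "changed_on_or_after": []}
    for name, u in users.items():
        sh = shadow.get(name, {"hash": "", "lastchg": None})
        if u["uid"] == 0:                     # any second UID 0 is root-equivalent
            findings["uid0"].append(name)
        if sh["hash"] == "":                  # empty hash: login with no password
            findings["empty_password"].append(name)
        # An empty shell field historically defaults to /bin/sh, so it counts as interactive.
        interactive = u["shell"] not in NON_LOGIN_SHELLS
        if interactive and password_usable(sh["hash"]):
            findings["interactive_with_password"].append(name)
        if sh["lastchg"] is not None and sh["lastchg"] >= reference_date:
            findings["changed_on_or_after"].append(name)
    return findings


def run_triage():
    """Triage the sample data against the bounce date from the post (1 Apr 2002)."""
    return triage(SAMPLE_PASSWD, SAMPLE_SHADOW, date(2002, 4, 1))


if __name__ == "__main__":
    for check, names in run_triage().items():
        print(f"{check}: {', '.join(names) or '-'}")
```

Run it against copies of the files taken from a known-good boot medium rather than from the live system; a login path that skips the password prompt, as the post describes, is reason enough not to trust the running binaries. Password change days earlier than the compromise window (11375 is 2001-02-22 for most of the dump) mean the attacker did not rotate those hashes, not that they are safe, since the hashes themselves have already left the machine.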
