On Fri, Apr 05, 2002 at 04:26:50PM -0500, Robert Allen babbled thus:
> From: "Robert Allen" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: SECURITY:Fwd: FW: Returned mail: see transcript for details (fwd)
> Date: Fri, 05 Apr 2002 16:26:50 -0500
>
> hi all,
>
> I've got a box in the clear (no firewall, I have my internal IP set in the
> DMZ of my cable modem router, the Linksys 4-port) at IP 68.38.132.128,
> RedHat 7.0. It's a comcast.net IP, shhh, don't tell ;)
I use Comcast as well, so I can't bitch. :)

> I'm pretty sure I've been hacked and someone knows the root password. I
> can't log in via the localhost, but I can still log in via ssh (sometimes).
> When I try and login from the localhost the password prompt shows, but when
> I enter my system ID, it skips past the password prompt, requesting the
> system ID once more.

System ID? Not sure what you mean.

> I noticed that root had email, an error message, attached, that shows some
> info about the attacker.
>
> How do I change the root passwd without the party involved seeing the
> change? What other measures should I take? I was just figuring on backing
> up some data files, and wiping the HD, installing 7.2 with the firewall
> enabled but for port 23, but I decided that it might be interesting to see
> if I could find out who this is, and investigate a little more about Linux
> security before I destroy any evidence that may still be around.
>
> The hack occurred before 4/1/2002 @ 12:27 pm or before.
>
> I think that this is an attack because I don't send email as root, and I
> don't know anyone at [EMAIL PROTECTED]. Also, when I rebooted the
> computer the RSA keys were changed, so when I login via ssh/putty now I get
> the warning about the key change.

Yep. Looks like your assessment of the situation is correct - your machine
was compromised.

By the way, I should point out that you just sent your passwords to the
list, which is probably NOT a good idea (I removed them from this reply).

In any case, it's generally recommended that you wipe and reinstall in this
situation, something you seem to realize. If you can take the time to try
to track the intruder down, that's good as well. If you'd like my help, I
have some experience in this area.

Judging from what I see so far, it looks like a program (worm, perhaps?)
compromised your system and attempted to send information out to its owner.
It looks like it was written badly, though, and the message didn't make it
to its destination (good).

> this should be fun =)

There's no doubt about that. :)

> rob
>
> >From: "Allen, Rob" <[EMAIL PROTECTED]>
> >To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> >Subject: FW: Returned mail: see transcript for details (fwd)
> >Date: Fri, 5 Apr 2002 12:03:58 -0500
> >MIME-Version: 1.0
> >Received: from [65.115.230.1] by hotmail.com (3.2) with ESMTP id
> >MHotMailBE772403001A400432634173E60170430; Fri, 05 Apr 2002 09:04:05 -0800
> >>From [EMAIL PROTECTED] Fri, 05 Apr 2002 09:04:18 -0800
> >Message-ID: <57D029DD6EE6D5119CE9006097BA94963050A0@RSPI-EMAIL>
> >
> >> -----Original Message-----
> >> From: root [mailto:root@dangerx]
> >> Sent: Friday, April 05, 2002 11:04 AM
> >> To: [EMAIL PROTECTED]
> >> Subject: Returned mail: see transcript for details (fwd)
> >>
> >> ---------- Forwarded message ----------
> >> Date: Mon, 1 Apr 2002 12:27:39 -0500
> >> From: Mail Delivery Subsystem <MAILER-DAEMON@dangerx>
> >> To: root@dangerx
> >> Subject: Returned mail: see transcript for details
> >>
> >> The original message was received at Mon, 1 Apr 2002 12:27:06 -0500
> >> from root@localhost
> >>
> >>    ----- The following addresses had permanent fatal errors -----
> >> [EMAIL PROTECTED]
> >>     (reason: 501 Syntax error in parameters or arguments)
> >>
> >>    ----- Transcript of session follows -----
> >> ... while talking to mx1.mail.yahoo.com.:
> >> >>> MAIL From:<root@dangerx> SIZE=3434
> >> <<< 501 Syntax error in parameters or arguments
> >> 501 5.6.0 [EMAIL PROTECTED] Data format error
> Date: Mon, 1 Apr 2002 12:27:06 -0500
> From: root
> To: [EMAIL PROTECTED]
> Subject: dangerx
>
> eth0      Link encap:Ethernet  HWaddr 00:40:05:22:C4:D2
>           inet addr:192.168.1.6  Bcast:192.168.1.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:25646 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:18005 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:100
>           Interrupt:10 Base address:0x240
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           UP LOOPBACK RUNNING  MTU:3924  Metric:1
>           RX packets:26 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:26 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>
> root:x:0:0:root:/root:/bin/bash
> bin:x:1:1:bin:/bin:
> daemon:x:2:2:daemon:/sbin:
> adm:x:3:4:adm:/var/adm:
> lp:x:4:7:lp:/var/spool/lpd:
> sync:x:5:0:sync:/sbin:/bin/sync
> shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
> halt:x:7:0:halt:/sbin:/sbin/halt
> mail:x:8:12:mail:/var/spool/mail:
> news:x:9:13:news:/var/spool/news:
> uucp:x:10:14:uucp:/var/spool/uucp:
> operator:x:11:0:operator:/root:
> games:x:12:100:games:/usr/games:
> gopher:x:13:30:gopher:/usr/lib/gopher-data:
> ftp:x:14:50:FTP User:/var/ftp:
> nobody:x:99:99:Nobody:/:
> apache:x:48:48:Apache:/var/www:/bin/false
> named:x:25:25:Named:/var/named:/bin/false
> xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
> gdm:x:42:42::/home/gdm:/bin/bash
> rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/bin/false
> rpc:x:32:32:Portmapper RPC user:/:/bin/false
> postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
> mailnull:x:47:47::/var/spool/mqueue:/dev/null
> dangerx:x:500:500::/home/dangerx:/bin/bash
> mysql:x:501:501::/home/mysql:/bin/bash
> rob:x:502:502::/home/rob:/bin/bash
> michele:x:503:503::/home/michele:/bin/bash
> allen:x:504:504::/home/allen:/bin/bash
> rallen:x:505:505::/home/rallen:/bin/bash
> dknouse:x:506:506::/home/dknouse:/bin/bash
>
> root:xxxxx:11375:0:99999:7:::
> bin:*:11375:0:99999:7:::
> daemon:*:11375:0:99999:7:::
> adm:*:11375:0:99999:7:::
> lp:*:11375:0:99999:7:::
> sync:*:11375:0:99999:7:::
> shutdown:*:11375:0:99999:7:::
> halt:*:11375:0:99999:7:::
> mail:*:11375:0:99999:7:::
> news:*:11375:0:99999:7:::
> uucp:*:11375:0:99999:7:::
> operator:*:11375:0:99999:7:::
> games:*:11375:0:99999:7:::
> gopher:*:11375:0:99999:7:::
> ftp:*:11375:0:99999:7:::
> nobody:*:11375:0:99999:7:::
> apache:!!:11375:0:99999:7:::
> named:!!:11375:0:99999:7:::
> xfs:!!:11375:0:99999:7:::
> gdm:!!:11375:0:99999:7:::
> rpcuser:!!:11375:0:99999:7:::
> rpc:!!:11375:0:99999:7:::
> postgres:!!:11375:0:99999:7:::
> mailnull:!!:11375:0:99999:7:::
> dangerx:xxxxx:11375:0:99999:7:::
> mysql:!!:11376:0:99999:7:::
> rob:xxxxx:11424::99999::::
> michele:xxxxx:11388::99999::::
> allen:xxxxx:11535::99999::::
> rallen:xxxxx:11764::99999::::
> dknouse:xxxxx:11759:0:99999:7:::
>
> processor       : 0
> vendor_id       : GenuineIntel
> cpu family      : 6
> model           : 5
> model name      : Celeron (Covington)
> stepping        : 0
> cpu MHz         : 300.686
> cache size      : 0 KB
> fdiv_bug        : no
> hlt_bug         : no
> sep_bug         : no
> f00f_bug        : no
> coma_bug        : no
> fpu             : yes
> fpu_exception   : yes
> cpuid level     : 2
> wp              : yes
> flags           : fpu vme de pse tsc msr pae mce cx8 sep mtrr pge mca cmov pat pse36 mmx fxsr
> bogomips        : 599.65
>
>
> Linux dangerx 2.2.16-22 #1 Tue Aug 22 16:49:06 EDT 2000 i686 unknown

-- 
Mike Edwards
Brainbench certified Master Linux Administrator
http://www.brainbench.com/transcript.jsp?pid=158188
-----------------------------------
Unsolicited advertisements to this address are not welcome.
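Added example, not part of the thread above and not Rob's or Mike's code: a small Python triage script for exactly the situation Mike describes. It walks root's mbox looking for messages like the bounced "Subject: dangerx" one, that is, mail carrying /etc/passwd and /etc/shadow entries and addressed to a mailbox off the box, reports which accounts' hashes were in it, and redacts the hash fields with the same xxxxx placeholder Mike used before the mail gets forwarded to a list. The mbox text, the drop address dropbox@example.com, the hash values and the LOCAL_DOMAINS set are all constructed for illustration.

```python
"""Triage root's mbox for outbound leaks like the bounced "dangerx" message.
Added example for this thread, not code from the posts above; the mailbox,
drop address dropbox@example.com, hash values and LOCAL_DOMAINS are constructed."""
import re
from email import message_from_string

LOCAL_DOMAINS = {"dangerx", "localhost"}  # anything else is off-box (constructed)
REDACTED = "xxxxx"                        # placeholder the reply above used

# /etc/passwd entry: name:x:uid:gid:gecos:home:shell (shell may be empty)
PASSWD_LINE = re.compile(r"^[a-z_][a-z0-9_-]*:x:\d+:\d+:[^:\n]*:[^:\n]*:[^:\n]*$", re.M)
# /etc/shadow entry: name:hash:lastchg:min:max:warn:inactive:expire:flag;
# the six numeric fields may be empty ("rob:...:11424::99999::::")
SHADOW_LINE = re.compile(r"^([a-z_][a-z0-9_-]*):([^:\n]*)((?::\d*){6}:[^:\n]*)$", re.M)
# "To:" lines in the top headers and in any forwarded or bounced original
TO_HEADER = re.compile(r"^[> ]*To:\s*(.+)$", re.M | re.I)
ADDR = re.compile(r"[\w.+-]+@[\w.-]+")


def is_secret_hash(field):
    """'*', '!!', '!' and '' mean a locked or passwordless account and carry
    no secret; anything else is a password hash that must not leave the box."""
    return field not in ("", "*", "!!", "!", REDACTED)


def split_mbox(text):
    """Split mbox text into raw messages on the 'From ' envelope lines. Body
    lines that begin with 'From ' are normally escaped as '>From ' by the
    delivery agent, so they do not start a new message here."""
    return [p for p in re.split(r"^From .*\n", text, flags=re.M) if p.strip()]


def scan_message(raw, local_domains=LOCAL_DOMAINS):
    """Report what one message would leak and where it was headed."""
    msg = message_from_string(raw)
    leaked = [m.group(1) for m in SHADOW_LINE.finditer(raw) if is_secret_hash(m.group(2))]
    passwd_entries = len(PASSWD_LINE.findall(raw))
    recipients = set(ADDR.findall(" ".join(TO_HEADER.findall(raw))))
    external = sorted(a for a in recipients if a.rsplit("@", 1)[1].lower() not in local_domains)
    return {
        "subject": msg["Subject"],
        "sender": msg["From"],
        "external_recipients": external,
        "passwd_entries": passwd_entries,
        "leaked_hashes": leaked,
        # account data bound for an outside mailbox is the signature we want
        "flagged": bool(external) and (bool(leaked) or passwd_entries >= 3),
    }


def triage(mbox_text, local_domains=LOCAL_DOMAINS):
    return [scan_message(raw, local_domains) for raw in split_mbox(mbox_text)]


def redact_shadow(text):
    """Replace every real hash field with the placeholder; locked entries
    ('*', '!!') and all other fields stay as they are."""
    def blank(m):
        if is_secret_hash(m.group(2)):
            return m.group(1) + ":" + REDACTED + m.group(3)
        return m.group(0)
    return SHADOW_LINE.sub(blank, text)


# Constructed mailbox: a harmless cron report, then a bounce wrapping a
# "dangerx"-style message with fake ($1$saltsalt$...) hashes.
SAMPLE_MBOX = """From root@dangerx Mon Apr  1 04:02:01 2002
From: root@dangerx
To: root@dangerx
Subject: Cron <root@dangerx> run-parts /etc/cron.daily

/etc/cron.daily/logrotate: ok

From MAILER-DAEMON@dangerx Mon Apr  1 12:27:39 2002
From: Mail Delivery Subsystem <MAILER-DAEMON@dangerx>
To: root@dangerx
Subject: Returned mail: see transcript for details

   ----- Original message follows -----
From: root
To: dropbox@example.com
Subject: dangerx

eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:01

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
apache:x:48:48:Apache:/var/www:/bin/false
dangerx:x:500:500::/home/dangerx:/bin/bash

root:$1$saltsalt$cH3c9HmHqD0kfBMjtY6Ur1:11375:0:99999:7:::
bin:*:11375:0:99999:7:::
apache:!!:11375:0:99999:7:::
dangerx:$1$saltsalt$kz6ZyPoCXP4yTeYz8qxqH/:11375:0:99999:7:::
rob:$1$saltsalt$lsq9rZcAAD4oaHI3v/9H40:11424::99999::::
"""

if __name__ == "__main__":
    for r in triage(SAMPLE_MBOX):
        print("LEAK" if r["flagged"] else "ok  ", r["subject"], "->",
              r["external_recipients"], "hashes:", r["leaked_hashes"])
    print(redact_shadow(SAMPLE_MBOX))
```

Run it against a copy of /var/spool/mail/root taken from the powered-off disk or an image of it rather than on the live box, so neither the intruder's tools nor your own writes touch the evidence Rob wants to keep, and hand the redact_shadow() output, not the original mailbox, to anyone you ask for help. The recipient check deliberately looks at every To: line, including the ones inside a bounced or forwarded original, because the message that actually left the box here was the one wrapped inside the MAILER-DAEMON report, not the report itself.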
