Feb 10th, root compromise on skillz.303.org

Unlike the first attack, the intruder(s) were able to clean up most of the system logs and essentially cover their tracks. The following entries from various logs are the only entries I could deem relevant. They were selected based on information from the previous attack, Eric Ginorio (Bronc Buster) bragging to people that he was involved in the intrusion, etc. The first attack was believed to come from teleport.com, and the user account 'lstaley' was the compromised login point.

=-=

'hits' is the following script:

    egrep -i '(syix|succeed|showdown|sekurity|shoe|k12|rt66|uk)' "$1"

  syix, succeed, showdown, k12 = known sites Bronc comes from
  rt66 = Carolyn Meinel known host
  uk = possible intruder so1o comes from several uk sites frequently

Logs ending in ".10" are the result of:

    grep "Feb 10" log >> log.10

=-=

.hits debug.10

Feb 10 13:33:53 skillz named[56]: Lame server on '133.234.110.206.in-addr.arpa' (in '234.110.206.in-addr.arpa'?): [206.110.1.34].53 'plato.alameda-coe.k12.ca.us': learnt (A=128.9.0.32,NS=206.110.1.34)
Feb 10 14:03:25 skillz named[56]: Lame server on '133.234.110.206.in-addr.arpa' (in '234.110.206.in-addr.arpa'?): [206.110.1.34].53 'plato.alameda-coe.k12.ca.us': learnt (A=128.9.0.32,NS=206.110.1.34)
Feb 10 14:38:20 skillz named[56]: Lame server on '133.234.110.206.in-addr.arpa' (in '234.110.206.in-addr.arpa'?): [206.110.1.34].53 'plato.alameda-coe.k12.ca.us': learnt (A=128.9.0.32,NS=206.110.1.34)
Feb 10 18:47:48 skillz named[56]: Lame server on 'luke.midmo.net.78.207.208.in-addr.arpa' (in '78.207.208.in-addr.arpa'?): [198.6.1.161].53 'AUTH50.NS.UU.NET': learnt (A=198.6.1.181,NS=192.36.148.17)
Feb 10 18:47:48 skillz named[56]: Lame server on 'luke.midmo.net.78.207.208.in-addr.arpa' (in '78.207.208.in-addr.arpa'?): [198.6.1.83].53 'AUTH03.NS.UU.NET': learnt (A=198.6.1.181,NS=192.36.148.17)

=-=

dev.log = ls -al /dev as soon as the attack was noticed. The previous attack showed the intruder backdooring SSH to log all traffic to a file in /dev.

obscure /home/jericho/303org$ egrep -v '(crw|brw|srw|lrw|drw|cr)' dev.log
total 74
drwxr-xr-x   3 root     root        20480 Feb 10 12:03 ./
drwxr-xr-x  17 root     root         1024 Feb  5 16:15 ../
-rwxr-xr-x   1 root     root        14349 Jun 24  1997 MAKEDEV*
-rwxr-xr-x   1 root     root        28676 Jun 24  1997 MAKEDEV-C*
-rw-r--r--   1 root     root         1035 Jun 24  1997 README.MAKEDEV
-rw-r--r--   1 root     root         1434 Jun 24  1997 README.MAKEDEV-C
--wx-wx-wx   1 root     root           81 Feb 10 21:43 ptyrg*

=-=

It turns out the attackers carried out the exact same attack. Duplicate attack signatures often link the same person to multiple attacks. The first intrusion showed the trojaned SSH logging to /dev/ptyrg as well.

obscure /home/jericho/303org$ cat ptyrg
u: gersh
ru: gersh
rh: 127.0.0.1
pw: 6o597karma
u: maq
ru: maq
rh: flatland
pw:

=-=

The timeframe of the attack was sometime on the evening of Feb 10. Looking for lstaley in the logs, we see he connects successfully. Checking the last logs, we see that there is no login on Feb 10 for 'lstaley'. After running a security audit script that calls "zapdetect", there were two instances of "zapped" entries. 'zap' is a commonly found tool used for erasing wtmp/utmp entries once root is compromised. This would explain why 'lstaley' was shown connecting to the system, but does not appear in the last logs.

Feb 10 11:09:43 skillz sshd[23139]: log: Connection from 192.108.254.10 port 1021
Feb 10 11:10:07 skillz sshd[23139]: log: Password authentication for lstaley accepted.
Feb 10 11:20:24 skillz sshd[23139]: log: Closing connection to 192.108.254.10

Name:    user1.teleport.com
Address: 192.108.254.10

lstaley  ttyp0  nukem.winternet. Sun Feb  8 08:52 - 08:54  (00:01)
lstaley  ttyp0  nukem.winternet. Sun Feb  8 08:51 - 08:52  (00:01)
lstaley  ttyp1  user1.teleport.c Sat Feb  7 23:34 - 23:48  (00:14)
lstaley  ttyp0  user1.teleport.c Fri Feb  6 01:21 - 01:48  (00:26)
lstaley  ftp    user1.teleport.c Fri Feb  6 01:19 - 01:19  (00:00)

=-=

Netstat output from 3 netstats, hostnames trimmed. We are looking here for any connections to the machine that may be odd or somehow out of place. Since we know root was compromised, we are also looking for connections from hosts that have never connected before, which would indicate a hacker trying to stay hidden but accessing the box via a backdoor.

host.cullman.net    # there was legit cullman traffic in the Feb 5 - 8 range
stat-51.shoes.org   # no IP or name in all of messages
tiff-03-48.dialup.
www.justgetpaid.co  # outgoing web connect to this?

Connections that we can easily explain. These host names were checked against 'last' or 'messages' and correspond with the following users.

undertow.csh.rit.   # csh.rit = user: memor
ppp-207-204-90-14.  # ppp-207 = user: liz
ppp30-67.ght.iadf   # ght.iad = user: rob
uwns.student.umd.e  # umd.edu = user: spee
w134.salley.fsu.ed  # fsu.edu = user: beez
wasp.kryogenic.com  # kryogen = user: kryogen
modem16.powersite.  # powersi = user: polymorf
mail2.utexas.edu    # 48 pieces of mail delivered via mail2.utexas.edu on Feb 10
mx02.erols.com      # 47 pieces of mail delivered via mx02.erols.com on Feb 10
relay5.UU.NET       # mail and ftp hits all day from *uu.net

IRC machines, most likely not part of the attack.

tiger.sph.emo
assimilation.
sfdu4.cwix.ne
heracles.concentri
Irc.mcs.net
irc.cic.net
irc.class101.com
irc04.primene
ircd.c-com.net
merlin.ais.ne
localhost

Machines we are fairly sure were not part of the attack.

obscure.sekurity.o
p07.pm3c04.pm.dimc
skillz.303.org
flatland.dimensio
malicious.bastards
tears.303.org
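The sshd-versus-'last' cross-check used above to spot the zapped 'lstaley' entry, written out as an added example (not part of the original writeup): it pairs each accepted sshd login with its 'Connection from' line via the sshd PID, then flags logins that 'last' no longer shows. The sample sshd lines are the ones quoted above plus a constructed 'memor' session from a placeholder address; the 'last' output is constructed as well.

```python
import re

# Constructed sample: lstaley's session is the real one quoted in the writeup,
# the 10.0.0.5/memor session is made up as a login that was NOT zapped.
SSHD_LOG = """\
Feb 10 11:09:43 skillz sshd[23139]: log: Connection from 192.108.254.10 port 1021
Feb 10 11:10:07 skillz sshd[23139]: log: Password authentication for lstaley accepted.
Feb 10 11:20:24 skillz sshd[23139]: log: Closing connection to 192.108.254.10
Feb 10 19:02:11 skillz sshd[23412]: log: Connection from 10.0.0.5 port 1033
Feb 10 19:02:30 skillz sshd[23412]: log: Password authentication for memor accepted.
"""

# Constructed 'last' output: memor's Feb 10 login is present, lstaley's is not.
LAST_OUT = """\
memor    ttyp2  undertow.csh.rit Tue Feb 10 19:02 - 19:40  (00:38)
lstaley  ttyp0  nukem.winternet. Sun Feb  8 08:52 - 08:54  (00:01)
lstaley  ttyp1  user1.teleport.c Sat Feb  7 23:34 - 23:48  (00:14)
"""

CONN_RE = re.compile(r'^(\w{3} +\d+) \S+ \S+ sshd\[(\d+)\]: log: Connection from (\S+) port')
ACCEPT_RE = re.compile(r'^(\w{3} +\d+) \S+ \S+ sshd\[(\d+)\]: log: Password authentication for (\S+) accepted\.')
LAST_RE = re.compile(r'^(\S+)\s+\S+\s+\S+\s+\w{3} (\w{3} +\d+)')

def normalize(date):
    """Make 'Feb  8' (last output) and 'Feb 8' compare equal."""
    mon, day = date.split()
    return f"{mon} {int(day)}"

def accepted_logins(sshd_text):
    """(date, user, source) for each accepted password auth; the source host is
    joined from the 'Connection from' line carrying the same sshd PID."""
    src_by_pid, logins = {}, []
    for line in sshd_text.splitlines():
        m = CONN_RE.match(line)
        if m:
            src_by_pid[m.group(2)] = m.group(3)
            continue
        m = ACCEPT_RE.match(line)
        if m:
            date, pid, user = m.groups()
            logins.append((normalize(date), user, src_by_pid.get(pid, "?")))
    return logins

def wtmp_logins(last_text):
    """Set of (date, user) pairs that 'last' still knows about."""
    return {(normalize(m.group(2)), m.group(1))
            for m in map(LAST_RE.match, last_text.splitlines()) if m}

def missing_from_wtmp(sshd_text, last_text):
    """Accepted sshd logins with no wtmp record: candidates for a zapped entry."""
    seen = wtmp_logins(last_text)
    return [(d, u, s) for d, u, s in accepted_logins(sshd_text) if (d, u) not in seen]
```

Run against the full sshd log and 'last' output of the box; any hit is a login that syslog saw but wtmp no longer records, which is exactly what a zap run leaves behind.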