[CrackMonkey] security and t0rn

eric richardson e at ericrichardson.com
Sat Apr 14 22:44:18 PDT 2001


So I got back from LA this afternoon and found a nice little present
waiting for me.  Apparently some little 31337 script kiddie cracked into
my school's web server (which I administer), and was port-scanning from it
like crazy, raising outcries from a good number of admins.

Using find / -ctime -3 I was able to figure out that the rootkit they're
using is 't0rn'.

Any suggestions on where to go from here?  I recognize that ultimately,
the only way to re-secure the box is to wipe it and re-install clean, but
what should I do in the meantime with the two-fold aim of a) figuring out
who did this and how and b) securing the box until I can get physical
access to it Monday morning?

Here are interesting looking log entries from syslog:

Apr 11 09:21:05 gonzo modprobe: modprobe: Can't locate module ******
(where ****** is six very abnormal characters which I can't seem to copy
and paste)

Apr 11 22:33:18 gonzo sshd[24410]: log: Connection from 4.3.92.125 port 4360
Apr 11 22:33:18 gonzo sshd[24410]: fatal: Did not receive ident string.

Apr 11 22:33:27 gonzo proftpd[24459]: localhost.localdomain (4.3.92.125[4.3.92.125]) - FTP session opened.
Apr 11 22:33:27 gonzo proftpd[24459]: localhost.localdomain (4.3.92.125[4.3.92.125]) - FTP session closed.
Apr 11 22:35:34 gonzo proftpd[25080]: localhost.localdomain (4.3.92.125[4.3.92.125]) - FTP session opened.
Apr 11 22:35:37 gonzo proftpd[25080]: localhost.localdomain (4.3.92.125[4.3.92.125]) - no such user 'anonymous'
Apr 11 22:35:43 gonzo last message repeated 4 times
Apr 11 22:35:43 gonzo proftpd[25080]: localhost.localdomain (4.3.92.125[4.3.92.125]) - USER anonymous (Login failed): Can't find user.
Apr 11 22:36:18 gonzo proftpd[25080]: PAM-listfile: Refused user nobody for service ftp
Apr 11 22:36:18 gonzo PAM_pwdb[25080]: get passwd; pwdb: request not recognized
Apr 11 22:36:20 gonzo proftpd[25080]: localhost.localdomain (4.3.92.125[4.3.92.125]) - PAM(nobody): Authentication failure.

These ftp hits continued all through the 12th and into the 13th.  At times
they were hard enough to trigger proftpd's 30 concurrent user limit.  They
also came from four different IPs that I can find.

Apr 13 01:54:56 gonzo proftpd[21984]: localhost.localdomain (4.40.61.241[4.40.61.241]) - no such user 'retina'

Is that a user you would normally have?  I can see anonymous and nobody,
but retina?  I don't get it.

All in all, I'm just annoyed at the moment.  Why couldn't they have waited
a lousy two more months and let me graduate before this happened?

e;

--
  ____  ________________________________________________________________
_/ __ \       e  @  e  r  i  c  r  i  c  h  a  r  d  s  o  n  .  c  o  m
\  ___/             ericrichardson.com    ethreads.com    escripting.com
 \_____>________________________________________________________________
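As an added example (not part of Eric's mail or of proftpd itself), a small Python triage script for the situation described above: it re-joins proftpd syslog records that a mail client wrapped mid-line, expands syslog's "last message repeated N times" lines, and tallies failed FTP logins per source IP and per probed username, so the scanning addresses and the odd 'retina' probe stand out. The record layout is assumed from the entries quoted in the mail, and the sample log below is constructed in that shape.

```python
import re
from collections import Counter

# Constructed sample in the shape of the proftpd syslog lines quoted in the
# mail, including one record wrapped mid-address the way the mail shows it.
SAMPLE_LOG = """\
Apr 11 22:35:37 gonzo proftpd[25080]: localhost.localdomain
(4.3.92.125[4.3.92.1
25]) - no such user 'anonymous'
Apr 11 22:35:43 gonzo last message repeated 4 times
Apr 11 22:35:43 gonzo proftpd[25080]: localhost.localdomain (4.3.92.125[4.3.92.125]) - USER anonymous (Login failed): Can't find user.
Apr 11 22:36:20 gonzo proftpd[25080]: localhost.localdomain (4.3.92.125[4.3.92.125]) - PAM(nobody): Authentication failure.
Apr 13 01:54:56 gonzo proftpd[21984]: localhost.localdomain (4.40.61.241[4.40.61.241]) - no such user 'retina'
"""

TS = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ ")  # record start
PROFTPD = re.compile(r"proftpd\[\d+\]: .*?\(([\d.]+)\[[\d.]+\]\) - (.*)$")
FAILED_USER = re.compile(r"no such user '([^']*)'|USER (\S+) \(Login failed\)"
                         r"|PAM\(([^)]*)\): Authentication failure")
REPEAT = re.compile(r"last message repeated (\d+) times$")


def unwrap(text):
    """Re-join records wrapped mid-line by a mail client: every syslog
    record starts with a timestamp, so any other line is a continuation."""
    records = []
    for line in text.splitlines():
        if TS.match(line) or not records:
            records.append(line)
        else:
            records[-1] += line
    return records


def summarize(text):
    """Tally FTP login failures per source IP and per probed username,
    expanding syslog's 'last message repeated N times' lines."""
    failures, probed_users = Counter(), Counter()
    prev = None  # (ip, user) of the last failure, for repeat expansion
    for rec in unwrap(text):
        if (m := REPEAT.search(rec)) and prev:
            failures[prev[0]] += int(m.group(1))
            probed_users[prev[1]] += int(m.group(1))
        elif m := PROFTPD.search(rec):
            ip, msg = m.groups()
            if u := FAILED_USER.search(msg):
                user = next(g for g in u.groups() if g)
                failures[ip] += 1
                probed_users[user] += 1
                prev = (ip, user)
    return dict(failures), dict(probed_users)
```

Run it over the real /var/log/messages (or whatever syslog writes proftpd to) and compare the per-username counts against the users that actually exist on the box; a flood of failures for names that were never created is the scan signature, and the source IPs are what to block at the border until the rebuild.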