Hacked using vulnerable FTP daemon

Last modified: 16 October 2001

From paul.tan@embrace.com Thu Oct 11 18:30:56 2001
Date: Tue, 25 Sep 2001 14:43:03 +0800
From: Paul Tan <paul.tan@embrace.com>
To: incidents@securityfocus.com
Subject: Hacked using vulnerable FTP daemon.



Hello experts,

I am helping a friend who got hacked in the last few days.
Below are the logs from /var/log/messages; I managed to get the logs from
the "last" command too. Is this sufficient info to call their ISP and
get that guy?

Rgds,
Paul

If you need more evidence I can produce e.g. rootkits and stuff I found
on the webserver.



Sep 23 04:59:21 www inetd[1638]: pid 28367: exit status 1
Sep 23 07:29:23 www ftpd[28419]: FTP LOGIN REFUSED (ftp in /etc/ftpusers) FROM 213.41.95.158 [213.41.95.158], anonymous
Sep 23 17:31:55 www inetd[1638]: pid 28592: exit status 1
Sep 23 17:33:20 www ftpd[28594]: FTP LOGIN REFUSED (ftp in /etc/ftpusers) FROM 203.55.23.150 [203.55.23.150], ftp
Sep 23 17:33:47 www ftpd[28595]: FTP LOGIN REFUSED (ftp in /etc/ftpusers) FROM 203.55.23.150 [203.55.23.150], ftp
Sep 23 17:33:58 www inetd[1638]: pid 28596: exit status 1
Sep 23 17:52:38 www useradd[28609]: new user: name=jogja, uid=506, gid=10, home=/etc/jogja, shell=/bin/bash
Sep 23 17:55:34 www PAM_pwdb[28610]: password for (jogja/506) changed by ((null)/0)
Sep 23 17:58:03 www PAM_pwdb[28612]: check pass; user unknown
Sep 23 17:58:04 www login[28612]: FAILED LOGIN 1 FROM 202.155.35.132 FOR ku ^H^H^H^H, User not known to the underlying authentication module
Sep 23 17:58:11 www PAM_pwdb[28612]: authentication failure; (uid=0) -> jogja for login service
Sep 23 17:58:12 www login[28612]: FAILED LOGIN 2 FROM 202.155.35.132 FOR jogja, Authentication failure
Sep 23 17:58:16 www PAM_pwdb[28612]: (login) session opened for user jogja by (uid=0)
Sep 23 17:58:46 www inetd[1638]: pid 28611: exit status 1
Sep 23 18:00:04 www PAM_pwdb[28632]: check pass; user unknown
Sep 23 18:00:05 www login[28632]: FAILED LOGIN 1 FROM 202.155.35.132 FOR D, User not known to the underlying authentication module
Sep 23 18:00:12 www PAM_pwdb[28632]: (login) session opened for user jogja by (uid=0)
Sep 23 18:02:32 www adduser[30101]: new group: name=D, gid=507
Sep 23 18:02:32 www adduser[30101]: new user: name=D, uid=507, gid=507, home=/home/D, shell=/bin/bash
Sep 23 18:02:48 www PAM_pwdb[30102]: password for (D/507) changed by (jogja/0)
Sep 23 18:02:55 www PAM_pwdb[28632]: (login) session closed for user jogja
Sep 23 18:02:55 www inetd[1638]: pid 28631: exit status 1
Sep 23 18:04:42 www PAM_pwdb[30107]: (login) session opened for user D by (uid=0)
Sep 23 18:07:26 www inetd[1638]: pid 30106: exit status 1
Sep 23 18:08:08 www PAM_pwdb[30132]: (login) session opened for user D by (uid=0)
Sep 23 18:12:08 www inetd[1638]: pid 30131: exit status 1
Sep 23 18:12:18 www inetd[1638]: pid 30159: exit status 1
Sep 23 18:13:06 www PAM_pwdb[30162]: (login) session opened for user D by (uid=0)
Sep 23 18:15:23 www PAM_pwdb[30162]: (login) session closed for user D
Sep 23 18:15:23 www inetd[1638]: pid 30161: exit status 1
Sep 23 18:36:15 www PAM_pwdb[30200]: (login) session opened for user jogja by (uid=0)
Sep 23 18:38:21 www ftpd[30221]: FTP LOGIN REFUSED (ftp in /etc/ftpusers) FROM 203.55.23.150 [203.55.23.150], ftp
Sep 23 18:40:01 www inetd[1638]: pid 30220: exit signal 13
Sep 23 18:40:01 www telnetd[30197]: ttloop: read: Connection reset by peer
Sep 23 18:40:01 www inetd[1638]: pid 30197: exit status 1
Sep 23 18:40:01 www ftpd[30196]: lost connection to 202.155.35.132 [202.155.35.132]
Sep 23 18:40:01 www inetd[1638]: pid 30196: exit status 255
Sep 23 18:41:22 www PAM_pwdb[30200]: (login) session closed for user jogja
Sep 23 18:41:22 www inetd[1638]: pid 30199: exit status 1
Sep 23 18:42:37 www inetd[1638]: pid 28600: exit status 1
Sep 23 18:42:38 www PAM_pwdb[30226]: (login) session opened for user jogja by (uid=0)
Sep 23 18:48:17 www PAM_pwdb[30226]: (login) session closed for user jogja
Sep 23 18:48:17 www inetd[1638]: pid 30225: exit status 1
Sep 23 18:48:43 www PAM_pwdb[30256]: (login) session opened for user jogja by (uid=0)
Sep 23 18:57:49 www telnetd[30277]: ttloop: peer died: EOF
Sep 23 18:57:49 www inetd[1638]: pid 30277: exit status 1
Sep 23 18:58:36 www PAM_pwdb[30279]: (login) session opened for user D by (uid=0)
Sep 23 18:59:15 www inetd[1638]: pid 30278: exit status 1
Sep 23 18:59:29 www PAM_pwdb[30300]: (login) session opened for user D by (uid=0)
Sep 23 19:01:53 www PAM_pwdb[30300]: (login) session closed for user D
Sep 23 19:01:53 www inetd[1638]: pid 30299: exit status 1
Sep 23 19:03:07 www PAM_pwdb[31765]: (login) session opened for user D by (uid=0)
Sep 23 19:05:15 www PAM_pwdb[31765]: (login) session closed for user D
Sep 23 19:05:15 www inetd[1638]: pid 31764: exit status 1
Sep 23 19:06:51 www PAM_pwdb[31787]: (login) session opened for user D by (uid=0)
Sep 23 19:13:44 www PAM_pwdb[813]: (login) session opened for user D by (uid=0)
Sep 23 19:23:48 www inetd[1638]: pid 812: exit status 1
Sep 23 19:30:08 www PAM_pwdb[30256]: (login) session closed for user jogja
Sep 23 19:30:08 www inetd[1638]: pid 30255: exit status 1
Sep 23 19:30:49 www PAM_pwdb[868]: (login) session opened for user jogja by (uid=0)
Sep 23 19:38:00 www inetd[1638]: pid 867: exit status 1
Sep 23 19:38:32 www PAM_pwdb[2390]: authentication failure; (uid=0) -> jogja for login service
Sep 23 19:38:33 www login[2390]: FAILED LOGIN 1 FROM 202.155.35.132 FOR jogja, Authentication failure
Sep 23 19:38:47 www PAM_pwdb[2390]: (login) session opened for user jogja by (uid=0)
Sep 23 19:45:00 www PAM_pwdb[31787]: (login) session closed for user D
Sep 23 19:45:00 www inetd[1638]: pid 31786: exit status 1
Sep 23 19:51:33 www inetd[1638]: pid 2389: exit status 1
Sep 23 19:52:31 www PAM_pwdb[2429]: (login) session opened for user jogja by (uid=0)
Sep 23 19:58:24 www inetd[1638]: pid 2428: exit status 1
Sep 23 19:58:41 www PAM_pwdb[2461]: (login) session opened for user jogja by (uid=0)
Sep 23 20:52:49 www inetd[1638]: pid 2460: exit status 1
Sep 23 21:05:29 www PAM_pwdb[5396]: (login) session opened for user jogja by (uid=0)
Sep 23 21:51:22 www inetd[1638]: pid 5395: exit status 1
Sep 23 22:57:22 www PAM_pwdb[6889]: (login) session opened for user D by (uid=0)
Sep 23 23:42:01 www PAM_pwdb[6889]: (login) session closed for user D
Sep 23 23:42:01 www inetd[1638]: pid 6888: exit status 1
Sep 23 23:42:37 www ftpd[6969]: lost connection to 202.155.35.132 [202.155.35.132]
Sep 23 23:42:37 www inetd[1638]: pid 6969: exit status 255
Sep 23 23:48:37 www PAM_pwdb[8425]: (login) session opened for user D by (uid=0)
Sep 23 23:51:28 www inetd[1638]: pid 8424: exit status 1
Sep 24 04:02:00 www anacron[8529]: Updated timestamp for job `cron.daily' to 2001-09-24
Sep 24 04:02:01 www syslogd 1.3-3: restart.
Sep 24 09:23:01 www ftpd[8785]: FTP LOGIN REFUSED (ftp in /etc/ftpusers) FROM 217.125.56.172 [217.125.56.172], anonymous
Sep 24 09:49:39 www PAM_pwdb[8791]: (login) session opened for user jogja by (uid=0)
Sep 24 09:55:44 www inetd[1638]: pid 8813: exit status 1
Sep 24 09:56:47 www PAM_pwdb[8816]: check pass; user unknown
Sep 24 09:56:48 www login[8816]: FAILED LOGIN 1 FROM ykt-101.mega.net.id FOR joja^H^H^H^H^H^H^H^H^Hjogja, User not known to the underlying authentication module
Sep 24 09:57:11 www inetd[1638]: pid 8815: exit status 1
Sep 24 09:58:05 www PAM_pwdb[8818]: (login) session opened for user jogja by (uid=0)
Sep 24 10:36:30 www inetd[1638]: pid 8817: exit status 1
Sep 24 12:03:44 www inetd[1638]: pid 8790: exit status 1
Sep 24 13:58:52 www PAM_pwdb[10350]: (login) session opened for user jogja by (uid=0)
Sep 24 14:10:23 www PAM_pwdb[10350]: (login) session closed for user jogja
Sep 24 14:10:23 www inetd[1638]: pid 10349: exit status 1
Sep 24 14:56:45 www telnetd[11830]: ttloop: read: Connection reset by peer
Sep 24 14:56:45 www inetd[1638]: pid 11830: exit status 1
Sep 24 15:36:51 www PAM_pwdb[11845]: (login) session opened for user jogja by (uid=0)
Sep 24 18:30:48 www inetd[1638]: pid 11844: exit status 1
Sep 24 18:31:56 www PAM_pwdb[11933]: (login) session opened for user jogja by (uid=0)
Sep 24 18:57:20 www PAM_pwdb[13402]: (login) session opened for user jogja by (uid=0)
Sep 24 19:00:37 www PAM_pwdb[13428]: (login) session opened for user jogja by (uid=0)
Sep 24 20:16:01 www PAM_pwdb[16718]: (login) session opened for user root by LOGIN(uid=0)
Sep 24 20:17:09 www kernel: end_request: I/O error, dev 02:00 (floppy), sector 0
Sep 24 20:17:09 www insmod: Note: /etc/conf.modules is more recent than /lib/modules/2.2.14-5.0smp/modules.dep
Sep 24 20:17:09 www kernel: end_request: I/O error, dev 02:00 (floppy), sector 0
Sep 24 20:17:50 www last message repeated 2 times
Sep 24 20:18:47 www last message repeated 5 times
Sep 24 20:18:56 www insmod: Note: /etc/conf.modules is more recent than /lib/modules/2.2.14-5.0smp/modules.dep
Sep 24 20:18:56 www kernel: end_request: I/O error, dev 02:00 (floppy), sector 0
Sep 24 20:19:54 www PAM_pwdb[13545]: password for (paultan/505) changed by (root/0)
Sep 24 20:19:56 www PAM_pwdb[16718]: (login) session closed for user root
Sep 24 20:22:48 www /sbin/mingetty[13547]: tty4: invalid character ^[ in login name
Sep 24 20:22:53 www PAM_pwdb[13552]: (login) session opened for user root by LOGIN(uid=0)
Sep 24 20:24:26 www PAM_pwdb[13599]: (login) session opened for user jogja by (uid=0)
Sep 24 20:24:59 www PAM_pwdb[13621]: (login) session opened for user paultan by (uid=0)
Sep 24 20:25:25 www PAM_pwdb[13641]: (su) session opened for user root by paultan(uid=505)
Sep 24 20:48:26 www inetd[1638]: pid 11932: exit status 1
Sep 24 20:56:42 www PAM_pwdb[15158]: (login) session opened for user D by (uid=0)
Sep 24 21:04:28 www PAM_pwdb[15158]: (login) session closed for user D
Sep 24 21:04:28 www inetd[1638]: pid 15157: exit status 1
Sep 24 21:13:06 www inetd[1638]: pid 13598: exit status 1
Sep 24 21:39:14 www PAM_pwdb[13641]: (su) session closed for user root
Sep 24 21:39:14 www PAM_pwdb[13621]: (login) session closed for user paultan
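Added by the editor, not part of Paul's post: a small Python triage pass over lines copied from the /var/log/messages excerpt above. It pulls out the events a responder would want from this log (an account created with its home outside /home, password changes made as uid 0 under no name or a non-root name, failed logins with their source, sessions on freshly created accounts, and su to root). The rules and the choice of sample lines are my own.

```python
import re

# Added example, not part of Paul's post. The sample lines below are copied
# from the /var/log/messages excerpt above; the triage rules are my own.
SAMPLE_LOG = """\
Sep 23 17:52:38 www useradd[28609]: new user: name=jogja, uid=506, gid=10, home=/etc/jogja, shell=/bin/bash
Sep 23 17:55:34 www PAM_pwdb[28610]: password for (jogja/506) changed by ((null)/0)
Sep 23 17:58:12 www login[28612]: FAILED LOGIN 2 FROM 202.155.35.132 FOR jogja, Authentication failure
Sep 23 17:58:16 www PAM_pwdb[28612]: (login) session opened for user jogja by (uid=0)
Sep 23 18:02:32 www adduser[30101]: new user: name=D, uid=507, gid=507, home=/home/D, shell=/bin/bash
Sep 23 18:02:48 www PAM_pwdb[30102]: password for (D/507) changed by (jogja/0)
Sep 24 20:25:25 www PAM_pwdb[13641]: (su) session opened for user root by paultan(uid=505)
"""

# Classic syslog layout: "Mon DD HH:MM:SS host prog[pid]: message".
SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ [^\[:]+(?:\[\d+\])?: (?P<msg>.*)$")
NEW_USER = re.compile(r"new user: name=(?P<name>[^,]+), uid=\d+, gid=\d+, home=(?P<home>[^,]+),")
PW_CHANGE = re.compile(r"password for \((?P<user>[^/]+)/\d+\) changed by \((?P<by>[^/]+)/(?P<byuid>\d+)\)")
FAILED = re.compile(r"FAILED LOGIN \d+ FROM (?P<src>\S+) FOR (?P<user>[^,]+),")
SESSION = re.compile(r"\((?P<svc>\w+)\) session opened for user (?P<user>\S+) by (?P<by>[^(\s]*)\(uid=(?P<byuid>\d+)\)")

def triage(log):
    """Return (findings, new_accounts): one finding per suspicious event, in log order."""
    findings, new_accounts = [], {}
    for line in log.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        ts, msg = m["ts"], m["msg"]
        if u := NEW_USER.search(msg):
            new_accounts[u["name"]] = ts
            if not u["home"].startswith("/home/"):  # /etc/jogja is a hiding place, not a home
                findings.append(f"{ts} account {u['name']} created with home {u['home']} outside /home")
        elif p := PW_CHANGE.search(msg):
            # uid 0 acting with no login name, or under a name that is not root,
            # means a root-level actor behind an account that should not have it
            if p["byuid"] == "0" and p["by"] != "root":
                findings.append(f"{ts} password of {p['user']} set by uid 0 as '{p['by']}'")
        elif f := FAILED.search(msg):
            findings.append(f"{ts} failed login for {f['user']} from {f['src']}")
        elif s := SESSION.search(msg):
            if s["user"] in new_accounts:
                findings.append(f"{ts} {s['svc']} session for account {s['user']} created {new_accounts[s['user']]}")
            elif s["user"] == "root" and s["svc"] == "su":
                findings.append(f"{ts} su to root by {s['by']} (uid {s['byuid']})")
    return findings, new_accounts
```

Run it over the full /var/log/messages excerpt and the same rules also surface the later "(jogja/0)" and console root sessions; the output is a timeline to hand over alongside the raw log, not a replacement for it.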