I need to find the entry point of a hacker into my server?? Here is some info!!

atul

Well-Known Member
May 6, 2004
52
0
156
Hello All,
I have a compromised server... I have posted a query for the same...
Now my logwatch says this:
My xferlogs are saying:
--------------------- ftpd-xferlog Begin ------------------------

TOTAL KB IN: 119KB (0MB)

---------------------- ftpd-xferlog End --------

It seems that somebody uploaded something... very little, 119KB? Serious looking!!!

IMAPd] Logout stats:
====================
User | Logouts | Downloaded | Mbox Size
--------------------------------------- | ------- | ---------- | ----------
??? domain=??? | 161 | |
[email protected] domain=pachak.com | 2 | |
jlong domain=s3tech.net | 3 | |
joel domain=swspeed.com | 12 | |
[email protected] domain=aknb.org | 3 | |
----------------------------------------------------------------------------
181 | 0 | 0



**Unmatched Entries**
Connection timed out, while reading line [email protected] host=pcp03161084pcs.parads01.nm.comcast.net [68.35.41.63]: 1 Time(s)
Connection timed out, while reading line [email protected] host=pcp03161084pcs.parads01.nm.comcast.net [68.35.41.63]: 1 Time(s)
Logout user=??? domain=??? host=UNKNOWN: 12 Time(s)

So many dropped packets:
--------------------- Kernel Begin ------------------------


Dropped 56 packets on interface eth0
From 61.110.238.96 - 5 packets to tcp(17300,17300,17300,17300,17300)
From 64.179.97.193 - 3 packets to tcp(2745)
From 69.39.92.168 - 3 packets to tcp(2745)
From 69.91.24.102 - 9 packets to tcp(1025,2745,6129)
From 69.137.65.77 - 3 packets to tcp(2745)
From 69.144.221.228 - 6 packets to tcp(1025,2745,6129)
From 69.167.198.187 - 4 packets to tcp(1025,2745,6129)
From 213.236.248.149 - 10 packets to tcp(4561,44464,4561,44464,4561,44464,4561,44464,4561,44464)
From 218.89.104.161 - 3 packets to tcp(5554,5554,9898)
From 221.143.42.23 - 10 packets to udp(1026,1026,1026,1026,1026)

Logged 10 packets on interface eth0
From 61.11.23.142 - 6 packets to tcp(22)
From 69.240.64.97 - 4 packets to tcp(22)

---------------------- Kernel End -------------------------
pam_unix says:
Unknown Entries:
2 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=pcp09766260pcs.albqrq01.nm.comcast.net user=admin: 1 Time(s)

-------------------------------------------------
VERY SERIOUS LINE:
PAM-listfile: Couldn't open /etc/ftpusers
hosting.hidefweb.com (bgp01383292bgs.montbl01.nm.comcast.net[68.35.140.209]) - PAM([email protected]): User not known to the underlying authentication module.
-----------------------------------------------------

Now see some entries in access_log:
[email protected] [~]# cat /usr/local/apache/logs/access_log | grep -i "/../"
141.158.23.68 - - [04/Apr/2004:13:08:55 -0600] "GET /level/99/exec/show%20conf HTTP/1.1" 400 409
141.158.23.68 - - [04/Apr/2004:13:08:55 -0600] "GET /level/99/exec/show%20conf HTTP/1.1" 400 409
141.158.23.68 - - [04/Apr/2004:13:08:55 -0600] "GET /level/99/exec/show%20conf HTTP/1.1" 400 409
141.158.23.68 - - [04/Apr/2004:13:08:55 -0600] "GET /level/99/exec/show%20conf HTTP/1.1" 400 409
208.41.103.26 - - [27/Jul/2004:18:14:09 -0600] "GET /msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c: HTTP/1.1" 404 -
208.41.103.26 - - [27/Jul/2004:18:18:14 -0600] "GET /msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c: HTTP/1.1" 404 -
208.41.103.26 - - [27/Jul/2004:18:21:11 -0600] "GET /msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c: HTTP/1.1" 404 -
208.41.103.26 - - [27/Jul/2004:18:24:04 -0600] "GET /msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c: HTTP/1.1" 404 -

Security experts, can you help me find what the entry point is? What must have gone wrong?
What should I do?
Any suggestion?
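As an added example (not code from any poster in this thread), a small Python triage script for the access_log requests above: it percent-decodes each path, folds overlong UTF-8 sequences such as %e0%80%af back to the "/" they hide, flags traversal and Windows/IIS-only targets, and reports per source IP whether any flagged request was answered with 2xx/3xx rather than 404. The 203.0.113.5 line and the variant with contiguous %e0%80%af bytes are constructed; the first line is quoted from the post.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes
# Constructed sample: one request quoted in the post, a constructed contiguous-overlong variant, an ordinary hit.
SAMPLE_LOG = """\
208.41.103.26 - - [27/Jul/2004:18:14:09 -0600] "GET /msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c: HTTP/1.1" 404 -
208.41.103.26 - - [27/Jul/2004:18:18:14 -0600] "GET /msadc/..%e0%80%af../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 -
203.0.113.5 - - [27/Jul/2004:19:00:00 -0600] "GET /index.html HTTP/1.1" 200 1532
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ', re.M)
# Overlong UTF-8 encodings of one ASCII byte, e.g. %c0%af or %e0%80%af for "/".
OVERLONG_RE = re.compile(rb'[\xc0\xc1][\x80-\xbf]|\xe0[\x80-\x9f][\x80-\xbf]')
IIS_MARKERS = ('cmd.exe', '/winnt/', '/msadc/')  # paths that only exist on Windows/IIS

def fold_overlong(m):
    # Decode the overlong sequence and substitute the ASCII byte it hides.
    b = m.group(0)
    if len(b) == 2:
        cp = ((b[0] & 0x1f) << 6) | (b[1] & 0x3f)
    else:
        cp = ((b[0] & 0x0f) << 12) | ((b[1] & 0x3f) << 6) | (b[2] & 0x3f)
    return bytes([cp]) if cp < 0x80 else b

def classify(path):
    # Reasons a request path looks like a traversal / IIS probe; [] when clean.
    raw = unquote_to_bytes(path)
    folded = OVERLONG_RE.sub(fold_overlong, raw)
    reasons = ['overlong-utf8'] if folded != raw else []
    try:
        folded.decode('utf-8')
    except UnicodeDecodeError:
        reasons.append('invalid-utf8')  # e.g. %e0/%80/%af split by slashes, as in the post
    low = folded.decode('latin-1').lower()
    if '../' in low:
        reasons.append('traversal')
    if any(marker in low for marker in IIS_MARKERS):
        reasons.append('iis-target')
    return reasons

def triage(log_text):
    # Per source IP: requests seen, probes flagged, and probes answered with 2xx/3xx.
    per_ip = defaultdict(lambda: {'requests': 0, 'probes': 0, 'succeeded': 0, 'reasons': set()})
    for ip, path, status in LINE_RE.findall(log_text):
        per_ip[ip]['requests'] += 1
        reasons = classify(path)
        if reasons:
            per_ip[ip]['probes'] += 1
            per_ip[ip]['reasons'].update(reasons)
            per_ip[ip]['succeeded'] += status[0] in '23'  # 4xx = the target was not there
    return dict(per_ip)
```

Note that the `grep -i "/../"` in the post is a regex in which each dot matches any character, so it also pulls in paths like /99/; use `grep -F` or escape the dots to match a literal /../.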
 

OCX

Well-Known Member
Sep 20, 2003
231
0
166
208.41.103.26 - - [27/Jul/2004:18:14:09 -0600] "GET /msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c: HTTP/1.1" 404 -
208.41.103.26 - - [27/Jul/2004:18:18:14 -0600] "GET /msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c: HTTP/1.1" 404 -
208.41.103.26 - - [27/Jul/2004:18:21:11 -0600] "GET /msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c: HTTP/1.1" 404 -
208.41.103.26 - - [27/Jul/2004:18:24:04 -0600] "GET /msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c: HTTP/1.1" 404 -



the kiddie thinks you're on an IIS server... nothing to be worried about as far as that's concerned

just ban the IP
 

easyhoster1

Well-Known Member
Sep 25, 2003
656
0
166
OCX said:
208.41.103.26 - - [27/Jul/2004:18:14:09 -0600] "GET /msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c: HTTP/1.1" 404 -
208.41.103.26 - - [27/Jul/2004:18:18:14 -0600] "GET /msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c: HTTP/1.1" 404 -
208.41.103.26 - - [27/Jul/2004:18:21:11 -0600] "GET /msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c: HTTP/1.1" 404 -
208.41.103.26 - - [27/Jul/2004:18:24:04 -0600] "GET /msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c: HTTP/1.1" 404 -



the kiddie thinks you're on an IIS server... nothing to be worried about as far as that's concerned

just ban the IP
I agree, I think it's looking for IIS affected with Code Red.