The Community Forums

Interact with an entire community of cPanel & WHM users!

I need to find the entry point of a hacker into my server?? Here is some info!!

Discussion in 'General Discussion' started by atul, Aug 6, 2004.

  1. atul

    atul Well-Known Member

    Hello All,
    I have a compromised server ... I have posted a query about the same ...
    Now my logwatch says this:
    My xferlogs are saying:
    --------------------- ftpd-xferlog Begin ------------------------

    TOTAL KB IN: 119KB (0MB)

    ---------------------- ftpd-xferlog End --------

    It seems that somebody uploaded something ... very little, only 119KB? Serious looking!!!

    [IMAPd] Logout stats:
    ====================
    User | Logouts | Downloaded | Mbox Size
    --------------------------------------- | ------- | ---------- | ----------
    ??? domain=??? | 161 | |
    beth@pachak.com domain=pachak.com | 2 | |
    jlong domain=s3tech.net | 3 | |
    joel domain=swspeed.com | 12 | |
    westerman@aknb.org domain=aknb.org | 3 | |
    ----------------------------------------------------------------------------
    181 | 0 | 0



    **Unmatched Entries**
    Connection timed out, while reading line user=david@devianconsult.com host=pcp03161084pcs.parads01.nm.comcast.net [68.35.41.63]: 1 Time(s)
    Connection timed out, while reading line user=david@pachak.com host=pcp03161084pcs.parads01.nm.comcast.net [68.35.41.63]: 1 Time(s)
    Logout user=??? domain=??? host=UNKNOWN: 12 Time(s)

    So many dropped packets:
    --------------------- Kernel Begin ------------------------


    Dropped 56 packets on interface eth0
    From 61.110.238.96 - 5 packets to tcp(17300,17300,17300,17300,17300)
    From 64.179.97.193 - 3 packets to tcp(2745)
    From 69.39.92.168 - 3 packets to tcp(2745)
    From 69.91.24.102 - 9 packets to tcp(1025,2745,6129)
    From 69.137.65.77 - 3 packets to tcp(2745)
    From 69.144.221.228 - 6 packets to tcp(1025,2745,6129)
    From 69.167.198.187 - 4 packets to tcp(1025,2745,6129)
    From 213.236.248.149 - 10 packets to tcp(4561,44464,4561,44464,4561,44464,4561,44464,4561,44464)
    From 218.89.104.161 - 3 packets to tcp(5554,5554,9898)
    From 221.143.42.23 - 10 packets to udp(1026,1026,1026,1026,1026)

    Logged 10 packets on interface eth0
    From 61.11.23.142 - 6 packets to tcp(22)
    From 69.240.64.97 - 4 packets to tcp(22)

    ---------------------- Kernel End -------------------------
    pam_unix says:
    Unknown Entries:
    2 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=pcp09766260pcs.albqrq01.nm.comcast.net user=admin: 1 Time(s)

    -------------------------------------------------
    VERY SERIOUS LINE:
    PAM-listfile: Couldn't open /etc/ftpusers
    hosting.hidefweb.com (bgp01383292bgs.montbl01.nm.comcast.net[68.35.140.209]) - PAM(ryan@swspeed.com): User not known to the underlying authentication module.
    -----------------------------------------------------

    Now see some entries in access_log:
    root@hosting [~]# cat /usr/local/apache/logs/access_log | grep -i "/../"
    141.158.23.68 - - [04/Apr/2004:13:08:55 -0600] "GET /level/99/exec/show%20conf HTTP/1.1" 400 409
    141.158.23.68 - - [04/Apr/2004:13:08:55 -0600] "GET /level/99/exec/show%20conf HTTP/1.1" 400 409
    141.158.23.68 - - [04/Apr/2004:13:08:55 -0600] "GET /level/99/exec/show%20conf HTTP/1.1" 400 409
    141.158.23.68 - - [04/Apr/2004:13:08:55 -0600] "GET /level/99/exec/show%20conf HTTP/1.1" 400 409
    208.41.103.26 - - [27/Jul/2004:18:14:09 -0600] "GET /msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c: HTTP/1.1" 404 -
    208.41.103.26 - - [27/Jul/2004:18:18:14 -0600] "GET /msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c: HTTP/1.1" 404 -
    208.41.103.26 - - [27/Jul/2004:18:21:11 -0600] "GET /msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c: HTTP/1.1" 404 -
    208.41.103.26 - - [27/Jul/2004:18:24:04 -0600] "GET /msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c: HTTP/1.1" 404 -

    Security experts, can you help me find out what the entry point is? What must have gone wrong?
    What should I do?
    Any suggestions?
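As an added example (not from the thread or from cPanel), a small Python triage script that parses access_log lines like the ones quoted above, percent-decodes each request path once, and flags the features that actually mark these probes: a `..` segment after decoding, percent sequences that are not valid UTF-8 (the overlong `%e0%80%af` form of `/`), and a Windows `cmd.exe`/`system32` target. It also shows why the `grep "/../"` used above over-matches: in a regex every `.` matches any character, so `/99/` in the `/level/99/exec/` line is a hit too. The sample lines are constructed from the post's entries plus one benign request from a documentation address; the regex and reason names are my own.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Constructed sample: entries modelled on the post's access_log, plus one
# ordinary request (192.0.2.7) to check that clean traffic is not flagged.
SAMPLE_LOG = """\
141.158.23.68 - - [04/Apr/2004:13:08:55 -0600] "GET /level/99/exec/show%20conf HTTP/1.1" 400 409
208.41.103.26 - - [27/Jul/2004:18:14:09 -0600] "GET /msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c: HTTP/1.1" 404 -
208.41.103.26 - - [27/Jul/2004:18:18:14 -0600] "GET /msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c: HTTP/1.1" 404 -
192.0.2.7 - - [27/Jul/2004:18:30:00 -0600] "GET /images/logo.png HTTP/1.1" 200 5120
"""

# Common Log Format: client ident user [timestamp] "METHOD path proto" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')

def naive_grep_hits(path):
    """What the OP's `grep "/../"` matches: '.' is a regex wildcard, so any
    single-character directory such as /99/ or /c/ counts as a hit."""
    return re.search(r'/../', path) is not None

def classify(path):
    """Return the set of reasons a request path looks like a probe (empty if clean)."""
    reasons = set()
    raw = unquote_to_bytes(path)  # one round of %XX decoding, kept as bytes
    try:
        text = raw.decode('utf-8')
    except UnicodeDecodeError:
        # Overlong forms of '/' such as %e0%80%af (or %c0%af) are rejected by a
        # strict UTF-8 decoder, whether contiguous or split by '/' as in the log.
        reasons.add('invalid-utf8')
        text = raw.decode('utf-8', errors='replace')
    text = text.lower()
    # Real traversal is a '..' path segment after decoding (catches %2e%2e too).
    if '..' in text.split('/'):
        reasons.add('dot-dot-segment')
    if 'cmd.exe' in text or 'system32' in text:
        reasons.add('windows-shell-target')
    return reasons

def triage(log_text):
    """Per-source summary {ip: Counter(reason -> hits)}; clean requests are dropped."""
    summary = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, path, _status = m.groups()
        reasons = classify(path)
        if reasons:
            summary.setdefault(ip, Counter()).update(reasons)
    return summary

if __name__ == '__main__':
    for ip, hits in triage(SAMPLE_LOG).items():
        print(ip, dict(hits))
```

Run it against the real access_log with `triage(open(path).read())`; the `/level/99/exec/` line is reported by `naive_grep_hits` but not by `classify`, which is the false positive the grep produced.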
     
  2. OCX

    OCX Well-Known Member

    208.41.103.26 - - [27/Jul/2004:18:14:09 -0600] "GET /msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c: HTTP/1.1" 404 -
    208.41.103.26 - - [27/Jul/2004:18:18:14 -0600] "GET /msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c: HTTP/1.1" 404 -
    208.41.103.26 - - [27/Jul/2004:18:21:11 -0600] "GET /msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c: HTTP/1.1" 404 -
    208.41.103.26 - - [27/Jul/2004:18:24:04 -0600] "GET /msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c: HTTP/1.1" 404 -



    The kiddie thinks you're on an IIS server... nothing to be worried about as far as that's concerned.

    Just ban the IP.
     
  3. easyhoster1

    easyhoster1 Well-Known Member

    I agree, I think it is looking for IIS affected by Code Red.
     
  4. jester.ro

    jester.ro Well-Known Member
    PartnerNOC

    What makes you think you have a compromised server? Only those Apache logs? Everybody gets tons of IIS exploit attempts on their Apache servers, so no worries there.
     