
List:       debian-security
Subject:    Re: am I hacked?
From:       Calvin Yeh <elpatoz () microntec ! com ! br>
Date:       2004-10-31 17:34:25
Message-ID: 41852221.1040800 () microntec ! com ! br

I've also received a lot of connection attempts, and it's almost certain 
that these attempts originated from a brute-force cracker utility.

See http://www.k-otik.com/exploits/08202004.brutessh2.c.php

Calvin

Emil Perhinschi wrote:

>False alerts or rootkit?
>
>I got a lot of similar (no root among users, but a lot of
>"admin", "administrator" etc.) attempts to connect to my sshd (some from
>the McGill University in Montreal ... they might have a compromised host
>on the IPs that belonged to the electrical engineering dep. in 1994..
>if anyone is from there, let them know, because the contact they filed
>in 1994 does not exist anymore and their lawyers don't seem to care).
>
>the attempts continued even after I disabled sshd, and my firewall
>reports communication (syn, ack ... I did not log outgoing traffic)
>from a single foreign host (from Korea) on my port 22.
>
>eth0 seems to be entering promiscuous mode from time to time,
>without this being reported in logs.
>
>chkrootkit 0.43 reports processes that can not be seen with ps and
>also:
>Warning: Possible LKM Trojan installed.
>
>but rkhunter 1.1.8 found nothing.
>
>I am running debian sarge, with kernel 2.6.7, with modules enabled.
>I did run Gtk-Gnutella, but almost a month ago, and in the meantime I
>did a clean install and now I do not have gtk-gnutella
>installed on the system, nor other p2p software.
>
>
>thank you
>
>Emil Per.
>
>On Sun, 31 Oct 2004 16:59:12 +0100
>Arthur de Jong <adejong@debian.org> wrote:
>
>>On Sun, 2004-10-31 at 17:16 +0200, Haim Ashkenazi wrote:
>>
>>>for a few days now I see in the logs of my firewall (debian/stable)
>>>entries about someone trying to connect to my SSH server with
>>>several users (root, test, mysql, etc..) without success. today I
>>>saw an entry which alarmed me:
>>>Oct 31 14:37:17 coltrane sshd[17927]: Bad protocol version
>>>identification 'GNUTELLA CONNECT/0.6' from 192.168.0.5
>>>
>>This is probably what you would see if someone advertised a gnutella
>>host with ip 192.168.0.1 (or whatever your server's ip is) and port
>>22. Nothing to worry about.
>>
>>
>>>running chkrootkit (0.43) I got this surprise (the short version):
>>>parker:~/src/rkhunter# chkrootkit  lkm
>>>ROOTDIR is `/'
>>>Checking `lkm'... You have    36 process hidden for readdir command
>>>You have    36 process hidden for ps command
>>>Warning: Possible LKM Trojan installed
>>>
>>chkrootkit is known to sometimes produce false positives but these
>>generally don't show up on repeated calls. There was a problem once
>>with an incompatible libc or somesuch that could explain this (maybe
>>see http://bugs.debian.org/chkrootkit).
>>
>>-- 
>>-- arthur - adejong@debian.org - http://people.debian.org/~adejong --
>>
>
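The thread's two symptoms, a scripted run of logins for "root", "test", "admin" and the like from one source, and the "Bad protocol version identification 'GNUTELLA CONNECT/0.6'" line that is just a Gnutella client hitting port 22, can be told apart mechanically from the sshd log. The following is an added example (not code from anyone in the thread) that parses syslog-style sshd lines of the era and separates multi-user password-guessing sources from protocol-mismatch noise; the log lines, hostnames and IP addresses are constructed, with the "Bad protocol version" line copied from the post.

```python
import re
from collections import defaultdict

# Constructed sample in the OpenSSH 3.x syslog format of 2004; IPs are documentation
# ranges, the Gnutella line is the one quoted in the thread.
SAMPLE_LOG = """\
Oct 31 14:32:01 coltrane sshd[17901]: Illegal user test from 203.0.113.7
Oct 31 14:32:03 coltrane sshd[17903]: Failed password for illegal user test from 203.0.113.7 port 41230 ssh2
Oct 31 14:32:05 coltrane sshd[17905]: Illegal user admin from 203.0.113.7
Oct 31 14:32:07 coltrane sshd[17907]: Failed password for illegal user admin from 203.0.113.7 port 41231 ssh2
Oct 31 14:32:09 coltrane sshd[17909]: Failed password for root from 203.0.113.7 port 41232 ssh2
Oct 31 14:32:11 coltrane sshd[17911]: Failed password for mysql from 203.0.113.7 port 41233 ssh2
Oct 31 14:35:40 coltrane sshd[17920]: Failed password for emil from 198.51.100.9 port 2200 ssh2
Oct 31 14:37:17 coltrane sshd[17927]: Bad protocol version identification 'GNUTELLA CONNECT/0.6' from 192.168.0.5
Oct 31 14:38:00 coltrane sshd[17930]: Accepted publickey for emil from 198.51.100.9 port 2201 ssh2
"""

# A failed password line names the user (possibly an "illegal user") and the source.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:illegal user )?(\S+) from (\S+)")
# A client that speaks something other than SSH on port 22 produces this line.
BADPROTO_RE = re.compile(r"sshd\[\d+\]: Bad protocol version identification '([^']*)' from (\S+)")


def summarize(lines):
    """Return (usernames tried per source, failure count per source, protocol-mismatch hits)."""
    users_by_src = defaultdict(set)
    failures_by_src = defaultdict(int)
    bad_proto = []  # (source, what the client sent instead of an SSH banner)
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            users_by_src[src].add(user)
            failures_by_src[src] += 1
            continue
        m = BADPROTO_RE.search(line)
        if m:
            bad_proto.append((m.group(2), m.group(1)))
    return users_by_src, failures_by_src, bad_proto


def brute_force_sources(lines, min_attempts=4, min_users=3):
    """Sources with many failures spread over several usernames: a guessing tool, not a typo."""
    users_by_src, failures_by_src, _ = summarize(lines)
    return sorted(src for src, n in failures_by_src.items()
                  if n >= min_attempts and len(users_by_src[src]) >= min_users)
```

A single user failing once (the "emil" line) stays below both thresholds, while the Gnutella line is reported separately as a non-SSH client rather than as a login attempt.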


