does anyone know how someone could execute 'useradd' without being logged into the server?

Posted on 2005-03-09
Last Modified: 2012-08-13
system details:
RedHat 9 - kernel: Linux version 2.4.20-8 (bhcompile@stripples.devel.redhat.com) (gcc version 3.2.2 20030222 (Red Hat Linux 3.2.2-5))
SSH-1.99-OpenSSH_3.5p13.0.1 on i686-pc-linux-gnu

When I logged in, I got this message:
Last login: Wed Dec 31 1969 19:00:00 -0500
No mail.

After doing some searching of the logs:

/var/log/secure
Mar  8 14:02:51 <server> useradd[17414]: new user: name=tcp, uid=0, gid=0, home=/dev/ , shell=/bin/bash
Mar  8 14:02:58 <server> sshd[17405]: Bad protocol version identification 'ÿôÿý^Fÿôÿý^Fÿôÿý^F' from 202.177.2.165
Mar  8 14:03:16 <server> sshd[17436]: Accepted password for tcp from 202.177.2.165 port 840 ssh2
Mar  8 14:15:47 <server> userdel[25720]: delete user `tcp'

/var/log/messages
Mar  8 14:03:18 <server> sshd(pam_unix)[17436]: session opened for user tcp by (uid=0)
Mar  8 14:14:45 <server>     [25653]: Listener created on port 22.
Mar  8 14:14:45 <server>     [25655]: Daemon is running.
Mar  8 14:15:04 <server> sshd(pam_unix)[17436]: session closed for user tcp

does anyone know how someone could execute 'useradd' without being logged in to the server?

Now I noticed with netstat that something was listening on port 3303, which is not normal. When I connected, I got this message:
:Welcome!psyBNC@lam3rz.de NOTICE * :psyBNC2.3.1
Login failed. Disconnecting.

After rebooting the server, changing all critical passwords, and locking down the firewall extra-tight, things seem back to normal. But I still cannot find where that program was residing, and I would like to make sure I've got the server clean without having to do a reinstall... any thoughts, ideas, suggestions?
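The log excerpt above already contains the answer to the question in the form of a detectable pattern: an account with uid=0 is created while no interactive session is open, a malformed protocol probe and an accepted login arrive from the same address, and the account is deleted minutes later. The following script is an added example, not code from the original post; it encodes those four conditions as checks over /var/log/secure-style lines. The sample log is constructed from the excerpt quoted above (the host name is a placeholder, the probe string is shortened, and one ordinary login from the documentation address 192.0.2.10 is added for contrast).

```python
import re
from datetime import datetime

# Constructed sample, adapted from the /var/log/secure lines quoted in the question.
SAMPLE_SECURE_LOG = """\
Mar  8 14:02:51 host useradd[17414]: new user: name=tcp, uid=0, gid=0, home=/dev/ , shell=/bin/bash
Mar  8 14:02:58 host sshd[17405]: Bad protocol version identification 'garbage' from 202.177.2.165
Mar  8 14:03:16 host sshd[17436]: Accepted password for tcp from 202.177.2.165 port 840 ssh2
Mar  8 14:10:02 host sshd[17500]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
Mar  8 14:15:47 host userdel[25720]: delete user `tcp'
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=(?P<name>[^,]+), uid=(?P<uid>\d+), gid=(?P<gid>\d+)")
USERDEL_RE = re.compile(r"userdel\[\d+\]: delete user `(?P<name>[^']+)'")
PROBE_RE = re.compile(r"sshd\[\d+\]: Bad protocol version identification .* from (?P<ip>[\d.]+)")
ACCEPT_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+)")


def _parse_ts(ts):
    # syslog timestamps carry no year; strptime defaults to 1900, which is
    # good enough for computing intervals inside one log file
    return datetime.strptime(re.sub(r"\s+", " ", ts), "%b %d %H:%M:%S")


def analyze_secure_log(text):
    """Return the suspicious patterns found in a /var/log/secure excerpt."""
    created = {}          # account name -> (creation time, uid)
    probes = {}           # source ip -> time of its first bad protocol identification
    logins_seen = 0       # accepted sshd logins seen so far
    findings = {
        "uid0_accounts": [],                # non-root accounts created with uid 0
        "created_without_prior_login": [],  # useradd with no accepted login before it
        "logins_to_created_accounts": [],   # (user, ip) logins to accounts added in this log
        "probe_then_login": [],             # ips that probed sshd and later logged in
        "short_lived_accounts": [],         # (user, seconds) created and deleted in this log
    }
    for raw in text.splitlines():
        line = LINE_RE.match(raw)
        if not line:
            continue
        ts, msg = _parse_ts(line.group("ts")), line.group("msg")
        u = USERADD_RE.search(msg)
        if u:
            created[u["name"]] = (ts, int(u["uid"]))
            if int(u["uid"]) == 0 and u["name"] != "root":
                findings["uid0_accounts"].append(u["name"])
            if logins_seen == 0:
                findings["created_without_prior_login"].append(u["name"])
            continue
        p = PROBE_RE.search(msg)
        if p:
            probes.setdefault(p["ip"], ts)
            continue
        a = ACCEPT_RE.search(msg)
        if a:
            logins_seen += 1
            if a["user"] in created:
                findings["logins_to_created_accounts"].append((a["user"], a["ip"]))
            if a["ip"] in probes and a["ip"] not in findings["probe_then_login"]:
                findings["probe_then_login"].append(a["ip"])
            continue
        d = USERDEL_RE.search(msg)
        if d and d["name"] in created:
            age = int((ts - created[d["name"]][0]).total_seconds())
            findings["short_lived_accounts"].append((d["name"], age))
    return findings


if __name__ == "__main__":
    for key, value in analyze_secure_log(SAMPLE_SECURE_LOG).items():
        print("%-28s %s" % (key, value))
```

On the sample, the useradd is flagged because it precedes every accepted login in the file: an account creation with no session behind it is exactly what a remote code-execution exploit running in the daemon's root context leaves behind, and it is the first line worth alerting on. The same checks can be pointed at a real file with `analyze_secure_log(open("/var/log/secure").read())`.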
Question by:NoelKent
10 Comments
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 1000 total points
ID: 13502153
Looks like they logged on just fine at one point... did they roll your system date and time back to 1969?
http://www.honeynet.org/scans/scan28/sol/24/nard/dia2.htm
http://www.rosiello.org/archivio/fakepsy.c

I'd start looking for rootkits and added user names etc... you're running ssh 1.9 ... and the current build is 3.9 (actually 4.0 came out today...)
You could have been exploited with those older versions... http://www.ciac.org/ciac/bulletins/m-054.shtml (there are many ssh vulns)

Rootkit finders:
http://www.google.com/search?hl=en&lr=&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&q=rootkit+linux&btnG=Search
-rich



Author Comment

by:NoelKent
ID: 13502215
System date appears to be fine, not that it doesn't mean they didn't change it and then change it back... the thing is none of the logs from before this point in time show any successful logins other than from our own IP addresses... which has me completely stumped.
LVL 38

Expert Comment

by:Rich Rumble
ID: 13502270
Scan for the rootkits... never hurts... might consider removing the HD and scanning it in another Linux PC, you can do some good diffs that way also to look for modified versions of programs etc... kernel rootkits are hard to detect. And you can delete just the logs you want too... paranoia will help you with this one, and you're not really paranoid if they are really out to get you.
-rich
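The offline diff suggested in the comment above, as an added example that is not part of the original thread: the suspect disk is mounted read-only on a second machine (so a kernel rootkit on the compromised box cannot hide files from the comparison) and its tree is compared, file by file, against a reference tree built from a clean install of the same package versions. The script reports modified, added and removed regular files, permission changes, and any added file that carries a setuid or setgid bit. The two trees in `run_demo()` are constructed in a temporary directory purely to exercise the comparison; the paths and contents are placeholders, not files from the poster's system.

```python
import hashlib
import os
import shutil
import stat
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _inventory(root):
    """Map each regular file (relative path) under root to (sha256, permission bits)."""
    inv = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices and sockets are outside this comparison
            inv[os.path.relpath(full, root)] = (_sha256(full), stat.S_IMODE(st.st_mode))
    return inv


def compare_trees(reference, suspect):
    """Compare a clean reference tree with a suspect (mounted) tree."""
    ref, sus = _inventory(reference), _inventory(suspect)
    report = {"modified": [], "added": [], "removed": [], "mode_changed": [], "setuid_added": []}
    for rel in sorted(set(ref) | set(sus)):
        if rel not in sus:
            report["removed"].append(rel)          # e.g. a rotated log that was deleted
        elif rel not in ref:
            report["added"].append(rel)            # files the clean install never had
            if sus[rel][1] & (stat.S_ISUID | stat.S_ISGID):
                report["setuid_added"].append(rel) # new privileged binaries deserve first attention
        else:
            if ref[rel][0] != sus[rel][0]:
                report["modified"].append(rel)     # same path, different content: trojaned binary?
            if ref[rel][1] != sus[rel][1]:
                report["mode_changed"].append(rel)
    return report


def _write_tree(base, files):
    for rel, (content, mode) in files.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
        os.chmod(full, mode)


def run_demo():
    """Build two constructed sample trees and return the comparison report."""
    base = tempfile.mkdtemp(prefix="treediff-")
    try:
        # constructed reference tree: what a clean install would contain
        _write_tree(os.path.join(base, "reference"), {
            "bin/ls": (b"ls-v1", 0o755),
            "bin/ps": (b"ps-v1", 0o755),
            "etc/passwd": (b"root:x:0:0:root:/root:/bin/bash\n", 0o644),
            "var/log/secure.1": (b"old log\n", 0o600),
        })
        # constructed suspect tree: one binary replaced, one mode changed,
        # one log removed, one unexpected file added
        _write_tree(os.path.join(base, "suspect"), {
            "bin/ls": (b"ls-v1-replaced", 0o755),
            "bin/ps": (b"ps-v1", 0o700),
            "etc/passwd": (b"root:x:0:0:root:/root:/bin/bash\n", 0o644),
            "usr/local/bin/bnc": (b"unexpected program", 0o755),
        })
        return compare_trees(os.path.join(base, "reference"), os.path.join(base, "suspect"))
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for key, paths in run_demo().items():
        print("%-13s %s" % (key, paths))
```

In practice the reference side is either a scratch install of the same distribution release with the same updates applied, or the package database's own checksums (the packaging tool's verify mode); the point of doing it from a second machine is that the comparison never trusts the suspect kernel or its `ls`, `ps` and `find`.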
LVL 10

Expert Comment

by:neteducation
ID: 13502989

Mar  8 14:02:58 <server> sshd[17405]: Bad protocol version identification 'ÿôÿý^Fÿôÿý^Fÿôÿý^F' from 202.177.2.165

This sounds a lot like the bug in OpenSSL that was in until 0.96e or something like this. What version of OpenSSL do you use (if you use OpenSSL)?
Author Comment

by:NoelKent
ID: 13503058
# openssl version
OpenSSL 0.9.7a Feb 19 2003
LVL 12

Expert Comment

by:Phil_Agcaoili
ID: 13503475
There are a whole host of ways someone could have done this.

Your error message is just part of what happened, but is not the main cause for your apparent break-in:
Mar  8 14:02:58 <server> sshd[17405]: Bad protocol version identification 'ÿôÿý^Fÿôÿý^Fÿôÿý^F' from 202.177.2.165

It appears to be an SSH scan looking for the pre-1.5 SSH vulnerabilities from a few years ago (remote root), which would have given root, intruder adds user, and/or loads a ton of backdoors on your system (end of game...must start over and patch).

I'm curious about your version of SSH?
What else are you running with listening services?
Who's got accounts on the box?
http://www.securityfocus.com/archive/121/281557/2002-07-06/2002-07-12/0
LVL 22

Accepted Solution

by:pjedmond
pjedmond earned 1000 total points
ID: 13504223
http://www.psychoid.net/psybnc.html

is an IRC 'bouncer'.

The exploit that was used to gain access has already been mentioned as relating to the sshd. You need to patch/upgrade your sshd. I personally change the /etc/ssh/ssh_config file and replace the protocol line with

Protocol 2

By omitting protocol 1, your server will get less attention from script kiddies, who will make life irritating by creating reams of logs even if the sshd is not vulnerable.

As your system has been 'rooted', the best bet is to do a complete reinstall, because you cannot guarantee any aspect of the system. Alternatively, you can reinstall a clean version of your rpm command, and 'freshen -F' as many of the rpms as possible.

I also recommend using:

http://freshmeat.net/projects/chkrootkit/

but even then, I'd be a little suspicious if anything strange happened in the future.

In order to give future warning and tell you which files have been tampered with, I recommend Tripwire:

http://www.tripwire.org/

HTH:)
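The Protocol change recommended above, as an added example that is not part of the original answer. It checks the daemon's file, /etc/ssh/sshd_config (ssh_config configures the outgoing client), because two details of how sshd reads its configuration decide whether the edit actually takes effect: keywords are case-insensitive, and when a keyword appears more than once the first active line wins, so appending `Protocol 2` below an existing `Protocol 2,1` changes nothing. The script parses a config the way the daemon does, reports whether protocol 1 is still enabled, and produces a corrected copy. The sample config text is constructed; the assumption that a missing Protocol directive means the 3.x-era default of `2,1` is marked in the code.

```python
import re

# Assumption: in the OpenSSH 3.x era a config with no Protocol line fell back to "2,1".
OPENSSH3_DEFAULT_PROTOCOL = "2,1"

# Constructed sample sshd_config fragment: the commented line is inert, the active
# "Protocol 2,1" leaves protocol 1 enabled, and the trailing "protocol 2" is ignored
# by sshd because a keyword's first value wins.
WEAK_CONFIG = """\
# constructed sample sshd_config
Port 22
#Protocol 2
Protocol 2,1
ListenAddress 0.0.0.0
protocol 2
"""


def parse_sshd_config(text):
    """Map each keyword (lower-cased) to the value on its first active line."""
    config = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^(\S+?)(?:\s*=\s*|\s+)(.+)$", line)  # "Keyword value" or "Keyword=value"
        if m:
            config.setdefault(m.group(1).lower(), m.group(2).strip())
    return config


def protocol_versions(config):
    """Set of protocol versions the daemon would offer under this config."""
    value = config.get("protocol", OPENSSH3_DEFAULT_PROTOCOL)
    return {int(v) for v in value.split(",") if v.strip().isdigit()}


def check_protocol(text):
    """Return a list of findings; an empty list means protocol 1 is off."""
    findings = []
    config = parse_sshd_config(text)
    if "protocol" not in config:
        findings.append("no Protocol directive; daemon uses its compiled-in default (assumed %s)"
                        % OPENSSH3_DEFAULT_PROTOCOL)
    if 1 in protocol_versions(config):
        findings.append("SSH protocol 1 is enabled (effective setting: Protocol %s)"
                        % config.get("protocol", OPENSSH3_DEFAULT_PROTOCOL))
    return findings


def harden_protocol(text):
    """Return the config with protocol 1 removed.

    The first active Protocol line becomes "Protocol 2", later active Protocol
    lines are commented out so the file reads unambiguously, and a missing
    directive is appended rather than left to the default."""
    out, seen = [], False
    for line in text.splitlines():
        active = line.split("#", 1)[0].strip()
        if re.match(r"(?i)^protocol\b", active):
            if not seen:
                out.append("Protocol 2")
                seen = True
            else:
                out.append("#" + line)
            continue
        out.append(line)
    if not seen:
        out.append("Protocol 2")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", check_protocol(WEAK_CONFIG))
    fixed = harden_protocol(WEAK_CONFIG)
    print("after: ", check_protocol(fixed))
    print(fixed)
```

Restart sshd after editing and confirm with `check_protocol(open("/etc/ssh/sshd_config").read())` that nothing earlier in the file still enables version 1. The check only matters for old builds: OpenSSH 7.4 removed protocol 1 support from the server entirely, so on a current system the real fix is the upgrade the answer recommends.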
Author Comment

by:NoelKent
ID: 13504361
Well, I just found a ton of crap in /etc/local/bin, all new ssh stuff, apparently they did a good number here, and obviously they had to get the root password somehow, but I still haven't figured that one out. I just completely wiped out SSH on the server and it looks like a reinstall at this point will be the best plan to fix everything that has been tampered with.... and you'd think a root password 15 characters alpha-numeric would be fine, maybe someone got a trojan on their Windows box that has access to the server...?

Thanks for everyone's input on this, I feel the need to spread the points out fairly evenly, you all did a great job helping point me in the right direction...
LVL 38

Expert Comment

by:Rich Rumble
ID: 13505768
With an overflow or heap exploit, you get the added benefit of running as root or the root context (sometimes) with many exploits, no need to crack or guess passwords.
I should have mentioned Tripwire, it's awesome! When we got rooted we used diff to find all the nice places they hid their files, and the rootkit detection wasn't enough. Good luck!
-rich
Author Comment

by:NoelKent
ID: 13508889
It looks like the original problem came from an exploit in awstats ver 6.2

Thanks to chris, our other IT guy, he found this this morning: http://www.k-otik.com/english/advisories/2005/0032
http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=true

Guess we shouldn't get too relaxed on checking for security updates for programs we run *shrug*