Does anyone know how someone could execute 'useradd' without being logged into the server?

Posted on 2005-03-09
Last Modified: 2012-08-13
system details:
RedHat 9 - kernel: Linux version 2.4.20-8 (bhcompile@stripples.devel.redhat.com) (gcc version 3.2.2 20030222 (Red Hat Linux 3.2.2-5))
SSH-1.99-OpenSSH_3.5p13.0.1 on i686-pc-linux-gnu

When I logged in, I got this message:
Last login: Wed Dec 31 1969 19:00:00 -0500
No mail.

After doing some searching of logs:

/var/log/secure
Mar  8 14:02:51 <server> useradd[17414]: new user: name=tcp, uid=0, gid=0, home=/dev/ , shell=/bin/bash
Mar  8 14:02:58 <server> sshd[17405]: Bad protocol version identification 'ÿôÿý^Fÿôÿý^Fÿôÿý^F' from 202.177.2.165
Mar  8 14:03:16 <server> sshd[17436]: Accepted password for tcp from 202.177.2.165 port 840 ssh2
Mar  8 14:15:47 <server> userdel[25720]: delete user `tcp'

/var/log/messages
Mar  8 14:03:18 <server> sshd(pam_unix)[17436]: session opened for user tcp by (uid=0)
Mar  8 14:14:45 <server>     [25653]: Listener created on port 22.
Mar  8 14:14:45 <server>     [25655]: Daemon is running.
Mar  8 14:15:04 <server> sshd(pam_unix)[17436]: session closed for user tcp

Does anyone know how someone could execute 'useradd' without being logged in to the server?

Now I noticed with netstat that something was listening on port 3303, which is not normal. When I connected, I got this message:
:Welcome!psyBNC@lam3rz.de NOTICE * :psyBNC2.3.1
Login failed. Disconnecting.

After rebooting the server, changing all critical passwords, and locking down the firewall extra-tight, things seem back to normal. But I still cannot find where that program was residing, and I would like to make sure I've got the server clean without having to do a reinstall... any thoughts, ideas, suggestions?
Question by:NoelKent
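The /var/log/secure excerpt quoted in the question already carries the signals a log review should alert on: a `useradd` that creates a second uid 0 account, a home directory under /dev, an SSH password login as that account from an outside address, and a `userdel` a few minutes later to clean up. The following Python audit is an added example, not code from the thread or from any of the posters; it runs over the exact lines posted above (the `<server>` hostname placeholder is kept as it appears), and the rule names, the list of "suspicious" home prefixes and the one-hour short-lived-account threshold are my own choices.

```python
import re
from datetime import datetime

# Constructed sample input: the /var/log/secure lines quoted in the question,
# with the <server> hostname placeholder left as it appears on the page.
SECURE_LOG = """\
Mar  8 14:02:51 <server> useradd[17414]: new user: name=tcp, uid=0, gid=0, home=/dev/ , shell=/bin/bash
Mar  8 14:02:58 <server> sshd[17405]: Bad protocol version identification 'ÿôÿý^Fÿôÿý^Fÿôÿý^F' from 202.177.2.165
Mar  8 14:03:16 <server> sshd[17436]: Accepted password for tcp from 202.177.2.165 port 840 ssh2
Mar  8 14:15:47 <server> userdel[25720]: delete user `tcp'
"""

# Syslog prefix "Mar  8 14:02:51 <host> " followed by the program's message.
PREFIX = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
USERADD = re.compile(
    r"useradd\[\d+\]: new user: name=(?P<name>[^,]+), uid=(?P<uid>\d+), gid=(?P<gid>\d+),"
    r" home=(?P<home>[^,]*?)\s*, shell=(?P<shell>\S+)"
)
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[0-9.]+) port (?P<port>\d+)"
)
USERDEL = re.compile(r"userdel\[\d+\]: delete user [`'](?P<name>[^'`]+)'")

# Assumed policy for this example: no legitimate account lives under these prefixes,
# and an account created and deleted within an hour is worth a second look.
SUSPICIOUS_HOME = ("/dev", "/tmp", "/var/tmp")
SHORT_LIVED_SECONDS = 3600


def _parse_ts(ts):
    # Syslog timestamps carry no year; strptime defaults to 1900, which is fine
    # for computing deltas between events on the same day.
    return datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S")


def audit_secure_log(text):
    """Return a list of findings (dicts with at least 'rule', 'user' and 'line')."""
    findings = []
    created = {}  # name -> creation time, for accounts added with uid 0
    for line in text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        ts, msg = _parse_ts(m.group("ts")), m.group("msg")

        ua = USERADD.search(msg)
        if ua:
            name, uid, home = ua.group("name"), int(ua.group("uid")), ua.group("home")
            if uid == 0 and name != "root":
                created[name] = ts
                findings.append({"rule": "uid0-account", "user": name, "line": line})
            if home.startswith(SUSPICIOUS_HOME):
                findings.append({"rule": "suspicious-home", "user": name, "home": home, "line": line})
            continue

        ac = ACCEPTED.search(msg)
        if ac and ac.group("user") in created:
            findings.append({"rule": "login-as-uid0-alias", "user": ac.group("user"),
                             "ip": ac.group("ip"), "method": ac.group("method"), "line": line})
            continue

        ud = USERDEL.search(msg)
        if ud and ud.group("name") in created:
            lifetime = int((ts - created[ud.group("name")]).total_seconds())
            if lifetime <= SHORT_LIVED_SECONDS:
                findings.append({"rule": "short-lived-account", "user": ud.group("name"),
                                 "lifetime_seconds": lifetime, "line": line})
    return findings


if __name__ == "__main__":
    for f in audit_secure_log(SECURE_LOG):
        print(f"{f['rule']:22} user={f['user']:6} | {f['line']}")
```

Run against the posted lines it reports all four patterns, with the `tcp` account living 776 seconds; a normal `useradd` with a non-zero uid and a /home directory produces nothing. The "Last login: ... 1969" banner in the question is a separate signal (the lastlog record for root was blanked or overwritten) that this log-only check does not cover.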
Assisted Solution

by:Rich Rumble
Rich Rumble earned 1000 total points
ID: 13502153
Looks like they logged on just fine at one point... did they roll your system date and time back to 1969?
http://www.honeynet.org/scans/scan28/sol/24/nard/dia2.htm
http://www.rosiello.org/archivio/fakepsy.c

I'd start looking for rootkits and added user names etc... you're running ssh 1.9 ... and the current build is 3.9 (actually 4.0 came out today...)
You could have been exploited with those older versions... http://www.ciac.org/ciac/bulletins/m-054.shtml (there are many SSH vulns)

RootKit finders:
http://www.google.com/search?hl=en&lr=&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&q=rootkit+linux&btnG=Search
-rich




Author Comment

by:NoelKent
ID: 13502215
System date appears to be fine, not that it doesn't mean they didn't change it and then change it back... the thing is none of the logs from before this point in time show any successful logins other than from our own IP addresses... which has me completely stumped.
Expert Comment

by:Rich Rumble
ID: 13502270
Scan for the rootkits... never hurts... might consider removing the HD and scanning it in another Linux PC; you can do some good diffs that way also, to look for modified versions of programs etc... kernel rootkits are hard to detect. And you can delete just the logs you want too... paranoia will help you with this one, and you're not really paranoid if they are really out to get you.
-rich
Expert Comment

by:neteducation
ID: 13502989

Mar  8 14:02:58 <server> sshd[17405]: Bad protocol version identification 'ÿôÿý^Fÿôÿý^Fÿôÿý^F' from 202.177.2.165

This sounds a lot like the bug in openssl that was in until 0.96e or something like this. What version of OpenSSL do you use (if you use OpenSSL)?
Author Comment

by:NoelKent
ID: 13503058
# openssl version
OpenSSL 0.9.7a Feb 19 2003
Expert Comment

by:Phil_Agcaoili
ID: 13503475
There are a whole host of ways someone could have done this.

Your error message is just part of what happened, but is not the main cause for your apparent break in:
Mar  8 14:02:58 <server> sshd[17405]: Bad protocol version identification 'ÿôÿý^Fÿôÿý^Fÿôÿý^F' from 202.177.2.165

It appears to be an SSH scan looking for the pre-1.5 SSH vulnerabilities from a few years ago (remote root), which would have given root, intruder adds user, and/or loads a ton of backdoors on your system (end of game...must start over and patch).

I'm curious about your version of SSH.
What else are you running with listening services?
Who's got accounts on the box?
http://www.securityfocus.com/archive/121/281557/2002-07-06/2002-07-12/0
Accepted Solution

by:pjedmond
pjedmond earned 1000 total points
ID: 13504223
http://www.psychoid.net/psybnc.html

is an irc 'bouncer'.

The exploit that was used to gain access has already been mentioned as relating to the sshd. You need to patch/upgrade your sshd. I personally change the /etc/ssh/ssh_config file and replace the protocol line with

Protocol 2

By omitting protocol 1, your server will get less attention from script kiddies, who make life irritating by creating reams of logs even if the sshd is not vulnerable.

As your system has been 'rooted', the best bet is to do a complete reinstall, because you cannot guarantee any aspect of the system. Alternatively, you can reinstall a clean version of your rpm command, and 'freshen -F' as many of the rpms as possible.

I also recommend using:

http://freshmeat.net/projects/chkrootkit/

but even then, I'd be a little suspicious if anything strange happened in the future.

In order to give future warning and tell you which files have been tampered with, I recommend Tripwire:

http://www.tripwire.org/

HTH:)
Author Comment

by:NoelKent
ID: 13504361
Well, I just found a ton of crap in /etc/local/bin, all new ssh stuff; apparently they did a good number here, and obviously they had to get the root password somehow, but I still haven't figured that one out. I just completely wiped out SSH on the server and it looks like a reinstall at this point will be the best plan to fix everything that has been tampered with.... And you'd think a root password 15 characters alpha-numeric would be fine; maybe someone got a trojan on their Windows box that has access to the server...?

Thanks for everyone's input on this. I feel the need to spread the points out fairly evenly; you all did a great job helping point me in the right direction...
Expert Comment

by:Rich Rumble
ID: 13505768
With an overflow or heap exploit, you get the added benefit of running as root or the root context (sometimes) with many exploits; no need to crack passwords or guess passwords.
I should have mentioned Tripwire, it's awesome! When we got rooted we used diff to find all the nice places they hid their files, and the rootkit detection wasn't enough. Good luck!
-rich
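Both the accepted answer (Tripwire, so that the next time you know which files were tampered with) and Rich's comment (diff the disk against a clean reference) come down to the same mechanism: a stored baseline of file hashes and attributes, compared against the live tree. The script below is an added example of that mechanism, not Tripwire's own code or anything from the thread; it is a minimal Python integrity checker with a constructed demo scenario (a tiny `bin` tree, one binary replaced by a same-size file, one file dropped in, one deleted) so it runs offline. Which attributes to record and the JSON format are my choices.

```python
import hashlib
import json
import os
import shutil
import stat
import tempfile


def _sha256(path, chunk=65536):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Record, for every regular file under root, the attributes an integrity checker watches."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order keeps the JSON diffable by eye
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices and sockets are skipped in this example
            rel = os.path.relpath(full, root)
            baseline[rel] = {
                "sha256": _sha256(full),
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "uid": st.st_uid,
                "gid": st.st_gid,
                "size": st.st_size,
                "setuid": bool(st.st_mode & stat.S_ISUID),  # a new setuid bit is always news
            }
    return baseline


def save_baseline(baseline, path):
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def compare(old, new):
    """Diff two baselines: files that appeared, vanished, or changed (and which attributes changed)."""
    report = {"added": [], "removed": [], "modified": {}}
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            report["added"].append(rel)
        elif rel not in new:
            report["removed"].append(rel)
        else:
            changed = [k for k in old[rel] if old[rel][k] != new[rel][k]]
            if changed:
                report["modified"][rel] = changed
    return report


def demo_scenario():
    """Constructed scenario: baseline a tiny 'bin' tree, then tamper with it."""
    work = tempfile.mkdtemp(prefix="fim-demo-")
    tree = os.path.join(work, "bin")
    os.makedirs(tree)
    for name, body in (("ls", b"original ls"), ("ps", b"original ps")):
        with open(os.path.join(tree, name), "wb") as fh:
            fh.write(body)
    db = os.path.join(work, "baseline.json")  # kept outside the watched tree
    save_baseline(build_baseline(tree), db)

    # Tampering: ps swapped for a same-size replacement (size alone would not
    # catch it), an unexpected file dropped in, and ls deleted.
    with open(os.path.join(tree, "ps"), "wb") as fh:
        fh.write(b"trojaned ps")
    with open(os.path.join(tree, "dropped"), "wb") as fh:
        fh.write(b"unexpected binary")
    os.remove(os.path.join(tree, "ls"))

    report = compare(load_baseline(db), build_baseline(tree))
    shutil.rmtree(work)
    return report


if __name__ == "__main__":
    print(json.dumps(demo_scenario(), indent=2))
```

The report for the demo lists `dropped` as added, `ls` as removed and `ps` as modified on `sha256` only, which is the point of hashing rather than trusting size and mtime. Two caveats follow directly from the thread: the baseline file must live where root on the monitored host cannot rewrite it (read-only media or another machine), and a kernel rootkit can lie to the process doing the hashing, which is why Rich's suggestion of pulling the disk and comparing from a clean system is the stronger check.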
Author Comment

by:NoelKent
ID: 13508889
It looks like the original problem came from an exploit in awstats ver 6.2.

Thanks to chris, our other IT guy, he found this this morning: http://www.k-otik.com/english/advisories/2005/0032
http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=true

Guess we shouldn't get too relaxed on checking for security updates for programs we run *shrug*