The output of last shows user login/logoff activity from multiple services such as telnet and ftp. I am the 'spc' user; 'ftp' is the daemon entry, which simply signals an anonymous ftp login. 'postgres' is the cracker, and 'postgres' only shows up when an FTP connection is made from the cracker. This is the prelude to the attack. Notice the pts/0 and pts/1 listings: every time you see me ('spc') on the pts/1 slot, the cracker is logged in as the superuser in a telnet session. At these times, he most likely knows that I am in the system as well. Examining the entire log shows that I don't begin using the pts/1 slot until 'postgres' first logs into the FTP server on Friday Mar 8 at 15:47 (which is when he began superuser administration).

spc      pts/0      sapphire          Sat Mar 9 16:41 - 17:08  (00:26)
spc      pts/1      sapphire          Sat Mar 9 16:40 - 16:41  (00:01)
spc      pts/1      sapphire          Sat Mar 9 15:56 - 15:59  (00:03)
spc      pts/0      sapphire          Sat Mar 9 15:24 - 16:41  (01:16)
spc      pts/1      sapphire          Sat Mar 9 15:01 - 15:23  (00:21)
spc      pts/0      sapphire          Sat Mar 9 02:54 - 12:02  (09:07)
spc      pts/0      sapphire          Sat Mar 9 02:34 - 02:52  (00:18)
spc      pts/0      sapphire          Sat Mar 9 02:31 - 02:34  (00:02)
postgres ftpd22660  61-222-173-226.H  Sat Mar 9 02:11 - 02:12  (00:00)
spc      pts/0      sapphire          Sat Mar 9 02:09 - 02:23  (00:14)
postgres ftpd22074  gc.tf.itb.ac.id   Fri Mar 8 15:47 - 15:48  (00:01)
ftp      ftpd21984  cof.sdust.edu.cn  Fri Mar 8 14:13   still logged in
ftp      ftpd20105  200-204-154-232.  Wed Mar 6 15:36   still logged in
ftp      ftpd19430  209.82.62.47      Wed Mar 6 03:12   still logged in
ftp      ftpd18595  198.59.140.200    Tue Mar 5 19:51   still logged in
ftp      ftpd16517  216.140.202.200   Mon Mar 4 08:56   still logged in
ftp      ftpd10062  cdm-66-116-113-j  Sat Mar 2 01:16   still logged in

-----------------------------------------------------------------------------
/var/log/secure

Mar 4 08:48:36 diamond in.ftpd[16512]: connect from 216.140.202.200
Mar 4 08:49:58 diamond in.ftpd[16514]: connect from 216.140.202.200
Mar 4 08:56:19 diamond in.ftpd[16517]: connect from 216.140.202.200
Mar 4 12:03:07 diamond in.telnetd[16607]: connect from 209.60.14.178
Mar 5 09:47:18 diamond in.telnetd[18056]: connect from 209.60.14.178
Mar 5 13:30:55 diamond in.telnetd[18321]: connect from 209.60.14.178
Mar 5 15:51:09 diamond in.telnetd[18438]: connect from 209.60.14.178
Mar 5 19:46:54 diamond in.ftpd[18591]: connect from 198.59.140.200
Mar 5 19:48:11 diamond in.ftpd[18592]: connect from 198.59.140.200
Mar 5 19:51:49 diamond in.ftpd[18595]: connect from 198.59.140.200
Mar 6 03:11:50 diamond in.ftpd[19430]: connect from 209.82.62.47
Mar 6 13:34:44 diamond in.ftpd[20006]: connect from 151.26.55.112
Mar 6 15:36:39 diamond in.ftpd[20105]: connect from 200.204.154.232
Mar 7 18:45:10 diamond in.ftpd[21064]: connect from 195.58.186.187
Mar 8 20:31:59 diamond in.ftpd[22281]: connect from 193.218.215.98
Mar 8 20:31:59 diamond ipop3d[22282]: connect from 193.218.215.98
Mar 8 09:27:51 diamond in.telnetd[21711]: connect from 209.60.14.178
Mar 8 14:12:57 diamond in.ftpd[21984]: connect from 202.194.220.11
Mar 8 15:44:27 diamond in.telnetd[22071]: connect from 203.130.250.18
Mar 8 15:45:34 diamond in.ftpd[22074]: connect from 167.205.26.28
Mar 8 15:49:14 diamond in.telnetd[22098]: connect from 203.130.250.18
Mar 8 16:08:54 diamond in.telnetd[22127]: connect from 203.130.250.18
Mar 8 21:27:16 diamond in.ftpd[22308]: connect from 216.122.57.21
Mar 8 21:28:20 diamond in.ftpd[22309]: connect from 216.122.57.21
Mar 8 21:28:56 diamond in.ftpd[22310]: connect from 216.122.57.21
Mar 8 23:00:08 diamond in.ftpd[22346]: connect from 200.68.32.185
Mar 9 02:06:08 diamond in.telnetd[22592]: connect from 203.130.254.26
Mar 9 02:10:43 diamond in.ftpd[22660]: connect from 61.222.173.226
Mar 9 13:01:18 diamond in.telnetd[23594]: connect from 203.130.250.18

-----------------------------------------------------------------------------
/var/log/xferlog

Fri Mar 8 15:47:52 2002 15 gc.tf.itb.ac.id 1978 /var/lib/pgsql/term a _ i r postgres ftp 0 * c
Sat Mar 9 02:12:00 2002 17 61-222-173-226.HINET-IP.hinet.net 101876 /var/lib/pgsql/wuftpd.tgz b _ i r postgres ftp 0 * c

-----------------------------------------------------------------------------
/var/log/maillog

Mar 8 15:48:49 diamond sendmail[22097]: PAA22090: to=bigm@st3r.biz, ctladdr=root (0/0), delay=00:00:02, xdelay=00:00:02, mailer=esmtp, relay=mxmail.register.com. [209.228.32.104], stat=Sent (ok 1015623933 qp 28229)

Here we see that some process sent mail to bigm@st3r.biz; this is the same email address as that of the creator of the exploit package, as stated in its source code.

-----------------------------------------------------------------------------
/var/log/messages

Mar 4 17:30:10 diamond sshd2[4496]: connection from "195.76.30.34"
Mar 4 17:30:11 diamond sshd2[4496]: connection from "195.76.30.34"
Mar 4 17:30:12 diamond sshd2[16919]: DNS lookup failed for "195.76.30.34".
Mar 4 17:30:12 diamond sshd2[16920]: DNS lookup failed for "195.76.30.34".
Mar 4 17:30:12 diamond sshd2[16920]: FATAL ERROR: Executing ssh1 in compatibility mode failed.
Mar 4 17:30:12 diamond sshd2[16919]: Local disconnected: Connection closed by remote host.
Mar 4 17:30:12 diamond sshd2[16919]: connection lost: 'Connection closed by remote host.'
Mar 6 01:51:53 diamond ftpd[18595]: ANONYMOUS FTP LOGIN FROM 198.59.140.200 [198.59.140.200], mozilla@
Mar 6 01:52:04 diamond ftpd[18595]: exiting on signal 11: Segmentation fault
Mar 6 09:12:00 diamond ftpd[19430]: ANONYMOUS FTP LOGIN FROM 209.82.62.47 [209.82.62.47], ftp@microsoft.com
Mar 6 09:12:00 diamond ftpd[19430]: exiting on signal 11: Segmentation fault
Mar 8 15:44:18 diamond PAM_pwdb[22070]: password for (postgres/26) changed by ((null)/0)
Mar 8 15:44:36 diamond sshd2[4496]: connection from "203.130.250.18"
Mar 8 15:44:37 diamond sshd2[22073]: DNS lookup failed for "203.130.250.18".
Mar 8 15:44:38 diamond sshd2[22073]: FATAL ERROR: Executing ssh1 in compatibility mode failed.
Mar 8 15:46:59 diamond PAM_pwdb[22074]: authentication failure; (uid=0) -> postgres for ftp service
Mar 8 15:47:00 diamond ftpd: gc.tf.itb.ac.id: connected: IDLE SPOOFED: [22074]: failed login from gc.tf.itb.ac.id [167.205.26.28]
Mar 8 15:47:12 diamond ftpd: gc.tf.itb.ac.id: postgres SPOOFED: [22074]: FTP LOGIN FROM gc.tf.itb.ac.id [167.205.26.28], postgres
Mar 8 15:48:20 diamond ftpd: gc.tf.itb.ac.id: postgres: QUIT SPOOFED: [22074]: FTP session closed
Mar 8 20:21:34 diamond portmap[22277]: connect from 61.140.76.55 to getport(status): request from unauthorized host
Mar 8 20:21:39 diamond portmap[22278]: connect from 61.140.76.55 to getport(status): request from unauthorized host
Mar 8 20:31:59 diamond sshd2[4496]: connection from "193.218.215.98"
Mar 8 20:32:05 diamond portmap[22284]: connect from 193.218.215.98 to dump(): request from unauthorized host
Mar 8 20:32:10 diamond sshd2[22283]: DNS lookup failed for "193.218.215.98".
Mar 8 20:32:10 diamond sshd2[22283]: Local disconnected: Connection closed by remote host.
Mar 8 20:32:10 diamond sshd2[22283]: connection lost: 'Connection closed by remote host.'
Mar 8 21:28:56 diamond ftpd[22310]: ACCESS DENIED (not in any class) TO r21-57.otak.com [216.122.57.21]
Mar 8 21:28:56 diamond ftpd[22310]: FTP LOGIN REFUSED (access denied) FROM r21-57.otak.com [216.122.57.21], ftp
Mar 8 21:28:57 diamond ftpd[22310]: FTP session closed
Mar 8 22:15:22 diamond portmap[22334]: connect from 202.127.166.254 to getport(status): request from unauthorized host
Mar 8 23:00:18 diamond ftpd[22346]: ACCESS DENIED (not in any class) TO 200.68.32.185 [200.68.32.185]
Mar 8 23:00:18 diamond ftpd[22346]: FTP LOGIN REFUSED (access denied) FROM 200.68.32.185 [200.68.32.185], ftp
Mar 8 23:00:19 diamond ftpd[22346]: FTP session closed
Mar 9 02:08:01 diamond PAM_pwdb[22607]: password for (postgres/26) changed by ((null)/0)
Mar 9 02:08:19 diamond PAM_pwdb[22608]: password for (postgres/26) changed by ((null)/0)
Mar 9 02:09:00 diamond PAM_pwdb[22610]: (login) session opened for user spc by (uid=0)
Mar 9 02:09:14 diamond PAM_pwdb[22634]: password for (adm/3) changed by ((null)/0)
Mar 9 02:09:23 diamond PAM_pwdb[22641]: (su) session opened for user root by spc(uid=500)
Mar 9 02:11:33 diamond ftpd[22660]: FTP LOGIN FROM 61-222-173-226.HINET-IP.hinet.net [61.222.173.226], postgres
Mar 9 02:12:05 diamond ftpd[22660]: FTP session closed
Mar 9 02:23:48 diamond PAM_pwdb[22641]: (su) session closed for user root
Mar 9 02:23:49 diamond PAM_pwdb[22610]: (login) session closed for user spc
Mar 9 02:33:23 diamond kernel: neighbour table overflow
Mar 9 02:33:23 diamond last message repeated 9 times
Mar 9 02:34:01 diamond PAM_pwdb[22724]: (su) session closed for user root
Mar 9 02:34:08 diamond PAM_pwdb[22747]: authentication failure; (uid=0) -> spc for login service
Mar 9 02:34:54 diamond lpd: lpd shutdown failed
Mar 9 02:46:16 diamond kernel: NET: 678 messages suppressed.
Mar 9 02:46:16 diamond kernel: neighbour table overflow
Mar 9 02:46:16 diamond last message repeated 9 times
Mar 9 02:47:13 diamond kernel: NET: 290 messages suppressed.
Mar 9 02:47:13 diamond kernel: neighbour table overflow
Mar 9 02:47:13 diamond last message repeated 9 times
Mar 9 02:47:19 diamond kernel: NET: 1287 messages suppressed.
Mar 9 02:47:19 diamond kernel: neighbour table overflow
Mar 9 02:52:51 diamond PAM_pwdb[22771]: (su) session closed for user root
Mar 9 02:52:53 diamond PAM_pwdb[22747]: (login) session closed for user spc
Mar 9 02:54:51 diamond PAM_pwdb[22876]: (login) session opened for user spc by (uid=0)
Mar 9 02:55:00 diamond PAM_pwdb[22900]: (su) session opened for user root by spc(uid=500)
Mar 9 02:55:49 diamond kernel: NET: 1454 messages suppressed.
Mar 9 02:55:49 diamond kernel: neighbour table overflow
Mar 9 02:55:49 diamond last message repeated 9 times
Mar 9 02:55:55 diamond kernel: NET: 1078 messages suppressed.
Mar 9 02:55:55 diamond kernel: neighbour table overflow
Mar 9 02:58:48 diamond kernel: NET: 244 messages suppressed.
Mar 9 02:58:48 diamond kernel: neighbour table overflow
Mar 9 02:58:48 diamond last message repeated 9 times
Mar 9 02:58:54 diamond kernel: NET: 1407 messages suppressed.
Mar 9 02:58:54 diamond kernel: neighbour table overflow
Mar 9 03:33:33 diamond PAM_pwdb[22900]: (su) session closed for user root
Mar 9 11:39:34 diamond PAM_pwdb[23500]: (su) session opened for user root by spc(uid=500)
Mar 9 12:02:17 diamond PAM_pwdb[23500]: (su) session closed for user root

-----------------------------------------------------------------------------
/etc/shadow (password files)

adm:$1$GLWhmH4H$NLK1bGLGkuJlaAXHCHxnn1:11755:0:99999:7:-1:-1:134540196
postgres:$1$vW6JlDN1$S9xF5qdCLysf.6238/mdU0:11755:0:99999:7:-1:-1:134540372

Neither of these accounts should have a hashed password set; we saw in the PAM_pwdb entries in /var/log/messages when the cracker updated these accounts to be active with passwords.
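One way to make the check in the last paragraph systematic, as an added example that is not part of the original analysis: pair /etc/passwd with /etc/shadow, flag service accounts (assumed here to be UIDs below 500, with root excluded) whose password field is a usable hash rather than '*' or '!', and convert the last-change field (days since 1970-01-01) to a date so it can be lined up with the PAM_pwdb timestamps. The passwd rows and the root, lp and spc shadow rows are constructed; only the adm and postgres shadow rows come from the page.

```python
from datetime import date, timedelta

# Assumption: Red Hat-era layout in which UIDs below 500 are system/service accounts,
# and root (uid 0) is the only such account expected to carry a usable password hash.
FIRST_USER_UID = 500
EXPECTED_HASHED = frozenset({"root"})

def is_usable_hash(field):
    """True if the shadow password field could authenticate a login ('*', '!' and '' cannot)."""
    return bool(field) and field[0] not in "*!"

def audit(passwd_text, shadow_text):
    """Return (name, uid, last_change_date) for service accounts whose shadow hash is usable."""
    uid_of = {}
    for row in passwd_text.splitlines():
        f = row.split(":")
        if len(f) >= 3:
            uid_of[f[0]] = int(f[2])
    hits = []
    for row in shadow_text.splitlines():
        f = row.split(":")
        if len(f) < 3:
            continue
        uid = uid_of.get(f[0])
        if uid is None or uid >= FIRST_USER_UID or f[0] in EXPECTED_HASHED:
            continue
        if is_usable_hash(f[1]):
            changed = date(1970, 1, 1) + timedelta(days=int(f[2])) if f[2].isdigit() else None  # days since epoch
            hits.append((f[0], uid, changed))
    return sorted(hits, key=lambda h: h[1])

# Constructed sample: the two shadow rows quoted on the page plus made-up passwd rows and root/lp/spc shadow rows.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
spc:x:500:500::/home/spc:/bin/bash
"""
SHADOW = """\
root:$1$placeholder$ROOTHASHNOTREAL0000000:11700:0:99999:7:::
adm:$1$GLWhmH4H$NLK1bGLGkuJlaAXHCHxnn1:11755:0:99999:7:-1:-1:134540196
lp:*:11600:0:99999:7:::
postgres:$1$vW6JlDN1$S9xF5qdCLysf.6238/mdU0:11755:0:99999:7:-1:-1:134540372
spc:$1$placeholder$SPCHASHNOTREAL00000000:11700:0:99999:7:::
"""

if __name__ == "__main__":
    for name, uid, changed in audit(PASSWD, SHADOW):
        print(f"{name} (uid {uid}) has a usable password hash, last changed {changed}")
```

On the page's rows the last-change day 11755 converts to 2002-03-09, which lines up with the Mar 9 02:08 and 02:09 PAM_pwdb password changes in /var/log/messages.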
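The PAM_pwdb and ftpd entries in /var/log/messages are the kind of event a log watcher should raise on its own, before anyone reads the file by hand. As an added example (not from the original writeup), the following scans syslog-format lines for the indicators this incident shows: a daemon exiting on signal 11, a password being set on a system account (assumed to be UID below 500), and failed or successful FTP logins as a service account. The sample lines are copied from the excerpt above; the service-account list is an assumption.

```python
import re

# Assumption: Red Hat-era layout in which UIDs below 500 are system/service accounts
# (the page shows postgres as uid 26, adm as uid 3 and the real user spc as uid 500).
FIRST_USER_UID = 500
SERVICE_ACCOUNTS = frozenset({"postgres", "adm", "ftp", "lp", "mail", "news", "uucp"})

# "<Mon> <day> <hh:mm:ss> <host> <program>[pid]: <message>"; the pid part is optional.
SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<prog>[^\[:\s]+)(?:\[\d+\])?:\s*(?P<msg>.*)$")
PW_CHANGE_RE = re.compile(r"password for \((?P<user>[^/]+)/(?P<uid>\d+)\) changed by \((?P<by>[^/]+)/(?P<byuid>\d+)\)")
AUTH_FAIL_RE = re.compile(r"authentication failure; \(uid=\d+\) -> (?P<user>\S+) for (?P<svc>\S+) service")
FTP_LOGIN_RE = re.compile(r"FTP LOGIN FROM (?P<src>.+?), (?P<user>\S+)$")

def detect(line):
    """Return (timestamp, rule, detail) if the syslog line matches an indicator, else None."""
    m = SYSLOG_RE.match(line.rstrip())
    if not m:
        return None
    ts, prog, msg = m.group("ts", "prog", "msg")
    if "exiting on signal 11" in msg:  # daemon segfault: a possible exploit attempt
        return ts, "daemon_crash", f"{prog} died with SIGSEGV"
    if (pw := PW_CHANGE_RE.search(msg)) and int(pw["uid"]) < FIRST_USER_UID:
        return ts, "service_password_set", f"{pw['user']} set by {pw['by']}/{pw['byuid']}"
    if (af := AUTH_FAIL_RE.search(msg)) and af["user"] in SERVICE_ACCOUNTS:
        return ts, "service_auth_failure", f"{af['user']} via {af['svc']}"
    fl = FTP_LOGIN_RE.search(msg)
    if fl and "ANONYMOUS" not in msg and fl["user"] in SERVICE_ACCOUNTS:
        return ts, "service_ftp_login", f"{fl['user']} from {fl['src']}"
    return None

def scan(lines):
    """Run detect() over syslog lines and keep the hits, in log order."""
    return [hit for hit in map(detect, lines) if hit]

# Constructed sample: lines copied from the /var/log/messages excerpt above, including
# two that must not fire (a refused anonymous login and a failure for the real user spc).
SAMPLE = """\
Mar 6 01:52:04 diamond ftpd[18595]: exiting on signal 11: Segmentation fault
Mar 8 15:44:18 diamond PAM_pwdb[22070]: password for (postgres/26) changed by ((null)/0)
Mar 8 15:46:59 diamond PAM_pwdb[22074]: authentication failure; (uid=0) -> postgres for ftp service
Mar 8 15:47:12 diamond ftpd: gc.tf.itb.ac.id: postgres SPOOFED: [22074]: FTP LOGIN FROM gc.tf.itb.ac.id [167.205.26.28], postgres
Mar 8 21:28:56 diamond ftpd[22310]: FTP LOGIN REFUSED (access denied) FROM r21-57.otak.com [216.122.57.21], ftp
Mar 9 02:09:14 diamond PAM_pwdb[22634]: password for (adm/3) changed by ((null)/0)
Mar 9 02:34:08 diamond PAM_pwdb[22747]: authentication failure; (uid=0) -> spc for login service
"""

if __name__ == "__main__":
    for ts, rule, detail in scan(SAMPLE.splitlines()):
        print(f"{ts}  {rule:<22} {detail}")
```

Against a live file, scan(open("/var/log/messages")) gives the same tuples; the "((null)/0)" caller on the password changes is what marks them as done by root with no login name recorded.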