Cracker found!:
I was searching through the /var/log/message file
and found these entries from yesterday and today:
sshd[17126]: Disconnecting: crc32 compensation attack: network attack detected
sshd[17139]: Disconnecting: Corrupted check bytes on input.
adduser[17163]: new group: name=liq, gid=521
adduser[17163]: new user: name=liq, uid=521, gid=521, home=/home/liq, shell=/bin/bash
new group: name=liq1, gid=522
new user: name=liq1, uid=0, gid=522, home=/home/liq1, shell=/bin/bash
Accepted password for liq from 212.199.171.187 port 1214
sshd[17186]: Disconnecting: Corrupted check bytes on input.
Could not reverse map address 212.199.171.187.
PAM_unix[17297]: (system-auth) session opened for user liq by (uid=0)
PAM_unix[17322]: (system-auth) session opened for user liq1 by liq(uid=521)
adduser[17439]: new group: name=satan, gid=523
adduser[17439]: new user: name=satan, uid=522, gid=523, home=/home/satan, shell=/bin/bash
userdel[17467]: delete user `satan'
userdel[17467]: remove group `satan'
adduser[17470]: new group: name=satan, gid=523
adduser[17470]: new user: name=satan, uid=522, gid=523, home=/home/satan, shell=/bin/bash
A bigger excerpt is here:
www.rocnet.com/hack/crack1.html
So NOW what?
* These entries for this user are gone from group and passwd
* DNS reverse lookup turns up NOTHING for 212.199.171.187
AND
Do I really need to start over or is it possible to clean up this mess?
Expletives [*****************] here!
-Bob
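The log excerpt above contains the three signals a responder would pull out of it: the sshd "crc32 compensation attack" / "Corrupted check bytes" disconnects, an adduser entry that creates a non-root account with uid=0, and a successful login to a freshly created account from the same address. The following triage script is an added example (not code from the post or from any tool Bob mentions). It walks syslog-style lines, flags those three patterns, and separately checks passwd(5) content for extra uid-0 accounts so the "is it really gone from passwd?" question can be answered mechanically. The function names, the trimmed sample log (taken from the lines quoted above) and the sample passwd file are all constructed for this example.

```python
import re

# Constructed sample: a trimmed copy of the /var/log/messages lines quoted in the post.
SAMPLE_LOG = """\
sshd[17126]: Disconnecting: crc32 compensation attack: network attack detected
sshd[17139]: Disconnecting: Corrupted check bytes on input.
adduser[17163]: new group: name=liq, gid=521
adduser[17163]: new user: name=liq, uid=521, gid=521, home=/home/liq, shell=/bin/bash
new group: name=liq1, gid=522
new user: name=liq1, uid=0, gid=522, home=/home/liq1, shell=/bin/bash
Accepted password for liq from 212.199.171.187 port 1214
PAM_unix[17297]: (system-auth) session opened for user liq by (uid=0)
PAM_unix[17322]: (system-auth) session opened for user liq1 by liq(uid=521)
adduser[17439]: new user: name=satan, uid=522, gid=523, home=/home/satan, shell=/bin/bash
"""

# Constructed sample passwd(5) content with one rogue uid-0 entry.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
liq:x:521:521::/home/liq:/bin/bash
liq1:x:0:522::/home/liq1:/bin/bash
"""

# Strings sshd emits when its CRC32 compensation detector fires (as seen in the post).
SSH_ATTACK_MARKERS = ("crc32 compensation attack", "Corrupted check bytes on input")
NEW_USER_RE = re.compile(r"new user: name=(?P<name>[^,]+), uid=(?P<uid>\d+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>[\d.]+)")


def triage(log_text):
    """Return (line_no, kind, detail) findings for the patterns visible in the excerpt.

    kinds: sshd_exploit_attempt, account_added, uid0_account_added, login_to_new_account
    """
    findings = []
    new_users = {}  # name -> uid, for accounts created earlier in this log window
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if any(marker in line for marker in SSH_ATTACK_MARKERS):
            findings.append((lineno, "sshd_exploit_attempt", line))

        m = NEW_USER_RE.search(line)
        if m:
            name, uid = m.group("name"), int(m.group("uid"))
            new_users[name] = uid
            # Any non-root account with uid 0 is root-equivalent: treat as a rogue admin account.
            kind = "uid0_account_added" if uid == 0 and name != "root" else "account_added"
            findings.append((lineno, kind, name))

        m = ACCEPTED_RE.search(line)
        if m and m.group("user") in new_users:
            findings.append((lineno, "login_to_new_account",
                             f"{m.group('user')} from {m.group('ip')}"))
    return findings


def rogue_uid0_in_passwd(passwd_text):
    """Return names of passwd entries other than root whose uid field is 0."""
    rogue = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            rogue.append(fields[0])
    return rogue


if __name__ == "__main__":
    for lineno, kind, detail in triage(SAMPLE_LOG):
        print(f"line {lineno:3d} {kind:24s} {detail}")
    print("rogue uid-0 accounts in passwd:", rogue_uid0_in_passwd(SAMPLE_PASSWD))
```

On a real host, feed `triage()` the whole of /var/log/messages (and the rotated copies) rather than a hand-picked excerpt, and run `rogue_uid0_in_passwd()` over the current /etc/passwd: the log only shows what adduser was asked to do, while passwd shows what is still in place. A rogue uid-0 entry that has been logged in with, as liq1 was here, means the account's actions ran as root and the log alone cannot tell you what else was changed.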