[nsp-sec] compromised unix systems
Rolf Gartmann
rolf.gartmann at switch.ch
Wed Aug 26 01:44:06 EDT 2009
Hello nsp-sec,

Based on an incident report from one of our customers, there is a C&C at
69.163.33.101 port 8080 (yes Team Cymru, feel free to add it ;). There are
some additional systems to check for:
oak-145564-root!~x249369 at 75.54.190.33 PRIVMSG #prophecy[.exec.] Preforming uname -n (0)
group-93320-www-data!www-data at 24.215.7.163 PRIVMSG #prophecy[.exec.] Preforming uname -n (0)
luxuria-39743-root!~x43319 at www.polai.hr PRIVMSG #prophecy[.exec.] Preforming uname -n (0)
bose1-42-58014-http!~x194460 at bose1-42.chntva1-dc2.cscehub.com PRIVMSG #prophecy[.exec.] Preforming uname -n (0)
teller-77954-apache!~x333052 at 192.33.115.12 PRIVMSG #prophecy[.exec.] Preforming uname -n (0)
group-58116-root!root at group.lpi.org PRIVMSG #prophecy[.exec.] Preforming uname -n (0)
falcon-128272-www-data!~x155037 at h246.c18.b96.tor.eicat.ca PRIVMSG #prophecy[.exec.] Preforming uname -n (0)
nebula-37522-apache!~x334151 at nebula.dnv.cooketech.net PRIVMSG #prophecy[.exec.] Preforming uname -n (0)
oak-158842-apache!~x187199 at oak.walden3d.com PRIVMSG #prophecy[.exec.] Preforming uname -n (0)
Time range of information: 08/20 - 08/21
Possible ways of break-in seen so far:
- exploitation of vulnerable TWiki
- root escalation via wunderbar_emporium
  (Linux 2.x kernel sock_sendpage() local root exploit)
hth,
cheers
Rolf
--
SWITCH
Serving Swiss Universities
--------------------------
Rolf Gartmann, Security Engineer, Member of SWITCH-CERT
PGP fingerprint: 4602 9CC2 6C04 5DF0 3A05 7609 BC09 45A2 2E0E CA35
SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
http://www.switch.ch/cert/
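A small parser for bot check-in lines of the shape quoted in the report, added here as an example and not part of Rolf's post or of any SWITCH-CERT tooling: it pulls the infected host, the unix account the bot runs as, and the channel out of an IRC capture, and lists root-level compromises first so they can be handled before the web-account ones. Sample lines, hosts and IDs are constructed; the list archive renders "@" as " at ", so both forms are accepted.

```python
import re
from typing import List, NamedTuple, Optional
# Sample check-in lines constructed for this example, in the same shape as
# the IRC PRIVMSG lines quoted in the report (hosts and IDs here are made up;
# the list archive renders "@" as " at ", so the parser accepts both forms).
SAMPLE_LOG = (
    "oak-145564-root!~x249369@198.51.100.33 PRIVMSG #prophecy[.exec.] "
    "Preforming uname -n (0)\r\n"
    "group-93320-www-data!www-data at 203.0.113.163 PRIVMSG #prophecy[.exec.] "
    "Preforming uname -n (0)\r\n"
    "bose1-42-58014-http!~x194460@web.example.org PRIVMSG #prophecy[.exec.] "
    "Preforming uname -n (0)\r\n"
    "someuser!~ident@192.0.2.5 PRIVMSG #random hello there\r\n"
)

PRIVMSG_RE = re.compile(
    r"^(?P<nick>\S+)!(?P<user>\S+?)(?:@| at )(?P<host>\S+) PRIVMSG "
    r"(?P<channel>\S+) (?P<text>.*)$"
)
# Bot nick layout seen in the report: <hostname>-<number>-<unix account>
NICK_RE = re.compile(r"^(?P<box>.+)-(?P<ident>\d+)-(?P<account>[a-z][\w-]*)$")
# Command echo sent by the bot; "Preforming" is the bot's own spelling.
CHECKIN_RE = re.compile(r"^Preforming (?P<cmd>.+?) \((?P<rc>\d+)\)$")
class CheckIn(NamedTuple):
    host: str         # address the infected machine connected from
    account: str      # unix account the bot runs as (root, www-data, ...)
    channel: str
    command: str
    privileged: bool  # True when the bot already runs as root

def parse_line(line: str) -> Optional[CheckIn]:
    """Return a CheckIn for a bot check-in line, None for any other traffic."""
    m = PRIVMSG_RE.match(line.rstrip("\r\n"))  # drop the ^M line endings
    if not m:
        return None
    nick, text = NICK_RE.match(m["nick"]), CHECKIN_RE.match(m["text"])
    if not nick or not text:
        return None
    account = nick["account"]
    return CheckIn(m["host"], account, m["channel"], text["cmd"], account == "root")

def triage(log: str) -> List[CheckIn]:
    """Extract every bot check-in from an IRC capture, root compromises first."""
    hits = [c for c in map(parse_line, log.splitlines()) if c]
    return sorted(hits, key=lambda c: not c.privileged)

if __name__ == "__main__":
    for c in triage(SAMPLE_LOG):
        print(("ROOT" if c.privileged else "user"), c.host, c.account, c.channel)
```

Ordinary channel chatter and nicks that do not follow the bot's hostname-number-account layout are dropped, so the output is only the hosts that need an incident ticket.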