In between restoring email spool files and bringing other services back online, I've poked around the log files from the compromised machine. There is a picture that's starting to emerge. In syslog, I found some attempts from a particular IP address (obscured in case my suspicions are wrong):
Apr 11 22:27:50 as220 telnetd[25626]: Connect from 200.x.x.x
Apr 11 22:27:51 as220 telnetd[25626]: ttloop: retrying
Apr 11 22:27:52 as220 last message repeated 10244 times
Apr 12 00:17:57 as220 telnetd[27417]: Connect from 200.x.x.x
Apr 12 00:17:57 as220 telnetd[27417]: ttloop: peer died: Invalid or incomplete multibyte or wide character
I also found someone coming from a host within the same domain (it looks like a group of dialup or cable modem/dsl users) trying to log in as root:
Apr 12 00:45:06 as220 PAM-securetty[28448]: access denied: tty 'pts/1' is not secure!
Apr 12 00:45:16 as220 login[28448]: FAILED LOGIN (2) on `pts/1' from `x.X.X.X.X' FOR `root', Authentication failure
Then I found the same IP address from the first listing coming to www.as220.org from a defacement archive:
200.x.x.x - - [11/Apr/2003:23:22:52 -0400] "GET / HTTP/1.1" 304 - "http://www.zone-h.org/defacements/onhold" "Mozilla/5.0 (compatible; Konqueror/3; Linux)"
I'm not sure how to proceed with this information. Right now, most of our energy is (and should be) going toward getting AS220 up and running again. If anyone has advice or suggestions on interpreting these log entries, please let me know. I'd be grateful for any help.
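The post above does its correlation by eye: one address shows up in the telnetd entries and again in the web access log with a defacement-archive referer, and a second host fails a root login on a tty that securetty rejects. The script below, an added example that is not part of the original post, does the same cross-log check mechanically. It parses telnetd, login and Apache combined-format lines, folds syslog's "last message repeated N times" into the preceding event, ties ttloop errors back to the peer address via the telnetd PID, and reports every source IP that appears in more than one log with at least one indicator. The log lines and IP addresses are constructed (RFC 5737 documentation ranges) and modelled on the entries quoted above; the referer watch-list is an assumption for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the syslog entries quoted in the post.
# Addresses are documentation-range placeholders, not real hosts.
SYSLOG_LINES = [
    "Apr 11 22:27:50 as220 telnetd[25626]: Connect from 203.0.113.7",
    "Apr 11 22:27:51 as220 telnetd[25626]: ttloop: retrying",
    "Apr 11 22:27:52 as220 last message repeated 10244 times",
    "Apr 12 00:17:57 as220 telnetd[27417]: Connect from 203.0.113.7",
    "Apr 12 00:17:57 as220 telnetd[27417]: ttloop: peer died: Invalid or incomplete multibyte or wide character",
    "Apr 12 00:45:06 as220 PAM-securetty[28448]: access denied: tty 'pts/1' is not secure!",
    "Apr 12 00:45:16 as220 login[28448]: FAILED LOGIN (2) on `pts/1' from `203.0.113.42' FOR `root', Authentication failure",
    "Apr 12 09:00:01 as220 CRON[30001]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Constructed Apache combined-format lines; the first mirrors the hit in the post.
ACCESS_LOG_LINES = [
    '203.0.113.7 - - [11/Apr/2003:23:22:52 -0400] "GET / HTTP/1.1" 304 - '
    '"http://www.zone-h.org/defacements/onhold" "Mozilla/5.0 (compatible; Konqueror/3; Linux)"',
    '198.51.100.9 - - [11/Apr/2003:23:30:10 -0400] "GET /index.html HTTP/1.0" 200 5120 "-" "Lynx/2.8"',
]

# Assumed watch-list of referer domains worth flagging (defacement archives and the like).
SUSPICIOUS_REFERERS = ("zone-h.org",)

TELNET_RE = re.compile(r"telnetd\[(\d+)\]: (.*)$")
FAILED_LOGIN_RE = re.compile(r"login\[\d+\]: FAILED LOGIN \(\d+\) on `([^']+)' from `([^']+)' FOR `([^']+)'")
REPEAT_RE = re.compile(r"last message repeated (\d+) times")
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"')


def parse_syslog(lines):
    """Turn telnetd and login syslog entries into per-IP indicator events."""
    events = []
    pid_to_ip = {}  # telnetd pid -> peer address seen on its "Connect from" line
    for line in lines:
        m = REPEAT_RE.search(line)
        if m and events:
            # syslog collapsed duplicates: add the repeat count to the previous event
            events[-1]["count"] += int(m.group(1))
            continue
        m = TELNET_RE.search(line)
        if m:
            pid, msg = m.groups()
            if msg.startswith("Connect from "):
                ip = msg[len("Connect from "):].strip()
                pid_to_ip[pid] = ip
                events.append({"ip": ip, "source": "telnetd", "indicator": "telnet connect", "count": 1})
            elif msg.startswith("ttloop:"):
                # ttloop lines carry no address; recover it from the same pid's connect line
                ip = pid_to_ip.get(pid, "unknown")
                detail = msg[len("ttloop:"):].strip()
                events.append({"ip": ip, "source": "telnetd", "indicator": "ttloop error: " + detail, "count": 1})
            continue
        m = FAILED_LOGIN_RE.search(line)
        if m:
            tty, ip, user = m.groups()
            events.append({"ip": ip, "source": "login", "indicator": f"failed login for {user} on {tty}", "count": 1})
    return events


def parse_access_log(lines):
    """Record every web client IP; flag requests whose referer is on the watch-list."""
    events = []
    for line in lines:
        m = APACHE_RE.match(line)
        if not m:
            continue
        ip, _ts, request, _status, _size, referer, _agent = m.groups()
        indicator = None
        for needle in SUSPICIOUS_REFERERS:
            if needle in referer:
                indicator = f"referer from {needle} ({request})"
        events.append({"ip": ip, "source": "httpd", "indicator": indicator, "count": 1})
    return events


def correlate(events):
    """Group events by IP; cross_log is True when an IP appears in more than one
    log and carries at least one indicator, which is the overlap the post spotted by hand."""
    by_ip = defaultdict(lambda: {"sources": set(), "indicators": defaultdict(int)})
    for ev in events:
        entry = by_ip[ev["ip"]]
        entry["sources"].add(ev["source"])
        if ev["indicator"]:
            entry["indicators"][ev["indicator"]] += ev["count"]
    return {
        ip: {
            "sources": sorted(e["sources"]),
            "indicators": dict(e["indicators"]),
            "cross_log": len(e["sources"]) > 1 and bool(e["indicators"]),
        }
        for ip, e in by_ip.items()
    }


def analyse(syslog_lines=SYSLOG_LINES, access_lines=ACCESS_LOG_LINES):
    return correlate(parse_syslog(syslog_lines) + parse_access_log(access_lines))


if __name__ == "__main__":
    for ip, entry in analyse().items():
        flag = "CROSS-LOG" if entry["cross_log"] else "         "
        print(f"{flag} {ip:15} {entry['sources']} {entry['indicators']}")
```

On the constructed input the telnet source is reported with two connects, 10245 ttloop retries (1 plus the folded repeat count), one "peer died" error and the flagged referer, and is marked as cross-log; the failed root login is reported on its own without that mark. On a real box the same logic would be pointed at /var/log/messages and the httpd access log, and the repeat count is the thing to keep an eye on: a normal telnet session does not loop tens of thousands of times in two seconds.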
11:59:26 AM