[BlueOnyx:03720] Re: Possible breach of server - assistance appreciated

Christoph Schneeberger cschnee at box.telemedia.ch
Mon Mar 1 05:36:20 -05 2010


Richard Morgan wrote:
> Hi
>
> I hope someone can point me in the right direction because this is a little 
> stressful (to say the least).
>
> We've been sent a message, via the abuse team in the data centre we use, 
> that indicates port scans or something malicious is originating from our 
> server.  It's actually the third time now.
>
> The message is below, but my problem is I don't have enough familiarity with 
> Linux security to dig in and know what I'm looking for.  Therefore any 
> pointers in the right direction would be appreciated.
>
> Thanks, Richard
>
> The message received was as follows:
> --------------------------------------
>
> This is an automated message from Columbia University IT Security.  You are
> receiving it because you are listed as the abuse contact for the machine
> referred to below.  This machine attempted to gain unauthorized
> access to one or more machines at Columbia University.
>
> Details are provided below.  Please take all necessary
> steps to mitigate such attacks.
>
> If you have received this message in error, or if this incident
> reported is inappropriate, please contact security at columbia.edu
> so that we can update our procedures.  Please include the entire
> body of this message.
>
> Thank You.
>
> Columbia University IT Security
> security at columbia.edu
>
> Name:     s1.XXXXXX.net
> Address:  217.112.XX.XX
>
> Incident type: 6000/tcp
> First attempt: 27-feb-2010 05:50:00 GMT-0500
> Last attempt: 27-feb-2010 05:50:00 GMT-0500
> Total attempts: 131061
>
> 27-Feb-2010 05:51:46 GMT-0500 217.112.XX.XX:62518 -> 156.111.227.14:6000
> 6 48
> 27-Feb-2010 05:51:46 GMT-0500 217.112.XX.XX:62518 -> 156.111.227.40:6000
> 6 48
> 27-Feb-2010 05:51:46 GMT-0500 217.112.XX.XX:62518 -> 156.111.227.45:6000
> 6 48
> 27-Feb-2010 05:51:46 GMT-0500 217.112.XX.XX:62518 -> 156.111.227.46:6000
> 6 48
> 27-Feb-2010 05:51:46 GMT-0500 217.112.XX.XX:62518 -> 156.111.227.48:6000
> 6 48
> 27-Feb-2010 05:51:46 GMT-0500 217.112.XX.XX:62518 -> 156.111.227.81:6000
> 6 48
> 27-Feb-2010 05:51:46 GMT-0500 217.112.XX.XX:62518 -> 156.111.227.67:6000
> 6 48
>
> There was lots more, all of a similar nature.
>
Some completely uneducated guesses, please take with a grain of salt...:

This looks as if your machine is trying to find an open/wildcard-exported
X-Display within that subnet and tries to run a rogue program there
(e.g. a keylogger). You might also want to check if the process
doing that is visible to netstat -anp:

netstat -anp | egrep "6000|62518"

This could give you further insight into locating the script doing it
(given the attack is still ongoing and the attacker didn't replace
netstat or place a rootkit that hides the process).

If you are facing an advanced attacker and not a simple-minded script
kiddie, you probably have no choice but to take the box down and
check/examine it from other bootable media (e.g. a bootable CD-ROM,
Knoppix, BackTrack Linux, whatever).

Hope this helps,
Christoph
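As an added example (not part of Christoph's reply or of BlueOnyx), a small Python script that applies his netstat -anp check to constructed sample output, matching the port fields exactly instead of as substrings, and listing the PID/program to examine next; the sample rows, the 217.112.0.2 address and the `./.x` program name are made up for illustration.

```python
import re

# Constructed sample of `netstat -anp` output (not from the original post);
# 217.112.0.2 stands in for the masked server address, ./.x is a made-up name.
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1021/sshd
tcp        0      0 217.112.0.2:62518       156.111.227.46:6000     SYN_SENT    4471/./.x
tcp        0      0 217.112.0.2:62518       156.111.227.48:6000     SYN_SENT    4471/./.x
tcp        0      0 10.0.0.5:60001          10.0.0.9:443            ESTABLISHED 2200/curl
tcp        0      0 10.0.0.5:35000          10.0.0.9:443            ESTABLISHED 6000/httpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           980/ntpd
"""

# One netstat -anp row: proto, queues, local addr:port, foreign addr:port,
# optional state (absent for UDP), then PID/program (or "-" without privileges).
ROW_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+|\*)\s+"
    r"(?P<faddr>\S+):(?P<fport>\d+|\*)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"
    r"(?P<pid>\d+|-)(?:/(?P<prog>\S+))?"
)


def suspicious_sockets(netstat_output, foreign_ports=(6000,), local_ports=(62518,)):
    """Match the port *fields* exactly, so a PID of 6000 or a port such as
    60001 is not a hit the way a plain `egrep "6000|62518"` would make it."""
    hits = []
    for line in netstat_output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        lport, fport = m["lport"], m["fport"]
        if (fport.isdigit() and int(fport) in foreign_ports) or \
           (lport.isdigit() and int(lport) in local_ports):
            hits.append({"local": f"{m['laddr']}:{lport}", "foreign": f"{m['faddr']}:{fport}",
                         "state": m["state"] or "", "pid": m["pid"], "prog": m["prog"] or ""})
    return hits


def naive_grep(netstat_output, pattern=r"6000|62518"):
    """What `egrep "6000|62518"` returns: a substring match anywhere in the line."""
    return [l for l in netstat_output.splitlines() if re.search(pattern, l)]


def owning_pids(hits):
    """Distinct PID/program pairs to inspect next (e.g. ls -l /proc/<pid>/exe)."""
    return sorted({(h["pid"], h["prog"]) for h in hits})


if __name__ == "__main__":
    hits = suspicious_sockets(NETSTAT_SAMPLE)
    print(f"{len(hits)} exact hits vs {len(naive_grep(NETSTAT_SAMPLE))} grep hits")
    for pid, prog in owning_pids(hits):
        print(f"inspect pid {pid} ({prog})")
```

On the sample the plain egrep returns four rows (two of them the curl and httpd decoys) while the field-exact check returns only the two half-open connections to port 6000, both owned by one PID.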