I logged on to my site tonight and looked at the last log:
adm1n pts/0 87.68.83.90.cabl Mon Jul 27 13:00 - 13:06 (00:06)
There is no one with shell access but me. This user appears out of nowhere and
was actually logged in for 6 minutes.
I went looking around, wondering where he came from. I found this in the
/var/messages file:
Jul 27 13:00:23 www sshdfilt[3451]: DB:ACCEPT: user=adm1n, ip=87.68.83.90
Jul 27 13:00:23 www sshd[3452]: Accepted password for adm1n from 87.68.83.90
port 3980 ssh2
Jul 27 13:06:47 www sshd[3452]: Received disconnect from 87.68.83.90: 11:
Disconnect requested by Windows SSH Client.
What?
Looking further, I find this:
Jul 27 12:56:17 www cced(smd)[31615]: client 0:[48:12626]: AUTH to "admin"
(5) succeeded
Jul 27 12:59:50 www cced(smd)[32605]: client 5:[48:12627]: CREATE "User"
"fullName" "=" "adm1n" "capLevels" "=" "&adminUser&controlPower&ipPooling&"
"sortName" "=" "" "name" "=" "adm1n" "password" "=" xxx
Jul 27 12:59:51 www cced(smd)[32618]: client [0:32617] has admin rights
Jul 27 12:59:51 www cced(smd)[32619]: client [0:32617] has admin rights
Jul 27 12:59:51 www cced(smd)[32620]: client [0:32617] has admin rights
Jul 27 12:59:52 www cced(smd)[32605]: client
5:handlers/base/user/handle_user.pl: SET 592 crypt_password = jmwF3dh6W7Dnw
md5_password = "$1$zQXnTCKc$8D7b.1yw.vKBalO/rKA340"
Jul 27 12:59:53 www cced(smd)[32605]: client
5:handlers/base/user/handle_user.pl: SET succeeded
Jul 27 12:59:53 www cced(smd)[32605]: client
5:handlers/base/user/updateCapabilities.pl: SET 592 capabilities =
"&modifyEmail&modifySnmp&modifyFtp&modifyServerSWUpdate&destroySWUpdateServer&destroyPackage&createPackage&modifyTelnet&siteAdmin&modifyAsp&modifyPackage&modifyArkeia&modifySystemTime&modifyNetBackup&siteFrontpage&modifyHttpd&adminBlueLinq&ipPooling&controlPower&scanDetection&siteAnonFTP&createSWUpdateServer&serverBackup&dnsAdmin&siteSSL&systemMonitor&modifyDNS&webServices&adminUser&overflow&networkServices&modifyJava&modifyNetWorker&modifySWUpdateServer&siteShell&serverConfig&"
Jul 27 12:59:53 www cced(smd)[32605]: client
5:handlers/base/user/updateCapabilities.pl: SET succeeded
Jul 27 12:59:53 www cced(smd)[32605]: client
5:handlers/base/email/apop_pw.pl: SET 592 . APOP apop_password = "陵摸楊"
Jul 27 12:59:53 www cced(smd)[32605]: client
5:handlers/base/email/apop_pw.pl: SET succeeded
Jul 27 12:59:53 www cced(smd)[32605]: client
5:handlers/base/user/reserve_email.pl: CREATE EmailAlias fqdn = "" site =
"" action = adm1n alias = adm1n
Jul 27 12:59:53 www cced(smd)[32605]: client
5:handlers/base/user/reserve_email.pl: CREATE succeeded
Jul 27 12:59:54 www cced(smd)[32605]: client 5:[48:12627]: CREATE succeeded
Jul 27 12:59:54 www cced(smd)[32605]: client 5:[48:12627]: SET 592 . Disk
"quota" "=" "20"
Jul 27 12:59:54 www cced(smd)[32605]: client 5:[48:12627]: SET succeeded
Jul 27 12:59:54 www cced(smd)[32605]: client 5:[48:12627]: SET 592 .
RootAccess "enabled" "=" "1"
Jul 27 12:59:54 www cced(smd)[32605]: client
5:handlers/base/user/root_access.pl: CREATE ProtectedEmailAlias local_alias
= 1 action = adm1n alias = "root-adm1n"
Jul 27 12:59:54 www cced(smd)[32605]: client
5:handlers/base/user/root_access.pl: CREATE succeeded
Jul 27 12:59:54 www cced(smd)[32605]: client 5:[48:12627]: SET succeeded
Jul 27 12:59:54 www cced(smd)[32605]: client 5:[48:12627]: SET 592 . Shell
"enabled" "=" "1"
Jul 27 12:59:54 www cced(smd)[32605]: client 5:[48:12627]: SET succeeded
Jul 27 13:00:01 www cced(smd)[316]: client [0:32764] has admin rights
Jul 27 13:00:02 www cced(smd)[316]: client 0:[0:32764]: SET 17 . DNS
lastChange = 1248714002 currentState = G currentMessage =
"[[base-dns.amStatusOK]]"
Jul 27 13:00:02 www cced(smd)[316]: client 0:[0:32764]: SET succeeded
Jul 27 13:00:03 www cced(smd)[316]: client 0:[0:32764]: SET 17 . SMTP
lastChange = 1248714003 currentState = G currentMessage =
"[[base-email.amSMTPStatusOK]]"
Jul 27 13:00:03 www cced(smd)[316]: client 0:[0:32764]: SET succeeded
Jul 27 13:00:03 www cced(smd)[316]: client 0:[0:32764]: SET 17 . POP3
lastChange = 1248714003 currentState = G currentMessage =
"[[base-email.amPOP3StatusOK]]"
Jul 27 13:00:03 www cced(smd)[316]: client 0:[0:32764]: SET succeeded
Jul 27 13:00:03 www cced(smd)[316]: client 0:[0:32764]: SET 17 . IMAP
lastChange = 1248714003 currentState = G currentMessage =
"[[base-email.amIMAPStatusOK]]"
Jul 27 13:00:03 www cced(smd)[316]: client 0:[0:32764]: SET succeeded
Jul 27 13:00:03 www cced(smd)[316]: client 0:[0:32764]: SET 17 . Email
lastChange = 1248714003 currentState = G currentMessage =
"[[base-email.amEmailGreen]]"
Jul 27 13:00:03 www cced(smd)[316]: client 0:[0:32764]: SET succeeded
Jul 27 13:00:03 www cced(smd)[316]: client 0:[0:32764]: SET 17 . Memory
lastChange = 1248714003 currentState = G currentMessage =
"[[base-am.amMemWarning_light]]"
Jul 27 13:00:03 www cced(smd)[316]: client 0:[0:32764]: SET succeeded
Jul 27 13:00:03 www proftpd[439]: www.uhostme.com (127.0.0.1[127.0.0.1]) -
FTP session opened.
Jul 27 13:00:03 www cced(smd)[316]: client 0:[0:32764]: SET 17 . FTP
lastChange = 1248714003 currentState = G currentMessage =
"[[base-ftp.amStatusOK]]"
Jul 27 13:00:03 www cced(smd)[316]: client 0:[0:32764]: SET succeeded
Jul 27 13:00:03 www cced(smd)[316]: client 0:[0:32764]: SET 17 . CPU
lastChange = 1248714003 currentState = G currentMessage =
"[[base-am.amCPUWarning_light]]"
Jul 27 13:00:03 www cced(smd)[316]: client 0:[0:32764]: SET succeeded
Jul 27 13:00:03 www proftpd[439]: www.uhostme.com (127.0.0.1[127.0.0.1]) -
FTP session closed.
Jul 27 13:00:03 www cced(smd)[316]: client 0:[0:32764]: SET 17 . Apache
lastChange = 1248714003 currentState = G currentMessage =
"[[base-apache.amStatusOK]]"
Jul 27 13:00:03 www cced(smd)[316]: client 0:[0:32764]: SET succeeded
Jul 27 13:00:03 www cced(smd)[461]: client [0:459] has admin rights
Jul 27 13:00:03 www cced(smd)[461]: client 0:[0:459]: SET 9 refresh =
1248714003
Jul 27 13:00:03 www cced(smd)[461]: client 0:handlers/base/disk/df.pl: SET
9 used = 34132 total = 1035660
Jul 27 13:00:03 www cced(smd)[461]: client 0:handlers/base/disk/df.pl: SET
succeeded
Jul 27 13:00:03 www cced(smd)[461]: client 0:[0:459]: SET succeeded
Jul 27 13:00:03 www cced(smd)[461]: client 0:[0:459]: SET 12 refresh =
1248714003
Jul 27 13:00:03 www cced(smd)[461]: client 0:handlers/base/disk/df.pl: SET
12 used = 2004880 total = 6190692
Jul 27 13:00:03 www cced(smd)[461]: client 0:handlers/base/disk/df.pl: SET
succeeded
Jul 27 13:00:03 www cced(smd)[461]: client 0:[0:459]: SET succeeded
Jul 27 13:00:03 www cced(smd)[461]: client 0:[0:459]: SET 11 refresh =
1248714003
Jul 27 13:00:03 www cced(smd)[461]: client 0:handlers/base/disk/df.pl: SET
11 used = 390312 total = 4127108
Jul 27 13:00:03 www cced(smd)[461]: client 0:handlers/base/disk/df.pl: SET
succeeded
Jul 27 13:00:03 www cced(smd)[461]: client 0:[0:459]: SET succeeded
Jul 27 13:00:03 www cced(smd)[461]: client 0:[0:459]: SET 10 refresh =
1248714003
Jul 27 13:00:03 www cced(smd)[461]: client 0:handlers/base/disk/df.pl: SET
10 used = 22356616 total = 102885720
Jul 27 13:00:03 www cced(smd)[461]: client 0:handlers/base/disk/df.pl: SET
succeeded
Jul 27 13:00:03 www cced(smd)[461]: client 0:[0:459]: SET succeeded
Jul 27 13:00:03 www cced(smd)[461]: client 0:[0:459]: SET 8 refresh =
1248714003
Jul 27 13:00:03 www cced(smd)[461]: client 0:handlers/base/disk/df.pl: SET
8 used = 78833 total = 101086
Jul 27 13:00:03 www cced(smd)[461]: client 0:handlers/base/disk/df.pl: SET
succeeded
Jul 27 13:00:03 www cced(smd)[461]: client 0:[0:459]: SET succeeded
Jul 27 13:00:04 www cced(smd)[485]: client [0:482] has admin rights
Jul 27 13:00:04 www cced(smd)[502]: client [0:459] has admin rights
Jul 27 13:00:04 www cced(smd)[503]: client [0:459] has admin rights
Jul 27 13:00:04 www cced(smd)[316]: client 0:[0:32764]: SET 17 . Disk
lastChange = 1248714004 currentState = G currentMessage =
"[[base-disk.amDiskOk]]"
Jul 27 13:00:04 www cced(smd)[316]: client 0:[0:32764]: SET succeeded
Jul 27 13:00:04 www cced(smd)[316]: client 0:[0:32764]: SET 17 . Network
lastChange = 1248714004 currentState = G currentMessage =
"[[base-network.amNetworkOK]]"
Jul 27 13:00:04 www cced(smd)[316]: client 0:[0:32764]: SET succeeded
Jul 27 13:00:23 www PAM_pwdb[585]: (sshd) session opened for user adm1n by
(uid=0)
Jul 27 13:00:58 www kernel: IN=eth0 OUT=
MAC=00:11:09:2c:88:5e:00:d0:bc:ed:40:34:08:00 SRC=208.77.151.18
DST=208.77.219.98 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=12563 DF PROTO=TCP
SPT=3268 DPT=110 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 27 13:01:01 www kernel: IN=eth0 OUT=
MAC=00:11:09:2c:88:5e:00:d0:bc:ed:40:34:08:00 SRC=208.77.151.18
DST=208.77.219.98 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=12566 DF PROTO=TCP
SPT=3268 DPT=110 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 27 13:01:07 www kernel: IN=eth0 OUT=
MAC=00:11:09:2c:88:5e:00:d0:bc:ed:40:34:08:00 SRC=208.77.151.18
DST=208.77.219.98 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=12568 DF PROTO=TCP
SPT=3268 DPT=110 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 27 13:06:47 www PAM_pwdb[585]: (sshd) session closed for user adm1n
Jul 27 13:06:55 www cced(smd)[1778]: client 5:[48:31636]: DESTROY 592
Jul 27 13:06:55 www cced(smd)[1778]: client
5:handlers/base/user/reserve_email.pl: DESTROY 656
Jul 27 13:06:55 www cced(smd)[1778]: client
5:handlers/base/user/reserve_email.pl: DESTROY succeeded
Jul 27 13:06:55 www cced(smd)[1778]: client
5:handlers/base/user/root_access.pl: DESTROY 657
Jul 27 13:06:56 www cced(smd)[1778]: client
5:handlers/base/user/root_access.pl: DESTROY succeeded
Jul 27 13:06:56 www cced(smd)[1778]: client 5:[48:31636]: DESTROY succeeded
He created an account using cced, gave himself root access and then deleted
his account. That is NOT good.
In and out, from root level access to deleted account in six minutes.
Has anyone else heard of any root-level exploits on BQ lately? I am fully
yummed up.
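The sequence in the log above (cced CREATE "User", RootAccess and Shell enabled on the new object id, an sshd login as that user, then DESTROY of the same object id minutes later) is easy to spot after the fact but easy to miss in a busy /var/log/messages. The script below is an added example, not code from the post or from the BlueQuartz project: it correlates those four events per user and flags any account whose whole lifetime, from CREATE to DESTROY, fits inside a short window. The syslog/cced line formats are taken from the lines quoted in the post; the sample log is a constructed, condensed and re-joined subset of them, the year 2009 is an assumption (syslog timestamps carry no year), and the one-hour window is an arbitrary default.

```python
"""Correlate cced user CREATE / RootAccess / sshd login / DESTROY events."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a condensed subset of the post's log lines, with the
# e-mail line wrapping undone and the unrelated monitor lines dropped.
SAMPLE_LOG = """\
Jul 27 12:56:17 www cced(smd)[31615]: client 0:[48:12626]: AUTH to "admin" (5) succeeded
Jul 27 12:59:50 www cced(smd)[32605]: client 5:[48:12627]: CREATE "User" "fullName" "=" "adm1n" "capLevels" "=" "&adminUser&controlPower&ipPooling&" "sortName" "=" "" "name" "=" "adm1n" "password" "=" xxx
Jul 27 12:59:54 www cced(smd)[32605]: client 5:[48:12627]: CREATE succeeded
Jul 27 12:59:54 www cced(smd)[32605]: client 5:[48:12627]: SET 592 . RootAccess "enabled" "=" "1"
Jul 27 12:59:54 www cced(smd)[32605]: client 5:[48:12627]: SET succeeded
Jul 27 12:59:54 www cced(smd)[32605]: client 5:[48:12627]: SET 592 . Shell "enabled" "=" "1"
Jul 27 13:00:02 www cced(smd)[316]: client 0:[0:32764]: SET 17 . DNS lastChange = 1248714002 currentState = G
Jul 27 13:00:23 www sshd[3452]: Accepted password for adm1n from 87.68.83.90 port 3980 ssh2
Jul 27 13:06:47 www sshd[3452]: Received disconnect from 87.68.83.90: 11: Disconnect requested by Windows SSH Client.
Jul 27 13:06:55 www cced(smd)[1778]: client 5:[48:31636]: DESTROY 592
Jul 27 13:06:55 www cced(smd)[1778]: client 5:handlers/base/user/reserve_email.pl: DESTROY 656
Jul 27 13:06:56 www cced(smd)[1778]: client 5:[48:31636]: DESTROY succeeded
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<prog>cced\(smd\)|sshd)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CREATE_USER_RE = re.compile(r'CREATE "User" .*"name" "=" "(?P<name>[^"]*)"')
SET_RE = re.compile(r"\bSET (?P<oid>\d+)\b(?P<rest>.*)")
GRANT_RE = re.compile(r'^ \. (?P<what>RootAccess|Shell) "enabled" "=" "1"')
DESTROY_RE = re.compile(r"\bDESTROY (?P<oid>\d+)\b")
SSH_ACCEPT_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")


def parse_ts(ts, year):
    # Syslog has no year field; the caller supplies one (2009 is assumed here,
    # which matches the epoch values in the post's lastChange fields).
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def analyze(log_text, year=2009, max_lifetime_s=3600):
    """Return one finding per user created, granted/used, and destroyed within max_lifetime_s."""
    pending = {}                 # cced pid -> user name from a CREATE not yet bound to an oid
    oid_user = {}                # CCE object id -> user name
    created, destroyed = {}, {}  # user -> datetime / (datetime, oid)
    grants, logins = defaultdict(set), defaultdict(list)

    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts, pid, msg = parse_ts(m["ts"], year), m["pid"], m["msg"]

        if m["prog"] == "sshd":
            s = SSH_ACCEPT_RE.search(msg)
            if s:
                logins[s["user"]].append((ts, s["ip"]))
            continue

        c = CREATE_USER_RE.search(msg)
        if c:
            pending[pid] = c["name"]
            created[c["name"]] = ts
            continue

        s = SET_RE.search(msg)
        if s:
            # The first "SET <oid>" the creating pid issues after CREATE names the new object.
            if pid in pending:
                oid_user[s["oid"]] = pending.pop(pid)
            g = GRANT_RE.match(s["rest"])
            if g and s["oid"] in oid_user:
                grants[oid_user[s["oid"]]].add(g["what"])
            continue

        d = DESTROY_RE.search(msg)
        if d and d["oid"] in oid_user:
            destroyed[oid_user[d["oid"]]] = (ts, d["oid"])

    findings = []
    for user, (t_destroy, oid) in destroyed.items():
        if user not in created:
            continue
        lifetime = int((t_destroy - created[user]).total_seconds())
        if lifetime <= max_lifetime_s and (grants[user] or logins[user]):
            findings.append({
                "user": user, "oid": oid, "lifetime_s": lifetime,
                "created": created[user], "destroyed": t_destroy,
                "grants": sorted(grants[user]),
                "logins": [(t.strftime("%H:%M:%S"), ip) for t, ip in logins[user]],
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['user']} (oid {f['oid']}): lived {f['lifetime_s']}s, "
              f"grants={f['grants']}, ssh logins={f['logins']}")
```

Run against the real file (`analyze(open("/var/log/messages").read())`) it reports adm1n as created at 12:59:50, given RootAccess and Shell, logged in over SSH from 87.68.83.90, and destroyed at 13:06:55, 425 seconds after creation. The object id is the key that survives across the different cced client sessions (the CREATE comes from pid 32605, the DESTROY from pid 1778), which is why the script binds it from the first SET after CREATE rather than relying on the user name appearing in the DESTROY line.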