Attack Log from 2010-02-08

Collection of evidence related to attack on SocalLinux.org server on 2010-02-08

Evidence of port-scanning (multiple times) using nmap tool, as well as attempts to obtain user account & password information & to obtain write privileges to a mailman HTML page.

All times GMT.

1. The httpd access.log file

Here are some selected entries (the linked file contains the complete list). Feb 5 entries are from a port scan. Feb 8 entries show attempts from the host at the IP address 67.52.151.102 (ns2.itkinetix.com) attempting to gain elevated privileges or access to protected information (like the /etc/passwd file) Note: even though the httpd server returned code 200, the mailman CGI script returned a default response, and did not give out the /etc/passwd file.

The entries starting with POST are attempts to find a password that could be used to change properties of a mailing list.

These POST entries to the '/edithtml/ CGI script are either an attempt to try using a default password or to find if there is a specific exploit that would allow the CGI caller to write nefarious content.

There is no reason why any valid user would be calling these CGI's in this fashion.

These are intentional (non-accidental) and malicious in nature.

67.52.151.102 - - [08/Feb/2010:11:10:15 +0000] "GET /cgi-bin/mailman/listinfo/linuxusers.../....///.../..../// HTTP/1.1" 200 906 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-US) AppleWebKit/532.8 (KHTML, like Gecko) Chrome/4.0.280.0 Safari/532.8"
67.52.151.102 - - [08/Feb/2010:11:10:44 +0000] "GET /cgi-bin/mailman/listinfo/linuxusers.../....///.../....///.../....////etc/passwd HTTP/1.1" 200 906 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-US) AppleWebKit/532.8 (KHTML, like Gecko) Chrome/4.0.280.0 Safari/532.8"
67.52.151.102 - - [08/Feb/2010:11:10:46 +0000] "GET /cgi-bin/mailman/listinfo/linuxusers.../....///.../....///.../....////etc/passwd HTTP/1.1" 200 906 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-US) AppleWebKit/532.8 (KHTML, like Gecko) Chrome/4.0.280.0 Safari/532.8"

67.52.151.102 - - [08/Feb/2010:11:10:51 +0000] "GET /cgi-bin/mailman/listinfo/linuxusers/.../....///.../....///.../....////etc/passwd HTTP/1.1" 200 2291 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-US) AppleWebKit/532.8 (KHTML, like Gecko) Chrome/4.0.280.0 Safari/532.8"

67.52.151.102 - - [08/Feb/2010:11:11:02 +0000] "GET /cgi-bin/mailman/listinfo/linuxusers/.../....///.../....///.../....////etc/passwd HTTP/1.1" 200 2291 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-US) AppleWebKit/532.8 (KHTML, like Gecko) Chrome/4.0.280.0 Safari/532.8"

67.52.151.102 - - [08/Feb/2010:11:13:47 +0000] "GET /cgi-bin/mailman/edithtml/tests/listinfo.html?html_code=%3Cs%3E HTTP/1.1" 200 214 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-US) AppleWebKit/532.8 (KHTML, like Gecko) Chrome/4.0.280.0 Safari/532.8"
67.52.151.102 - - [08/Feb/2010:11:13:56 +0000] "GET /cgi-bin/mailman/edithtml/linuxinfo/listinfo.html?html_code=%3Cs%3E HTTP/1.1" 200 217 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-US) AppleWebKit/532.8 (KHTML, like Gecko) Chrome/4.0.280.0 Safari/532.8"
67.52.151.102 - - [08/Feb/2010:11:14:01 +0000] "GET /cgi-bin/mailman/edithtml/linuxusers/listinfo.html?html_code=%3Cs%3E HTTP/1.1" 200 1105 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-US) AppleWebKit/532.8 (KHTML, like Gecko) Chrome/4.0.280.0 Safari/532.8"
67.52.151.102 - - [08/Feb/2010:11:14:15 +0000] "POST /cgi-bin/mailman/edithtml/linuxusers/listinfo.html?html_code=%3Cs%3E HTTP/1.1" 200 1140 "http://socallinux.org/cgi-bin/mailman/edithtml/linuxusers/listinfo.html?html_code=%3Cs%3E" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-US) AppleWebKit/532.8 (KHTML, like Gecko) Chrome/4.0.280.0 Safari/532.8"
67.52.151.102 - - [08/Feb/2010:11:14:17 +0000] "POST /cgi-bin/mailman/edithtml/linuxusers/listinfo.html?html_code=%3Cs%3E HTTP/1.1" 200 1140 "http://socallinux.org/cgi-bin/mailman/edithtml/linuxusers/listinfo.html?html_code=%3Cs%3E" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-U

2. The mail.log file.

You'll see some of these, which is a typical NMAP scan against the POP SSL port. The linked file contains the complete list.

Feb  5 19:30:50 rs1 ipop3d[24125]: pop3s SSL service init from 67.52.151.102
Feb  5 19:30:50 rs1 ipop3d[24125]: Unable to accept SSL connection, host=ns2.itkinetix.com [67.52.151.102]
Feb  5 19:30:50 rs1 ipop3d[24125]: SSL error status: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
...
Feb  5 19:31:04 rs1 ipop3d[24134]: Unexpected client disconnect, while reading line user=??? host=ns2.itkinetix.com [67.52.151.102]

You'll see some of these, which is the NMAP scan against SMTP.
Feb 5 19:30:52 rs1 postfix-socallinux/smtpd[23984]: connect from ns2.itkinetix.com[67.52.151.102] Feb 5 19:30:52 rs1 postfix-socallinux/smtpd[23984]: lost connection after UNKNOWN from ns2.itkinetix.com[67.52.151.102] Feb 5 19:30:52 rs1 postfix-socallinux/smtpd[23984]: disconnect from ns2.itkinetix.com[67.52.151.102]

3. The auth.log file

These entries for a scan from ns2.itkinetix.com (67.52.151.102) show an nmap scan discovering an sshd port. On Jan 21, Nmap tries to send HTTP GET request which causes an error.

Jan 19 19:57:19 rs1 sshd[17972]: Did not receive identification string from 67.52.151.102
Jan 19 19:57:43 rs1 sshd[17991]: Protocol major versions differ for 67.52.151.102: SSH-2.0-OpenSSH_5.1 vs. SSH-1.5-NmapNSE_1.0
Jan 19 19:57:43 rs1 sshd[17996]: Protocol major versions differ for 67.52.151.102: SSH-2.0-OpenSSH_5.1 vs. SSH-1.5-Nmap-SSH1-Hostkey

Jan 21 02:54:28 rs1 sshd[2979]: Bad protocol version identification 'GET / HTTP/1.0' from 67.52.151.102
Jan 21 03:07:55 rs1 sshd[3128]: Did not receive identification string from 67.52.151.102

Feb  5 19:30:39 rs1 sshd[24113]: Did not receive identification string from 67.52.151.102
Feb  5 19:31:03 rs1 sshd[24129]: Protocol major versions differ for 67.52.151.102: SSH-2.0-OpenSSH_5.1 vs. SSH-1.5-NmapNSE_1.0
Feb  5 19:31:03 rs1 sshd[24131]: Protocol major versions differ for 67.52.151.102: SSH-2.0-OpenSSH_5.1 vs. SSH-1.5-Nmap-SSH1-Hostkey

4. IRCD log file entries

You'll notice the same hostname for 2 IRC connections, once from a user named nmap, once from a user that named Viss

Mon Feb  8 10:43:54 2010 (  0:00:00): adtlnfbrr!~nmap@ns2.itkinetix.com 0/0
Mon Feb  8 10:48:20 2010 (  0:08:46): No!~Viss@ns2.itkinetix.com 3/0

5. Firewall Log entries

The kern.log file is available for download. It is 3.9Mb large. This file was created by scanning all kern.log files in the server archive with the grep tool, searching for the offending IP address.

Here are a select few entries - out of a total of 16,169 TCP port open attempts
This is the start of today's scan (2010-02-08) and they go after various ports such as 22 (ssh), 445,135 (microsoft RPC/CIFS), 21 (ftp), 3306 (mysql), as well a many other ports. Our server has never offered these ports as open - not for any user at any time.

Feb  8 10:42:56 rs1 kernel: [6262345.992437] IN=eth0 OUT= MAC=40:40:b4:80:d0:c1:00:24:97:60:15:bf:08:00 SRC=67.52.151.102 DST=174.143.149.197 LEN=40 TOS=0x00 PREC=0x40 TTL=39 ID=50229 PROTO=ICMP TYPE=13 CODE=0
Feb  8 10:42:57 rs1 kernel: [6262346.808324] IN=eth0 OUT= MAC=40:40:b4:80:d0:c1:00:24:97:60:15:bf:08:00 SRC=67.52.151.102 DST=174.143.149.197 LEN=64 TOS=0x00 PREC=0x40 TTL=244 ID=60230 DF PROTO=TCP SPT=1358 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
Feb  8 10:42:57 rs1 kernel: [6262346.812546] IN=eth0 OUT= MAC=40:40:b4:80:d0:c1:00:24:97:60:15:bf:08:00 SRC=67.52.151.102 DST=174.143.149.197 LEN=64 TOS=0x00 PREC=0x40 TTL=244 ID=59732 DF PROTO=TCP SPT=1073 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Feb  8 10:42:57 rs1 kernel: [6262346.812600] IN=eth0 OUT= MAC=40:40:b4:80:d0:c1:00:24:97:60:15:bf:08:00 SRC=67.52.151.102 DST=174.143.149.197 LEN=64 TOS=0x00 PREC=0x40 TTL=244 ID=21882 DF PROTO=TCP SPT=1195 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Feb  8 10:42:57 rs1 kernel: [6262346.812644] IN=eth0 OUT= MAC=40:40:b4:80:d0:c1:00:24:97:60:15:bf:08:00 SRC=67.52.151.102 DST=174.143.149.197 LEN=64 TOS=0x00 PREC=0x40 TTL=244 ID=18786 DF PROTO=TCP SPT=2238 DPT=1025 WINDOW=65535 RES=0x00 SYN URGP=0
Feb  8 10:42:57 rs1 kernel: [6262346.812689] IN=eth0 OUT= MAC=40:40:b4:80:d0:c1:00:24:97:60:15:bf:08:00 SRC=67.52.151.102 DST=174.143.149.197 LEN=64 TOS=0x00 PREC=0x40 TTL=244 ID=22071 DF PROTO=TCP SPT=1148 DPT=113 WINDOW=65535 RES=0x00 SYN URGP=0
Feb  8 10:42:57 rs1 kernel: [6262346.812734] IN=eth0 OUT= MAC=40:40:b4:80:d0:c1:00:24:97:60:15:bf:08:00 SRC=67.52.151.102 DST=174.143.149.197 LEN=64 TOS=0x00 PREC=0x40 TTL=244 ID=61017 DF PROTO=TCP SPT=2684 DPT=199 WINDOW=65535 RES=0x00 SYN URGP=0
Feb  8 10:42:57 rs1 kernel: [6262346.812780] IN=eth0 OUT= MAC=40:40:b4:80:d0:c1:00:24:97:60:15:bf:08:00 SRC=67.52.151.102 DST=174.143.149.197 LEN=64 TOS=0x00 PREC=0x40 TTL=244 ID=60931 DF PROTO=TCP SPT=2952 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
Feb  8 10:42:57 rs1 kernel: [6262346.816389] IN=eth0 OUT= MAC=40:40:b4:80:d0:c1:00:24:97:60:15:bf:08:00 SRC=67.52.151.102 DST=174.143.149.197 LEN=64 TOS=0x00 PREC=0x40 TTL=244 ID=5913 DF PROTO=TCP SPT=1950 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
Feb  8 10:42:57 rs1 kernel: [6262346.816459] IN=eth0 OUT= MAC=40:40:b4:80:d0:c1:00:24:97:60:15:bf:08:00 SRC=67.52.151.102 DST=174.143.149.197 LEN=64 TOS=0x00 PREC=0x40 TTL=244 ID=40303 DF PROTO=TCP SPT=2156 DPT=554 WINDOW=65535 RES=0x00 SYN URGP=0
Feb  8 10:42:57 rs1 kernel: [6262346.854460] IN=eth0 OUT= MAC=40:40:b4:80:d0:c1:00:24:97:60:15:bf:08:00 SRC=67.52.151.102 DST=174.143.149.197 LEN=64 TOS=0x00 PREC=0x40 TTL=244 ID=53526 DF PROTO=TCP SPT=2636 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0
Feb  8 10:42:57 rs1 kernel: [6262346.860188] IN=eth0 OUT= MAC=40:40:b4:80:d0:c1:00:24:97:60:15:bf:08:00 SRC=67.52.151.102 DST=174.143.149.197 LEN=64 TOS=0x00 PREC=0x40 TTL=244 ID=44918 DF PROTO=TCP SPT=1495 DPT=110 WINDOW=65535 RES=0x00 SYN URGP=0
Feb  8 10:42:58 rs1 kernel: [6262347.740052] IN=eth0 OUT= MAC=40:40:b4:80:d0:c1:00:24:97:60:15:bf:08:00 SRC=67.52.151.102 DST=174.143.149.197 LEN=64 TOS=0x00 PREC=0x40 TTL=244 ID=27954 DF PROTO=TCP SPT=2156 DPT=554 WINDOW=65535 RES=0x00 SYN URGP=0
Feb  8 10:42:58 rs1 kernel: [6262347.744045] IN=eth0 OUT= MAC=40:40:b4:80:d0:c1:00:24:97:60:15:bf:08:00 SRC=67.52.151.102 DST=174.143.149.197 LEN=64 TOS=0x00 PREC=0x40 TTL=244 ID=38180 DF PROTO=TCP SPT=2238 DPT=1025 WINDOW=65535 RES=0x00 SYN URGP=0
Feb  8 10:42:58 rs1 kernel: [6262347.744235] IN=eth0 OUT= MAC=40:40:b4:80:d0:c1:00:24:97:60:15:bf:08:00 SRC=67.52.151.102 DST=174.143.149.197 LEN=64 TOS=0x00 PREC=0x40 TTL=244 ID=6755 DF PROTO=TCP SPT=2684 DPT=199 WINDOW=65535 RES=0x00 SYN URGP=0
Feb  8 10:42:58 rs1 kernel: [6262347.744286] IN=eth0 OUT= MAC=40:40:b4:80:d0:c1:00:24:97:60:15:bf:08:00 SRC=67.52.151.102 DST=174.143.149.197 LEN=64 TOS=0x00 PREC=0x40 TTL=244 ID=43267 DF PROTO=TCP SPT=1950 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
Feb  8 10:42:58 rs1 kernel: [6262347.752581] IN=eth0 OUT= MAC=40:40:b4:80:d0:c1:00:24:97:60:15:bf:08:00 SRC=67.52.151.102 DST=174.143.149.197 LEN=64 TOS=0x00 PREC=0x40 TTL=244 ID=21348 DF PROTO=TCP SPT=1195 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Feb  8 10:42:58 rs1 kernel: [6262347.752637] IN=eth0 OUT= MAC=40:40:b4:80:d0:c1:00:24:97:60:15:bf:08:00 SRC=67.52.151.102 DST=174.143.149.197 LEN=64 TOS=0x00 PREC=0x40 TTL=244 ID=56135 DF PROTO=TCP SPT=1073 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Feb  8 10:42:58 rs1 kernel: [6262347.752691] IN=eth0 OUT= MAC=40:40:b4:80:d0:c1:00:24:97:60:15:bf:08:00 SRC=67.52.151.102 DST=174.143.149.197 LEN=64 TOS=0x00 PREC=0x40 TTL=244 ID=4883 DF PROTO=TCP SPT=2952 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
Feb  8 10:42:58 rs1 kernel: [6262347.752736] IN=eth0 OUT= MAC=40:40:b4:80:d0:c1:00:24:97:60:15:bf:08:00 SRC=67.52.151.102 DST=174.143.149.197 LEN=64 TOS=0x00 PREC=0x40 TTL=244 ID=60210 DF PROTO=TCP SPT=1148 DPT=113 WINDOW=65535 RES=0x00 SYN URGP=0

Corresponding Information:

The host IP address 67.52.151.102 matches the FQDN and Reverse DNS:

dk@spot:log20100208$ host 67.52.151.102
102.151.52.67.in-addr.arpa domain name pointer ns2.itkinetix.com.

Following the ARIN whois records to find the NetBlock and abuse information: dk@spot:log20100208$ whois -h whois.arin.net 67.52.151.102 OrgName: Road Runner HoldCo LLC OrgID: RCWE Address: 13241 Woodland Park Road City: Herndon StateProv: VA PostalCode: 20171 Country: US ReferralServer: rwhois://ipmt.rr.com:4321 NetRange: 67.52.0.0 - 67.53.255.255 CIDR: 67.52.0.0/15 NetName: RR-COMMER-CENTRAL-3 NetHandle: NET-67-52-0-0-1 Parent: NET-67-0-0-0-0 NetType: Direct Allocation NameServer: NS1.BIZ.RR.COM NameServer: NS2.BIZ.RR.COM NameServer: DNS4.RR.COM Comment: RegDate: 2003-06-25 Updated: 2006-04-07 OrgAbuseHandle: ABUSE10-ARIN OrgAbuseName: Abuse OrgAbusePhone: +1-703-345-3416 OrgAbuseEmail: abuse@rr.com OrgTechHandle: IPTEC-ARIN OrgTechName: IP Tech OrgTechPhone: +1-703-345-3416 OrgTechEmail: abuse@rr.com # ARIN WHOIS database, last updated 2010-02-07 20:00 # Enter ? for additional hints on searching ARIN's WHOIS database. # # ARIN WHOIS data and services are subject to the Terms of Use # available at https://www.arin.net/whois_tou.html Found a referral to ipmt.rr.com:4321. %rwhois V-1.5:003fff:00 cdptpa-ipmt-rwhois-01.cdptpa.rr.com (by Network Solutions, Inc. V-1.5.9.6) network:Class-Name:network network:ID:NETBLK-ISRC-67.52.128.0/19 network:Auth-Area:67.52.151.96/29 network:Network-Name:IT-KINETIX-67.52.151.96 network:IP-Network:67.52.151.96/29 network:IP-Network-Block:67.52.151.96 - 67.52.151.103 network:Organization;I:IT-KINETIX network:Tech-Contact;I:ipaddreg@rr.com network:Admin-Contact;I:IPADD-ARIN network:AbuseEmail:dan@itkinetix.com network:Created:20100208 network:Updated:20100208 network:Updated-By:ipaddreg@rr.com network:Class-Name:network network:ID:NETBLK-ISRC-67.52.128.0/19 network:Auth-Area:67.52.128.0/19 network:Network-Name:ISRC-67.52.128.0 network:IP-Network:67.52.128.0/19 network:IP-Network-Block:67.52.128.0 - 67.52.159.255 network:Organization;I:Road Runner Commercial network:Tech-Contact;I:ipaddreg@rr.com network:Admin-Contact;I:IPADD-ARIN network:Created:20100208 network:Updated:20100208 network:Updated-By:ipaddreg@rr.com %ok