Koozali.org: home of the SME Server

SME Server hacked - log file check

jonroberts
SME Server hacked - log file check
« on: August 20, 2004, 12:56:29 PM »
Guys,

A client with an SME server changed their admin password to something 'easier to remember' without telling me.  As I had allowed remote access so that I could get in (OK, I know I'm at fault there), it has led to a hack into the system as Admin.

As far as I can see, they were in for a couple of minutes & changed one user password (which I've corrected) & then shut down the server.

However I would appreciate it if someone better informed than I would take a look over the logfile just to confirm this.

The logfile is posted at:

http://www.westcountrybusiness.com/wba/westcountrybusiness/westcountrybusinesswebsite.nsf/OpenSection?OpenAgent&Section=9.9

There was also the following admin e-mail this morning, but the server doesn't use procmail & the user name is wrong.

From: Cron Daemon [mailto:root@[domain removed]]
Sent: 20 August 2004 10:00
To: root@[domain removed]
Subject: Cron <root@gateway> /etc/startmail


procmail: Insufficient privileges
procmail: Unknown user "k.o_neill"

I've checked the cron files and the startmail file and all looks OK.  

Any ideas / tips would be helpful.

Thanks

Jon

cc_skavenger

Hacked system
« Reply #1 on: August 20, 2004, 11:31:53 PM »
I would start here:

Search results for: 81.196.69.167


OrgName:    RIPE Network Coordination Centre
OrgID:      RIPE
Address:    Singel 258
Address:    1016 AB
City:       Amsterdam
StateProv:
PostalCode:
Country:    NL

ReferralServer: whois://whois.ripe.net:43

NetRange:   81.0.0.0 - 81.255.255.255
CIDR:       81.0.0.0/8
NetName:    81-RIPE
NetHandle:  NET-81-0-0-0-1
Parent:
NetType:    Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: AUTH62.NS.UU.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
Comment:    These addresses have been further assigned to users in
Comment:    the RIPE NCC region. Contact information can be found in
Comment:    the RIPE database at http://www.ripe.net/whois
RegDate:
Updated:    2004-03-16

That is the IP that the hack originated from.

It looks like they changed a user password for nina, deleted nina and re-added the username, messed with /etc/named.conf aka bind, ssh, qmailr, groups, slapd, local hosts, smbd, imap mailboxes database, and not sure what else.  Looks like they were trying to gain e-mail use for spam, imho.  I personally would re-do the box with different usernames and a stronger admin password.  I would create a username for the person who is going to administer the box and set them up through the user-manager, so they do not use the admin account.

Just my 2cents.

HTH marco
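The triage marco describes above (bound the intruder's session by the lines mentioning the source IP, then look for account changes and files under /etc modified inside that window) can be scripted. The following is an added example, not code from this thread or from SME Server: the log lines and the mock /etc tree are constructed for the example, and only the source IP is taken from the reply. The helpers use only POSIX grep, awk, find and touch, so they run on a 2004-era box as well as today.

```shell
#!/bin/sh
# Added example, not code from the thread or from SME Server: minimal
# triage helpers for a suspected admin-account compromise (remote login
# as admin, password changes, edits under /etc). Log lines and the mock
# /etc tree are constructed; only the source IP comes from the thread.

SUSPECT_IP="81.196.69.167"

# Write a constructed /var/log/secure-style sample to the given path.
write_sample_log() {
  cat > "$1" <<'EOF'
Aug 20 09:41:02 gateway sshd[2213]: Failed password for admin from 81.196.69.167 port 4412 ssh2
Aug 20 09:41:09 gateway sshd[2213]: Accepted password for admin from 81.196.69.167 port 4412 ssh2
Aug 20 09:41:10 gateway sshd(pam_unix)[2213]: session opened for user admin by (uid=0)
Aug 20 09:42:30 gateway passwd(pam_unix)[2260]: password changed for nina
Aug 20 09:43:05 gateway userdel[2271]: delete user 'nina'
Aug 20 09:43:20 gateway useradd[2275]: new user: name=nina, UID=5003, GID=5003
Aug 20 09:44:51 gateway sshd[2290]: Accepted password for jon from 10.0.0.12 port 51022 ssh2
Aug 20 09:45:00 gateway shutdown[2301]: shutting down for system halt
EOF
}

# Every line mentioning the suspect IP; the first and last timestamps
# bound the intruder's session.
lines_from_ip() { grep -F "$1" "$2"; }

# Number of successful sshd logins for USER from IP in LOG
# (usage: accepted_logins USER IP LOG). Prints 0 rather than failing.
accepted_logins() {
  grep -F "Accepted" "$3" | grep -F " for $1 " | grep -cF " from $2 " || true
}

# Account changes (password set, user added, user deleted) logged after
# the first accepted login from IP (usage: account_changes_after_login IP LOG).
account_changes_after_login() {
  awk -v ip="$1" '
    /Accepted/ && index($0, ip) { seen = 1; next }
    seen && /password changed|new user|delete user/ { print }
  ' "$2"
}

# Files under DIR modified after MARK, where MARK is in touch -t format
# (YYYYMMDDhhmm). A marker file carries the timestamp for find -newer.
changed_since() {
  mark=$(mktemp)
  touch -t "$2" "$mark"
  find "$1" -type f -newer "$mark" | sort
  rm -f "$mark"
}

# Build a mock /etc: every file last touched in July 2004, then the ones
# the reply says the intruder modified re-touched during the intrusion.
build_mock_etc() {
  mkdir -p "$1/ssh" "$1/openldap"
  for f in passwd group hosts named.conf ssh/sshd_config smb.conf openldap/slapd.conf fstab; do
    : > "$1/$f"
    touch -t 200407011200 "$1/$f"
  done
  for f in passwd group hosts named.conf ssh/sshd_config smb.conf openldap/slapd.conf; do
    touch -t 200408200943 "$1/$f"
  done
}

# Stand-alone run against the constructed data.
work=$(mktemp -d)
write_sample_log "$work/secure"
build_mock_etc "$work/etc"
echo "== activity from $SUSPECT_IP"
lines_from_ip "$SUSPECT_IP" "$work/secure"
echo "== accepted admin logins from that IP: $(accepted_logins admin "$SUSPECT_IP" "$work/secure")"
echo "== account changes after that login"
account_changes_after_login "$SUSPECT_IP" "$work/secure"
echo "== files under etc changed after 09:41 on 20 Aug 2004"
changed_since "$work/etc" 200408200941
rm -rf "$work"
```

On a real box the log path would be /var/log/secure (or whatever syslog writes auth messages to), the marker time comes from the first "Accepted" line for the suspect IP, and the file list should be read from the preserved original disk rather than the rebuilt one, which is why shanen's advice to keep the drive matters. Mtimes can be reset by an intruder, so an empty result from changed_since is not proof of nothing changed.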

shanen

SME Server hacked - log file check
« Reply #2 on: August 22, 2004, 11:04:02 AM »
Reinstall and charge the client for your time...
Keep the original hard drive as it would be interesting to know how they "broke" the password
Then explain to them that this is why you are here to help them and keep their network secure and they are lucky to have you...