Secure Shell
Re: Remotely replaced sshd_config, CentOS 5.3/SSH 4.3p2-36el5_4.2 Nov 13 2009 05:08PM
Adam Hubscher (offbeatadam gmail com)
68.50.70.187 is the attackers' IP.

Leif Nixon wrote:
> Adam Hubscher <offbeatadam (at) gmail (dot) com [email concealed]> writes:
>
>> These servers run cPanel and have been updated to the following
>> specs:
>>
>> 2.6.18-164.el5PAE #1 SMP Thu Sep 3 04:10:44 EDT 2009 i686 i686 i386
>> GNU/Linux
>
> This seems vulnerable to CVE-2009-3547 and CVE-2009-2695. If SELinux is
> enabled, you can trivially get root on these machines if you can run
> commands as a logged in user.
>
> I would start by looking very hard at all successful ssh logins the
> hours before the known intrusion. It is very possible that some of them
> are performed using stolen ssh keys.
>
>> I have logs from these servers, if you need other information to
>> possibly help track this down that is possible. I'm having a hard time
>> finding the vector for this attack though...
>
> If you could share the IP number of the attacking host, that could be
> useful. Does /root/.bash_history contain anything interesting? Is there
> anything suspicious in /dev/shm? (There won't be, if the machine has
> been rebooted after the intrusion.)
>

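Leif's advice to go through every successful ssh login in the hours before the intrusion, as an added example that is not part of the thread: a Python pass over constructed /var/log/secure lines in the CentOS 5 sshd format that keeps the accepted logins inside the window and flags key-based logins (a stolen key leaves no failed attempts behind) and anything from the attacker IP Adam names. The sample log lines, hostnames, users, times, the six-hour window and the time the compromise was noticed are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample /var/log/secure lines in the CentOS 5 sshd format.
# 68.50.70.187 is the attacker IP named in the thread; the hostnames,
# users, other addresses and times are made up for this example.
SAMPLE_SECURE_LOG = """\
Nov 13 01:02:11 web1 sshd[4012]: Accepted password for cpaneluser from 203.0.113.7 port 40211 ssh2
Nov 13 03:15:42 web1 sshd[5120]: Accepted publickey for root from 68.50.70.187 port 51234 ssh2
Nov 13 03:15:42 web1 sshd[5120]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov 13 04:40:19 web1 sshd[5388]: Failed password for invalid user test from 198.51.100.9 port 3322 ssh2
Nov 13 05:02:55 web1 sshd[5521]: Accepted publickey for deploy from 68.50.70.187 port 51300 ssh2
Nov 13 09:30:00 web1 sshd[6001]: Accepted publickey for deploy from 192.0.2.44 port 60002 ssh2
"""

# Only successful logins matter for this question; failures are noise here.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)
# Assumed time the compromise was noticed (constructed, not from the thread).
NOTICED_AT = datetime(2009, 11, 13, 5, 8)


def successful_logins_before(log_text, intrusion_time, hours=6):
    """Accepted sshd logins in the `hours` before intrusion_time, oldest first.
    syslog timestamps carry no year, so the year of intrusion_time is assumed."""
    window_start = intrusion_time - timedelta(hours=hours)
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{intrusion_time.year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if window_start <= ts <= intrusion_time:
            hits.append({"time": ts, "user": m["user"], "method": m["method"], "ip": m["ip"]})
    return hits


def flag_logins(logins, known_bad_ips):
    """Keep only logins worth a closer look, each with the reasons it was flagged.
    Key-based logins are flagged because a stolen key leaves no failed attempts
    behind; anything from a known attacker IP is flagged outright."""
    flagged = []
    for entry in logins:
        reasons = []
        if entry["ip"] in known_bad_ips:
            reasons.append("known attacker IP")
        if entry["method"] == "publickey":
            reasons.append("key-based login, verify the key was not stolen")
        if reasons:
            flagged.append({**entry, "reasons": reasons})
    return flagged
```

On a real box, read the text through `open("/var/log/secure").read()` (and the rotated `secure.1` files, since the window may cross a rotation) and set `NOTICED_AT` from the actual timeline.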
Copyright 2009, SecurityFocus