Bugtraq mailing list archives

Re: No Security is Bad Security:


From: ecx () PARADIGM PANGEA CA (ecx)
Date: Thu, 4 Feb 1999 11:11:05 -0600


On Tue, 2 Feb 1999, John "E.R." Jasen wrote:

> I immediately logged into the offending machine, and investigated what
> evidence the cracker had left behind. The first thing discovered was
> trojan'ed copies of rshd, telnetd, and ftpd, in a supposedly hidden ...
> directory. Much to my annoyance, I also found out that /usr/bin/ls was
> trojan'ed, at least not to list ... and '. ' files. Switching to
> /usr/ucb/ls, which the cracker missed, a rootkit trojan script was
> discovered, which replaced several executables in /usr/bin and /usr/sbin.
> I believe that the network services were manually trojan'ed.
>
> The logs looked 'too clean', causing me to suspect that they had been
> sanitised in some fashion.
>
> As an offhand guess, we think that ftpd was compromised, in early January,
> but lack concrete evidence.
>
> My general opinion is that we most likely were dealing with what a friend
> of mine calls a 'script kiddie.' However, he did a few things that struck
> me as somewhat abnormal for a standard kiddie [namely the apparent manual
> replacement of the rshd, et al], and I felt it prudent to continue to the
> next step: the machine was sentenced to death -- unplugged from the
> network, backed up, formatted and reinstalled. While we were at it, we

Unfortunately rootkits have progressed to the point where they can be
installed with makefiles and other assorted scripts, and are very
easy to obtain.  This brings serious problems to administration, as
it now allows `script-kiddiez', e.g. individuals with a low
level of intelligence who are generally out to own IRC atop your
corporation's T1, to easily modify the underlying operating system to
their benefit.  This can add to the time it takes for them to be detected,
and in some cases allows them to penetrate other machines on your network.
Failed rootkit installations can also render the system useless.

There are a few things that can make it more difficult for an attacker
to trojan services/binaries on your system, and alert you when they do:

1) Use the chflags/chattr command.  Most of the time, sadly, the people
using these rootkits are not aware of file flags.

2) Use software such as tripwire, or some other cryptographic file
scanner.

3) Operating systems such as FreeBSD/OpenBSD come set up with scripts run
daily to detect file changes in setuid binaries, as well as in others that
may be specified.

4) Don't only check for changes in binaries; often service configuration
files are modified.

5) Stopping rootkit installation is necessary: it discourages
attackers and often makes them use less hidden points of access, revealing
themselves.

-------- -------------------------- ---
ecx        /       ecx () PARADIGM PANGEA CA
---------;
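An added example (not code from either poster) that puts points 2 to 4 above into one small script: a hash baseline over binaries and configuration files, a check that reports what changed, and a setuid listing like the daily BSD security scripts. It assumes POSIX sh, awk, find and sha256sum, and watched paths without whitespace.

```shell
#!/bin/sh
# Example added here, not from the original post: a minimal integrity
# baseline/check in the spirit of tripwire and the daily FreeBSD/OpenBSD
# security scripts. It records a SHA-256 for every regular file under the
# watched directories (binaries and config files alike) and reports what
# was added, removed or modified since the baseline.
# Assumptions: POSIX sh, awk, find, sha256sum; paths contain no whitespace.
# The baseline file must live where an intruder cannot rewrite it (read-only
# media, another host, or a chflags schg / chattr +i file), or a rootkit can
# simply regenerate it alongside the trojaned binaries.

# Print "hash  path" for every regular file under the given directories,
# sorted by path so the output is stable.
hash_tree() {
    find "$@" -type f -exec sha256sum {} + | sort -k 2
}

# List setuid/setgid files under the given directories, as the daily
# security script does for setuid binaries.
list_setuid() {
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# Write a baseline: $1 = baseline file, remaining args = directories.
baseline() {
    out=$1; shift
    hash_tree "$@" > "$out"
}

# Compare the current tree against a baseline: $1 = baseline file,
# remaining args = directories. Prints sorted ADDED/REMOVED/MODIFIED lines;
# returns 0 when nothing changed and 1 otherwise.
check() {
    base=$1; shift
    report=$(hash_tree "$@" | awk '
        FILENAME == ARGV[1] { seen[$2] = $1; next }
        $2 in seen { if (seen[$2] != $1) print "MODIFIED " $2; delete seen[$2]; next }
        { print "ADDED " $2 }
        END { for (p in seen) print "REMOVED " p }
    ' "$base" - | sort)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```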


