Bugtraq mailing list archives
Re: No Security is Bad Security:
From: ecx () PARADIGM PANGEA CA (ecx)
Date: Thu, 4 Feb 1999 11:11:05 -0600
On Tue, 2 Feb 1999, John "E.R." Jasen wrote:
> I immediately logged into the offending machine, and investigated what evidence the cracker had left behind. The first thing discovered was trojan'ed copies of rshd, telnetd, and ftpd, in a supposedly hidden ... directory. Much to my annoyance, I also found out that /usr/bin/ls was trojan'ed, at least not to list ... and '. ' files. Switching to /usr/ucb/ls, which the cracker missed, a rootkit trojan script was discovered, which replaced several executables in /usr/bin and /usr/sbin. I believe that the network services were manually trojan'ed.
>
> The logs looked 'too clean', causing me to suspect that they had been sanitised in some fashion. As an offhand guess, we think that ftpd was compromised, in early January, but lack concrete evidence.
>
> My general opinion is that we most likely were dealing with what a friend of mine calls a 'script kiddie.' However, he did a few things that struck me as somewhat abnormal for a standard kiddie [namely the apparent manual replacement of the rshd, et al], and I felt it prudent to continue to the next step: the machine was sentenced to death -- unplugged from the network, backed up, formatted and reinstalled. While we were at it, we
Unfortunately, rootkits have progressed to the point where they can be installed with makefiles and other assorted scripts, and are very easy to obtain. This brings serious problems to administration, as it now allows 'script-kiddiez' (e.g. individuals with a low level of intelligence who are generally out to own IRC atop your corporation's T1) to easily modify the underlying operating system to their benefit. This can add to the time it takes for them to be detected, and in some cases allow them to penetrate other machines on your network. Failed rootkit installations can also render the system useless.

There are a few things that can make it more difficult for an attacker to trojan services/binaries on your system, and alert you when they do:

1) Use the chflags/chattr command. Most of the time, sadly, the people using these rootkits are not aware of file flags.

2) Use software such as tripwire, or some other cryptographic file scanner.

3) Operating systems such as FreeBSD/OpenBSD come set up with scripts run daily to detect file changes in setuid binaries, as well as others that may be specified.

4) Don't only check for changes in binaries; often service configuration files are modified.

5) Stopping rootkit installation is necessary, discouraging attackers and often making them use less hidden points of access, revealing themselves.

--
ecx / ecx () PARADIGM PANGEA CA
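Points 2 to 4 above, as an added example that is not ecx's code nor Tripwire's: a minimal cryptographic file-integrity baseline and check, recording mode as well as hash so that a same-size trojaned binary and a quietly added setuid bit are both caught, plus the kind of setuid inventory the BSD daily scripts produce. It assumes Linux with GNU coreutils (sha256sum, stat -c); the fake /usr/bin and /etc trees, the "original"/"trojaned" ls contents and the inetd.conf line are constructed for the demonstration.

```shell
# Added example (not ecx's or Tripwire's code): a minimal cryptographic
# integrity baseline/check plus a setuid inventory, after points 2-4 above.
# Assumes Linux with GNU coreutils (sha256sum, stat -c).

# baseline DIR OUT: one line "sha256 mode owner:group path" per regular file.
# The mode catches a setuid bit added to an unchanged binary; size and mtime
# are deliberately not trusted, since replaced binaries are padded and touched.
baseline() {
    find "$1" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" \
            "$(stat -c '%a %U:%G' "$f")" "$f"
    done > "$2"
}

# verify DIR STORED: rebuild the baseline and diff it against STORED (keep the
# stored copy on read-only or offline media). Returns 0 if clean, 1 if changed.
verify() {
    fresh=$(mktemp)
    baseline "$1" "$fresh"
    if diff "$2" "$fresh"; then rc=0; else rc=1; fi
    rm -f "$fresh"
    return $rc
}

# setuid_files DIR: list setuid/setgid files so today's list can be diffed
# against yesterday's, as the *BSD daily security scripts do.
setuid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | LC_ALL=C sort
}

# scenario MODE: constructed fake /usr/bin and /etc in a temp dir. MODE is
# "none", "replace_ls" (same-size trojan) or "setuid_ls" (mode change only).
# Returns verify()'s status.
scenario() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/etc"
    printf 'original ls binary\n' > "$root/usr/bin/ls"
    printf 'ftp stream tcp nowait root /usr/libexec/ftpd ftpd\n' > "$root/etc/inetd.conf"
    baseline "$root" "$root.db"
    case $1 in
        replace_ls) printf 'trojaned ls binary\n' > "$root/usr/bin/ls" ;;
        setuid_ls)  chmod 4755 "$root/usr/bin/ls" ;;
    esac
    if verify "$root" "$root.db" > /dev/null; then rc=0; else rc=1; fi
    rm -rf "$root" "$root.db"
    return $rc
}

scenario none && echo "clean tree verifies"
scenario replace_ls || echo "same-size trojaned ls detected"
scenario setuid_ls || echo "setuid bit on ls detected"
```

In real use, run baseline once after a clean install, store the database off the host, and run verify and setuid_files from cron; the check is only as trustworthy as the sha256sum, find and diff binaries it runs, so run them from read-only media if the host is suspect.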