Security Incidents mailing list archives
Re: Compromised...
From: jkinney () TELLER PHYSICS EMORY EDU (Jim Kinney)
Date: Mon, 7 Feb 2000 21:46:43 -0500
Sorry to hear about the break-in. They can be ulcer-causing events.

To shorten your reloading problem, since you have rpm capabilities, the command "rpm -Va >verify.txt" will give you a listing of all the files that have changed their md5 checksum from the original rpm database. Of course, programs loaded without rpm will not be noticed.

ADMROCKS is a tell-tale sign of a bind exploit.

It's difficult to keep track of all the updates when sys-admin is only part of the job description. There is, however, a very useful tool for rpm-based systems called "autorpm". Essentially, it will look at a known, or given, ftp site and automatically download any rpms that are updates to your system. It can be configured to check the md5 checksum and signatures and auto-install or add them to a queue for later install. It also emails you to tell you what it got and what it needs you to do about it. I expect it will become a standard RedHat package soon. They ship now with "up2date". It works well, but lacks the automatic aspect of autorpm.

Jim Kinney

On Mon, 7 Feb 2000, Steve Logan wrote:
This morning I tried to ssh to a domain I host on one of my boxes. I soon realized the domain wasn't resolving. I then ssh'd to the IP of the box. I discovered that named wasn't running. I restarted it. I was curious to find out why it had died. I started looking through the logs and I soon realized my machine had been broken into. Several binaries had been replaced (ps, ls, netstat, ...). I replaced the ps and ls and found some interesting things. There was a process running called in,telnetd (notice the comma). I found this in "/usr/ /":

    rwxr-xr-x    2 root root     4096 Feb  6 21:41 .
    drwxr-xr-x  20 root root     4096 Feb  6 21:38 ..
    -rw-r--r--   1 root root       39 Feb  6 21:38 .l
    -rw-r--r--   1 root root       44 Feb  6 21:38 .n
    -rw-r--r--   1 root root       31 Feb  6 21:40 .p
    -rws--x--x   1 root root   281416 Feb  6 21:38 .tt
    -rwxr-xr-x   1 root root   373176 Feb  6 21:38 .ttb
    -rw-r--r--   1 root root      698 Feb  6 21:38 .ttf
    -rwxr-xr-x   1 root root     7860 Feb  6 21:38 in,telnetd
    -rw-r--r--   1 root root  2518030 Feb  7 10:52 sniff.log

After running strings on these files it appears they are a shell program and password files. The in,telnetd is logging all network traffic to sniff.log. All of the log files had been modified. History was modified. wtmp was modified. inetd.conf was changed. Several other things were also changed. There was a directory called ADMROCKS in /var/named.

Has anyone else experienced this? How did they get in? At this point I'm pretty sure it was through named. How should I go about cleaning it up? Right now I think I'll just reinstall the RPMs off of the CD. Will this be enough (along with upgrading BIND)? If anyone could share any useful information please do so.

Thanks,
Steve Logan
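Jim's "rpm -Va >verify.txt" produces one line per file that fails any verification test, and on a real system most of those lines are harmless (touched timestamps, locally edited config files). The script below is an added example, not code from either message in this thread: it triages a verify.txt so that files whose contents actually changed stand out from the noise. The verify.txt sample embedded in it is constructed for illustration and is not output from Steve's machine; the function names are the example's own. One caveat a practitioner would add to Jim's advice: the comparison is made by the compromised host's own rpm binary against its own rpm database, so a clean result is weak evidence, and anything installed outside rpm (like the files under "/usr/ /") never appears at all.

```shell
#!/bin/sh
# Added example (not from the thread): triage the output of "rpm -Va".
#
# rpm -Va prints one line per file that fails verification:
#   - an 8-character flag field, one position per test:
#       S size  M mode  5 md5  D device  L link  U user  G group  T mtime
#     "." means the test passed, "?" means it could not be run;
#   - an optional attribute letter (c = config file, d = doc, ...);
#   - the path. Files that are gone entirely are reported as "missing".
#
# Caveat: the checks run on the compromised host, with its rpm binary and
# its rpm database, so a file that passes is not proven clean, and files
# installed outside rpm are never listed.

# Constructed sample of verify.txt contents (illustrative only, not real
# output from the machine in the thread). Paths are assumed not to contain
# spaces, which is true of stock RedHat packages of the period.
SAMPLE_VERIFY='S.5....T   /bin/ps
S.5....T   /bin/ls
S.5....T   /bin/netstat
S.5....T c /etc/inetd.conf
.......T   /usr/share/doc/bash-1.14.7/README
missing    /usr/bin/top
.M.....T   /var/named'

# Each function reads rpm -Va output on stdin, e.g.:  md5_changed < verify.txt

# Non-config files whose md5 no longer matches the database: on a freshly
# broken-in box these are the first candidates for replaced binaries.
md5_changed() {
    awk '$1 != "missing" && substr($1, 3, 1) == "5" && $2 != "c" { print $NF }'
}

# Config files whose md5 changed. inetd.conf lands here, but so does every
# legitimate local edit, so review these by hand instead of reinstalling.
config_changed() {
    awk '$1 != "missing" && substr($1, 3, 1) == "5" && $2 == "c" { print $NF }'
}

# Packaged files that are no longer present at all.
missing_files() {
    awk '$1 == "missing" { print $NF }'
}

# Lines where only the mtime differs carry no content change; list them
# separately so they are not mistaken for tampering.
mtime_only() {
    awk '$1 == ".......T" { print $NF }'
}

# Stand-alone demo over the constructed sample: sh thisscript.sh --demo
if [ "${1:-}" = "--demo" ]; then
    echo "== md5 changed, non-config ==";  printf '%s\n' "$SAMPLE_VERIFY" | md5_changed
    echo "== md5 changed, config ==";      printf '%s\n' "$SAMPLE_VERIFY" | config_changed
    echo "== missing ==";                  printf '%s\n' "$SAMPLE_VERIFY" | missing_files
    echo "== mtime only ==";               printf '%s\n' "$SAMPLE_VERIFY" | mtime_only
fi
```

The paths printed by md5_changed are the ones to feed to "rpm -qf" so you know which packages to reinstall from the CD; the config_changed list is what to diff against the CD copies by hand, since a reinstall would also wipe your own edits.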
Current thread:
- Re: DoS Trojan on Solaris, (continued)
- Re: DoS Trojan on Solaris Ross Mueller (Feb 03)
- Compromised... Steve Logan (Feb 07)
- Re: Compromised... David Bernick (Feb 07)
- Re: Compromised... Japheth (Feb 07)
- Re: Compromised... Simon Britnell (Feb 08)
- Re: Compromised... technot (Feb 09)
- Re: Compromised... Sebastian (Feb 09)
- Prank phone calls related to recent break-ins? Nate Carlson (Feb 09)
- Question about event log events JF Prieur (Feb 08)
- Re: Compromised... Jose Nazario (Feb 07)
- Re: Compromised... Jim Kinney (Feb 07)
- Re: Compromised... Jon Lewis (Feb 07)
- Re: Compromised... Joshua Krage (Feb 08)
- Re: Compromised... Rich Burroughs (Feb 09)
- Re: Compromised... Lane Davis (Feb 07)
- Re: Compromised... Marianovich Felix (Feb 08)
- Re: Compromised... Sebastian (Feb 08)
- 195.0.0.0/8 Scan Source amused () POBOX COM (Feb 10)
- hacked Anton (Feb 14)
- Re: Compromised... Stephen J. Friedl (Feb 14)
- Re: Compromised... Derek Vadala (Feb 14)