Security Incidents mailing list archives
Re: Linux-box hacked, ls, ps, login modified
From: rickt () UNIXLABS NET (Rick Tait)
Date: Thu, 23 Mar 2000 00:50:17 -0500
It's times and incidents like this that remind me of the power of [ch,ls]attr & friends. Why not set up your box as you want it, then chattr +i all the binaries that could potentially be trojaned - and then *remove* the ability from the running kernel to remove the +i bit? That way - no binary can be modified *at* all. End result: no trojans! cf:

    [root@sigsegv sbin]# cp /tmp/install.log /bin/login
    cp: overwrite `/bin/login', overriding mode 0755? y
    cp: cannot create regular file `/bin/login': Permission denied

Someone gave me a perl script (syscapset) to do this last week and it works fabulously. AFAIK, one can't undo the removal of the immutable bit after using syscapset until you reboot. And John Q. Cracker is unlikely to do this due to the rather large suspicion quotient involved. I've tested this and it *does* work. Of course, moving the script to a secured box after using it, thus not leaving it lying around for prying eyes, would be a good thing. :)

Anyone who's interested in said script, let me know.

Rick.

On Wed, 22 Mar 2000, Frank Derichsweiler wrote:
Hi list,

Anybody seen this? The process for gl0ck is running as root on a red hat box.

    /bin/bincp/glox.su:
    gl0ck 3.2 [icmp/tcp/udp/frag+rand ID] by ip, this copy is registred to s3phz
    usage: Cancer <ip#1,ip#2,...> [options]
     -F <type>     : i=icmp s=syn u=udp f=fragbomb [i=icmp]
     -I <addr>     : Use <addr> as source [random]
     -p <port>     : Destinationport in syn/udp flood
     -s <size>     : Payload size in bytes(always 0 in synflood) [0]
     -c <count>    : Only send <count> packets [endless]
     -m <count>    : Multiple packets(<count>) in each packetburst [1]
     -d <delay>    : Microsec(s) delay between bursts [0]
     -t <min>      : Floodtimeout in min(s) [30]
     -l <port>     : CancerServer, listen for cmd's on <port>
     -f <hostfile> : Flood using CancerServers in <hostfile>
     -q            : Quiet mode
    ~

Further investigation showed that /bin/ls /bin/ps /bin/login were replaced by trojaned ones. Luckily I found a source file with code for an exploit. Unfortunately I cannot transfer it from "\xeb \x38 ..." to a readable form. Any ideas?

TIA
Frank

--
Frank Derichsweiler
Please *NO* CC: I read the mailing list !
--
main(v, c)char**c;{for(v[c++]="Rick Tait <rickt () unixlabs net>\n)";(!!c)[* c]&&(v--||--c&&execlp(*c,*c,c[!!c]+!!c,!c));**c=!c)write(!!*c,*c,!!**c);}
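The two halves of the thread, Frank finding ls/ps/login replaced and Rick's chattr +i lockdown, are the prevent-and-detect pair below, written as an added example for this archive page rather than anything posted by either author. It assumes GNU coreutils sha256sum and the e2fsprogs chattr/lsattr tools; the immutable-bit part needs root on a filesystem that honours chattr, so it is skipped otherwise, and the demonstration runs on constructed files in a scratch directory, never on real system binaries.

```shell
#!/bin/sh
# Added example, not from the mailing-list post.
# Baseline-and-verify a set of binaries with sha256 digests, and optionally
# set (and check) the ext2/3/4 immutable bit on them.

# Write a manifest of "<sha256>  <path>" lines for the given files.
make_manifest() {
    sha256sum "$@"
}

# Re-check every file in a manifest; exit status 0 only if nothing changed.
verify_manifest() {
    sha256sum --quiet -c "$1"
}

# Set the immutable bit on each path (root only; ext-family filesystems).
lock_binaries() {
    for f in "$@"; do
        chattr +i "$f" || return 1
    done
}

# Confirm the 'i' attribute is really present; report any path lacking it.
check_immutable() {
    rc=0
    for f in "$@"; do
        attrs=$(lsattr "$f" 2>/dev/null | cut -d' ' -f1)
        case "$attrs" in
            *i*) ;;
            *)   echo "NOT immutable: $f" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Demonstration on constructed stand-ins for /bin/login and /bin/ls.
demo_dir=$(mktemp -d)
printf 'pretend this is /bin/login\n' > "$demo_dir/login"
printf 'pretend this is /bin/ls\n'    > "$demo_dir/ls"
make_manifest "$demo_dir/login" "$demo_dir/ls" > "$demo_dir/manifest.sha256"
verify_manifest "$demo_dir/manifest.sha256" && echo "baseline OK"

# Simulate the replacement Frank found: overwrite 'login' with other content.
printf 'not the real login\n' > "$demo_dir/login"
verify_manifest "$demo_dir/manifest.sha256" || echo "ALERT: a baselined file changed"

# Rick's lockdown, only where it can actually work (root + chattr available).
if [ "$(id -u)" -eq 0 ] && command -v chattr >/dev/null 2>&1; then
    if lock_binaries "$demo_dir/ls" && check_immutable "$demo_dir/ls"; then
        echo "immutable bit set on $demo_dir/ls"
        chattr -i "$demo_dir/ls"   # unlock so the scratch directory can be removed
    fi
fi
rm -rf "$demo_dir"
```

In practice the manifest belongs on read-only media or another host, since a root-level intruder who can replace /bin/ls can just as easily rewrite a manifest stored beside it. Rick's second step, removing the kernel's ability to clear the +i bit, relied on the system-wide capability bounding set of 2.2/2.4 kernels (the /proc/sys/kernel/cap-bound knob); on current kernels the bounding set is per-process, so CAP_LINUX_IMMUTABLE has to be dropped for each privileged service rather than once for the whole machine.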