Security Incidents mailing list archives
Re: RedHat compromise
From: Jim Roland <jroland () ROLAND NET>
Date: Tue, 20 Feb 2001 02:56:31 -0600
I should have gotten more specific. I meant to say that I was using telnet as a client to connect to various TCP services to diagnose what was wrong ("telnet <host> 110" for accessing the POP3 server, etc).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jim Roland, RHCE (RedHat Certified Engineer)
Owner, Roland Internet Services
"Never settle with words what you can settle with a flamethrower" -- Anonymous
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

----- Original Message -----
From: "Johan.Augustsson" <Johan.Augustsson () adm gu se>
To: <INCIDENTS () SECURITYFOCUS COM>
Cc: <jroland () ROLAND NET>
Sent: Tuesday, February 20, 2001 2:39 AM
Subject: Re: RedHat compromise
At 15:43 2001-02-19 -0600, Jim Roland wrote:
> I have a customer who had one RH61 system compromised. Symptoms: Unable to telnet to the box nor acquire a POP3 connection (drops connection) from outside. You can telnet to the box from the locally attached subnet w/o problem.

Telnet!? Are you out of your mind? The intruder might use the cracked box as a sniffer and then you try to telnet to it? Use SSH and do not use telnet for any other systems in the same physical network as the cracked computer.

> Known files modified:
> /etc/inetd.conf: Line added "smbd2 stream tcp nowait root /usr/sbin/in.smb in.smb"
> /etc/services: Line added "smbd2 54321/tcp # Samba"
> crontab table for root: executes /usr/sbin/init every 5 minutes (the init program resides on /sbin/init and was untouched)
> No Samba/SMB services were installed on this system by me and its NAMED server (bind) was current as per RedHat. From the remote network, I am able to telnet to port 54321 and get a telnet prompt on the box. Further investigation shows that all TCP connections are denied.

My guess is that this isn't Samba. :) Could be a backdoor or some other tool running (sniffer, portscanner). You can't trust your binaries now, get verified versions of ls, ps, lsof, netstat etc if you want to do some investigation.

> No IP addresses are reflected in /var/log/messages nor /var/log/secure, and I am unable to determine from where the attack came, but date/time stamp on the files shows it occurred on Feb 19, at 05:05 localtime. How can I find where it came from?

This is why you should send the logs to a remote syslog server. :) The intruder has used some tools for clearing the logs. You will not find a trace of the attacker (my guess only). Have you checked the last logged in users? Probably cleared from the hacker's ID but worth a try. Depending on the hacker's skill you will not get so much more. I've seen scriptkiddies leaving traces like a hurricane and other scriptkiddies that at least knew how to use the tools to cover their trails.

You should consider this system as gone, dead, lost forever. Install an updated version of the system and then restore the vital data from backups taken before the intrusion. And remember one thing. You can't use the same passwords for the users on the restored system. You don't know if the intruder took the shadow file, do you? And I hope that you don't have the same password for root or any other users at any other boxes as the cracked one.

May the penguin help you. :)

Johan Augustsson
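The three modifications Jim lists (an inetd.conf entry that starts a root service, a matching /etc/services line on an unprivileged port, and a root crontab entry running an "init" from a directory other than /sbin) are the kind of indicators a responder checks on copies of the configuration files pulled from the compromised disk. The script below is an added example, not code from this thread; it parses constructed excerpts of those three files (the suspicious lines are the ones quoted in the post, the benign lines and the CANONICAL_PATHS table are assumptions) and reports the entries that match those patterns.

```python
"""Audit inetd.conf, /etc/services and a root crontab for the backdoor-style
entries described in the thread. Added example, not part of the original post."""
from dataclasses import dataclass

# Canonical locations for a few core system binaries. A crontab entry that runs
# a same-named binary from another directory (the thread's /usr/sbin/init vs.
# the real /sbin/init) is flagged. Assumption: this table is illustrative and
# should be generated from a known-good install of the same release.
CANONICAL_PATHS = {
    "init": "/sbin/init",
    "inetd": "/usr/sbin/inetd",
    "syslogd": "/sbin/syslogd",
}

# Constructed excerpts. The smbd2 and /usr/sbin/init lines come from the post;
# the pop-3 and logrotate lines are assumed benign filler.
SAMPLE_SERVICES = """# constructed excerpt of /etc/services
ssh 22/tcp
pop-3 110/tcp
smbd2 54321/tcp # Samba
"""
SAMPLE_INETD = """# constructed excerpt of /etc/inetd.conf
pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d
smbd2 stream tcp nowait root /usr/sbin/in.smb in.smb
"""
SAMPLE_CRON = """# constructed root crontab
*/5 * * * * /usr/sbin/init
0 4 * * * /usr/sbin/logrotate /etc/logrotate.conf
"""


@dataclass
class Finding:
    source: str   # which file the entry came from
    line: str     # the offending entry, verbatim
    reason: str   # why it was flagged


def parse_services(text):
    """Map service name -> (port, proto) from /etc/services syntax, ignoring comments."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2 or "/" not in parts[1]:
            continue
        port, proto = parts[1].split("/", 1)
        table[parts[0]] = (int(port), proto)
    return table


def audit_inetd(inetd_text, services):
    """Flag inetd.conf entries with no /etc/services definition, or that run as
    root on a port >= 1024 (a legitimate privileged daemon rarely needs that)."""
    findings = []
    for raw in inetd_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 6:  # name socktype proto wait user server [args...]
            continue
        name, _socktype, _proto, _wait, user, _server = parts[:6]
        if name not in services:
            findings.append(Finding("inetd.conf", line, "service name not defined in /etc/services"))
            continue
        port, _ = services[name]
        if user == "root" and port >= 1024:
            findings.append(Finding("inetd.conf", line, f"runs as root on unprivileged port {port}"))
    return findings


def audit_crontab(cron_text):
    """Flag crontab entries whose command is a core binary name run from a
    non-canonical path."""
    findings = []
    for raw in cron_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)  # five time fields, then the command
        if len(fields) < 6:
            continue
        exe = fields[5].split()[0]
        base = exe.rsplit("/", 1)[-1]
        canonical = CANONICAL_PATHS.get(base)
        if canonical and exe != canonical:
            findings.append(Finding("crontab", line, f"'{base}' run from {exe}, expected {canonical}"))
    return findings


def run_audit(services_text=SAMPLE_SERVICES, inetd_text=SAMPLE_INETD, cron_text=SAMPLE_CRON):
    """Run both audits over the supplied file contents and return all findings."""
    services = parse_services(services_text)
    return audit_inetd(inetd_text, services) + audit_crontab(cron_text)


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f.source}] {f.reason}: {f.line}")
```

Run it against copies of the files taken from the disk with trusted tools rather than on the live box, since, as Johan points out, nothing on a compromised system, including the binaries that would read these files, can be trusted.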
Current thread:
- RedHat compromise Jim Roland (Feb 19)
- Re: RedHat compromise Michael H. Warfield (Feb 19)
- Re: RedHat compromise Johan.Augustsson (Feb 20)
- Re: RedHat compromise Jim Roland (Feb 20)
- Re: RedHat compromise Jose Nazario (Feb 20)
- Re: RedHat compromise Dave Dittrich (Feb 20)
- Re: RedHat compromise Fabio Pietrosanti (naif) (Feb 21)
- Re: RedHat compromise Andreas Östling (Feb 21)
- Re: RedHat compromise Andreas Östling (Feb 23)
- Re: RedHat compromise Jim Roland (Feb 24)
- <Possible follow-ups>
- Re: RedHat compromise Matteo,Marc A. (Feb 20)
- Re: RedHat compromise Andreas Östling (Feb 20)
- Re: RedHat compromise Jim Roland (Feb 20)
- Re: RedHat compromise Jim Roland (Feb 21)
- Re: RedHat compromise Andreas Östling (Feb 20)
(Thread continues...)