Security Incidents mailing list archives

Re: RH6.1/IPChains box hacked


From: mtinberg () MADISON TEC WI US (Mark Tinberg)
Date: Mon, 24 Apr 2000 11:22:51 -0500


It looks like a copy of your RPM database.  Possibly the cracker edited and rebuilt your RPM database to hide his/her
tracks.  Try running a 'rpm --verify --all' and comparing the output to 'rpm --verify
/path/to/cdrom/RPMS/packagename.rpm' or 'rpm --verify ftp://ftp.redhat.com/path/to/RPMS/packagename.rpm' (using a
known, trusted copy of the RPM executable, of course.)  This will compare checksums from the RPM database and then from
the actual package files you have installed; they should match (you should be able to trust that your CDROM or
ftp.redhat.com is OK.)  If not, then not only are your executables trojaned/backdoored/etc., but your RPM database is
suspect as well.  It is probably a good idea to always verify off trusted media as opposed to trusting that the RPM
database hasn't been altered.
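An added example (not from either poster) of how to triage the two verify runs described above: it classifies 'rpm --verify' output lines, counts the ones where a non-config file's content changed, and wraps the database run and the trusted-media run so they can be compared. The sample lines, the /tmp output paths and the /mnt/cdrom-style package directory are constructed assumptions, and the line format it parses (8 attribute characters, optional file-type letter, path) is the usual one, not copied from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed 'rpm --verify' line format:
# 8 attribute chars (S=size M=mode 5=MD5 D=dev L=link U=user G=group T=mtime,
# '.'=unchanged), optional type letter (c=config d=doc), path; or 'missing PATH'.

# classify_verify_line "LINE": prints MISSING, SUSPECT, CONFIG_CHANGED, MINOR or OK.
classify_verify_line() {
    set -- $1                          # split into: attrs [type] path
    attrs=$1
    [ "$attrs" = missing ] && { echo MISSING; return 0; }
    shift
    ftype=""
    case $1 in
        c|d|g|l|r) ftype=$1; shift ;;  # file-type column, when present
    esac
    case $attrs in
        *5*|*S*|*M*|*L*)               # content, size, mode or link target differ
            if [ "$ftype" = c ]; then echo CONFIG_CHANGED; else echo SUSPECT; fi ;;
        *[TUG]*) echo MINOR ;;         # only timestamps or ownership differ
        *) echo OK ;;
    esac
}

# count_suspect: reads verify output on stdin, prints the number of SUSPECT lines
# (binaries/libraries whose MD5, size, mode or link target no longer match).
count_suspect() {
    n=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        [ "$(classify_verify_line "$line")" = SUSPECT ] && n=$((n + 1))
    done
    echo "$n"
}

# verify_against_trusted_media TRUSTED_RPM_BIN RPMS_DIR: the database run looks
# clean if the database itself was rebuilt, so the -p run against the original
# package files (CDROM or a trusted mirror) is the one to believe.
verify_against_trusted_media() {
    trusted_rpm=$1; rpms_dir=$2
    "$trusted_rpm" --verify --all > /tmp/verify-db.txt 2>&1
    "$trusted_rpm" --verify -p "$rpms_dir"/*.rpm > /tmp/verify-media.txt 2>&1
    echo "database run: $(count_suspect < /tmp/verify-db.txt) suspect file(s)"
    echo "media run:    $(count_suspect < /tmp/verify-media.txt) suspect file(s)"
}

# Constructed sample output (not from the poster's box) for an offline dry run:
SAMPLE='S.5....T    /bin/ls
.......T    /usr/bin/vi
S.5....T  c /etc/inetd.conf
missing     /sbin/ifconfig'
```

Run `printf '%s\n' "$SAMPLE" | count_suspect` to see the dry run report one suspect file (/bin/ls); on a real box, call `verify_against_trusted_media /mnt/cdrom/bin/rpm /mnt/cdrom/RedHat/RPMS` with your own trusted paths.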

"J. J. Horner" <jhorner () KNOXLUG ORG> 04/21/00 16:22 PM >>>
FYI:

I was hacked last week through Bind 8.2.2_P3.  If anyone can look at my
logs and tell me some thoughts it would be good.  The intruder erased all
of the logs (/var/log/messages*) on my box, but didn't notice or didn't
check to see that all logging was duplicated to another machine (*.*
@JJ1) in /etc/syslog.conf.

Here is what I have at the time around the hack.

I also have some files in my /var/lib/anaconda-rebuilddb955643425/
directory:

[jhorner@gateway anaconda-rebuilddb955643425]$ ls -la
total 204
drwxr-xr-x    2 root     root         4096 Apr 13 16:30 .
drwxr-xr-x   17 root     root         4096 Apr 13 16:30 ..
-rw-r--r--    1 root     root            0 Apr 13 16:30 conflictsindex.rpm
-rw-r--r--    1 root     root        16384 Apr 13 16:31 groupindex.rpm
-rw-r--r--    1 root     root        24576 Apr 13 16:31 nameindex.rpm
-rw-r--r--    1 root     root        40960 Apr 3 16:31 providesindex.rpm
-rw-r--r--    1 root     root        98304 Apr 13 16:31 requiredby.rpm
-rw-r--r--    1 root     root        16384 Apr 13 16:31 triggerindex.rpm

None of these are real RPMs, so I don't know what to do with them.

Any ideas?
