Re: SSH Attempts: Link to RedHat?

[jon schatz <jon () divisionbyzero com>]

On Mon, 2001-12-17 at 15:50, Gregg Sperling wrote:
> Surprisingly, I have had several pleasant exchanges with the individual who 
> runs the server.  He has offered to allow me access
> into his server with root access. 

you're kidding me. 

> Besides checking the standard /var/log/messages log, are there any 
> suggestions as to where I should check for possible breaches
> in this individual's system?

i'd check the integrity of the installed rpms:

        [jon@devotchka jon]$ for i in `rpm -qa`; do rpm -V $i; done

i'd also look for recent additions in /dev (which seems to be the
directory of choice for rootkits):

        [jon@devotchka /dev]$ ls -tla|more

in fact, you could check file mod times on the whole system to be
totally sure. 

i'd also check what ports were open on the local machine, who was
currently connected, and what actual processes were responsible for
those ports:

        [jon@devotchka /dev]$ netstat -na --inet
        [jon@devotchka /dev]$ lsof |grep LISTEN

now the bigger problem is that someone who admins a public linux box
would offer root access to a (basically) complete stranger from the
interweb. you stated that he had ftp + telnet open (amongst others). RH
hasn't enabled telnet by default in a while (i believe ssh has been the
default since 7.0). So we're most likely looking at a box running
outdated software run by an inexperienced admin. not a particularly hard
target from a script kiddie pov. then again, maybe you'll find the
fabled openssh2 remote exploit...

hope this helps.

-jon
 
-- 
jon () divisionbyzero com || www.divisionbyzero.com
gpg key: www.divisionbyzero.com/pubkey.asc
think i have a virus?: www.divisionbyzero.com/pgp.html
"You are in a twisty little maze of Sendmail rules, all confusing."

Attachment: _bin
Description: