Security Incidents mailing list archives

Re: RedHat compromise


From: "Michael H. Warfield" <mhw () WITTSEND COM>
Date: Mon, 19 Feb 2001 23:51:33 -0500

On Mon, Feb 19, 2001 at 03:43:47PM -0600, Jim Roland wrote:
> I have a customer who had one RH61 system compromised.

        RedHat 6.1?  Was it kept up to date?  That was one of the
network OSs from hell.  It had numerous security advisories including
pop3 and imap and dns and various ftp and a host of others.

> Symptoms:
> Unable to telnet to the box nor acquire a POP3 connection (drops
> connection) from outside.  You can telnet to the box from the
> locally attached subnet w/o problem.

        You should NOT be using telnet.  If you have entered any user
ids and passwords you can now consider them his.

> Known files modified:
>     /etc/inetd.conf:  Line added "smbd2    stream    tcp    nowait    root    /usr/sbin/in.smb    in.smb"
>     /etc/services:    Line added "smbd2    54321/tcp    # Samba"

        Ouch!  Backdoor.

>     crontab table for root:  executes /usr/sbin/init every 5 minutes
>         (the init program resides on /sbin/init and was untouched)

        Strange...  That one makes no sense to me.

> No Samba/SMB services were installed on this system by me and its NAMED
> server (bind) was current as per RedHat.  From the remote network,
> I am able to telnet to port 54321 and get a telnet prompt on the
> box.  Further investigation shows that all TCP connections are denied.

        Probably trapped to trigger on specific IP addresses and/or ports
and/or login id and password.  You might find out more from that in.smb
file, but you need to use a trusted Linux base to save it off first.

> No IP addresses are reflected in /var/log/messages nor /var/log/secure,
> and I am unable to determine from where the attack came, but the
> date/time stamp on the files shows it occurred on Feb 19, at
> 05:05 localtime.  How can I find where it came from?

        You've been rooted to the core.  I wouldn't be surprised to
discover stealth kernel modules hiding backdoor and rootkit processes.

        If you can, you need to get the latest bootable CD-ROM and boot
the system off that and dump all the partitions to tape or some other
storage for forensic analysis.  Then reinstall.  I can't see any hope
of recovering a system that's that far out of date and compromised to
the level that this one has been.  Just get the data off and rebuild it
and save yourself a lot of grief.

> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Jim Roland, RHCE (RedHat Certified Engineer)
> Owner, Roland Internet Services
>     "Never settle with words what you can settle with a flamethrower"
>           -- Anonymous
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

        Mike
--
 Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
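Added here as a worked example, not code from either poster: a small Python triage check for the inetd.conf/services pattern Jim reports (a service name added to /etc/services on a high port, launching a non-wrapped binary as root). The sample files and the server-binary allowlist are constructed assumptions; on a real box it belongs in the offline analysis Mike describes, run over file copies taken from trusted media.

```python
# Constructed samples mirroring the thread: a normal RH 6.x inetd layout
# plus the two lines the attacker added. Allowlist is an assumption.
TRUSTED_SERVERS = {"/usr/sbin/tcpd", "/usr/sbin/in.ftpd", "/usr/sbin/in.telnetd"}
SAMPLE_SERVICES = """\
ftp       21/tcp
telnet    23/tcp
pop-3     110/tcp
smbd2     54321/tcp    # Samba
"""
SAMPLE_INETD = """\
# <service> <socket> <proto> <flags> <user> <server> <args>
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd    in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd    in.telnetd
pop-3   stream  tcp  nowait  root  /usr/sbin/tcpd    ipop3d
smbd2   stream  tcp  nowait  root  /usr/sbin/in.smb  in.smb
"""

def parse_services(text):
    """Map (service, proto) -> port from /etc/services text; comments ignored."""
    ports = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, port_proto = line.split()[:2]
        port, proto = port_proto.split("/", 1)
        ports[(name, proto)] = int(port)
    return ports

def audit_inetd(inetd_text, services_text, trusted=TRUSTED_SERVERS):
    """Return [(service, reason), ...] for inetd.conf entries that need a look:
    unregistered service name, root service on a port >= 1024, or a server
    binary outside the allowlist (the thread's smbd2 line trips the last two)."""
    ports = parse_services(services_text)
    findings = []
    for line in inetd_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 6:
            continue  # blank, comment or malformed line
        service, _sock, proto, _flags, user, server = fields[:6]
        port = ports.get((service, proto))
        if port is None:
            findings.append((service, "no /etc/services entry"))
        elif user == "root" and port >= 1024:
            findings.append((service, "root service on high port %d" % port))
        if server not in trusted:
            findings.append((service, "server %s not in allowlist" % server))
    return findings
```

Calling audit_inetd(SAMPLE_INETD, SAMPLE_SERVICES) flags only the smbd2 line, once for the root service on 54321/tcp and once for /usr/sbin/in.smb being outside the allowlist.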