Security Incidents mailing list archives

Re: RH6 boxes cracked

From: "Osvaldo J. Filho" <ojaneri () UOL COM BR>
Date: Thu, 4 Jan 2001 18:07:51 -0500

On Wed, 3 Jan 2001, D. Scott Barninger wrote:

Hello,

I am still trying to determine all that has been done but here is what I
know at the moment. If anyone has seen similar attacks please let me
know what to look for. For starters there appears to be a trojanized su
binary installed. When calling su there is a delay of approximately 6-8
seconds after entering the root password before a shell prompt is
returned. A log message indicates that "call_pam_xauth" successfully
forked a child (returned 1). At that point a check on the /dev directory
shows most everything has altered user/group and/or permissions. The tty
from which the su command was issued is now owned by my user rather than
root as well as /dev/hdb. /dev/tty* is now writeable by group etc.
Reinstalling the dev and sh-utils packages corrects things until the
next time su is run. The same is true on 2 other boxes from which I
typically rlogin over the internal network (primary box is a MASQ
gateway). About 2 days prior to discovering this I got port-scanned and
logged rejected packets on a netbios port (I did have netbios service
exposed for remote connections).

Any insights would be greatly appreciated.

Scott

This kind of attack is basically a common one. Looks like the attacker
scanned a large block of IPs looking for something vulnerable, and then
some hours laters (or days) it exploited the machines that had a flaw
(unfortunately yours were one of these) and installed a root kit to keep
access for him.

Try a
# rpm --verify -a

to check on your RPM database all files that were changed. You will have a
good look on whats missing/changed. Check the RPM manual to see what the
output means (SUM/Date/Size/etc altered, missing, etc)

Try installing lsof (if installed, install from a secure source) and
checking all binded ports, may be a DDoS Agent running or a Bind Shell.
# lsof -i tcp
# lsof -i udp

Any further help, please contact me at email.

---
Osvaldo J. Filho
Unix Security Specialist
ojaneri () proteus com br

Proteus Security Systems
http://www.proteus.com.br / http://www.proteus-sec.com
---

Current thread:

RH6 boxes cracked D. Scott Barninger (Jan 03)
- Re: RH6 boxes cracked Osvaldo J. Filho (Jan 03)
- <Possible follow-ups>
- Re: RH6 boxes cracked Tansey, Don (Jan 03)