Security Incidents mailing list archives
Re: RH6 boxes cracked
From: "Osvaldo J. Filho" <ojaneri () UOL COM BR>
Date: Thu, 4 Jan 2001 18:07:51 -0500
On Wed, 3 Jan 2001, D. Scott Barninger wrote:
Hello, I am still trying to determine all that has been done but here is what I know at the moment. If anyone has seen similar attacks please let me know what to look for.

For starters there appears to be a trojanized su binary installed. When calling su there is a delay of approximately 6-8 seconds after entering the root password before a shell prompt is returned. A log message indicates that "call_pam_xauth" successfully forked a child (returned 1). At that point a check on the /dev directory shows most everything has altered user/group and/or permissions. The tty from which the su command was issued is now owned by my user rather than root, as well as /dev/hdb. /dev/tty* is now writeable by group, etc. Reinstalling the dev and sh-utils packages corrects things until the next time su is run.

The same is true on 2 other boxes from which I typically rlogin over the internal network (primary box is a MASQ gateway). About 2 days prior to discovering this I got port-scanned and logged rejected packets on a netbios port (I did have netbios service exposed for remote connections).

Any insights would be greatly appreciated.

Scott
This kind of attack is basically a common one. It looks like the attacker scanned a large block of IPs looking for something vulnerable, and then some hours (or days) later exploited the machines that had a flaw (unfortunately yours were among these) and installed a root kit to keep access for himself.

Try a

# rpm --verify -a

to check, against your RPM database, all files that were changed. You will get a good look at what's missing/changed. Check the RPM manual to see what the output means (sum/date/size/etc. altered, missing, etc.).

Try installing lsof (if already installed, reinstall from a secure source) and checking all bound ports; there may be a DDoS agent running or a bind shell:

# lsof -i tcp
# lsof -i udp

For any further help, please contact me by email.

---
Osvaldo J. Filho
Unix Security Specialist
ojaneri () proteus com br
Proteus Security Systems
http://www.proteus.com.br / http://www.proteus-sec.com
---
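The rpm --verify output Osvaldo points at is terse, so here is a small decoder for it, added by the editor and not part of this thread: it reads the flag columns, names the attributes that failed, and ranks each line against the symptoms Scott describes (replaced su binary, /dev nodes with changed owner/group/mode). The sample output is constructed, not a capture from Scott's boxes, and the check assumes rpm's own binary and database have not been tampered with, which on a rootkitted host may not hold.

```python
import re
from dataclasses import dataclass

# Constructed sample of `rpm --verify -a` output (not a real capture), shaped
# like the thread's symptoms: a replaced su binary and /dev nodes whose
# owner/group/mode changed. Format: 8-9 flag chars, optional type char, path.
SAMPLE_RPM_VERIFY = """\
S.5....T   /bin/su
.M..UG..   /dev/tty1
.M......   /dev/tty2
....U...   /dev/hdb
S.5....T c /etc/passwd
missing    /usr/bin/top
"""

# Attribute letters as documented in rpm(8); '.' passed, '?' could not be tested.
FLAG_MEANING = {"S": "size", "M": "mode", "5": "digest", "D": "device",
                "L": "symlink", "U": "user", "G": "group", "T": "mtime",
                "P": "capabilities"}
LINE_RE = re.compile(r"^([SM5DLUGTP.?]{8,9})\s+(?:([cdglr])\s+)?(/\S+)$")
BINARY_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib/", "/usr/lib/")

@dataclass
class Finding:
    path: str
    changed: list
    verdict: str

def classify(path, changed, is_config):
    """Rank a verify line by how well it matches a rootkit installation."""
    if "missing" in changed:
        return "packaged file missing"
    if path.startswith(BINARY_DIRS) and {"size", "digest"} & set(changed) and not is_config:
        return "packaged binary content changed: possible trojan"
    if path.startswith("/dev/") and {"mode", "user", "group"} & set(changed):
        return "device node ownership/permissions altered"
    if is_config:
        return "config file edited (often benign; review)"
    return "attributes differ; review"

def parse_rpm_verify(text):
    """Decode each rpm --verify line into the attributes that failed."""
    findings = []
    for line in text.splitlines():
        if line.startswith("missing"):           # "missing   [c] /path"
            path = line.split()[-1]
            findings.append(Finding(path, ["missing"], classify(path, ["missing"], False)))
            continue
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue                             # blank or unrecognised line
        flags, ftype, path = m.groups()
        changed = [FLAG_MEANING[c] for c in flags if c in FLAG_MEANING]
        findings.append(Finding(path, changed, classify(path, changed, ftype == "c")))
    return findings

if __name__ == "__main__":
    for f in parse_rpm_verify(SAMPLE_RPM_VERIFY):
        print(f"{f.path:20} {','.join(f.changed):20} {f.verdict}")
```

Feed it real output with `rpm -Va | python3 decode.py` style piping once adapted; lines reporting only an mtime change on a config file are usually noise, while size or digest changes on anything under /bin or /sbin deserve a reinstall from trusted media.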