Security Incidents mailing list archives

Re: Guess this is a hack attempt


From: Alvin Oga <alvin.sec () Maggie Linux-Consulting com>
Date: Sun, 22 Jul 2001 17:39:46 -0700 (PDT)


hi ya gareth

run the rootkit detectors... and see if it finds anything...
        - audit your box... ( tons of free auditing tools )

        http://www.linux-sec.net
                Audit & tracking/forensics sections

                ( search for rootkit ... easier ?? )

if they were successful...you'd see many symptoms:
        - altered log files
        - altered binaries
        - altered config files
        - extra directories
        - extra files
        - extra processes running that you cannot explain
        - slower response than before
        - bounced emails to root/postmaster
        - blah...blah...

all of those are easy to identify before it becomes a problem
with a good IDS... but a properly hardened box will be even better...

        - they were "Testing" your rpc stuff... for old bugs...

        if you do NOT mount this server from other boxes...
        turn nfs off along with hundreds of other unused services/daemons 

== since you have to ask ... how can you tell...
        - the simple answer is install tripwire or aide or other ids
        and it will tell you they got in... ( which is TOOO late )

        - trick:  only install tripwire/aide/ids on a VIRGIN&Patched
        box... don't bother wasting time after it's been online/[h/cr]hacked

have fun
alvin

On Sun, 22 Jul 2001, Gareth Hastings wrote:

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jul 17 07:47:45 somebox rpc.statd[609]: gethostbyname error for ^X?y?^X?y?^Z?y?^Z?y?%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220

How do I know if the attempt succeeded or not? This entry is repeated
about 50 times. I checked the obvious things like hosts.allow/deny
being changed. I checked for suid root files and entries in the
inetd.conf file. Is there anything else I should look for?

k


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
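An added example for this thread (not the posters' code, and not tripwire or aide themselves): a minimal baseline-and-verify integrity check in the spirit of the tripwire/aide advice above, which records hashes and modes on a box believed clean and later reports the symptoms Alvin lists (altered files, extra files, missing files) plus the setuid check Gareth did by hand. A second helper flags syslog lines shaped like the rpc.statd entry in the quoted message, i.e. lines carrying %n-family format directives or a long run of the octal-escaped 0x90 bytes. Every path, file content and log line below is constructed for the demonstration; only the rpc.statd message text and the host/process names are modeled on the thread.

```python
"""Baseline-and-verify integrity check plus a syslog heuristic.

Added example for this thread, not the posters' code and not tripwire or
aide themselves. snapshot() records sha256, mode and size for every
regular file under a directory; compare() diffs two snapshots into the
symptom categories named in the thread. suspicious_syslog_line() flags
lines that look like the rpc.statd entry Gareth posted. All paths,
contents and log lines here are constructed for the demo.
"""
import hashlib
import os
import re
import stat
import tempfile
from pathlib import Path


def snapshot(root):
    """Return {relative path: {"sha256", "mode", "size"}} for regular files under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are out of scope here
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(path, root)] = {
                "sha256": digest.hexdigest(), "mode": st.st_mode, "size": st.st_size}
    return manifest


def compare(baseline, current):
    """Diff two manifests into the symptom categories from the thread."""
    report = {"altered": [], "added": [], "removed": [], "setuid_changed": []}
    for rel, meta in current.items():
        base = baseline.get(rel)
        if base is None:
            report["added"].append(rel)
            continue
        if base["sha256"] != meta["sha256"] or base["mode"] != meta["mode"]:
            report["altered"].append(rel)
        if bool(base["mode"] & stat.S_ISUID) != bool(meta["mode"] & stat.S_ISUID):
            report["setuid_changed"].append(rel)  # the suid check Gareth did by hand
    report["removed"] = [rel for rel in baseline if rel not in current]
    return {k: sorted(v) for k, v in report.items()}


# %n-family directives write to memory; no real hostname contains them.
FORMAT_WRITE = re.compile(r"%\d*\$?h{0,2}n")
# syslog prints unprintable bytes as octal escapes; \220 is 0x90, and a long
# run of it is the NOP sled visible in the quoted log entry.
NOP_RUN = re.compile(r"(?:\\220){8,}")


def suspicious_syslog_line(line):
    """True when a line carries format-string write directives or a NOP-sled run."""
    return bool(FORMAT_WRITE.search(line) or NOP_RUN.search(line))


# Constructed log lines: a benign statd lookup failure, one shaped like the
# thread's entry (shortened), and an unrelated sshd line.
SAMPLE_LOG = [
    "Jul 17 07:47:45 somebox rpc.statd[609]: gethostbyname error for host.example",
    "Jul 17 07:47:45 somebox rpc.statd[609]: gethostbyname error for "
    "%8x%8x%8x%62716x%hn%51859x%hn" + "\\220" * 12,
    "Jul 17 08:01:02 somebox sshd[700]: Accepted publickey for gareth from 192.0.2.10",
]


def flag_lines(lines):
    """Return only the lines the heuristic considers suspicious."""
    return [line for line in lines if suspicious_syslog_line(line)]


def demo():
    """Build a tiny tree, baseline it, simulate the symptoms, re-check."""
    with tempfile.TemporaryDirectory() as root:
        etc = Path(root, "etc")
        etc.mkdir()
        (etc / "hosts.allow").write_text("ALL: 192.0.2.0/24\n")
        Path(root, "sh").write_bytes(b"#!/bin/sh\necho ok\n")
        baseline = snapshot(root)
        # simulated tampering: edited config, setuid added to a binary, an extra file
        (etc / "hosts.allow").write_text("ALL: ALL\n")
        os.chmod(Path(root, "sh"), 0o4755)  # assumes a POSIX host so the bit takes effect
        Path(root, "tmp.x").write_text("x")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for line in flag_lines(SAMPLE_LOG):
        print("suspicious:", line[:80])
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

The point Alvin makes about a "VIRGIN&Patched" box is what makes snapshot() useful at all: the manifest is only evidence if it was taken before the host was exposed, so in practice it is stored off the host (read-only media or another machine), and the checker binary itself is run from trusted media. The log heuristic is deliberately narrow: it keys on write directives and escaped 0x90 runs, not on the gethostbyname message, so the benign first sample line passes while the second does not.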

