Security Incidents mailing list archives
Re: Machine compromised
From: Jan van Rensburg <jan.van.rensburg () epiuse com>
Date: Tue, 15 Jan 2002 13:24:22 +0200
Hi again,

Thanks to everyone that replied. In fact, so many replied with helpful suggestions that I can't say thanks to everyone individually. To quickly respond to a few questions:

> So why do I get 'Operation not permitted' when I try to do anything to the files?

As the majority of you replied, this is due to ext2's extended attributes. The fix was this:

    # cd /usr/bin
    # lsattr ssh2d
    lsattr 1.12, 9-Jul-98 for EXT2 FS 0.5b, 95/08/09
    s---ia-- ssh2d
    # chattr -i ssh2d
    chattr 1.12, 9-Jul-98 for EXT2 FS 0.5b, 95/08/09
    # lsattr ssh2d
    lsattr 1.12, 9-Jul-98 for EXT2 FS 0.5b, 95/08/09
    s----a-- ssh2d
    # mv ssh2d ssh2d_hack
    mv: cannot move `ssh2d' to `ssh2d_hack': Operation not permitted
    # chattr -a ssh2d
    chattr 1.12, 9-Jul-98 for EXT2 FS 0.5b, 95/08/09
    # mv ssh2d ssh2d_hack
    # ls -la ssh2*
    -rwxr-xr-x 1 root root 205288 Jan 5 14:43 ssh2d_hack

> Considering that I couldn't find any info of how old UW-IMAP-1.5.1 is (e.g. http://freshmeat.net/branches/11037/ lists only some "2000x" and "2001y" versions)

Yes, sorry, I realised my mistake afterwards. It was in fact 2000c. The release 1.5.1 was RedHat's release (as per RPM info).

> Secondly, if your machine is compromised you cannot trust the output of e.g. lsmod.

Yes, I realize this is a problem. Like I said, the server is about 7000 miles from us, so we can't immediately reinstall as we'd like to. However, in the meantime people on that continent really depend on the server to be able to continue doing business. So what I did in the meantime was upgrade everything on the machine, and copied a trusted version of lsof to the machine to try and verify that there are no backdoors. So far it looks ok, but I realize one can't be 100% sure. In any case we're monitoring everything very closely.

> (And you should not scorn the importance of security updates although you have services blocked by firewall!)

Very good point! At this stage I suspect either exim-2.x or ssh-1.2.26 (even though it was host-based firewalled).

I looked at the ssh situation when all the advisories came out last year, but decided the firewall should be enough. I didn't want to be in a position where I upgraded ssh remotely and something went wrong. But yesterday I decided to bite the bullet and do it, and it worked fine.

Thanks again to everyone who responded. And also thanks to Security Focus and The Honeynet Project, who are invaluable resources at times like this.

Regards,
Jan

-----Original Message-----
From: Jan van Rensburg [mailto:jan.van.rensburg () epiuse com]
Sent: 09 January 2002 07:03
To: incidents () securityfocus com
Subject: Machine compromised

Hi,

One of our servers that's literally on the other side of the globe was compromised on Saturday, 5 Jan. I'm not sure how the person got in, but it has to be either exim (early 2.x version), University of Washington IMAP/POP v 1.5.1 or Apache 1.3.9. It could also be that it was through ssh-1.2.26, although this is supposed to be firewall filtered, so I doubt it. The base machine is RedHat-5.2, but a lot has been changed since the original install about 3 years ago. ...
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
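The "Operation not permitted" symptom in the reply above comes from the ext2 immutable (i) and append-only (a) attributes, and the transcript shows that clearing only -i was not enough: mv was still refused until -a was cleared too. The script below is an added example for triaging that situation; it is not code from the post or the list, and its sample lsattr lines and file names are constructed for illustration (the flag layout copies the old e2fsprogs 1.12 output shown in the post; newer lsattr prints a longer flag field but the same "flags, then name" shape, so the parser reads both). It reports every file carrying i or a together with the exact chattr call that clears both flags. Hits still need a human look: an append-only log file is a common legitimate hardening, whereas a flagged binary in /usr/bin is not. chattr needs root, and on a box you do not trust the tooling on, run a known-good lsattr copied in from clean media, for the same reason the post gives for lsmod.

```shell
#!/bin/sh
# Added example, not from the original post. Finds files whose ext2/ext3/ext4
# attributes include i (immutable) or a (append-only), which make rename and
# unlink fail with "Operation not permitted" even as root.

# Constructed sample of lsattr output (old e2fsprogs 1.12 layout from the
# post, plus the version banner that lsattr 1.12 printed). File names are
# illustrative only.
SAMPLE_LSATTR='lsattr 1.12, 9-Jul-98 for EXT2 FS 0.5b, 95/08/09
s---ia-- ssh2d
-------- ls
----i--- sshd
-----a-- messages'

# find_locked_attrs: read lsattr-style lines on stdin. For each file whose
# flag field contains i or a, print "<name> <flags> chattr -<flags> <name>",
# i.e. one chattr call clearing both attributes (the post needed -i and then
# -a before mv succeeded). Skips lsattr -R directory headers ("/usr/bin:",
# no name part), blank lines, and the version banner.
find_locked_attrs() {
    while read -r flags name; do
        [ -n "$name" ] || continue
        case "$flags" in
            *[!A-Za-z-]*) continue ;;  # contains characters no flag field has
            *-*) ;;                    # real flag field: at least one unset slot
            *) continue ;;             # banner such as "lsattr 1.12, ..."
        esac
        clear=""
        case "$flags" in *i*) clear="${clear}i" ;; esac
        case "$flags" in *a*) clear="${clear}a" ;; esac
        [ -n "$clear" ] || continue
        printf '%s %s chattr -%s %s\n' "$name" "$flags" "$clear" "$name"
    done
}

# count_locked: number of flagged files in the lsattr input on stdin.
count_locked() {
    find_locked_attrs | wc -l | tr -d ' '
}

# scan_tree: run against a live filesystem, e.g. scan_tree /usr/bin /sbin.
# Use a trusted lsattr binary on a compromised host; stderr is dropped so
# permission errors and old-style banners do not pollute the parser input.
scan_tree() {
    lsattr -R "$@" 2>/dev/null | find_locked_attrs
}

# Demonstration on the constructed sample: ssh2d, sshd and messages are
# reported; ls (no i/a flags) and the banner line are not.
printf '%s\n' "$SAMPLE_LSATTR" | find_locked_attrs
```

Each output line can be pasted back as-is (the third field onward is the chattr command); after clearing the attributes, quarantine the binary with mv as in the post rather than deleting it, so it is still available for analysis.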
Current thread:
- Machine compromised Jan van Rensburg (Jan 09)
- Re: Machine compromised Gamble (Jan 09)
- Re: Machine compromised Petrus Repo (Jan 09)
- <Possible follow-ups>
- RE: Machine compromised dlaumann (Jan 09)
- Re: Machine compromised Jan van Rensburg (Jan 15)