-----Original Message----- From: Togan Muftuoglu [mailto:toganm@turk.net] Sent: Saturday, 10 February 2001 11:55 To: suse-security@suse.com Subject: Re: [suse-security] server-check
On Sat, Feb 10, 2001 at 11:14:17AM +0100, Raffy wrote: Hey,
Port State Service
22/tcp open ssh
25/tcp open smtp
37/tcp open time
Are you sure you need this??? I am using ssh and smtp. Then you should close down "time" to the local network
12345/tcp open NetBus
12346/tcp open NetBus
31337/tcp open Elite
Nice. As reported earlier on this list. Unplug your machine from the net. Very possible you were hacked!!!!
Now I need more than aspirin
Check what is running behind 12345 with lsof and netstat!!!
nothing
I did
fuser -n 12345
fuser -n 12346
netstat -aenp
There is nothing running for these or am I running these command wrong
No, it's just your binaries are swapped with those from the root-kit, and these hide themselves... Get those binaries from a safe machine (better CD-ROM) into a temporary directory (for forensic analysis, do not overwrite any binaries nor reboot the machine!), and try it again with those safe binaries. You may also do an "rpm --verify -a > /tmp/some/file" to check the md5-hashes of all installed packages, to see if and which binaries on your system have been replaced by the attacker's root-kit. Regards, Thomas
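A triage helper for the "rpm --verify -a > /tmp/some/file" step above, added here as an example and not written by anyone in the thread: it reads a verify report and lists package-owned files in system binary directories whose digest no longer matches the RPM database, skipping config files. The sample report lines and the directory list are constructed assumptions; on a suspect host the report itself must come from rpm binaries taken from a clean medium, as Thomas notes.

```shell
#!/bin/sh
# Triage an "rpm --verify -a" report (constructed sample below, not real
# output from the compromised machine in this thread).
# Each report line is: <attribute string> [type marker] <path>
# where a "5" in the attribute string means the file digest differs
# from the one recorded in the RPM database, and a type marker "c"
# marks a config file, which changes legitimately.

SAMPLE_REPORT='S.5....T    /bin/ls
S.5....T    /bin/netstat
.M......    /usr/bin/passwd
S.5....T  c /etc/ssh/sshd_config
........    /usr/sbin/lsof
SM5....T    /usr/bin/ps'

# flag_replaced_binaries REPORT
# Prints one path per line for entries that carry the "5" attribute,
# are not config files, and live in a system binary or library
# directory (the directory list is an assumption for this example).
flag_replaced_binaries() {
    printf '%s\n' "$1" | awk '
        {
            attrs = $1
            # Older rpm emits 8 attribute chars, newer 9; splitting on
            # fields handles both. A type marker (c, d, g, l, r) may sit
            # between the attributes and the path.
            if (NF == 3) { type = $2; path = $3 } else { type = ""; path = $2 }
            if (type == "c") next                    # config file: expected to change
            if (index(attrs, "5") == 0) next         # digest unchanged
            if (path ~ /^\/(bin|sbin|usr\/bin|usr\/sbin|lib|usr\/lib)\//) print path
        }'
}

# count_replaced_binaries REPORT
# Number of flagged paths, for use as a quick pass/fail in scripts.
count_replaced_binaries() {
    flag_replaced_binaries "$1" | wc -l | tr -d ' '
}

# Run against the constructed sample: prints /bin/ls, /bin/netstat, /usr/bin/ps
flag_replaced_binaries "$SAMPLE_REPORT"
```

A digest mismatch on ls, netstat or ps is exactly the pattern that would explain the empty fuser/netstat results above, since those are the tools a root-kit replaces to hide its listeners.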
Thomas Lamy wrote:
No, it's just your binaries are swapped with those from the root-kit, and these hide themselves... Get those binaries from a safe machine (better CD-ROM) into a temporary directory (for forensic analysis, do not overwrite any binaries nor reboot the machine!), and try it again with those safe binaries. You may also do an "rpm --verify -a > /tmp/some/file" to check the md5-hashes of all installed packages, to see if and which binaries on your system have been replaced by the attacker's root-kit.
(SH...T) Ok, can I run these tools from my laptop connected to the f....ed machine via ethernet? (I can use the live CD, so those binaries on the laptop machine will not have the possibility to be hacked.)
Regards, Thomas
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
-- Togan Muftuoglu
On Sat, 10 Feb 2001, Togan Muftuoglu wrote:
Thomas Lamy wrote:
No, it's just your binaries are swapped with those from the root-kit, and these hide themselves... Get those binaries from a safe machine (better CD-ROM) into a temporary directory (for forensic analysis, do not overwrite any binaries nor reboot the machine!), and try it again with those safe binaries. You may also do an "rpm --verify -a > /tmp/some/file" to check the md5-hashes of all installed packages, to see if and which binaries on your system have been replaced by the attacker's root-kit.
(SH...T)
Ok, can I run these tools from my laptop connected to the f....ed machine via ethernet? (I can use the live CD, so those binaries on the laptop machine will not have the possibility to be hacked.)
On this point I'm curious. Could a 'root kit' propagate itself to uninfected hosts on a LAN after it infects the initial victim host? Protection inside a LAN is commonly lax, especially with everyone relying on firewalls to protect them. Are viruses like those seen in MSWorld the next thing? All along I've been smug telling my Windows using friends that I don't have these virus problems because Unix/Linux has access control. How long til that dish of crow gets served up? best regards, Gerard Bras
Hello Gerard Bras! On Sat, Feb 10, 2001 at 07:56:24PM +0100, Gerard Bras wrote:
On this point I'm curious. Could a 'root kit' propagate itself to uninfected hosts on a LAN after it infects the initial victim host? Protection inside a LAN is commonly lax, especially with everyone relying on firewalls to protect them.
That is an old story: Attack the other machines on the LAN by the same means which led to the compromise of the initial victim. The probability is high that they are running the same vulnerable software version. (BTW, this kind of program or set of programs is called a worm.)
Are viruses like those seen in MSWorld the next thing? All along I've been smug telling my Windows using friends that I don't have these virus problems because Unix/Linux has access control.
The Unix access control mechanisms cannot prevent virus infection. An infected program can infect any other binary the user running the infected program has write-access to. So all you have to do is wait for root to come along... Regards Johannes
On Sat, 10 Feb 2001, Johannes Geiger wrote:
Hello Gerard Bras!
On Sat, Feb 10, 2001 at 07:56:24PM +0100, Gerard Bras wrote:
On this point I'm curious. Could a 'root kit' propagate itself to uninfected hosts on a LAN after it infects the initial victim host? Protection inside a LAN is commonly lax, especially with everyone relying on firewalls to protect them.
That is an old story: Attack the other machines on the LAN by the same means which led to the compromise of the initial victim. The probability is high that they are running the same vulnerable software version. (BTW, this kind of program or set of programs is called a worm.)
Are viruses like those seen in MSWorld the next thing? All along I've been smug telling my Windows using friends that I don't have these virus problems because Unix/Linux has access control.
The Unix access control mechanisms cannot prevent virus infection. An infected program can infect any other binary the user running the infected program has write-access to. So all you have to do is wait for root to come along... Who should never execute binaries from users. Additionally there is the file-flag mechanism in BSD or Linux which even forbids root-processes to modify /bin /usr/bin etc. if set properly. The UNIX fs is a quite good wall for viruses, but the best is that in every unix system things are different. :)
bye, Sebastian
Regards
Johannes