Hi.
I just got some services (mysql, postfix, cvs...) shut down, took a look at /tmp, and found a miro.tgz and a "miro" executable.
On the executable you can read:
.-= Backdoor made by Mironov =-. .-= Running =-.
I don't know how much this attack may have compromised the system.
Under /var/log/ there are no clues on how they may have entered, /var/log/messages has been deleted.
Directories like /tmp or /var have changed permissions since the attack to 700.
Now ssh works really slow unless connected to the Internet, and I feel very uncomfortable about connecting this server again to the Internet.
The system is a SuSE 8.1, I had it a little forgotten lately, though.
Does anybody know anything about how they may have entered the system and how can I arrange it? I'm seriously thinking about installing a SuSE 9.0, but want to know what happened before doing anything.
Thanks in advance.
Manuel Balderrábano wrote:
Does anybody know anything about how they may have entered the system and how can I arrange it? I'm seriously thinking about installing a SuSE 9.0, but want to know what happened before doing anything.
Then poweroff (no shutdown) the box, 'dd' the hard disk somewhere, install a new 9.0 and copy the data to the new installation.
-- Have fun, Peter
Hi again.
I just re-installed a SuSE 8.1 and included all patches and updates available, I will now re-install all old services and their contents one by one; I hope nothing else than the system was compromised!
I guess my mistake was not having all patches applied, but my serious doubt is: I had a 2.4.23 kernel, so how could the intruder become root after the breakthrough? It is supposed to be the last 2.4 kernel available, could he have used another exploit?
Thanks to all for the interest.
On Wednesday, 7 January 2004 12:32, Manuel Balderrábano wrote:
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
-- Manuel Balderrábano, e-mail: garibolo@wanadoo.es
Manuel Balderrábano wrote:
I guess my mistake was not having all patches applied, but my serious doubt is: I had a 2.4.23 kernel, so how could the intruder become root after the breakthrough? It is supposed to be the last 2.4 kernel available, could he have used another exploit?
Just because you were running a recent kernel doesn't mean patches for exposed services (apache, mysql, etc) aren't necessary. I would be cautious about transferring any binaries from the old server to the new installation and you might want to reset all old user passwords. It would probably be a good idea to use a package like aide or tripwire regularly and send all critical logs to an external box which alerts you (via email, pager, whatever) of any weird events.
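As an added illustration of the baseline-and-compare idea behind aide/tripwire that Avtar recommends, and of catching the kind of permission drift Manuel saw on /tmp: a constructed shell sketch (not code from anyone in this thread) that assumes GNU coreutils (stat -c, sha256sum). The baseline belongs on removable or remote storage, since a local copy can be edited by the same intruder who wiped /var/log/messages.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal file-integrity baseline in the
# spirit of aide/tripwire. It records the mode of every directory and the mode
# plus SHA-256 of every regular file under a tree, then reports drift against
# a stored baseline. Assumes GNU coreutils (stat -c, sha256sum).

# snapshot DIR: one line per path, "MODE HASH PATH" (HASH is the word DIR for directories)
snapshot() {
    find "$1" \( -type d -o -type f \) -print | sort | while IFS= read -r p; do
        if [ -d "$p" ]; then
            printf '%s DIR %s\n' "$(stat -c %a "$p")" "$p"
        else
            printf '%s %s %s\n' "$(stat -c %a "$p")" \
                "$(sha256sum "$p" | cut -d' ' -f1)" "$p"
        fi
    done
}

# check_baseline BASELINE DIR: returns 0 if nothing changed, 1 plus a report otherwise
check_baseline() {
    base=$1; dir=$2
    cur=$(mktemp)
    snapshot "$dir" > "$cur"
    rc=0
    if ! diff "$base" "$cur" > /dev/null; then
        rc=1
        # lines only in the baseline were removed or changed; lines only in the
        # current snapshot were added or changed (mode or content)
        diff "$base" "$cur" | sed -n 's/^< /BASELINE ONLY: /p; s/^> /NOW: /p'
    fi
    rm -f "$cur"
    return $rc
}

# Usage (hypothetical paths): snapshot /usr/bin > /mnt/usb/baseline.txt
# and later, from a known-good boot: check_baseline /mnt/usb/baseline.txt /usr/bin
```

Directories such as /tmp that should stay 1777 show up as a "NOW: 700 DIR /tmp" line the moment their mode changes, which is exactly the symptom described earlier in this thread.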
On Wed, 7 Jan 2004, Manuel Balderrábano wrote:
Hi again. I just re-installed a SuSE 8.1 and included all patches and updates available, I will now re-install all old services and their contents one by one; I hope nothing else than the system was compromised!
I guess my mistake was not having all patches applied, but my serious doubt is: I had a 2.4.23 kernel, so how could the intruder become root after the breakthrough? It is supposed to be the last 2.4 kernel available, could he have used another exploit?
Thanks to all for the interest.
It's unlikely that the kernel was exploited. proftpd recently had a well published root exploit that lots of people were victimized by. If you're going to run a server, you must understand that the server will be a target almost from the moment it's exposed to the internet.
1) Do not run services you don't need
2) Do not allow root to login remotely
3) Do not give accounts to anyone unless you trust them
4) Do run tripwire and a rootkit detector
5) DO use a firewall
6) DO follow the advice of the bearded, belted and supendered gurus here
-- -linux_lad
-- -linux_lad ICQ 115601915 pub key on request
On Wed, 2004-01-07 at 12:49, -linux_lad wrote:
It's unlikely that the kernel was exploited. proftpd recently had a well published root exploit that lots of people were victimized by. If you're going to run a server, you must understand that the server will be a target almost from the moment it's exposed to the internet.
1) Do not run services you don't need
2) Do not allow root to login remotely
3) Do not give accounts to anyone unless you trust them
4) Do run tripwire and a rootkit detector
5) DO use a firewall
6) DO follow the advice of the bearded, belted and supendered gurus here
suspendered (as in holding up pants)?
-- Ken Schneider unix user since 1989 linux user since 1994 SuSE user since 1998 (5.2)