Mailinglist Archive: opensuse-security (64 mails)

["Martin P. Peikert" <mp@xxxxxxxxxxxxxxxxxxxxxx>]

First, unplug the network cable and make a backup of the whole system to
study the intrusion. Second, install the system from CD.

To study the intruder, check /var/log/messages, the command 'last',
/var/log/maillog,/var/log/secure, /var/log/warn, etc. 

Install tcpwrappers. Install nessus, saint or some tools like that to
check the security of your network. Create a MD5 checksum of your files
(daily) and compare this to the one of the day before. 

Read "Know your enemy" (http://www.enteract.com/~lspitz/enemy.html) and
other security related papers. Send an e-mail message to
LISTSERV@xxxxxxxxxxxxxxxxx with a message body of:
  SUBSCRIBE BUGTRAQ Lastname, Firstname
to subscribe to bugtraq, a security mailing list. (BugTraq is a full
disclosure moderated mailing list for the *detailed* discussion and
announcement of computer security vulnerabilities: what they are, how to
exploit them, and how to fix them.)  

Send an email to or call the administrator of that network where the
intruder came from. Maybe this system is cracked, too.

--
Martin Peikert
Technical University Berlin
mp@xxxxxxxxxxxxxxxxxxxxxx

On Mon, 26 Jul 1999, Josef Frohn wrote:

> Dear all,
> 
> I am using Suse5.2 with the according security-patches from the Suse server.
> 
> We have a valid IP, which means that our server is accessible from the Internet.
> 
> The server acts as a gateway for a small company network. 
> 
> Now it looks as if our system has been hacked. I had several imapd reports during the last time and it ended up with the following sequence in my /var/log/messages:
> 
> ----------------------------
> Jul 14 13:24:52 server imapd[1819]: connect from root@<IP1>
> Jul 14 13:25:22 server in.telnetd[1820]: connect from <IP2>
> Jul 14 13:25:35 server login[1821]: no shadow password for `slovaka' on `ttyp3'
> from `pool051-max3.ds36-ca-us.dialup.<some-net>
> Jul 14 13:25:45 server su: (to r00t) slovaka on /dev/ttyp3
> --------------------------
> 
> I checked with Yast the list of users and found the user "slovaka" and the user r00t (with root permissions!) as well.
> 
> Besides that I can't see any further changes to the system.
> 
> How did slovaka/r00t enter my system?

Study your system logs!

 
> How can I find out what he did? The numerical uid of him was the same as my personal account (500), so I can't use the id... 
> 
> I deleted those accounts and forced all users to change their passwords. But who enters the system within seconds once, will be able to do it a 2nd time as well, so how can I close this hole?
 
Where from do you know that the intruder entered the system within
seconds?

> Nobody uses imap in our group. Wouldn't it be best to stop imapd? I find no entry in rc.config and I don't know how to remove it from the startup scripts (can I just remove the imp<#> lines from /etc/services?)

Disable _any_ service in /etc/inetd.conf that you don't know/need and
restart inetd (kill -1 PID-of-inetd). Read man-pages, HOWTOs, especially
the Security-HOWTO.

> Any hint is appreciated!
> 
> Josef 
> 
> BTW: I am using a different system to write this email....
> 
> --
> --
> Dr. J. Frohn - S.I.S. GmbH      email: frohn@xxxxxxxxxxxx
> Kaiserstr. 100                  http:\\www.sis-gmbh.com
> 52134 Herzogenrath - GERMANY    T +49 (0) 2407 96147 -- F +49 (0) 2407 96275
> 
> --
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: suse-security-unsubscribe@xxxxxxxx
> For additional commands, e-mail: suse-security-help@xxxxxxxx
>