Mailinglist Archive: opensuse-security (64 mails)

Re: [suse-security] Help: our system has been hacked...!
  • From: Samartha <samarthax@xxxxxxxxx>
  • Date: Tue, 27 Jul 1999 02:16:44 -0600
  • Message-id: <3.0.5.32.19990727021644.00927590@xxxxxxxxxxxx>
Hi Josef,

You may have to face that if the intruder knew what s/he was doing,
your system may be hosed security-wise and you don't even see it, and
you may not find out what exactly happened unless you establish
logs and see it happening again.

Look at:

http://www.cert.org/tech_tips/root_compromise.html

for recovery hints.

If s/he planted trojan programs like those described below, it's best to
isolate the machine, save the hard disk as evidence and
reinstall from the last backup on a new disk.

Log the time and material you use to clean up, estimate the damage,
find out who the bastards are and sue them for damages!

I was lucky to discover some files the intruder left around out of stupidity and
was able to somehow reconstruct what happened.

If the wtmp has not been tampered with, you may use the last command and
look at login activity with IP numbers. But the IP numbers may be from other
machines which are compromised too and used as a relay to hide identities.

The original break-in could have happened a long time ago - perhaps months ago.

In my case, they must have gotten in by using a buffer overflow in ftp or nfs.

Log entries may look like this, if they have not been erased:

>>
>>Mar 20 10:47:43 pcst001 mountd[134]: Unauthorized access by NFS client 204.174.19.18.
>>Mar 20 10:47:44 pcst001 mountd[134]: [truncated] Blocked attempt of 204.174.19.18 to mount
>>^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
>>Mar 20 10:48:44 pcst001 in.telnetd[2108]: connect from xxx.174.19.18
>>Mar 20 10:48:49 pcst001 login[2109]: no shadow password for `moof' on `ttyp7' from `xxx.174.19.18'
>>Mar 20 10:48:49 pcst001 login[2109]: ILLEGAL ROOT LOGIN on `ttyp7' from `xxx.174.19.18'
>

I fixed the machine back up (it was SuSE 5.3) - this time disallowing root
logins over the net (it appeared to have been the default to allow it),
using the wuftp security patches, and brought it up again after a couple of weeks
(I used another machine in the meantime). It took 20 minutes and another
guy broke in, got root access again and established a root account, but then
was no longer able to log on as root (that's the log above).

Here is what the first intruder did:

>The person installed a toolkit called lrk4 on my machine in a hidden
>directory with the name "/var/yp/...".
>
>The toolkit replaced about 15 essential programs with trojans: ls, du,
>find, top, passwd etc. etc. Here is the excerpt from the makefile:
>
>/usr/bin/chfn
>/usr/bin/chsh
>/bin/login
>/bin/ls
>/bin/du
>/usr/bin/passwd
>/bin/ps
>/usr/bin/top
>/usr/sbin/in.rshd
>/bin/netstat
>/sbin/ifconfig
>/usr/sbin/syslogd
>/usr/sbin/inetd
>/usr/sbin/tcpd
>/usr/bin/killall
>/usr/bin/pidof
>/usr/bin/find
>
>The programs were altered to hide information.
>For example, ls and du would not display the "..." directory nor
>account for its size. The programs are significantly larger than
>the originals, but the checksum is fixed to match the original, and
>maybe the original program size is also displayed by the trojan
>programs - I have not had the time to check.
>
>There are hard coded username(s?) "rewt" in the programs which were used
>from different IP numbers to get in.
>
>A machine which has this package installed is totally hosed securitywise
>and has all doors open for intrusion and hidden activity.
>
>Once the person got in, a program nscan was run which spawns 100+ children
>to go after other sites and gives info like this (leftover files
>from the first hacker):
>
>xxx.207.198.192: VULN: linux box vulnerable to named overflow.
>xxx.142.207.7: VULN: linux box vulnerable to named overflow.
>xxx.179.207.151: VULN: a bread fearing bastard of a mountd'er.

The problem with a system compromised like this is that you don't see anything
of the cloaked user unless you mount the disk from a clean system and look
around.

I just hope this did not happen at your system.

What I would do now, having a permanent internet connection, is:

1.) router/firewall up front, connected to
2.) an outer machine which looks at every packet coming in, decides
whether it's allowed or denied, and logs everything,
3.) outer machine connected to the inner network through a separate network card



Good luck,

Sam
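The two checks the mail above calls for, as an added example that is not part of the original message or of any tool it names: first, a scan over syslog lines for the three patterns Sam quotes (a mountd mount request that is a long run of ^P filler rather than a path, a login for an account that has no shadow entry, and a direct ILLEGAL ROOT LOGIN from the network), grouped by source address; second, a comparison of the binaries lrk4 is said to replace against hashes taken from known-good media, which is the check to run when the disk is mounted from a clean system. The sample log lines are constructed after the ones in the mail, the "binaries" are placeholder files written into temporary directories, and the function and manifest names are this example's own. The choice of SHA-256 is an assumption about what a practitioner would use; the point it demonstrates is that a size check or a simple checksum the kit has been adjusted to match would miss the swapped files.

```python
import hashlib
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Constructed sample syslog excerpt, modelled on the lines quoted in the mail.
# The ^P run is shortened; the real one was much longer.
SAMPLE_LOG = "\n".join([
    "Mar 20 10:47:43 pcst001 mountd[134]: Unauthorized access by NFS client 204.174.19.18.",
    "Mar 20 10:47:44 pcst001 mountd[134]: Blocked attempt of 204.174.19.18 to mount " + "^P" * 40,
    "Mar 20 10:48:44 pcst001 in.telnetd[2108]: connect from 204.174.19.18",
    "Mar 20 10:48:49 pcst001 login[2109]: no shadow password for `moof' on `ttyp7' from `204.174.19.18'",
    "Mar 20 10:48:49 pcst001 login[2109]: ILLEGAL ROOT LOGIN on `ttyp7' from `204.174.19.18'",
    "Mar 20 11:02:01 pcst001 mountd[134]: Blocked attempt of 10.0.0.7 to mount /export/home",
]) + "\n"

MOUNT_RE = re.compile(r"mountd\[\d+\]: Blocked attempt of (\S+) to mount (.*)$")
ROOT_RE = re.compile(r"ILLEGAL ROOT LOGIN on `[^']+' from `([^']+)'")
NOSHADOW_RE = re.compile(r"no shadow password for `([^']+)' on `[^']+' from `([^']+)'")
# A "path" that is mostly one repeated control byte is filler in front of an
# overflow, not a directory.  syslog renders byte 0x10 in caret form as ^P.
PAD_RE = re.compile(r"(\^P){16,}|[\x10\x90]{16,}")


def scan_log(text):
    """Return one finding per suspicious line as (kind, source_ip, detail)."""
    findings = []
    for line in text.splitlines():
        m = MOUNT_RE.search(line)
        if m:
            ip, target = m.groups()
            if PAD_RE.search(target) or len(target) > 255:
                findings.append(("mountd_overflow", ip, f"{len(target)}-char mount argument"))
            continue
        m = ROOT_RE.search(line)
        if m:
            findings.append(("root_login_net", m.group(1), "root logged in directly over the network"))
            continue
        m = NOSHADOW_RE.search(line)
        if m:
            user, ip = m.groups()
            findings.append(("no_shadow_entry", ip, f"login as `{user}' which has no shadow entry"))
    return findings


def hosts_by_finding(findings):
    """Group finding kinds by source address; a host that shows up under
    several kinds is the one to chase first (remembering it may be a relay)."""
    by_ip = defaultdict(set)
    for kind, ip, _ in findings:
        by_ip[ip].add(kind)
    return dict(by_ip)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(clean_root, rel_paths):
    """Hashes must come from known-good media (install CD, read-only backup),
    never from the suspect disk itself."""
    clean_root = Path(clean_root)
    return {rel: sha256_of(clean_root / rel) for rel in rel_paths}


def verify_binaries(manifest, suspect_root):
    """Compare files on the suspect disk (mounted from a clean system) with the
    manifest; return the relative paths that are missing or differ."""
    suspect_root = Path(suspect_root)
    bad = []
    for rel, good in manifest.items():
        p = suspect_root / rel
        if not p.exists() or sha256_of(p) != good:
            bad.append(rel)
    return bad


# A subset of the files the mail lists as replaced by the kit, used here only
# as manifest entries (hypothetical placeholder contents, not real binaries).
LRK4_TARGETS = ["bin/login", "bin/ls", "bin/ps", "bin/netstat",
                "sbin/ifconfig", "usr/sbin/syslogd", "usr/bin/find"]


def demo_binary_check():
    """Build a fake clean tree and a fake suspect tree in which ls and ps were
    swapped for same-sized replacements (constructed scenario)."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as suspect:
        for rel in LRK4_TARGETS:
            for base in (clean, suspect):
                p = Path(base) / rel
                p.parent.mkdir(parents=True, exist_ok=True)
                p.write_bytes(b"ELF-placeholder:" + rel.encode())
        manifest = build_manifest(clean, LRK4_TARGETS)
        # Simulate the trojan: different contents padded to the original size,
        # so a size comparison alone would not notice the swap.
        for rel in ("bin/ls", "bin/ps"):
            p = Path(suspect) / rel
            p.write_bytes(b"trojan:rewt".ljust(p.stat().st_size, b"\0"))
        return verify_binaries(manifest, suspect)


if __name__ == "__main__":
    for kind, ip, detail in scan_log(SAMPLE_LOG):
        print(f"{kind:16} {ip:16} {detail}")
    print("hosts:", hosts_by_finding(scan_log(SAMPLE_LOG)))
    print("binaries that differ from known-good:", demo_binary_check())
```

Run it against a real syslog by passing the file contents to scan_log(); the binary check only means something when the manifest was built from the distribution media or a backup that predates the break-in, and when the suspect filesystem is mounted from a clean boot so that a trojaned ls, find or syslogd cannot hide what is being read.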



