Mailinglist Archive: opensuse-security (64 mails)
Re: [suse-security] Help: our system has been hacked...!
- From: Lutz Jaenicke <Lutz.Jaenicke@xxxxxxxxxxxxxxxxx>
- Date: Tue, 27 Jul 1999 09:07:09 +0200
- Message-id: <19990727090709.A3554@xxxxxxxxxxxxxxxxxxxxxx>
On Mon, Jul 26, 1999 at 03:12:24PM +0100, Josef Frohn wrote:
> Now it looks as if our system has been hacked. I had several imapd reports during the last time and it ended up with the following sequence in my /var/log/messages:
>
> ----------------------------
> Jul 14 13:24:52 server imapd[1819]: connect from root@<IP1>
> Jul 14 13:25:22 server in.telnetd[1820]: connect from <IP2>
> Jul 14 13:25:35 server login[1821]: no shadow password for `slovaka' on `ttyp3'
> from `pool051-max3.ds36-ca-us.dialup.<some-net>
> Jul 14 13:25:45 server su: (to r00t) slovaka on /dev/ttyp3
> --------------------------
>
> I checked with Yast the list of users and found the user "slovaka" and the user r00t (with root permissions!) as well.
>
> Besides that I can't see any further changes to the system.
>
> How did slovaka/r00t enter my system?
Hi Josef,
I am not familiar with the actual state of the security patches for SuSE 5.2.
The latest one was released around 30 June 1998 (from the list at www.suse.de).
There have been important security patches released for 5.3, that were not
made available for 5.2 and I remember having used some 5.3 patches for some
5.2 machines as a fast solution before I could upgrade the whole system.
If I remember correctly, these were especially the ugly "mountd" vulnerability
and the wu-ftpd one, too.
> How can I find out what he did? The numerical uid of him was the same as my personal account (500), so I can't use the id...
That depends on the capabilities of the hackers. There are rootkits around
that modify system binaries within seconds, such that new backdoors are
installed.
You might try a "rpm -Va" to verify all installed files against the
rpm database and have to check all listed items. (This of course requires
the rpm database to be unmodified.)
> I deleted those accounts and forced all users to change their passwords. But who enters the system within seconds once, will be able to do it a 2nd time as well, so how can I close this hole?
That depends on the question whether backdoors were installed.
My final recommendation to colleagues in this situation is: reinstall
from scratch and make sure to have the latest version with all patches
installed! That's the only way to be sure.
> Nobody uses imap in our group. Wouldn't it be best to stop imapd? I find no entry in rc.config and I don't know how to remove it from the startup scripts (can I just remove the imp<#> lines from /etc/services?)
As others already pointed out: you have to modify /etc/inetd.conf.
Additionally check the possibilities of tcpd with man hosts.allow, hosts.deny.
COMPLAINT TO SuSE: Why do you ship systems wide open and I have to shut
everything down. In times like these, and they won't get better anymore,
just worse, you should ship the system "as closed as possible" and when
I want to open it, well, then it's up to me.
I know that other distributions are not necessarily better and that's the
way UNIX was delivered from vendors, but the times are changing.
> BTW: I am using a different system to write this email....
Good hint, but people might feel challenged to try it even then :-)
Sorry, no better news,
Lutz
--
Lutz Jaenicke Lutz.Jaenicke@xxxxxxxxxxxxxxxxx
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
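The two indicators the thread turns on, an extra uid-0 account and a password-less login followed by an su to it, can be checked mechanically from /etc/passwd and /var/log/messages. The script below is an added example, not code from the thread; its passwd lines and log excerpt are constructed to mirror the quoted sequence (IPs are documentation addresses, account names are the ones Josef reported).

```python
import re
from collections import defaultdict

# Constructed sample /etc/passwd: "r00t" carries uid 0 under a different
# name and "slovaka" shares uid 500 with the admin's own account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
josef:x:500:100:Josef:/home/josef:/bin/bash
slovaka:x:500:100::/home/slovaka:/bin/bash
r00t:x:0:0::/root:/bin/bash
"""

# Constructed syslog excerpt in the shape quoted in the thread.
SAMPLE_MESSAGES = """\
Jul 14 13:24:52 server imapd[1819]: connect from root@192.0.2.10
Jul 14 13:25:22 server in.telnetd[1820]: connect from 198.51.100.7
Jul 14 13:25:35 server login[1821]: no shadow password for `slovaka' on `ttyp3'
Jul 14 13:25:45 server su: (to r00t) slovaka on /dev/ttyp3
"""

def audit_passwd(text):
    """Return (uid-0 accounts other than root, {uid: names} for shared uids)."""
    by_uid = defaultdict(list)
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:          # skip malformed or comment lines
            continue
        by_uid[int(fields[2])].append(fields[0])
    uid0 = [n for n in by_uid.get(0, []) if n != "root"]
    shared = {u: names for u, names in by_uid.items() if len(names) > 1}
    return uid0, shared

SU_RE = re.compile(r"su: \(to (\S+)\) (\S+) on (\S+)")
NOSHADOW_RE = re.compile(r"login\[\d+\]: no shadow password for `([^']+)'")

def audit_messages(text, uid0_accounts):
    """Flag logins without a shadow entry and su to any uid-0 alias."""
    findings = []
    for line in text.splitlines():
        m = NOSHADOW_RE.search(line)
        if m:
            findings.append(("no-shadow-login", m.group(1)))
        m = SU_RE.search(line)
        if m and m.group(1) in uid0_accounts:
            findings.append(("su-to-uid0-alias", f"{m.group(2)}->{m.group(1)}"))
    return findings

def run_audit(passwd=SAMPLE_PASSWD, messages=SAMPLE_MESSAGES):
    uid0, shared = audit_passwd(passwd)
    return uid0, shared, audit_messages(messages, set(uid0))
```

On a real box, feed it `open("/etc/passwd").read()` and the messages file; as Lutz notes, a rootkit may also have altered the binaries that wrote these logs, so a clean finding here is not proof of a clean system.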