Mailinglist Archive: opensuse-security (64 mails)
Re: [suse-security] Help: our system has been hacked...!
- From: smorris@xxxxxxxxxxxxxx
- Date: Mon, 26 Jul 1999 22:08:22 -0400
- Message-id: <002101bed7d4$e7e2ed80$0501a8c0@smorris>
You may wish to look into two packages, SWATCH and COPS. They monitor your
system and will let you know of file changes.
Scott
----- Original Message -----
From: Josef Frohn <frohn@xxxxxxxxxxxx>
To: <suse-security@xxxxxxxx>
Sent: Monday, July 26, 1999 10:12 AM
Subject: [suse-security] Help: our system has been hacked...!
> Dear all,
>
> I am using Suse5.2 with the according security-patches from the Suse
> server.
>
> We have a valid IP, which means that our server is accessible from the
> Internet.
>
> The server acts as a gateway for a small company network.
>
> Now it looks as if our system has been hacked. I had several imapd reports
> during the last time and it ended up with the following sequence in my
> /var/log/messages:
>
> ----------------------------
> Jul 14 13:24:52 server imapd[1819]: connect from root@<IP1>
> Jul 14 13:25:22 server in.telnetd[1820]: connect from <IP2>
> Jul 14 13:25:35 server login[1821]: no shadow password for `slovaka' on
> `ttyp3'
> from `pool051-max3.ds36-ca-us.dialup.<some-net>
> Jul 14 13:25:45 server su: (to r00t) slovaka on /dev/ttyp3
> --------------------------
>
> I checked with Yast the list of users and found the user "slovaka" and the
> user r00t (with root permissions!) as well.
>
> Besides that I can't see any further changes to the system.
>
> How did slovaka/r00t enter my system?
>
> How can I find out what he did? The numerical uid of him was the same as
> my personal account (500), so I can't use the id...
>
> I deleted those accounts and forced all users to change their passwords.
> But whoever enters the system within seconds once will be able to do it a 2nd
> time as well, so how can I close this hole?
>
> Nobody uses imap in our group. Wouldn't it be best to stop imapd? I find
> no entry in rc.config and I don't know how to remove it from the startup
> scripts (can I just remove the imp<#> lines from /etc/services?)
>
> Any hint is appreciated!
>
> Josef
>
> BTW: I am using a different system to write this email....
>
> --
> --
> Dr. J. Frohn - S.I.S. GmbH email: frohn@xxxxxxxxxxxx
> Kaiserstr. 100 http:\\www.sis-gmbh.com
> 52134 Herzogenrath - GERMANY T +49 (0) 2407 96147 -- F +49 (0) 2407
> 96275
>
> --
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: suse-security-unsubscribe@xxxxxxxx
> For additional commands, e-mail: suse-security-help@xxxxxxxx
>
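The quoted /var/log/messages excerpt and the account findings (a second uid-0 user, a user sharing uid 500) are exactly the kind of thing a small audit script can pull out of syslog and /etc/passwd automatically. The following Python example is added here as an illustration and is not code from either poster or from SWATCH or COPS; the sample log and passwd lines are constructed from the thread, with placeholder hosts, and the account names are assumed for the sake of the demonstration. It flags logins reported with no shadow entry, su to any account other than root, connections from the services mentioned, extra uid-0 accounts, and uids shared by more than one login name.

```python
import re
from collections import defaultdict

# Constructed sample: the excerpt quoted in the thread plus one normal su line
# for contrast (hosts are placeholders, as in the original post).
SAMPLE_MESSAGES = """\
Jul 14 13:24:52 server imapd[1819]: connect from root@<IP1>
Jul 14 13:25:22 server in.telnetd[1820]: connect from <IP2>
Jul 14 13:25:35 server login[1821]: no shadow password for `slovaka' on `ttyp3' from `pool051-max3.ds36-ca-us.dialup.<some-net>
Jul 14 13:25:45 server su: (to r00t) slovaka on /dev/ttyp3
Jul 14 14:01:10 server su: (to root) josef on /dev/ttyp1
"""

# Constructed /etc/passwd content (assumption): the real root, a legitimate
# user with uid 500, and the two accounts described in the thread.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
josef:x:500:100:Josef:/home/josef:/bin/bash
slovaka:x:500:100::/home/slovaka:/bin/bash
r00t:x:0:0::/root:/bin/bash
"""

# Patterns for the three syslog message shapes seen in the excerpt.
SU_RE = re.compile(r"su: \(to (\S+)\) (\S+) on (\S+)")
NOSHADOW_RE = re.compile(r"login\[\d+\]: no shadow password for `([^']+)' on `([^']+)'")
CONNECT_RE = re.compile(r"(\S+)\[\d+\]: connect from (\S+)")


def audit_passwd(text, expected_root="root"):
    """Return findings from passwd-format text: uid-0 accounts other than the
    expected root login, and numeric uids shared by several login names."""
    findings = []
    by_uid = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            findings.append(("malformed", line))
            continue
        by_uid[int(fields[2])].append(fields[0])
    for name in by_uid.get(0, []):
        if name != expected_root:
            findings.append(("extra_uid0", name))
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1:
            findings.append(("shared_uid", (uid, tuple(names))))
    return findings


def audit_messages(text, allowed_su_targets=("root",), watched=("imapd", "in.telnetd")):
    """Return findings from syslog text, in log order: logins without a shadow
    entry, su to a non-standard target, and connections to watched services."""
    findings = []
    for line in text.splitlines():
        m = NOSHADOW_RE.search(line)
        if m:
            findings.append(("no_shadow_login", m.group(1)))
            continue
        m = SU_RE.search(line)
        if m:
            target, who = m.group(1), m.group(2)
            if target not in allowed_su_targets:
                findings.append(("su_to_nonstandard", (who, target)))
            continue
        m = CONNECT_RE.search(line)
        if m and m.group(1) in watched:
            findings.append(("connect", (m.group(1), m.group(2))))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_passwd(SAMPLE_PASSWD) + audit_messages(SAMPLE_MESSAGES):
        print(f"{kind:20s} {detail}")
```

On a real host the same functions would be fed the contents of /etc/passwd and /var/log/messages; the passwd check is the quick answer to "is there another uid 0 besides root", and the shared-uid check explains why the poster could not tell his own files from the intruder's by uid alone.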