Mailinglist Archive: opensuse-security (64 mails)

Re: [suse-security] Help: our system has been hacked...!
  • From: Thomas Bierweiler <ubpc@xxxxxxxxxxxxxxxxxxx>
  • Date: Mon, 26 Jul 1999 21:14:33 -0400
  • Message-id: <379D07F9.DBFA4C21@xxxxxxxxxxxxxxxxxxx>
Hi Josef,

we had a Linux box with SuSE 5.2 or 5.1 with a hacked imapd too.
I do not know how he got into the system, but he tried it on other
boxes as well.
He started a sniffer and another program, which forked itself 250 times
and saturated the net - so the hack was discovered immediately.

To disable it, you should comment out the line
imap2 stream tcp nowait root /usr/sbin/tcpd imapd
with a # at the beginning in /etc/inetd.conf and then run
kill -1 `cat inetd.pid`
to let inetd reread its config file.

That should solve the problem.

If you want, you can do a
grep -i imapd /etc/rc.config
but there shouldn't be an imapd entry.
If there is one, set it to no and execute
/sbin/SuSEconfig

Furthermore, you can do a
grep -i imapd /sbin/init.d
The result should be empty too.


Bye
Thomas


imapd on your box is probably not an extra service but is started
by inetd.
Josef Frohn wrote:

> Dear all,
>
> I am using Suse5.2 with the according security-patches from the Suse server.
>
> We have a valid IP, which means that our server is accessible from the Internet.
>
> The server acts as a gateway for a small company network.
>
> Now it looks as if our system has been hacked. I had several imapd reports recently, and it ended up with the following sequence in my /var/log/messages:
>
> ----------------------------
> Jul 14 13:24:52 server imapd[1819]: connect from root@<IP1>
> Jul 14 13:25:22 server in.telnetd[1820]: connect from <IP2>
> Jul 14 13:25:35 server login[1821]: no shadow password for `slovaka' on `ttyp3'
> from `pool051-max3.ds36-ca-us.dialup.<some-net>
> Jul 14 13:25:45 server su: (to r00t) slovaka on /dev/ttyp3
> --------------------------
>
> I checked with Yast the list of users and found the user "slovaka" and the user r00t (with root permissions!) as well.
>
> Besides that I can't see any further changes to the system.
>
> How did slovaka/r00t enter my system?
>
> How can I find out what he did? His numerical uid was the same as my personal account (500), so I can't use the id...
>
> I deleted those accounts and forced all users to change their passwords. But whoever gets into the system within seconds once will be able to do it a second time as well, so how can I close this hole?
>
> Nobody uses imap in our group. Wouldn't it be best to stop imapd? I find no entry in rc.config and I don't know how to remove it from the startup scripts (can I just remove the imp<#> lines from /etc/services?)
>
> Any hint is appreciated!
>
> Josef
>
> BTW: I am using a different system to write this email....
>
> --
> Dr. J. Frohn - S.I.S. GmbH email: frohn@xxxxxxxxxxxx
> Kaiserstr. 100 http:\\www.sis-gmbh.com
> 52134 Herzogenrath - GERMANY T +49 (0) 2407 96147 -- F +49 (0) 2407 96275
>
> --
>

--
Thomas Bierweiler
CDW 406 D Box # 6034
UMassD
285 Old Westport Rd.
North Dartmouth, MA 02747
USA
mail: Thomas.Bierweiler@xxxxxx or
ubpc@xxxxxxxxxxxxxxxxxxx
http://www.uni-karlsruhe.de/~ubpc
ICQ 22953251
Tel +USA 508 910 5383
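As an added example (not part of Thomas's or Josef's mails), the checks described in this thread put into a few small shell helpers: commenting out the imap2 entry in an inetd.conf, listing accounts that share a UID (the "r00t" with uid 0 and "slovaka" with uid 500 situation), and pulling the "su:" and "no shadow password" lines out of a messages file. All inputs are constructed sample files in a scratch directory, so nothing on the real host is touched; the real paths (/etc/inetd.conf, /etc/passwd, /var/log/messages) are passed in as parameters. The function names and the sample contents are my own, not from SuSE or the original posts.

```shell
#!/bin/sh
# Added example (not from the original mail thread). All inputs below are
# CONSTRUCTED samples written to a scratch directory; the helpers take the
# file path as a parameter so they can be pointed at the real files later.

WORK=$(mktemp -d)

# --- constructed sample inputs ------------------------------------------
cat > "$WORK/inetd.conf" <<'EOF'
# constructed excerpt of an /etc/inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
imap2   stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
pop3    stream  tcp     nowait  root    /usr/sbin/tcpd  in.pop3d
EOF

cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
josef:x:500:100:constructed user:/home/josef:/bin/bash
slovaka:x:500:100::/home/slovaka:/bin/bash
r00t:x:0:0::/root:/bin/bash
EOF

cat > "$WORK/messages" <<'EOF'
Jul 14 13:24:52 server imapd[1819]: connect from root@192.0.2.10
Jul 14 13:25:22 server in.telnetd[1820]: connect from 192.0.2.20
Jul 14 13:25:35 server login[1821]: no shadow password for `slovaka' on `ttyp3'
Jul 14 13:25:45 server su: (to r00t) slovaka on /dev/ttyp3
Jul 15 09:00:01 server su: (to root) josef on /dev/tty1
EOF

# Comment out every active inetd.conf line for SERVICE (e.g. imap2) in FILE
# and print how many lines were disabled. inetd still has to be told to
# re-read the file afterwards (kill -1 / SIGHUP on its pid).
disable_inetd_service() {
    file=$1; service=$2
    n=$(grep -c "^${service}[[:space:]]" "$file" || true)
    sed "s/^\(${service}[[:space:]]\)/#\1/" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
    echo "$n"
}

# Print "uid:name1,name2" for every UID that more than one account uses.
# Names appear in file order, lines sorted numerically by uid.
duplicate_uids() {
    awk -F: '{ names[$3] = (names[$3] ? names[$3] "," : "") $1; count[$3]++ }
             END { for (u in count) if (count[u] > 1) print u ":" names[u] }' "$1" \
        | sort -n
}

# Accounts that carry UID 0 but are not "root" itself.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Syslog lines worth a look: any su to an account other than root, and any
# login for an account that has no shadow entry.
suspicious_log_lines() {
    grep -E 'su: \(to [^)]+\)|no shadow password' "$1" | grep -v 'su: (to root)'
}

# Stand-alone demonstration run on the constructed files.
echo "== UIDs shared by several accounts =="; duplicate_uids "$WORK/passwd"
echo "== uid-0 accounts besides root ==";     extra_uid0_accounts "$WORK/passwd"
echo "== suspicious log lines ==";            suspicious_log_lines "$WORK/messages"
cp "$WORK/inetd.conf" "$WORK/inetd.conf.demo"
echo "disabled $(disable_inetd_service "$WORK/inetd.conf.demo" imap2) imap2 line(s)"
```

The inetd edit works on a copy and reports a count, so it can be run once against a backup of the real file and diffed before the original is replaced; the UID check is what would have flagged both "r00t" (a second uid 0) and "slovaka" (sharing uid 500 with the real user) before anyone looked at the log.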



