Mailinglist Archive: opensuse-security (64 mails)

Re: [suse-security] Help: our system has been hacked...!
  • From: <zaire@xxxxxxxxxxxxxxxxx>
  • Date: Mon, 26 Jul 1999 16:43:31 -0600 (MDT)
  • Message-id: <Pine.LNX.4.05.9907261641280.13739-100000@xxxxxxxxxxxxxxxxx>
What services were you running?
Did you configure /etc/hosts.allow & /etc/hosts.deny ?

Did you make sure the services you were running were properly configured
and updated?

What kernel were you running?
zaire



On Mon, 26 Jul 1999, Josef Frohn wrote:

> Dear all,
>
> I am using Suse5.2 with the according security-patches from the Suse server.
>
> We have a valid IP, which means that our server is accessible from the Internet.
>
> The server acts as a gateway for a small company network.
>
> Now it looks as if our system has been hacked. I had several imapd reports during the last time and it ended up with the following sequence in my /var/log/messages:
>
> ----------------------------
> Jul 14 13:24:52 server imapd[1819]: connect from root@<IP1>
> Jul 14 13:25:22 server in.telnetd[1820]: connect from <IP2>
> Jul 14 13:25:35 server login[1821]: no shadow password for `slovaka' on `ttyp3'
> from `pool051-max3.ds36-ca-us.dialup.<some-net>
> Jul 14 13:25:45 server su: (to r00t) slovaka on /dev/ttyp3
> --------------------------
>
> I checked with Yast the list of users and found the user "slovaka" and the user r00t (with root permissions!) as well.
>
> Besides that I can't see any further changes to the system.
>
> How did slovaka/r00t enter my system?
>
> How can I find out what he did? The numerical uid of him was the same as my personal account (500), so I can't use the id...
>
> I deleted those accounts and forced all users to change their passwords. But who enters the system within seconds once, will be able to do it a 2nd time as well, so how can I close this hole?
>
> Nobody uses imap in our group. Wouldn't it be best to stop imapd? I find no entry in rc.config and I don't know how to remove it from the startup scripts (can I just remove the imp<#> lines from /etc/services?)
>
> Any hint is appreciated!
>
> Josef
>
> BTW: I am using a different system to write this email....
>
> --
> Dr. J. Frohn - S.I.S. GmbH email: frohn@xxxxxxxxxxxx
> Kaiserstr. 100 http:\\www.sis-gmbh.com
> 52134 Herzogenrath - GERMANY T +49 (0) 2407 96147 -- F +49 (0) 2407 96275
>
> --
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: suse-security-unsubscribe@xxxxxxxx
> For additional commands, e-mail: suse-security-help@xxxxxxxx
>
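The three checks this thread turns on, as an added example that is not part of the mailing-list exchange or of any SuSE tooling: find a second uid-0 account and a shared numeric uid in /etc/passwd, pull the imapd/telnetd/"no shadow password"/su-to-alias chain out of syslog-style lines, and switch imapd off where it is actually enabled. The "connect from" lines in the excerpt are the tcp_wrappers (tcpd) log format, which means the service was started from /etc/inetd.conf through tcpd; /etc/services only maps names to port numbers, so editing it does not stop the daemon. The passwd rows, log lines, addresses and inetd.conf fragment below are constructed sample data (the account names come from the thread, everything else is invented), and the function names are my own.

```python
"""Post-compromise triage for the symptoms in the thread: a second uid-0
account, two names on one uid, and the imapd -> telnetd -> login -> su chain
in /var/log/messages. Every input below is constructed sample data."""
import re
from collections import defaultdict

# Constructed /etc/passwd: 'frohn' and 'slovaka' share uid 500, 'r00t' is a
# second uid-0 account. Only the names are taken from the thread.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
frohn:x:500:100:J. Frohn:/home/frohn:/bin/bash
slovaka:x:500:100::/home/slovaka:/bin/bash
r00t:x:0:0::/root:/bin/bash
"""

# Constructed syslog lines modelled on the excerpt (hosts and addresses invented).
SAMPLE_LOG = """\
Jul 14 13:24:52 server imapd[1819]: connect from root@192.0.2.10
Jul 14 13:25:22 server in.telnetd[1820]: connect from 192.0.2.20
Jul 14 13:25:35 server login[1821]: no shadow password for `slovaka' on `ttyp3' from `pool051-max3.example.net'
Jul 14 13:25:45 server su: (to r00t) slovaka on /dev/ttyp3
Jul 14 14:02:01 server su: (to root) frohn on /dev/ttyp1
"""

# Constructed /etc/inetd.conf fragment: on an inetd+tcpd host this file, not
# /etc/services, is where imapd is enabled.
SAMPLE_INETD = """\
# <service> <socket> <proto> <flags> <user> <server> <args>
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
imap    stream  tcp  nowait  root  /usr/sbin/tcpd  imapd
pop3    stream  tcp  nowait  root  /usr/sbin/tcpd  in.pop3d
"""


def parse_passwd(text):
    """Yield (name, uid) for every well-formed seven-field passwd row."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2].isdigit():
            yield fields[0], int(fields[2])


def audit_passwd(text):
    """Return ({uid: [names]} for every uid held by more than one name,
    [names with uid 0]). Any uid-0 name other than 'root' is a backdoor."""
    by_uid = defaultdict(list)
    for name, uid in parse_passwd(text):
        by_uid[uid].append(name)
    shared = {uid: names for uid, names in by_uid.items() if len(names) > 1}
    return shared, by_uid.get(0, [])


SU_RE = re.compile(r" su: \(to (\S+)\) (\S+) on (\S+)")
NOSHADOW_RE = re.compile(r" login\[\d+\]: no shadow password for `([^']+)'")
CONNECT_RE = re.compile(r" (\S+)\[\d+\]: connect from (\S+)")


def triage_log(text, uid0_names, watched=("imapd", "in.telnetd")):
    """Return findings, in log order, as tuples:
    ('watched_service_connect', service, source)   tcpd accepted a watched service
    ('no_shadow_entry', user)                      login saw a passwd row with no shadow row
    ('su_to_uid0_alias', actor, target, tty)       su to a uid-0 name that is not 'root'"""
    findings = []
    for line in text.splitlines():
        m = SU_RE.search(line)
        if m:
            target, actor, tty = m.groups()
            if target in uid0_names and target != "root":
                findings.append(("su_to_uid0_alias", actor, target, tty))
            continue
        m = NOSHADOW_RE.search(line)
        if m:
            findings.append(("no_shadow_entry", m.group(1)))
            continue
        m = CONNECT_RE.search(line)
        if m and m.group(1) in watched:
            findings.append(("watched_service_connect", m.group(1), m.group(2)))
    return findings


def disable_inetd_service(conf, service):
    """Comment out every active inetd.conf line whose service field is
    `service`. inetd must be sent SIGHUP (or restarted) afterwards."""
    out = []
    for line in conf.splitlines():
        fields = line.split()
        if fields and not line.startswith("#") and fields[0] == service:
            line = "#" + line
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    shared, uid0 = audit_passwd(SAMPLE_PASSWD)
    print("shared uids:", shared)
    print("uid-0 names:", uid0)
    for finding in triage_log(SAMPLE_LOG, uid0_names=set(uid0)):
        print("finding:", finding)
    print(disable_inetd_service(SAMPLE_INETD, "imap"), end="")
```

Two practical caveats. Because slovaka shares uid 500 with the legitimate account, file ownership cannot separate the two; `find / -uid 500 -newer <a file with a known timestamp>` (timestamps, not ownership) is what is left for locating what was written, and none of it is trustworthy if the attacker had uid 0 for half an hour. And since tcpd was already in the path, an `/etc/hosts.deny` of `ALL: ALL` with only the company network listed in `/etc/hosts.allow` would have refused both the imapd and the telnetd connection in the excerpt and logged them as "refused connect from".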

