Mailinglist Archive: opensuse-security (564 mails)

Re: [suse-security] Re: Getting weird FETCHMAIL-DAEMON messages...
  • From: "Kurt Seifried" <listuser@xxxxxxxxxxxx>
  • Date: Sun, 28 Jan 2001 21:13:20 -0700
  • Message-id: <005a01c089a9$d0e63500$ca00030a@xxxxxxxxxxxx>
Once an attacker has root it is time to reinstall the OS from trusted media. As
for fiddling with the login banner, tcp_wrappers will do so nicely.

http://www.securityportal.com/closet/closet20001115.html

Kurt Seifried, seifried@xxxxxxxxxxxxxxxxxx
Securityportal - your focal point for security on the 'net



----- Original Message -----
From: "Matthew" <matthew@xxxxxxxxxxxxxxx>
To: "Michael Chletsos" <mpchlets@xxxxxxxxxxxxxxx>; <suse-security@xxxxxxxx>
Sent: Sunday, January 28, 2001 9:10 PM
Subject: Re: [suse-security] Re: Getting weird FETCHMAIL-DAEMON messages...


Oh it's updated :-). It's an addiction of mine....This time a good one. Checked
logs, nothing out of the ordinary, whic. Now is the time for me to change the
pop, smtp banners and others too.

Maybe make a banner that is a totally different OS? How is that accomplished?

Thanks for everyone's insights.

Matt


On Sunday 28 January 2001 07:38 pm, Michael Chletsos wrote:
> Along with all that was said below, a good place to look for compromises
> is in /var/log/messages
> This is where your system logs all sorts of things. But if the people who
> attacked you are good, (just because you are compromised, does not mean
> that the people are good) they will destroy this information. Look for
> out of the ordinary things, like weird user logins and weird sshd attempts
> or something of that sort.
> Also, just check your lastlog, they may not have been able to remove their
> entry from it.
> I say to check these things, a. because it is a good idea to check on your
> system and b. if they are sending mail you mail from their domain, it
> probably means that they are not that good. But it also might mean that
> josswin is compromised.
> Another good thing to do is get a good book on security. Sometimes they
> seem overwhelming, but there are some basic things you need to do if you
> want to secure a system on the network. Especially if you have a permanent
> connection (i.e. DSL). And try not to give out too much information about
> your server. I noticed that you advertise on your website that you are
> run by Suse 7.0. Which is a great ad for suse, but bad for you. By
> advertising your distribution, you advertise all known security flaws with
> it. Especially if you are not used to updating your system.
>
> enjoy,
> michael
>
> On Mon, 29 Jan 2001, Nix wrote:
> > Look if someone can break in and replace the sendmail.cf file, it means
> > that you have been compromised in some way to root level.
> > ie. You have been OWNED!
> > Don't take this lightly, you may even want to get the police involved as
> > it IS an offense. Meantime, do not connect your machine to the internet.
> > If this was my machine I would be rebuilding it from CD, and install ALL
> > security patches before connecting it back to the internet.
> > You MUST also use entirely new passwords, and you have to assume that
> > a sniffer as well as an ssh/sshd backdoor has been installed. This means
> > that any machines that you have connected from or to this machine may
> > also be compromised. DO NOT TAKE THIS LIGHTLY.
> > Unless you are SURE that you are better than the people who attacked you,
> > (and No offense intended, but if you were you would not have been broken
> > into in the manner) and know the files on your system intimately AND run
> > something like Tripwire or Aide, then you HAVE to assume the worst.
> >
> > I spent several days last week tracking an intrusion through a financial
> > institution.
> > (ie. I do this stuff for a living) so please take me seriously...
> >
> > Regards
> >
> > Nix
> >
> > At 02:08 PM 29/01/2001, you wrote:
> > >I will e-mail josswin, as he may be compromised.
> > >
> > >I am using Postfix, what should I look for on the server? Not sure if I
> > > have been broken into, but it's certainly shaken me up (and it's best to
> > > assume that I have been compromised, better safe than sorry).
> > >
> > >Now checking through Nix's website, nice to have a resource like that!
> > >
> > >Matt
> > >
> > >On Sunday 28 January 2001 05:53 pm, Nix wrote:
> > > > At 12:40 PM 29/01/2001, you wrote:
> > > > >Dear All
> > > > >
> > > > > > Here is the contents of that e-mail:
> > > > > >
> > > > > > From: FETCHMAIL-DAEMON@xxxxxxxxxxxx
> > > > > > To: matthew@xxxxxxxxxxxxxxx
> > > > > > Date: Mon, 29 Jan 2001 07:04:08 +0900
> > > > >
> > > > >I've been getting these for a few days. Not sure where from ?
> > > > >
> > > > >On Thursday night at midnight my net facing box was broken into and
> > > > >someone replaced sendmail.cf with another one. What this meant was
> > > > >that when my box downloaded mail it then forwarded it to many people
> > > > >on the internet. I discovered this and replaced sendmail.cf before
> > > > >any damage was done.
> > > > >
> > > > >Tonight I was about to reply to this e-mail at about midnight and
> > > > >someone broke in and destroyed my Pine 4.32 mail app. That meant
> > > > > that I couldn't send this mail either.
> > > > >
> > > > >So, what's going on ? I don't know either.
> > > >
> > > > Mate,
> > > > Unplug the box from the net. If it has been broken into you don't
> > > > know what has been compromised
> > > > Please email me back privately if you need help. I will be
> > > > contactable for the next 8hrs or so
> > > > by email. (I am ducking out to grab some lunch now, but will be back
> > > > in 20min..)
> > > >
> > > > Cheers
> > > >
> > > >
> > > > ---
> > > > Nix - nix@xxxxxxxxxxxxxxxx
> > > > http://www.susesecurity.com
> > > >
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: suse-security-unsubscribe@xxxxxxxx
> > > > For additional commands, e-mail: suse-security-help@xxxxxxxx
> > >
> >
> > ---
> > Nix - nix@xxxxxxxxxxxxxxxx
> > http://www.susesecurity.com
> >
> >
>



