Mailinglist Archive: opensuse-security (605 mails)
Re: [suse-security] Am I hacked???
- From: Eric Whiting <ewhiting@xxxxxxxx>
- Date: Thu, 11 Oct 2001 22:33:46 -0600
- Message-id: <3BC672AA.84C7C27F@xxxxxxxx>
Is there a chance that this wtmp entry:
xL ****@******* Wed Dec 31 17:00 - down (11605+01:26
1) Is caused by a 2.4.x kernel or system issue? or
2) Is a half-failed login attempt?
3) An artifact of hitting the OOM wall and my kernel and killing the
box?
I know it certainly looks like a hacker is logged in and trying to patch
up wtmp, but I can't find other signs of trouble.
I have several suse 7.0 and 6.x boxes (various places in networks) that
don't have this sign of problems. The person who first pointed this
symptom out was on a suse 7.1 box running a 2.4.7 kernel. One other
person noticed it on 7.2 boxes. My box was 2.4.8pre4 on suse 7.2.
I did a check of all /usr/bin /bin/ /sbin files. They all still have
the same checksum as these files on a box in another safer world. (I
used rsync -cnR -av -e ssh $SRC $DST to check these dirs) I did a manual
scp/diff of netstat/ps/ls/strings.
I did a tcpdump for 12hrs and checked all the packets. I don't see odd
stuff. I'll start another tcpdump.
This box is behind a firewall set to deny all but 22,25,80.
It is a fairly new install and I ran YOU when it was first installed
(Sep 1) and installed all security patches for 7.2.
eric
Boris Lorenz wrote:
>
> Yup,
>
> On 11-Oct-01 Stefan Suurmeijer wrote:
> > Disconnect it from the internet, but don't wipe it until you are sure what
> > happened. I wouldn't even power it down until you have checked it for
> > running daemons etc. Check
> > http://www.cert.org/tech_tips/root_compromise.html for steps to take to find
> > out if you were indeed hacked.
>
> yeah, I agree with you, first the analysis, then the scratching. But think of
> this: Would this post "Am I hacked???" appear in this list if the sender had
> skills in forensic-/post mortem system analysis? I guess not.
>
> > Those wtmp entries are indeed strange. Are you logging failed attempts as
> > well (lastb)? If so do you see strangeness there as well?
> > As for the connect from root@ etc: those are not local users, those are the
> > remote users connecting to your system.
> > Oct 8 10:56:13 main in.ftpd[17131]: connect from root@xxxxxxxxxxxxx
> > (203.90.83.203) means the root user of 203.90.83.203 connected to your ftp
> > port. As you obviously don't know this machine, this may have been an
> > attempt to gain illegal access, but from the log entries you provide we
> > can't see if it was successful.
> > Once you've found out exactly what happened, THEN wipe the machine. If you
> > re-install without knowing how (and if) they got in, chances are you will
> > leave the same hole open again and they will just get back on after you've
> > reinstalled.
>
> A post mortem analysis of a host believed to be cracked is a MUCH, MUCH more
> complicated process than ANY secure installation of a Linux system could ever
> be. It takes YEARS for professional analysts before they're able to do their
> work properly, so personally I would not recommend that to a
> newbieish-to-security lifeform ;) (NO puns intended!)...
>
> On the other hand, securely installing a Linux box is no trivial, but
> manageable task; install, switch off any unwanted services, install all
> relevant security patches, firewall it, go online, and keep up-to-date with the
> latest vulnerabilities. One finds a helluva lot more info about that than about
> system analysis, for obvious reasons.
>
> However, the link you provided to CERT's got-root'ed tips really is a good
> place to start; I have put a more compact version of this topic into the SuSE
> FAQ at http://www.susesecurity.com/faq ("One of my servers has been cracked
> open and overtaken by intruders. What now?") as well.
>
> Sorry for my rant ;)
>
> Happy hunting!
>
> > HTH
> >
> > Stefan
>
> Boris Lorenz <bolo@xxxxxxx>
> ---
>
> --
> To unsubscribe, e-mail: suse-security-unsubscribe@xxxxxxxx
> For additional commands, e-mail: suse-security-help@xxxxxxxx
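One check a responder could script for an entry like the one Eric quotes, as an added example (not code from this thread or from SuSE): parse raw wtmp records using the glibc utmp layout and flag user-process entries whose login time is zero (which `last` prints as the epoch start, i.e. 31 Dec 1969 17:00 in a US Mountain time zone) or whose ut_line is not a tty/pts name. The sample records are constructed, and the 384-byte little-endian layout is assumed to be that of a Linux glibc x86 wtmp.

```python
import struct
from datetime import datetime, timezone

# Assumed glibc utmp record layout on Linux x86/x86_64: 384 bytes, little-endian.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
BOOT_TIME, USER_PROCESS = 2, 7

def cstr(b):
    """Decode a NUL-padded fixed-width C string field."""
    return b.split(b"\0", 1)[0].decode("latin-1")

def parse_wtmp(data):
    """Split a raw wtmp byte string into a list of record dicts (trailing partial record ignored)."""
    records = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack(UTMP_FMT, data[off:off + UTMP_SIZE])
        records.append({"type": f[0], "pid": f[1], "line": cstr(f[2]),
                        "user": cstr(f[4]), "host": cstr(f[5]), "tv_sec": f[9]})
    return records

def find_anomalies(records):
    """Return (index, reason) pairs for records worth a closer look."""
    out = []
    for i, r in enumerate(records):
        if r["type"] != USER_PROCESS:
            continue
        if r["tv_sec"] == 0:
            # 'last' renders a zero tv_sec as the epoch; a zeroed or half-written record
            out.append((i, "zero login timestamp"))
        if not r["line"].startswith(("tty", "pts/")):
            out.append((i, "ut_line %r is not a tty/pts" % r["line"]))
    return out

def make_record(ut_type, line, user, host, tv_sec, pid=0):
    """Build one constructed 384-byte record for the sample data below."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)

# Constructed sample wtmp: a reboot marker, a normal ssh login, and a record
# resembling the one in the thread (line "xL", login time of zero).
SAMPLE_WTMP = (make_record(BOOT_TIME, "~", "reboot", "2.4.8pre4", 1002838800)
               + make_record(USER_PROCESS, "pts/0", "eric", "10.0.0.5", 1002839626, 4711)
               + make_record(USER_PROCESS, "xL", "nobody", "", 0))

if __name__ == "__main__":
    recs = parse_wtmp(SAMPLE_WTMP)
    for i, why in find_anomalies(recs):
        when = datetime.fromtimestamp(recs[i]["tv_sec"], timezone.utc)
        print(f"record {i}: {why}: user={recs[i]['user']} at {when:%Y-%m-%d %H:%M} UTC")
```

On a real system, read /var/log/wtmp in binary mode and pass its bytes to parse_wtmp; a compromised or crashing host can produce a zero-timestamp record either way, so the flag is a lead, not a verdict.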