First, unplug the network cable and make a backup of the whole system to study the intrusion. Second, install the system from CD.

To study the intruder, check /var/log/messages, the command 'last', /var/log/maillog, /var/log/secure, /var/log/warn, etc.

Install tcpwrappers. Install nessus, saint or some tools like that to check the security of your network. Create an MD5 checksum of your files (daily) and compare this to the one of the day before.

Read "Know your enemy" (http://www.enteract.com/~lspitz/enemy.html) and other security related papers.

Send an e-mail message to LISTSERV@SECURITYFOCUS.COM with a message body of:

    SUBSCRIBE BUGTRAQ Lastname, Firstname

to subscribe to bugtraq, a security mailing list. (BugTraq is a full disclosure moderated mailing list for the *detailed* discussion and announcement of computer security vulnerabilities: what they are, how to exploit them, and how to fix them.)

Send an email to or call the administrator of the network the intruder came from. Maybe this system is cracked, too.

--
Martin Peikert
Technical University Berlin
mp@tetm36.ee.tu-berlin.de

On Mon, 26 Jul 1999, Josef Frohn wrote:
> Dear all,
>
> I am using Suse5.2 with the according security-patches from the Suse server.
> We have a valid IP, which means that our server is accessible from the Internet.
> The server acts as a gateway for a small company network.
>
> Now it looks as if our system has been hacked. I had several imapd reports during the last time and it ended up with the following sequence in my /var/log/messages:
>
> ----------------------------
> Jul 14 13:24:52 server imapd[1819]: connect from root@<IP1>
> Jul 14 13:25:22 server in.telnetd[1820]: connect from <IP2>
> Jul 14 13:25:35 server login[1821]: no shadow password for `slovaka' on `ttyp3' from `pool051-max3.ds36-ca-us.dialup.<some-net>
> Jul 14 13:25:45 server su: (to r00t) slovaka on /dev/ttyp3
> --------------------------
>
> I checked with Yast the list of users and found the user "slovaka" and the user r00t (with root permissions!) as well.
> Besides that I can't see any further changes to the system.
>
> How did slovaka/r00t enter my system?
Study your system logs!
> How can I find out what he did? The numerical uid of him was the same as my personal account (500), so I can't use the id...
>
> I deleted those accounts and forced all users to change their passwords. But who enters the system within seconds once will be able to do it a 2nd time as well, so how can I close this hole?
Where from do you know that the intruder entered the system within seconds?
> Nobody uses imap in our group. Wouldn't it be best to stop imapd? I find no entry in rc.config and I don't know how to remove it from the startup scripts (can I just remove the imp<#> lines from /etc/services?)
Disable _any_ service in /etc/inetd.conf that you don't know/need and restart inetd (kill -1 PID-of-inetd). Read man-pages, HOWTOs, especially the Security-HOWTO.
> Any hint is appreciated!
>
> Josef
>
> BTW: I am using a different system to write this email....
> --
> Dr. J. Frohn - S.I.S. GmbH
> email: frohn@sis-gmbh.com
> Kaiserstr. 100
> http:\\www.sis-gmbh.com
> 52134 Herzogenrath - GERMANY
> T +49 (0) 2407 96147 -- F +49 (0) 2407 96275

---------------------------------------------------------------------
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
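The "study your system logs" and "same uid as my account" points above, as an added example that is not part of the thread: a first-pass triage of the account database and of syslog lines shaped like the ones Josef posted. It runs against copies of the files (from the backup taken before reinstalling), never on the live box. The passwd entries and log lines in write_samples are constructed for illustration; the addresses are documentation IPs, not the ones in the real log, and the tag names (NOSHADOW, SU->, CONNECT) are this example's own.

```shell
#!/bin/sh
# Added example, not from the original thread.  Triage of /etc/passwd and
# /var/log/messages copies after the intrusion described in the post.

# Accounts that are uid 0 but not named root: the "r00t" backdoor pattern.
uid0_aliases() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# uids shared by several accounts.  'last', 'ls -l' and 'ps' only see the
# number, which is why the poster could not attribute slovaka's actions.
duplicate_uids() {
    awk -F: '{ n[$3]++; who[$3] = who[$3] " " $1 }
             END { for (u in n) if (n[u] > 1) print u ":" who[u] }' "$1" | sort -n
}

# The log lines to read first: logins that bypass shadow, su to anything
# other than root, and every connect to imapd/telnetd.  Output is tagged so
# it can be sorted and counted.
suspicious_log_lines() {
    awk '
        /no shadow password/ { print "NOSHADOW " $0; next }
        /su: \(to /          { t = $0; sub(/.*su: \(to /, "", t); sub(/\).*/, "", t)
                               if (t != "root") print "SU->" t " " $0; next }
        /(imapd|in\.telnetd)\[[0-9]+\]: connect from/ { print "CONNECT  " $0 }
    ' "$1"
}

# Constructed sample input modelled on the lines in the post (not real data).
write_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
frohn:x:500:100:J. Frohn:/home/frohn:/bin/bash
slovaka:x:500:100::/home/slovaka:/bin/bash
r00t:x:0:0::/tmp:/bin/bash
EOF
    cat > "$1/messages" <<'EOF'
Jul 14 13:24:52 server imapd[1819]: connect from root@192.0.2.10
Jul 14 13:25:22 server in.telnetd[1820]: connect from 198.51.100.7
Jul 14 13:25:35 server login[1821]: no shadow password for `slovaka' on `ttyp3' from `pool051-max3.ds36-ca-us.dialup.example.net'
Jul 14 13:25:45 server su: (to r00t) slovaka on /dev/ttyp3
Jul 14 14:02:11 server su: (to root) frohn on /dev/tty1
EOF
}

# Usage: sh triage.sh demo   (or call the functions on real copies)
case "${1:-}" in
    demo)
        d=$(mktemp -d)
        write_samples "$d"
        echo "== uid 0 aliases";  uid0_aliases "$d/passwd"
        echo "== duplicate uids"; duplicate_uids "$d/passwd"
        echo "== log lines";      suspicious_log_lines "$d/messages"
        rm -rf "$d"
        ;;
esac
```

On the sample data this reports r00t as a second uid 0 account, uid 0 and uid 500 as shared, and four log lines, with the su to r00t tagged and the ordinary su to root left out. Duplicate uids are the reason "who did what" cannot be settled from file ownership or 'last' alone; the login and su lines, with their tty and source host, are what is left.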
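The advice to disable every service in /etc/inetd.conf you do not need and restart inetd with kill -1, as an added example that is not from the thread: it works on a copy of the file so the result can be reviewed before it is installed, keeps only the services named on the command line, and then signals inetd. It assumes the classic BSD inetd, which rereads its configuration on SIGHUP and writes its pid to /var/run/inetd.pid; the sample inetd.conf lines and the #DISABLED# marker are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: lock down inetd.conf to a known list of
# services and make inetd reread it.  Assumes BSD inetd (SIGHUP = reread,
# pid in /var/run/inetd.pid); adjust reload_inetd for other inetds.

# Print the service names of the lines that are currently active.
enabled_services() {
    awk '!/^[ \t]*(#|$)/ { print $1 }' "$1"
}

# disable_unlisted_services CONF KEEP...  -> new config on stdout.
# Every active line whose service is not in KEEP is commented out with a
# marker, so the change is visible in the file and easy to reverse.
disable_unlisted_services() {
    conf="$1"; shift
    awk -v keep="$*" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        /^[ \t]*(#|$)/ { print; next }        # comments and blank lines pass through
        $1 in ok       { print; next }        # wanted service stays as it was
        { print "#DISABLED# " $0 }            # everything else: off
    ' "$conf"
}

# Tell inetd to reread its configuration (kill -1 = SIGHUP).  Run as root.
reload_inetd() {
    pidfile="${1:-/var/run/inetd.pid}"
    [ -r "$pidfile" ] || { echo "no $pidfile; is inetd running?" >&2; return 1; }
    kill -1 "$(cat "$pidfile")"
}

# Constructed sample in the layout of a 1999-era SuSE inetd.conf.
write_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# See "man 8 inetd" for more information.
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
pop3    stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/popper -s
imap    stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
# finger stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd -w
EOF
}

# Usage: sh inetd-lockdown.sh demo
# For real: disable_unlisted_services /etc/inetd.conf ftp > /etc/inetd.conf.new,
# review it, move it into place, then reload_inetd.
case "${1:-}" in
    demo)
        f=$(mktemp)
        write_sample_inetd_conf "$f"
        disable_unlisted_services "$f" ftp > "$f.new"
        echo "still enabled: $(enabled_services "$f.new" | tr '\n' ' ')"
        rm -f "$f" "$f.new"
        ;;
esac
```

Removing the imap lines from /etc/services, as the post wonders, would not stop the listener: inetd binds the port named in inetd.conf, so that is the file to edit, and inetd only notices the edit after the SIGHUP. The tcpd wrapper on each line is what "install tcpwrappers" refers to; it gates whatever is still enabled by /etc/hosts.allow and /etc/hosts.deny.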
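The "MD5 checksum of your files, daily, compared with the one of the day before" that the reply recommends, as an added example that is not the thread's own: one baseline per day under a state directory, a comparison that reports added, removed and changed files, and a daily_check wrapper meant for cron. WATCH, BASEDIR and the file naming are this example's assumptions; it relies on GNU md5sum output ("hash, two spaces, path").

```shell
#!/bin/sh
# Added example, not from the thread: daily checksum baseline and diff.
# Caveat: a root-level intruder can replace md5sum, find and awk, or edit
# yesterday's baseline.  Keep the baselines (and ideally clean copies of the
# tools) on read-only or off-host storage, and trust the first baseline only
# if it was taken from a freshly installed system.

WATCH="${WATCH:-/bin /sbin /usr/bin /usr/sbin /etc}"   # trees to hash
BASEDIR="${BASEDIR:-/var/lib/integrity}"               # where baselines live

# make_baseline DIR... -> "md5  path" for every regular file, sorted by path.
make_baseline() {
    find "$@" -type f -exec md5sum {} + | sort -k 2
}

# compare_baselines OLD NEW -> prints ADDED/REMOVED/CHANGED lines, exit 1 if any.
# The path is everything after the hash and two spaces, so spaces in names
# survive; FILENAME is used instead of NR==FNR so an empty OLD is handled.
compare_baselines() {
    awk '
        { p = substr($0, length($1) + 3) }
        FILENAME == ARGV[1] { old[p] = $1; next }
        { new[p] = $1 }
        END {
            n = 0
            for (p in new) if (!(p in old))                    { print "ADDED   " p; n++ }
            for (p in old) if (!(p in new))                    { print "REMOVED " p; n++ }
            for (p in new) if ((p in old) && old[p] != new[p]) { print "CHANGED " p; n++ }
            exit (n > 0)
        }' "$1" "$2"
}

# daily_check: hash WATCH into today's baseline and diff against the newest
# previous one.  Non-zero exit means something differs; page on it from cron.
daily_check() {
    mkdir -p "$BASEDIR"
    today="$BASEDIR/$(date +%Y%m%d).md5"
    prev=$(ls "$BASEDIR"/*.md5 2>/dev/null | grep -v "$today" | tail -n 1)
    make_baseline $WATCH > "$today"        # unquoted on purpose: WATCH is a list
    [ -n "$prev" ] || { echo "first baseline written to $today"; return 0; }
    compare_baselines "$prev" "$today"
}

# Usage: sh integrity.sh run   (e.g. from /etc/crontab once a day)
case "${1:-}" in
    run) daily_check ;;
esac
```

The comparison deliberately reports removals and additions, not only changed hashes: an intruder's extra binaries in /usr/sbin or a deleted log rotation script show up the same way a trojaned /bin/login does. Hashing with the compromised host's own md5sum is the weak point, which is why the reply orders a reinstall from CD first and a baseline second.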