Hi out there... I've got a big problem... A few folders disappeared from my samba-dir (unfortunately they were the most important I ever had :( ). Well, that's not the real problem. After this I checked /var/log/messages and got the following:

Sep 5 22:18:21 monika sshd[2616]: Did not receive ident string from 62.225.211.70.
Sep 5 22:18:23 monika sshd[2623]: Did not receive ident string from 62.225.211.70.
Sep 5 22:18:26 monika in.ftpd[2615]: connect from 62.225.211.70 (62.225.211.70)
Sep 5 22:18:26 monika in.telnetd[2617]: connect from 62.225.211.70 (62.225.211.70)
Sep 5 22:18:26 monika in.fingerd[2618]: connect from 62.225.211.70 (62.225.211.70)
Sep 5 22:18:26 monika popper[2619]: connect from 62.225.211.70 (62.225.211.70)
Sep 5 22:18:26 monika popper[2619]: error: cannot execute /usr/sbin/popper: No such file or directory
Sep 5 22:18:26 monika fingerd[2618]: getpeername: Transport endpoint is not connected
Sep 5 22:18:26 monika ftpd[2615]: getpeername (in.ftpd): Transport endpoint is not connected
Sep 5 22:18:31 monika in.ftpd[2622]: connect from 62.225.211.70 (62.225.211.70)
Sep 5 22:18:33 monika in.telnetd[2624]: connect from 62.225.211.70 (62.225.211.70)
Sep 5 22:18:34 monika telnetd[2624]: ttloop: peer died: EOF
Sep 5 22:18:36 monika in.fingerd[2625]: connect from 62.225.211.70 (62.225.211.70)
Sep 5 22:18:38 monika popper[2626]: connect from 62.225.211.70 (62.225.211.70)
Sep 5 22:18:38 monika popper[2626]: error: cannot execute /usr/sbin/popper: No such file or directory

If I'm not wrong, this says that someone was very interested in my router. Unfortunately there wasn't any firewall and no good protection (how stupid I was...). How can I see if he got into my system and deleted my folders? Can you tell me what signs indicate that he is already in my router? Is there a way to hide a program from ps -axl?

Thanks for any help!

Max

--- I'm securing my system now...
On Thu, 6 Sep 2001 12:05:07 +0200 (CEST), Max Lindner wrote:
Hi out there... I've got a big problem... A few folders disappeared from my samba-dir (unfortunately they were the most important I ever had :( ).
Well, that's not the real problem. After this I checked /var/log/messages and got the following:

Sep 5 22:18:21 monika sshd[2616]: Did not receive ident string from 62.225.211.70.
Sep 5 22:18:23 monika sshd[2623]: Did not receive ident string from 62.225.211.70.
Sep 5 22:18:26 monika in.ftpd[2615]: connect from 62.225.211.70 (62.225.211.70)
Sep 5 22:18:26 monika in.telnetd[2617]: connect from 62.225.211.70 (62.225.211.70)
Sep 5 22:18:26 monika in.fingerd[2618]: connect from 62.225.211.70 (62.225.211.70)
Sep 5 22:18:26 monika popper[2619]: connect from 62.225.211.70 (62.225.211.70)
Sep 5 22:18:26 monika popper[2619]: error: cannot execute /usr/sbin/popper: No such file or directory
Sep 5 22:18:26 monika fingerd[2618]: getpeername: Transport endpoint is not connected
Sep 5 22:18:26 monika ftpd[2615]: getpeername (in.ftpd): Transport endpoint is not connected
Sep 5 22:18:31 monika in.ftpd[2622]: connect from 62.225.211.70 (62.225.211.70)
Sep 5 22:18:33 monika in.telnetd[2624]: connect from 62.225.211.70 (62.225.211.70)
Sep 5 22:18:34 monika telnetd[2624]: ttloop: peer died: EOF
Sep 5 22:18:36 monika in.fingerd[2625]: connect from 62.225.211.70 (62.225.211.70)
Sep 5 22:18:38 monika popper[2626]: connect from 62.225.211.70 (62.225.211.70)
Sep 5 22:18:38 monika popper[2626]: error: cannot execute /usr/sbin/popper: No such file or directory

If I'm not wrong, this says that someone was very interested in my router.
That is what a standard tcp portscan will look like in logs..
Unfortunately there wasn't any firewall and no good protection (what was I stupid...)
It also looks like pop3 was misconfigured :-(
How can I see if he got into my system and deleted my folders? Can you tell me what signs indicate that he is already in my router? Is there a way to hide a program from ps -axl?
Thanks for any help!
Max
--- I'm securing my system now...
You might want to check out http://www.susesecurity.com/faq/

If you think your system has been compromised, and you are not 100% sure you know more than every hacker out there, you should rebuild your machine from clean media (CD/DVD).

I would give that box up as a lesson, and learn how to configure a new one securely.

Have a read through the FAQ, then post again with any more questions you may have. We will help you.

--
Have fun
Nix - nix@susesecurity.com
http://www.susesecurity.com
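Nix's point that these lines are "what a standard tcp portscan will look like in logs" can be turned into a check rather than an eyeball judgement. The following is an added example, not code from this thread: it parses syslog lines of the inetd/tcp_wrappers and sshd form shown in Max's post and flags any source address that touched several distinct services within a short window. The log lines in SAMPLE_LOG are constructed (documentation-range addresses, not the address from the post), and the thresholds in find_scanners are assumptions to tune for your own logs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same format as the post's /var/log/messages
# excerpt. 192.0.2.10 walks several services in a few seconds; 198.51.100.7
# makes a single ftp connection and should not be flagged.
SAMPLE_LOG = """\
Sep  5 22:18:21 monika sshd[2616]: Did not receive ident string from 192.0.2.10.
Sep  5 22:18:23 monika sshd[2623]: Did not receive ident string from 192.0.2.10.
Sep  5 22:18:26 monika in.ftpd[2615]: connect from 192.0.2.10 (192.0.2.10)
Sep  5 22:18:26 monika in.telnetd[2617]: connect from 192.0.2.10 (192.0.2.10)
Sep  5 22:18:26 monika in.fingerd[2618]: connect from 192.0.2.10 (192.0.2.10)
Sep  5 22:18:26 monika popper[2619]: connect from 192.0.2.10 (192.0.2.10)
Sep  5 22:18:26 monika popper[2619]: error: cannot execute /usr/sbin/popper: No such file or directory
Sep  5 22:18:26 monika fingerd[2618]: getpeername: Transport endpoint is not connected
Sep  5 22:19:40 monika in.ftpd[2700]: connect from 198.51.100.7 (198.51.100.7)
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host program[pid]: message".
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[\w.\-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Both the tcp_wrappers "connect from" line and sshd's ident complaint carry
# the peer address; either one proves a TCP connection reached the service.
CONNECT_RE = re.compile(
    r"(?:connect from|Did not receive ident string from) "
    r"(?P<src>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
)


def parse_events(text, year=2001):
    """Return (timestamp, source_ip, program) for every inbound-connection line.

    Syslog omits the year, so it is supplied by the caller (assumption).
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        c = CONNECT_RE.search(m["msg"])
        if not c:
            continue  # error lines, getpeername noise, etc.
        ts = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        events.append((ts, c["src"], m["prog"]))
    return events


def find_scanners(events, min_services=3, window_seconds=60):
    """Map source IP -> sorted service list for sources that hit at least
    min_services distinct programs inside any window_seconds window."""
    by_src = defaultdict(list)
    for ts, src, prog in events:
        by_src[src].append((ts, prog))

    hits = {}
    for src, items in by_src.items():
        items.sort()
        for i in range(len(items)):
            start = items[i][0]
            services = set()
            for ts, prog in items[i:]:
                if (ts - start).total_seconds() > window_seconds:
                    break
                services.add(prog)
            if len(services) >= min_services:
                hits[src] = sorted(services)
                break  # one window is enough to flag this source
    return hits


if __name__ == "__main__":
    for src, services in find_scanners(parse_events(SAMPLE_LOG)).items():
        print(f"{src}: probed {', '.join(services)}")
```

The distinct-services-per-window rule is what separates a sweep from a single misbehaving client: one host retrying ftp ten times is not a scan, one host touching ssh, ftp, telnet, finger and pop3 in five seconds is. A source that is flagged has at that point only probed; whether any service answered usefully (here popper was not even installed) is the next question to take to the service's own logs.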
On Thu, 6 Sep 2001, Max Lindner wrote:
Unfortunately there wasn't any firewall and no good protection (how stupid I was...)

yes, kinda :-)
How can I see if he got into my system and deleted my folders? Can you tell me what signs indicate that he is already in my router? Is there a way to hide a program from ps -axl?
not sure whether the deletion of your folders is a related thing, real crackers usually do not want to be detected, deleting some folders is a nice way to get some attention indeed.

There are various internet sources on how to detect a break-in, try securityfocus, securityportal, and cert sites. Maybe just google for 'detecting breakin linux'

Good luck!
Dirk
Max Lindner wrote:
How can I see if he got into my system and deleted my folders? Can you tell me what signs indicate that he is already in my router? Is there a way to hide a program from ps -axl?
Every rootkit will hide the cracker's activities - you can't trust ps, ls, top and others on your system any longer. If you want to detect a rootkit, try http://www.chkrootkit.org/

HTH
Martin
--
martin.peikert@innominate.com
if you want to send mail to me, please encrypt - key info: http://blackhole.pca.dfn.de:11371/pks/lookup?op=index&search=0x7FF37EA8
key fingerprint: ABF9 ADC3 B761 5386 7F15 9C31 C2D0 844B 7FF3 7EA8
Hi Martin! On Thu, 06 Sep 2001, Martin Peikert wrote:
Max Lindner wrote:
How can I see if he got into my system and deleted my folders? Can you tell me what signs indicate that he is already in my router? Is there a way to hide a program from ps -axl?
Every rootkit will hide the cracker's activities - you can't trust ps, ls, top and others on your system any longer. If you want to detect a rootkit, try http://www.chkrootkit.org/
there is still a kind-of-ok source of information, namely the proc file system.
but indeed, you need a tool to systematically check for intrusion, and not make guesses.

--
teodor
On Thu, 6 Sep 2001 14:28:45 +0300 teo@gecadsoftware.com wrote:
Hi Martin! On Thu, 06 Sep 2001, Martin Peikert wrote:
Max Lindner wrote:
How can I see if he got into my system and deleted my folders? Can you tell me what signs indicate that he is already in my router? Is there a way to hide a program from ps -axl?
Every rootkit will hide the cracker's activities - you can't trust ps, ls, top and others on your system any longer. If you want to detect a rootkit, try http://www.chkrootkit.org/
there is still a kind-of-ok source of information, namely the proc file system.
but indeed, you need a tool to systematically check for intrusion, and not make guesses.
-- teodor
The /proc filesystem will not be correct with some of the newer kernel module based rootkits...

--
Have fun
Nix - nix@susesecurity.com
http://www.susesecurity.com
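The cross-check teo is hinting at, as an added example that is not code from this thread: list the numeric entries in /proc and compare them with the PIDs that ps -axl prints, so a process that a trojaned ps omits shows up as a PID that exists in /proc but not in the ps listing. It assumes Linux with a procps-style ps whose -axl header carries a PID column; the function names and the ps output in SAMPLE_PS_AXL are constructed for the example. Nix's caveat applies in full: a kernel-module rootkit can filter /proc as well, so an empty result is not a clean bill of health, while a non-empty one is a reason to take the disk to rescue media.

```python
import os
import subprocess

# Constructed ps -axl output in the usual procps column layout.
SAMPLE_PS_AXL = """\
F   UID   PID  PPID PRI  NI    VSZ   RSS WCHAN  STAT TTY        TIME COMMAND
4     0     1     0  20   0  10000  2000 -      Ss   ?          0:01 /sbin/init
1     0     2     0  20   0      0     0 -      S    ?          0:00 [kthreadd]
4     0  4711     1  20   0  20000  3000 -      S    ?          0:00 /usr/sbin/inetd
"""


def pids_from_proc(proc_root="/proc"):
    """PIDs according to the kernel's own view: numeric directories in /proc."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pids_from_ps_output(text):
    """PIDs according to ps -axl, located by the PID column in the header row."""
    lines = text.splitlines()
    if not lines:
        return set()
    header = lines[0].split()
    if "PID" not in header:
        raise ValueError("ps output has no PID column")
    col = header.index("PID")
    pids = set()
    for line in lines[1:]:
        fields = line.split()
        if len(fields) > col and fields[col].isdigit():
            pids.add(int(fields[col]))
    return pids


def compare_snapshots(proc_before, proc_after, ps_visible):
    """PIDs present in /proc both before and after ps ran, yet absent from ps.

    Requiring presence in both snapshots discards processes that started or
    exited while ps was running (including the ps process itself), which would
    otherwise produce false alarms.
    """
    return sorted((proc_before & proc_after) - ps_visible)


def hidden_processes(proc_root="/proc"):
    """Live check: returns the list of PIDs ps -axl does not report."""
    before = pids_from_proc(proc_root)
    out = subprocess.run(["ps", "-axl"], capture_output=True, text=True, check=True)
    after = pids_from_proc(proc_root)
    return compare_snapshots(before, after, pids_from_ps_output(out.stdout))


if __name__ == "__main__":
    for pid in hidden_processes():
        comm = "?"
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
        except OSError:
            pass
        print(f"PID {pid} ({comm}) is in /proc but not in ps -axl")
```

This is essentially what tools in the chkrootkit family do for the "hidden process" test, and it is cheap enough to run from cron as a tripwire; the decision it informs is the one Nix already gave, rebuild from clean media, not a hunt for the hidden binary on the live system.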
* Max Lindner wrote on Thu, Sep 06, 2001 at 12:05 +0200:
How can I see if he got into my system and deleted my folders? Can you tell me what signs indicate that he is already in my router? Is there a way to hide a program from ps -axl?
Of course. For instance, an attacker could replace ps with some trojaned ps. This can be detected: copy the ps binary to some other host and do an md5sum compare or a cmp. Of course these other machines need exactly the same distro/installation. Well, even this could be faked (the trojaned system could deliver the original ps on reads, but execute a trojaned ps on exec); I don't know if this is a common practice.

Second, you could use rpm -V <package>. "ps" is in "ps" (rpm -qf `which ps`), so you can check "rpm -V ps". But of course RPM and its database could be trojaned too, at least theoretically, but I've not heard about such things.

I suggest to boot from some rescue CD, mount / ro,noexec and do your checks after that. The CD system cannot be trojaned (AFAIK :)), so you can trust md5sum, cmp, strings or whatever you need to check. But it's difficult, since it's not clear what to look for. Maybe start checking /etc/inetd.conf and the boot scripts /etc/rc.d/*.

oki,
Steffen

--
This message was generated by machine and therefore bears neither signature nor seal.
Steffen Dettmer wrote:
Of course. For instance, an attacker could replace ps with some trojaned ps. This can be detected: copy the ps binary to some other host and do an md5sum compare or a cmp. Of course these other machines need exactly the same distro/installation. Well, even this could be faked (the trojaned system could deliver the original ps on reads, but execute a trojaned ps on exec); I don't know if this is a common practice.

Second, you could use rpm -V <package>. "ps" is in "ps" (rpm -qf `which ps`), so you can check "rpm -V ps". But of course RPM and its database could be trojaned too, at least theoretically, but I've not heard about such things.
Another possibility would be to set up a tar file with self-compiled binaries of the most important tools (ps, netstat etc.) and use this to check the system. But that can't work if somebody installed a kernel module. So I recommend installing all server systems, or machines permanently connected to the internet, without module support. Also md5 checking (tripwire etc.) is a good start.

--
intraDAT AG
http://www.intradat.com
Wilhelm-Leuschner-Strasse 7
D - 60329 Frankfurt am Main
Tel: +49 69-25629-0
Fax: +49 69-25629-256
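Steffen's md5sum/cmp comparison against a known-good host and Sven's tripwire-style md5 checking come down to the same mechanism: a manifest of file hashes taken from trusted media, compared later against the suspect system. The following is an added example, not code from this thread, that implements that mechanism in Python; it uses SHA-256 rather than the MD5 the thread mentions, since MD5 is no longer collision resistant. The function names build_manifest/verify are the example's own, and the directory trees and file contents in demo() are constructed to show the three outcomes (unchanged, modified, missing). The manifest belongs off the host, and the check belongs on rescue media as Steffen suggests, because on a trojaned system even the hashing tool and the filesystem reads it depends on can lie.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, algo="sha256"):
    """Hex digest of a file, read in chunks so large binaries are fine."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, names, algo="sha256"):
    """Hash the named files under a trusted root (clean install, rescue media).

    Returns {relative_name: digest}; names that do not exist are skipped.
    """
    root = Path(root)
    return {n: file_digest(root / n, algo) for n in names if (root / n).is_file()}


def verify(root, manifest, algo="sha256"):
    """Compare the files under a suspect root against a trusted manifest."""
    root = Path(root)
    report = {"ok": [], "modified": [], "missing": []}
    for name, expected in manifest.items():
        p = root / name
        if not p.is_file():
            report["missing"].append(name)
        elif file_digest(p, algo) != expected:
            report["modified"].append(name)
        else:
            report["ok"].append(name)
    return report


def demo():
    """Constructed scenario: a trusted tree and a suspect tree that differ.

    Both trees get the same stand-in 'binaries'; in the suspect tree 'ps' is
    then overwritten and 'ls' deleted, mimicking a replaced and a removed tool.
    """
    with tempfile.TemporaryDirectory() as trusted, tempfile.TemporaryDirectory() as suspect:
        names = ["bin/ps", "bin/netstat", "bin/ls"]
        for base in (trusted, suspect):
            for n in names:
                p = Path(base) / n
                p.parent.mkdir(parents=True, exist_ok=True)
                p.write_bytes(f"#!/bin/sh\necho {n}\n".encode())
        # Constructed tampering in the suspect tree only.
        (Path(suspect) / "bin/ps").write_bytes(b"#!/bin/sh\nexec /bin/true\n")
        (Path(suspect) / "bin/ls").unlink()

        manifest = build_manifest(trusted, names)
        return verify(suspect, manifest)


if __name__ == "__main__":
    result = demo()
    for status, files in result.items():
        for name in files:
            print(f"{status:9s} {name}")
```

Two details matter when this is used for real rather than on the constructed trees above: the manifest must be produced from an installation of exactly the same distribution and package versions (Steffen's point), otherwise every legitimately different build reads as "modified"; and the manifest itself has to be kept where the suspect host cannot rewrite it, or an intruder simply re-hashes the replaced tools.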
participants (7)
- dirk janssen
- Martin Peikert
- Max Lindner
- Peter Nixon
- Steffen Dettmer
- Sven Michels
- teo@gecadsoftware.com