
************************* new developments already: I just checked a windows box that the linux box masquerades for: and under networking configuration there is no longer a NIC installed! It looks like I'm getting hit there too. Now I'm afraid to reboot that one too! Some slowdown in performance as well.
I don't see any processes running there that shouldn't be!
Just a few questions.
blackbox is the server name, and 192.168.0.2 is a remote computer on my network. I have thousands of these in my /var/log/messages file. What's going on? Every 2 or 3 seconds this entry appears.
Aug 6 09:51:18 blackbox popper[2803]: connect from 192.168.0.2
Aug 6 09:51:19 blackbox popper[2804]: connect from 192.168.0.2
Aug 6 09:56:21 blackbox popper[2805]: connect from 192.168.0.2
Aug 6 09:56:22 blackbox popper[2806]: connect from 192.168.0.2
Aug 6 10:01:24 blackbox popper[2831]: connect from 192.168.0.2
Aug 6 10:01:25 blackbox popper[2832]: connect from 192.168.0.2
Aug 6 10:06:27 blackbox popper[2834]: connect from 192.168.0.2
Aug 6 10:06:28 blackbox popper[2835]: connect from 192.168.0.2
Aug 6 10:11:30 blackbox popper[2836]: connect from 192.168.0.2
Aug 6 10:11:31 blackbox popper[2837]: connect from 192.168.0.2
Also, was this a successful logon (below) or an attempt?
Aug 5 20:24:21 blackbox login[1195]: ILLEGAL ROOT LOGIN on `ttyp0' from `192.168.0.2'
I was looking through the log files because when I ran YaST, no settings were retrieved. Hostname showed as blank, no ethernet cards or IP addresses, everything. (naturally this concerned me) Now I'm afraid to reboot! My rc.config looks perfectly normal though. Where else should I look for some possible foul play?
[5 minutes later] I just rechecked rc.config. (it was fine ten minutes ago) Now it's pretty much gone. This is all that is left:
LANGUAGE="english"
START_INETD="yes"
START_PORTMAP="yes"
NFS_SERVER="yes"
Yes, that's it. Definitely not a good time to reboot! As far as I can tell, I'm [root] the only user logged on.
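The two log patterns asked about above can be checked mechanically rather than by eye. The following Python script is an added example, not part of the original thread: it parses the /var/log/messages lines quoted in the post (embedded as sample input; the year is assumed to be 1999, since syslog lines carry none), groups the popper connections per source address, measures how tightly they cluster, and extracts login's ILLEGAL ROOT LOGIN entries. That message is what login records when a root login is refused because the terminal is not listed in /etc/securetty; the login did not succeed, but ttyp0 is a pseudo-terminal, so the entry still marks a deliberate root attempt over the network from 192.168.0.2 and belongs in the incident timeline. On the sample, the popper connections arrive in pairs about five minutes apart rather than as a burst, which is the shape of a mail client polling a POP3 server; many connections inside a single minute would look like a scan or password guessing, and the script reports that case separately (the one-minute window and the threshold of five are assumed values, not from the post).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the /var/log/messages lines quoted in the post,
# embedded here so the script runs offline.
SAMPLE_LOG = """\
Aug 6 09:51:18 blackbox popper[2803]: connect from 192.168.0.2
Aug 6 09:51:19 blackbox popper[2804]: connect from 192.168.0.2
Aug 6 09:56:21 blackbox popper[2805]: connect from 192.168.0.2
Aug 6 09:56:22 blackbox popper[2806]: connect from 192.168.0.2
Aug 6 10:01:24 blackbox popper[2831]: connect from 192.168.0.2
Aug 6 10:01:25 blackbox popper[2832]: connect from 192.168.0.2
Aug 6 10:06:27 blackbox popper[2834]: connect from 192.168.0.2
Aug 6 10:06:28 blackbox popper[2835]: connect from 192.168.0.2
Aug 6 10:11:30 blackbox popper[2836]: connect from 192.168.0.2
Aug 6 10:11:31 blackbox popper[2837]: connect from 192.168.0.2
Aug 5 20:24:21 blackbox login[1195]: ILLEGAL ROOT LOGIN on `ttyp0' from `192.168.0.2'
"""

# Classic BSD syslog line: "Mon  D HH:MM:SS host prog[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s(?P<time>\d\d:\d\d:\d\d)\s"
    r"(?P<host>\S+)\s(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?:\s(?P<msg>.*)$"
)
CONNECT_RE = re.compile(r"^connect from (?P<src>\S+)$")
ROOT_RE = re.compile(r"^ILLEGAL ROOT LOGIN on `(?P<tty>[^']+)' from `(?P<src>[^']+)'$")

BURST_WINDOW_S = 60    # assumed: look for many connections inside one minute ...
BURST_THRESHOLD = 5    # assumed: ... and call it a burst at this many


def parse_line(line, year=1999):
    """Return a dict for one syslog line, or None if it does not match.
    Syslog lines carry no year, so the caller supplies one (1999 assumed here)."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    stamp = datetime.strptime(
        f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": stamp, "host": m["host"], "prog": m["prog"], "msg": m["msg"]}


def max_in_window(stamps, window_s):
    """Largest number of events falling inside any window_s-second span (stamps sorted)."""
    best, j = 0, 0
    for i in range(len(stamps)):
        while j < len(stamps) and (stamps[j] - stamps[i]).total_seconds() <= window_s:
            j += 1
        best = max(best, j - i)
    return best


def summarize(text):
    """Group 'connect from' lines per (program, source) and pull out refused root logins."""
    connects = defaultdict(list)
    root_attempts = []
    for raw in text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        c = CONNECT_RE.match(ev["msg"])
        if c:
            connects[(ev["prog"], c["src"])].append(ev["ts"])
            continue
        r = ROOT_RE.match(ev["msg"])
        if r:
            root_attempts.append({"ts": ev["ts"], "tty": r["tty"], "src": r["src"]})
    report = {}
    for key, stamps in connects.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        peak = max_in_window(stamps, BURST_WINDOW_S)
        report[key] = {
            "count": len(stamps),
            "first": stamps[0],
            "last": stamps[-1],
            "min_gap_s": min(gaps) if gaps else None,
            "max_gap_s": max(gaps) if gaps else None,
            "peak_per_minute": peak,
            "verdict": ("burst: possible scan or password guessing" if peak >= BURST_THRESHOLD
                        else "low rate: consistent with periodic client polling"),
        }
    return {"connects": report, "root_attempts": root_attempts}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for (prog, src), info in result["connects"].items():
        print(f"{prog} from {src}: {info['count']} connections between {info['first']} and "
              f"{info['last']}, gaps {info['min_gap_s']}-{info['max_gap_s']}s, "
              f"peak {info['peak_per_minute']}/min -> {info['verdict']}")
    for a in result["root_attempts"]:
        print(f"{a['ts']}: refused root login on {a['tty']} from {a['src']}")
```

Run it against a real file with `summarize(open("/var/log/messages").read())`; the grouping key includes the program name, so connections to other inetd services from the same host show up as separate rows.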

I think you should unplug your ethernet cable!
***************************
* Doug Gray *
* dag@umr.edu *
* http://www.umr.edu/~dag *
***************************
On Fri, 6 Aug 1999, Stephen Smith wrote:
> ************************* new developments already: I just checked a windows box that the linux box masquerades for: and under networking configuration there is no longer a NIC installed! It looks like I'm getting hit there too. Now I'm afraid to reboot that one too! Some slowdown in performance as well.
> I don't see any processes running there that shouldn't be!
> Just a few questions.
> blackbox is the server name, and 192.168.0.2 is a remote computer on my network. I have thousands of these in my /var/log/messages file. What's going on? Every 2 or 3 seconds this entry appears.
> Aug 6 09:51:18 blackbox popper[2803]: connect from 192.168.0.2
> Aug 6 09:51:19 blackbox popper[2804]: connect from 192.168.0.2
> Aug 6 09:56:21 blackbox popper[2805]: connect from 192.168.0.2
> Aug 6 09:56:22 blackbox popper[2806]: connect from 192.168.0.2
> Aug 6 10:01:24 blackbox popper[2831]: connect from 192.168.0.2
> Aug 6 10:01:25 blackbox popper[2832]: connect from 192.168.0.2
> Aug 6 10:06:27 blackbox popper[2834]: connect from 192.168.0.2
> Aug 6 10:06:28 blackbox popper[2835]: connect from 192.168.0.2
> Aug 6 10:11:30 blackbox popper[2836]: connect from 192.168.0.2
> Aug 6 10:11:31 blackbox popper[2837]: connect from 192.168.0.2
> Also, was this a successful logon (below) or an attempt?
> Aug 5 20:24:21 blackbox login[1195]: ILLEGAL ROOT LOGIN on `ttyp0' from `192.168.0.2'
> I was looking through the log files because when I ran YaST, no settings were retrieved. Hostname showed as blank, no ethernet cards or IP addresses, everything. (naturally this concerned me) Now I'm afraid to reboot! My rc.config looks perfectly normal though. Where else should I look for some possible foul play?
> [5 minutes later] I just rechecked rc.config. (it was fine ten minutes ago) Now it's pretty much gone. This is all that is left:
> LANGUAGE="english"
> START_INETD="yes"
> START_PORTMAP="yes"
> NFS_SERVER="yes"
> Yes, that's it. Definitely not a good time to reboot! As far as I can tell, I'm [root] the only user logged on.
> --
> To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
> For additional commands, e-mail: suse-security-help@suse.com

I unplugged my hub immediately when I saw that. Now I'm at a standalone computer with a dial-up connection. I do have partial back-ups of critical files (including rc.config), but do you think it is safe to restore these over a hacked system? I assume some back-doors have been left wide open, and I'm not so sure I can find them. I have some good firewall rules set up (I'd cut and paste, but I'm not connected to the linux box). I think maybe I should try a standalone module in addition. Any recommendations? I also have some rules not only in my Linux server, but in my router as well, allowing ONLY very specific port traffic through using NAT tables. Anything else should be denied by the router before it ever sees my linux box. (port 22, 23, 80, 8080, and just a few others... ftp.)
----- Original Message -----
From: Doug <dag@umr.edu>
To: Stephen Smith <butch@null.net>
Cc: <suse-security@suse.com>
Sent: Friday, August 06, 1999 1:41 PM
Subject: Re: [suse-security] uh-oh more!
> I think you should unplug your ethernet cable!
> ***************************
> * Doug Gray *
> * dag@umr.edu *
> * http://www.umr.edu/~dag *
> ***************************
> On Fri, 6 Aug 1999, Stephen Smith wrote:
> > ************************* new developments already: I just checked a windows box that the linux box masquerades for: and under networking configuration there is no longer a NIC installed! It looks like I'm getting hit there too. Now I'm afraid to reboot that one too! Some slowdown in performance as well.
> > I don't see any processes running there that shouldn't be!
> > Just a few questions.
> > blackbox is the server name, and 192.168.0.2 is a remote computer on my network. I have thousands of these in my /var/log/messages file. What's going on? Every 2 or 3 seconds this entry appears.
> > Aug 6 09:51:18 blackbox popper[2803]: connect from 192.168.0.2
> > Aug 6 09:51:19 blackbox popper[2804]: connect from 192.168.0.2
> > Aug 6 09:56:21 blackbox popper[2805]: connect from 192.168.0.2
> > Aug 6 09:56:22 blackbox popper[2806]: connect from 192.168.0.2
> > Aug 6 10:01:24 blackbox popper[2831]: connect from 192.168.0.2
> > Aug 6 10:01:25 blackbox popper[2832]: connect from 192.168.0.2
> > Aug 6 10:06:27 blackbox popper[2834]: connect from 192.168.0.2
> > Aug 6 10:06:28 blackbox popper[2835]: connect from 192.168.0.2
> > Aug 6 10:11:30 blackbox popper[2836]: connect from 192.168.0.2
> > Aug 6 10:11:31 blackbox popper[2837]: connect from 192.168.0.2
> > Also, was this a successful logon (below) or an attempt?
> > Aug 5 20:24:21 blackbox login[1195]: ILLEGAL ROOT LOGIN on `ttyp0' from `192.168.0.2'
> > I was looking through the log files because when I ran YaST, no settings were retrieved. Hostname showed as blank, no ethernet cards or IP addresses, everything. (naturally this concerned me) Now I'm afraid to reboot! My rc.config looks perfectly normal though. Where else should I look for some possible foul play?
> > [5 minutes later] I just rechecked rc.config. (it was fine ten minutes ago) Now it's pretty much gone. This is all that is left:
> > LANGUAGE="english"
> > START_INETD="yes"
> > START_PORTMAP="yes"
> > NFS_SERVER="yes"
> > Yes, that's it. Definitely not a good time to reboot! As far as I can tell, I'm [root] the only user logged on.

On Sat, Aug 07, 1999 at 01:51:28AM -0700, butch@null.net wrote:
> I unplugged my hub immediately when I saw that. Now I'm at a standalone computer with a dial-up connection. I do have partial back-ups of critical files (including rc.config), but do you think it is safe to restore these over a hacked system? I assume some back-doors have been left wide open, and I'm not so sure I can find them. I have some good firewall rules set up (I'd cut and paste, but I'm not connected to the linux box).
Unplugging was a good idea. I'd stay off the 'net until you get this sorted out. OK, the first thing you should do is probably to back up your current system, so you can peruse it later to see what the attacker did. If this is not an option, keep the logs around (you can track him via the IP/DNS). The best thing to do at this point is start with a clean install, because you probably got rootkitted, meaning your system is full of trojaned programs and other nasty things to allow the malicious parties easy access to your computer at a later date. The interesting and drastic changes to rc.config lead me to believe this. If they were so kind as to leave the rootkit readme and install stuff lying around, you can try to undo what he did, but don't put the box up into production unless you are absolutely _sure_ you got _everything_, because he knows what he put there, and he'll try to use all of it. These are really the only safe assumptions. You also might want to check the previous thread; there were a lot of good tips in "Recovering from a break in" ;)
> I think maybe I should try a standalone module in addition. Any recommendations? I also have some rules not only in my Linux server, but in my router as well, allowing ONLY very specific port traffic through using NAT tables. Anything else should be denied by the router before it ever sees my linux box. (port 22, 23, 80, 8080, and just a few others... ftp.)
Good. Very good. Keep up the good work here. Good luck.
--
Jeff
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/M/>P d-(pu) s+:- a17>? C++(++++) L+++ UL++(+++)@>++++$ P+ E W++@ N+ o? K- w--- O? M V- PS+ PE(--)@ Y++@ PGP t+ 5 X++@ R++@ !tv@ b++ DI++++ D- G e- h! r++ y?
------END GEEK CODE BLOCK------

butch@null.net said:
> I unplugged my hub immediately when I saw that. Now I'm at a standalone computer with a dial-up connection. I do have partial back-ups of critical files (including rc.config), but do you think it is safe to restore these over a hacked system? I assume some back-doors have been left wide open, and I'm not so sure I can find them. I have some good firewall rules set up (I'd cut and paste, but I'm not connected to the linux box).
You're right, it's probably (never) not a good idea to restore various files on a cracked system. It looks to me like you need to
1) Back up your user data.
2) Kill the system.
3) Reformat your drives.
4) Do a complete new installation from the original (clean) media.
5) Make any appropriate modifications to tighten up your system (see suse-security, Bugtraq, CIAC, CERT etc.)
6) Install Tripwire, or another MD5-based file integrity system.
7) Restore your user data.
8) Bring the system back on line.
and finally
9) Try to analyse the attack to figure out what went wrong.
Oh yes, and nail the SOB.
Scott
--------------------
Your mouse has moved. Windows NT must be restarted for the change to take effect. Reboot now? [ OK ]
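Step 6, the integrity baseline, is the one that pays off later: an rc.config that shrinks from a full file to four lines inside ten minutes is exactly the change a hash manifest catches, and the same manifest is how you answer "is this restored file already damaged?" before putting it back. The following Python script is an added example, not Tripwire and not part of the thread: it records hash, size and mode for every regular file under a directory, then diffs a later manifest against the stored one and lists added, removed and modified paths. It uses SHA-256 rather than the MD5 the post mentions, because MD5 is no longer collision-resistant; the demo directory, file contents and simulated tampering are constructed inline. A baseline is only worth something if it was taken on a clean install and kept where the box cannot rewrite it (read-only media or another host), which is why the demo serializes it to a JSON string the way you would write it out elsewhere.

```python
import hashlib
import json
import stat
import tempfile
from pathlib import Path


def hash_file(path, algo="sha256", chunk=65536):
    """Stream a file through hashlib so large binaries never sit in memory whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, algo="sha256"):
    """Map each regular file under root (relative POSIX path) to its hash, size and mode.
    Symlinks are skipped; their targets are hashed under their own paths."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        manifest[p.relative_to(root).as_posix()] = {
            "hash": hash_file(p, algo),
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode),
        }
    return manifest


def compare_manifests(baseline, current):
    """Classify every path as added, removed or modified (hash, size or mode differs)."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, report the differences."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary\n")
        (root / "bin" / "ps").write_bytes(b"original ps binary\n")
        (root / "etc" / "rc.config").write_text(
            'LANGUAGE="english"\nSTART_INETD="yes"\nSTART_PORTMAP="yes"\nNFS_SERVER="yes"\n')

        # The baseline is serialized exactly as you would store it off the box.
        stored_baseline = json.dumps(build_manifest(root), sort_keys=True)

        # Simulated tampering: a same-size replacement binary (only the hash changes),
        # a gutted config, a deleted tool, and a file that was never in the baseline.
        (root / "bin" / "ps").write_bytes(b"replaced ps binary\n")
        (root / "etc" / "rc.config").write_text('LANGUAGE="english"\n')
        (root / "bin" / "ls").unlink()
        (root / "usr" / "local" / "bin").mkdir(parents=True)
        (root / "usr" / "local" / "bin" / "unexpected").write_bytes(b"not in baseline\n")

        return compare_manifests(json.loads(stored_baseline), build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The replaced ps in the demo keeps the original's exact size, so a size-and-timestamp check alone would miss it; only the hash differs. That is the reason tools in this class hash contents rather than trusting stat() output, which a tool that has been replaced can also be made to lie about.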

On Sat, 7 Aug 1999 butch@null.net wrote:
> I unplugged my hub immediately when I saw that. Now I'm at a standalone computer with a dial-up connection. I do have partial back-ups of critical files (including rc.config), but do you think it is safe to restore these over a hacked system? I assume some back-doors have been left wide open, and I'm not so sure I can find them. I have some good firewall rules set up (I'd cut and paste, but I'm not connected to the linux box).
Re-install your system from a CD (format the partitions); you can leave /home, but tell your users (if any) to check everything there. After this, you can re-install the back-ups, but check every file for whether it has already been "damaged".
--
markus schaber -- http://www.schabi.de/ -- ICQ# 22042130
"Why do it the cumbersome way, when the complicated way works too!" (Eva Maria Schaber)

Take a look at COPS and SWATCH. They may be able to help you before this happens; they will let you know what files get changed. I have not used them in a while, but they are worth the look.
Scott
----- Original Message -----
From: Markus Schaber <markus.schaber@student.uni-ulm.de>
To: <butch@null.net>
Cc: Doug <dag@umr.edu>; <suse-security@suse.com>
Sent: Sunday, August 08, 1999 4:46 PM
Subject: Re: [suse-security] uh-oh more!
> On Sat, 7 Aug 1999 butch@null.net wrote:
> > I unplugged my hub immediately when I saw that. Now I'm at a standalone computer with a dial-up connection. I do have partial back-ups of critical files (including rc.config), but do you think it is safe to restore these over a hacked system? I assume some back-doors have been left wide open, and I'm not so sure I can find them. I have some good firewall rules set up (I'd cut and paste, but I'm not connected to the linux box).
> Re-install your system from a CD (format the partitions); you can leave /home, but tell your users (if any) to check everything there. After this, you can re-install the back-ups, but check every file for whether it has already been "damaged".
> --
> markus schaber -- http://www.schabi.de/ -- ICQ# 22042130
> "Why do it the cumbersome way, when the complicated way works too!" (Eva Maria Schaber)
participants (7)
- butch@null.net
- Doug
- Jeff
- Markus Schaber
- Scott Sampson
- smorris@mindspring.com
- Stephen Smith