Hi,

yesterday strange things happened, but let me start from the beginning: I'm running a PC under SuSE 7.3 and kernel 2.4.16 (preempt-patch). openssh-2.9.9p2-74 is the only service listening to the outer world.

Well, I returned home yesterday, switched on the monitor and noticed that the network in our LAN (which itself is connected to the internet) seemed to be down. As this happens quite often, I wasn't that amazed, but when I tried to switch on kwintv via remote control (lirc), nothing happened. A further mouse click froze the screen immediately, and one of the hard drives became busy for approx. 15 sec. I managed to reboot the computer via the magic sysrq keys, and when it was back again an error message popped up about the dcopserver (perhaps it didn't like being killed). Everything seemed to work fine, but nevertheless I was heavily puzzled!

I looked into my logfiles and found out that there had not been any sign of life for the last hour, i.e. no MARK, ippl, snort, xntpd entries at all! The last message was produced by fetchmail, and even there everything seemed to be ok. I feared that somebody had made it into my system and I had disturbed him while placing a rootkit, so the hd activity was due to his sudden cleanup. I looked for rootkits (chkrootkit-0.35) but found nothing of interest and posted my experiences to a newsgroup. A few hours later I found

Feb 6 22:48:23 nephilim kernel: Packet log: input DENY eth0 PROTO=1 212.60.6.125:8 134.169.145.147:0 L=84 S=0x60 I=0 F=0x4000 T=45 (#113)
Feb 6 22:48:29 nephilim last message repeated 5 times
Feb 6 22:49:38 nephilim sshd[11226]: Connection closed by 212.60.6.125

in my syslog and became even more anxious. But I found out that if you try to log in to my box but give ssh a Ctrl-C instead of a password, exactly this message will be produced. Perhaps somebody read my posting and felt curious enough to drop in for a second.
After that I changed the "Protocol" in sshd_config to 2 (was 2,1 before), even though it is said here that this ssh version is as secure as openssh-3.0. Additionally, I searched for directories beginning with ..* but found nothing. I did an "rpm --verify" on each installed package and got e.g. for openssh

S.5....T c /etc/pam.d/sshd
S.5....T c /etc/ssh/ssh_config
SM5....T c /etc/ssh/sshd_config
.M...... /usr/bin/ssh

my guesses:
pam.d/sshd was changed when activating md5 passwords (>8 characters)
ssh*_config were changed by myself
ssh hmmm... as one can change file permissions (easy, local, secure), is it possible that after an installation default permissions and groups are overridden by a script that sets the chosen values?

The other packages only showed md5 failures in connection with configuration files, but there were quite a lot with M and G (see my last guess above).

So what do you think could have happened? What should be done next? How can I check whether new users/groups were created? How can I verify files on my discs against RPMs and not against a potentially corrupted rpm database? Could this also be explained in a way that KDE or X had an internal problem, perhaps due to some network errors within our LAN (it does not work that perfectly now), and made my system freeze? What will happen if the dhclient does not get appropriate data from the server (or even does not find it)? Could this confuse other programs?

Really confused greetings
Torsten
> I looked into my logfiles and found out that there
> had not been any sign of life for the last hour, i.e. no MARK, ippl, snort, xntpd entries at all! The last message was produced by fetchmail, and even there everything seemed to be ok. I feared that somebody had made it into my system and I had disturbed him while placing a rootkit, so the hd activity was due to his sudden cleanup.
So what? You wrote your system crashed - the logfile was not closed properly.
> I looked for rootkits (chkrootkit-0.35) but found nothing of interest and posted my experiences to a newsgroup. A few hours later I found
>
> Feb 6 22:48:23 nephilim kernel: Packet log: input DENY eth0 PROTO=1 212.60.6.125:8 134.169.145.147:0 L=84 S=0x60 I=0 F=0x4000 T=45 (#113)
> Feb 6 22:48:29 nephilim last message repeated 5 times
> Feb 6 22:49:38 nephilim sshd[11226]: Connection closed by 212.60.6.125
>
> in my syslog and became even more anxious. But I found out that if you try to log in to my box but give ssh a Ctrl-C instead of a password, exactly this message will be produced. Perhaps somebody read my posting and felt curious enough to drop in for a second.
ACK - that's why you should mask your IP even when you post logs into a list.
> After that I changed the "Protocol" in sshd_config to 2 (was 2,1 before), even though it is said here that this ssh version is as
Too late!
> secure as openssh-3.0. Additionally, I searched for directories beginning with ..* but found nothing. I did an "rpm --verify" on each installed package and got e.g. for openssh
>
> S.5....T c /etc/pam.d/sshd
> S.5....T c /etc/ssh/ssh_config
> SM5....T c /etc/ssh/sshd_config
> .M...... /usr/bin/ssh
>
> my guesses:
> pam.d/sshd was changed when activating md5 passwords (>8 characters)
> ssh*_config were changed by myself
> ssh hmmm... as one can change file permissions (easy, local, secure), is it possible that after an installation default permissions and groups are overridden by a script that sets the chosen values?
My guesses for ssh - you installed an update with rpm -i instead of rpm -u, or a script such as harden_suse changed attributes. By the way - it's ssh, not sshd. An attacker would exchange the daemon to get in.
> So what do you think could have happened? What should be done next? How can I check whether new users/groups were created? How can I verify files on my discs against RPMs and not against a potentially corrupted rpm database? Could this also be explained in a way that KDE or X had an internal problem, perhaps due to some network errors within our LAN (it does not work that perfectly now), and made my system freeze? What will happen if the dhclient does not get appropriate data from the server (or even does not find it)? Could this confuse other programs?
If you think it's not only paranoia, then check this URL 4 forensic analysis:

http://project.honeynet.org/challenge/results/submissions/roessler/evidence....

This doc describes techniques and methods to seek hidden information post mortem. You may want to see other examples 2:

http://project.honeynet.org/challenge/results/index.html#rankings

See the winners :O)

Michael Appeldorn
Michael Appeldorn wrote on Thursday, 7 February 2002 13:35:
> So what? You wrote your system crashed - the logfile was not closed properly.
The system crashed when I tried to open an xterm, but not an hour ago. I'm running ext3, and imho if there were messages they should have found their way onto the hd, shouldn't they?
> ACK - that's why you should mask your IP even when you post logs into a list
>                                                          ^^^^^^^^^^^^^^^^^^^^^^^
Well, that was really a bad idea, but as long as the name of my computer is listed in the news header (nntp-posting-host), people will have an address to connect to. So should I manipulate my header so that it will show something else?
>> After that I changed the "Protocol" in sshd_config to 2 (was 2,1 before), even though it is said here that this ssh version is as
>
> Too late!
So all comments about how secure openssh 2.9.9p2-74 is are nonsense?
> My guesses for ssh - you installed an update with rpm -i instead of rpm -u, or a script such as harden_suse changed attributes.
I used YOU (as SuSE calls it) to get the most up-to-date packages. Whenever I update an rpm package manually, I use the -u option. Hopefully, YOU does the same...
> By the way - it's ssh, not sshd. An attacker would exchange the daemon to get in.
Yes, that's clear. I first checked openssh.rpm, as the sshd is part of this package.
> If you think it's not only paranoia, then check this URL 4 forensic analysis.
Is it a question of paranoia? Are there no ways to ensure that the system is clean while keeping it alive? In evidence.txt they checked the md5sums of the installed packages. Which database do they use as reference? When I check all binaries as recently described, there is still the possibility that the rpm database is corrupted itself, isn't it? Or is the result that the md5sums of all the binaries were ok sufficient to declare this system clean?

Greetings
Torsten
>> If you think it's not only paranoia, then check this URL 4 forensic analysis.
>
> Is it a question of paranoia? Are there no ways to ensure that the system is clean while keeping it alive?
You'll destroy the attacker's marks.
> In evidence.txt they checked the md5sums of the installed packages. Which database do they use as reference?
The original database of the attacked machine:

rpm -V -a --root=`pwd`/mnt/ | grep ^..5

> When I check all binaries as recently described, there is
> still the possibility that the rpm database is corrupted itself, isn't it?
Yep
> Or is the result that the md5sums of all the binaries were ok sufficient to declare this system clean?
Nope --ö-- But I meant the ways to examine your system 4 attacker's marks, e.g. grabbing the whole drive via

>dd /dev/hdX | grep "part of date"

as shown in the document. Read the whole doc to see all possibilities. And examine the files such as ps/ifconfig/lsof 2. E.g. you can use /proc to seek suspicious processes, if no kernel modules are injected.

Michael Appeldorn
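Torsten's question about verifying files against RPMs and Michael's rpm -V answer above, worked through as an added example (not code from either poster): a Python triage of rpm --verify output in the format quoted in the thread. The sample lines are constructed, and the caveat about which database rpm -V compares against is in the docstring.

```python
"""Triage `rpm -V` output lines (added example, not code from the thread).
Flag field: S size, M mode, 5 MD5 digest, D device, L link, U user, G group,
T mtime ('.' = unchanged); optional attribute c = config file; then the path.
Caveat: rpm -V trusts whichever rpm database it reads, so on a suspect host
run it from clean media against the mounted disk (--root, as in the thread)
or against pristine package files (rpm -Vp <file.rpm>) before believing it."""
import re

FLAG_NAMES = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "link",
              "U": "user", "G": "group", "T": "mtime", "P": "caps"}
LINE_RE = re.compile(r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+"
                     r"(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S+)$")


def parse_verify_line(line):
    """Parse one verify line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"path": m.group("path"), "config": m.group("attr") == "c",
            "missing": m.group("flags") == "missing",
            "changed": {FLAG_NAMES[c] for c in m.group("flags") if c in FLAG_NAMES}}


def classify(entry):
    """suspect: missing file, or content of a non-config file changed;
    review: only mode/owner/link of a binary, or mode/owner of a config, changed
    (hardening scripts such as harden_suse do this, as the thread notes);
    expected: config content/mtime changed; info: everything else."""
    ch = entry["changed"]
    if entry["missing"]:
        return "suspect"
    if not entry["config"]:
        if ch & {"digest", "size"}:
            return "suspect"
        return "review" if ch & {"mode", "user", "group", "link"} else "info"
    return "review" if ch & {"mode", "user", "group"} else "expected"


def triage(output):
    """Group the paths of a whole `rpm -V -a` run by severity."""
    report = {"suspect": [], "review": [], "expected": [], "info": []}
    for entry in filter(None, map(parse_verify_line, output.splitlines())):
        report[classify(entry)].append(entry["path"])
    return report


# Constructed sample: the four openssh lines quoted in the thread plus two
# made-up lines (a replaced /bin/ps and a missing /bin/netstat).
SAMPLE_OUTPUT = """\
S.5....T c /etc/pam.d/sshd
S.5....T c /etc/ssh/ssh_config
SM5....T c /etc/ssh/sshd_config
.M......   /usr/bin/ssh
S.5....T   /bin/ps
missing    /bin/netstat
"""
```

Calling `triage(SAMPLE_OUTPUT)` puts the two constructed lines under "suspect", sshd_config and /usr/bin/ssh (mode changes) under "review", and the two edited config files under "expected".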