telnet and su attack on my linux
Hi, today in the early morning I had something like an attack on my Linux system here. After the attack, I couldn't log in as root any more. I found out that it was not possible to set a password in the "shadow password system" any more. I can use only the "normal" password mechanism. My log files showed me some hints to the attacker (if there is one):
Sep 15 00:13:29 d64s_pattr imapd[16408]: connect from 134.102.152.136
Sep 15 00:13:29 d64s_pattr imapd[16409]: connect from 134.102.152.136
Sep 15 00:13:34 d64s_pattr imapd[16410]: connect from 134.102.152.136
Sep 15 00:13:38 d64s_pattr imapd[16411]: connect from 134.102.152.136
Sep 15 00:13:39 d64s_pattr imapd[16412]: connect from 134.102.152.136
Sep 15 00:14:59 d64s_pattr imapd[16413]: connect from root@155.207.113.137
Sep 15 00:17:12 d64s_pattr in.telnetd[16417]: connect from 24.95.241.60
Sep 15 00:17:20 d64s_pattr login[16418]: no shadow password for `shizat' on `ttyp1' from `wintersprings-ubr-c4-60.cfl.rr.com'
Sep 15 00:17:23 d64s_pattr su: (to www) shizat on /dev/ttyp1
. . .
Sep 15 06:53:14 d64s_pattr su: (to nobody) root on none
In my warn file I found the following entry:
Sep 15 00:17:20 d64s_pattr login[16418]: no shadow password for `shizat' on `ttyp1' from `wintersprings-ubr-c4-60.cfl.rr.com'
How is such an attack possible and, more important: how can I prevent such an intrusion?

I am using SuSE Linux 5.2 with a 2.0.33 kernel.

Thanks for your help in advance

Gerd
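As an added example (not part of Gerd's post or any reply), this Python script parses syslog lines in the format quoted above and flags the chain visible in the log: a login that succeeded for an account with no shadow entry, any later su by that account, and repeated imapd connections from one source. The sample lines are constructed from the quoted ones, with the real addresses and hostnames replaced by documentation addresses.

```python
import re
from collections import defaultdict

# Constructed sample log in the same syslog format as the post
# (hostname and PIDs kept, source addresses replaced by RFC 5737 ranges).
SAMPLE_LOG = """\
Sep 15 00:13:29 d64s_pattr imapd[16408]: connect from 192.0.2.10
Sep 15 00:13:39 d64s_pattr imapd[16412]: connect from 192.0.2.10
Sep 15 00:14:59 d64s_pattr imapd[16413]: connect from root@198.51.100.7
Sep 15 00:17:12 d64s_pattr in.telnetd[16417]: connect from 203.0.113.60
Sep 15 00:17:20 d64s_pattr login[16418]: no shadow password for `shizat' on `ttyp1' from `attacker.example.net'
Sep 15 00:17:23 d64s_pattr su: (to www) shizat on /dev/ttyp1
Sep 15 06:53:14 d64s_pattr su: (to nobody) root on none
"""

# "Mon DD HH:MM:SS host prog[pid]: message" (pid is optional, e.g. for su)
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w.]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
NOSHADOW_RE = re.compile(r"no shadow password for `(?P<user>[^']+)' on `(?P<tty>[^']+)' from `(?P<src>[^']+)'")
SU_RE = re.compile(r"\(to (?P<target>\S+)\) (?P<user>\S+) on (?P<tty>\S+)")
CONNECT_RE = re.compile(r"connect from (?P<src>\S+)")

def analyse(log_text):
    """Return a list of findings: shadow-less logins, su by those accounts, imapd bursts."""
    findings = []
    suspect = {}                 # user -> remote source of the shadow-less login
    imap_hits = defaultdict(int) # source host -> number of imapd connections
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        prog, msg = m["prog"], m["msg"]
        if prog == "imapd" and (c := CONNECT_RE.search(msg)):
            imap_hits[c["src"].split("@")[-1]] += 1   # drop the "user@" prefix
        elif prog == "login" and (n := NOSHADOW_RE.search(msg)):
            suspect[n["user"]] = n["src"]
            findings.append(f"{m['ts']} login without shadow entry: {n['user']} from {n['src']}")
        elif prog == "su" and (s := SU_RE.search(msg)):
            if s["user"] in suspect:   # privilege change by an account we already distrust
                findings.append(f"{m['ts']} su by suspect {s['user']} -> {s['target']}")
    for src, n in imap_hits.items():
        if n >= 2:
            findings.append(f"repeated imapd connections from {src} ({n})")
    return findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```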
gbruchhaus@makrolog.de wrote:
> today in the early morning I had something like an attack on my Linux system
> here. After the attack, I couldn't log in as root any more. I found out that it
> was not possible to set a password in the "shadow password system" any more. I
> can use only the "normal" password mechanism.
> My log files showed me some hints to the attacker (if there is one):
[...]
>
> How is such an attack possible and, more important: how can I prevent such an
> intrusion?

1. Update your open network services (such as imapd, pop3, ftpd etc.) regularly
2. Firewall all ports that need not be used
3. Set up tcpwrappers for the open ports
.....

> I am using SuSE Linux 5.2 with a 2.0.33 kernel

If you've never updated any packages, then you are vulnerable to many attacks. You should immediately take the system off the net (if not already done), make a backup of the complete filesystem for evidence, and reinstall everything from scratch. This might not have been the first intrusion, but only the first you've noticed, because the cracker was not good. You might have hundreds of people with root backdoors to your server. You should not trust any bit you find on it.

Contact me if you need further help...

Kind regards,
Stefan Salzer

--
Quality is not what you promise, but what you deliver!

Would you like to receive our free newsletter "cinNews"? You can subscribe at http://news.cin.de
Stefan Salzer, Connect Internetworking, Hauptstr. 139, 63110 Rodgau, Germany
e-mail: salt@cin.de, phone: +49 6106 8498 0, fax: +49 6106 8498 299, WWW: http://www.cin.de
Oh, and I forgot: notify the admins (can be found via whois lookups) of the systems you suppose were the attackers. If the attacks really originated there, those systems are most likely cracked and under the enemy's control, too.

cya, Stefan
Hi there,

If you need to log in from the console as user "root" again, boot up Linux and when you see the "LILO:" prompt, type "linux single" to log in to single-user mode. Then edit the "/etc/passwd" file and disable the password for "root". Reboot your machine and you are done. Log in as usual BUT without a password.

Install "portsentry" to disable port scanning of your host, make sure you set up "tcp-wrapper" correctly, and disable "telnet" in "/etc/inetd.conf" and use SSH instead. Get the RPM files from http://www.linux.com.sg/members and install them all.

Then download the latest "Linux Administrators Security Guide" (LASG). I have the older version at http://moonshi.zone.com.sg Download it and read it. It is in PDF format.

Don't forget to update all your daemon applications and sign up for the BUGTRAQ mailing list and whatever "Systems Security" lists.

Hope this info helps.

--
Moonshi Mohsenruddin
Editor, Singapore Linux Portal
moonshi@linux.com.sg
Asia/Singapore icq:2595480
http://www.linux.com.sg
-----Original Message-----
From: gbruchhaus@makrolog.de [mailto:gbruchhaus@makrolog.de]
Sent: Wednesday, September 15, 1999 9:42 PM
To: suse-security@suse.com
Subject: [suse-security] telnet and su attack on my linux
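Added example, not code from the reply above: the fix it describes edits /etc/passwd by hand, and the "no shadow password for `shizat'" warning in Gerd's log means an account existed in /etc/passwd without a matching /etc/shadow entry. This Python function audits a passwd/shadow pair for that class of inconsistency (hash or empty field stored in passwd instead of "x", missing or empty shadow entry, extra UID 0 accounts). The sample files are constructed and the hashes are placeholders.

```python
# Constructed sample files in /etc/passwd and /etc/shadow format.
# "shizat" and "toor" are invented accounts; the hashes are placeholders.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www:x:30:8:WWW daemon:/var/lib/www:/bin/bash
nobody:x:65534:65534:nobody:/:/bin/false
shizat:$1$xx$CONSTRUCTEDHASH0000000:1001:100::/home/shizat:/bin/bash
toor:x:0:0:second uid 0:/:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$1$xx$CONSTRUCTEDHASH1111111:10848:0:99999:7:::
www:*:10848:0:99999:7:::
nobody:*:10848:0:99999:7:::
toor::10848:0:99999:7:::
"""

# "x" means the hash lives in /etc/shadow; "*", "!" and "!!" are locked accounts.
LOCKED_OR_SHADOWED = {"x", "*", "!", "!!"}

def parse_shadow(shadow_text):
    """Map user -> password field from /etc/shadow-format text."""
    shadow = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            shadow[fields[0]] = fields[1]
    return shadow

def audit_accounts(passwd_text, shadow_text):
    """Return (user, issue) pairs for accounts that bypass or break the shadow scheme."""
    shadow = parse_shadow(shadow_text)
    issues = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        user, pw, uid = line.split(":")[:3]
        if pw == "":
            issues.append((user, "empty password field in passwd"))
        elif pw not in LOCKED_OR_SHADOWED:
            issues.append((user, "password hash stored in passwd, bypassing shadow"))
        if user not in shadow:
            issues.append((user, "no shadow entry"))
        elif shadow[user] == "":
            issues.append((user, "empty password in shadow"))
        if uid == "0" and user != "root":
            issues.append((user, "uid 0 account that is not root"))
    return issues

if __name__ == "__main__":
    for user, issue in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{user}: {issue}")
```

On a live system the same function can be fed the contents of /etc/passwd and /etc/shadow read as root; a clean system returns an empty list.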
It appears you are running an exploitable version of imapd. If you are actually using the IMAP protocol, update the daemon IMMEDIATELY. If not, disable IMAP. I cannot stress enough how important it is (security-wise) to keep your software up to date...

Scott G. Danahy

----- Original Message -----
From: <gbruchhaus@makrolog.de>
To: <suse-security@suse.com>
Sent: Wednesday, September 15, 1999 8:42 AM
Subject: [suse-security] telnet and su attack on my linux
participants (4)
- gbruchhaus@makrolog.de
- Moonshi Mohsenruddin
- scott
- Stefan Salzer