Dear all,

I am using SuSE 5.2 with the corresponding security patches from the SuSE server. We have a valid IP, which means that our server is accessible from the Internet. The server acts as a gateway for a small company network.

Now it looks as if our system has been hacked. I had several imapd reports during the last time and it ended up with the following sequence in my /var/log/messages:

----------------------------
Jul 14 13:24:52 server imapd[1819]: connect from root@<IP1>
Jul 14 13:25:22 server in.telnetd[1820]: connect from <IP2>
Jul 14 13:25:35 server login[1821]: no shadow password for `slovaka' on `ttyp3' from `pool051-max3.ds36-ca-us.dialup.<some-net>
Jul 14 13:25:45 server su: (to r00t) slovaka on /dev/ttyp3
--------------------------

I checked with YaST the list of users and found the user "slovaka" and the user r00t (with root permissions!) as well. Besides that I can't see any further changes to the system.

How did slovaka/r00t enter my system?

How can I find out what he did? The numerical uid of him was the same as my personal account (500), so I can't use the id...

I deleted those accounts and forced all users to change their passwords. But whoever enters the system within seconds once will be able to do it a second time as well, so how can I close this hole?

Nobody uses imap in our group. Wouldn't it be best to stop imapd? I find no entry in rc.config and I don't know how to remove it from the startup scripts (can I just remove the imp<#> lines from /etc/services?)

Any hint is appreciated!

Josef

BTW: I am using a different system to write this email....

-- 
Dr. J. Frohn - S.I.S. GmbH        email: frohn@sis-gmbh.com
Kaiserstr. 100                    http://www.sis-gmbh.com
52134 Herzogenrath - GERMANY      T +49 (0) 2407 96147 -- F +49 (0) 2407 96275
Nobody uses imap in our group. Wouldn't it be best to stop imapd? I find no entry in rc.config and I don't know how to remove it from the startup scripts (can I just remove the imp<#> lines from /etc/services?)

You'll have to look into /etc/inetd.conf for the line containing the imapd daemon and comment it out by putting a # at the beginning of the line. (Personally I think of imapd as a real great danger to your system's security as it is not as developed as pop3 is :)
There are many ways to enter a system and because most hackers know what they are doing (okay, there are many who are just poking around with some tools they found somewhere ..) they normally clean the logs of everything of how they got into the system. Try and test your system with a security scanner (I think the best available at the moment is nessus at http://www.nessus.org) to find out the holes you have.

Good luck for the future
On Tue, 27 Jul 1999, jochen mader wrote:
There are many ways to enter a system and because most hackers now what they
Sorry, can't let this one go. You mean Crackers, *NOT* hackers.

cog
-- 
David M. Webster ++ aka cogNiTioN ++ cognition@bigfoot.com
My New Domain <cognite.net> should be up and running soon.
I use Linux every day to up my productivity - so up yours!
cognition you dumb ass, get back to dc-stuff :)

flea

At 07:47 PM 7/27/99 +0000, cogNiTioN wrote:
On Tue, 27 Jul 1999, jochen mader wrote:
There are many ways to enter a system and because most hackers now what they
Sorry, can't let this one go. You mean Crackers, *NOT* hackers.
cog
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
What services were you running? Did you configure /etc/hosts.allow & /etc/hosts.deny? Did you make sure the services you were running were properly configured and updated? What kernel were you running?

zaire

On Mon, 26 Jul 1999, Josef Frohn wrote:
Dear all,
I am using SuSE 5.2 with the corresponding security patches from the SuSE server.
We have a valid IP, which means that our server is accessible from the Internet.
The server acts as a gateway for a small company network.
Now it looks as if our system has been hacked. I had several imapd reports during the last time and it ended up with the following sequence in my /var/log/messages:
----------------------------
Jul 14 13:24:52 server imapd[1819]: connect from root@<IP1>
Jul 14 13:25:22 server in.telnetd[1820]: connect from <IP2>
Jul 14 13:25:35 server login[1821]: no shadow password for `slovaka' on `ttyp3' from `pool051-max3.ds36-ca-us.dialup.<some-net>
Jul 14 13:25:45 server su: (to r00t) slovaka on /dev/ttyp3
--------------------------
I checked with YaST the list of users and found the user "slovaka" and the user r00t (with root permissions!) as well.
Besides that I can't see any further changes to the system.
How did slovaka/r00t enter my system?
How can I find out what he did? The numerical uid of him was the same as my personal account (500), so I can't use the id...
I deleted those accounts and forced all users to change their passwords. But whoever enters the system within seconds once will be able to do it a second time as well, so how can I close this hole?
Nobody uses imap in our group. Wouldn't it be best to stop imapd? I find no entry in rc.config and I don't know how to remove it from the startup scripts (can I just remove the imp<#> lines from /etc/services?)
Any hint is appreciated!
Josef
BTW: I am using a different system to write this email....
* Josef Frohn <frohn@sis-gmbh.com> writes:
I am using SuSE 5.2 with the corresponding security patches from the SuSE server.
So you installed for example the most up-to-date wuftp-client?
Nobody uses imap in our group. Wouldn't it be best to stop imapd? I find no entry in rc.config and I don't know how to remove it from the startup scripts (can I just remove the imp<#> lines from /etc/services?)
Check "/etc/inetd.conf". Comment out ALL services you don't need. Maybe you don't need ANY at all. I commented out all entries. Later I've added ftp, telnet, and nntp. You can further restrict access by using "/etc/hosts.allow", "/etc/hosts.deny" and by setting up firewall rules.
Any hint is appreciated!
You should also consider taking legal action or at least inform the admin of the remote server that is being used to access your system.

Hope that helps.

BTW: Sometimes it's really scary if you check <http://www.rewebber.de/> and click "Was weiß der Rewebber über mich?" ("What does the Rewebber know about me?"). <http://www.anonymizer.com/> "You don't have to tell us, we already know all about YOU" might be interesting as well.

-- 
Mark Lutz
Accept: German, English
Hi Josef,

we had a linux box with SuSE 5.2 or 5.1 with a hacked imapd too. I do not know how he came into the system, but he tried it on other boxes as well. He started a sniffer and another program, which forked itself 250 times and saturated the net - so the hack was discovered immediately.

To disable you should uncomment the line

imap2 stream tcp nowait root /usr/sbin/tcpd imapd

with a # in the beginning in /etc/inetd.conf and then

kill -1 `cat inetd.pid`

to let inetd reread its config file. That should solve the problem.

If you want you can make a

grep -i imapd /etc/rc.config

but there shouldn't be an imapd entry. If there is one, set it to no and execute /sbin/SuSEconfig. Furthermore you can make a

grep -i imapd /sbin/init.d

The result should be empty too.

Bye
Thomas

imapd on your box is probably not an extra service but is started by inetd.

Josef Frohn wrote:
Dear all,
I am using SuSE 5.2 with the corresponding security patches from the SuSE server.
We have a valid IP, which means that our server is accessible from the Internet.
The server acts as a gateway for a small company network.
Now it looks as if our system has been hacked. I had several imapd reports during the last time and it ended up with the following sequence in my /var/log/messages:
----------------------------
Jul 14 13:24:52 server imapd[1819]: connect from root@<IP1>
Jul 14 13:25:22 server in.telnetd[1820]: connect from <IP2>
Jul 14 13:25:35 server login[1821]: no shadow password for `slovaka' on `ttyp3' from `pool051-max3.ds36-ca-us.dialup.<some-net>
Jul 14 13:25:45 server su: (to r00t) slovaka on /dev/ttyp3
--------------------------
I checked with YaST the list of users and found the user "slovaka" and the user r00t (with root permissions!) as well.
Besides that I can't see any further changes to the system.
How did slovaka/r00t enter my system?
How can I find out what he did? The numerical uid of him was the same as my personal account (500), so I can't use the id...
I deleted those accounts and forced all users to change their passwords. But whoever enters the system within seconds once will be able to do it a second time as well, so how can I close this hole?
Nobody uses imap in our group. Wouldn't it be best to stop imapd? I find no entry in rc.config and I don't know how to remove it from the startup scripts (can I just remove the imp<#> lines from /etc/services?)
Any hint is appreciated!
Josef
BTW: I am using a different system to write this email....
-- 
Thomas Bierweiler
CDW 406 D Box # 6034 UMassD
285 Old Westport Rd.
North Dartmouth, MA 02747 USA
mail: Thomas.Bierweiler@gmx.de or ubpc@rz.uni-karlsruhe.de
http://www.uni-karlsruhe.de/~ubpc
ICQ 22953251   Tel +USA 508 910 5383
Hi guys,

the imap and pop3 daemons are well known to be vulnerable against stack overflow exploits for more than one year. Even with the versions from SuSE 5.3 it is childishly simple to gain root access from the internet if you offer these services in /etc/inetd.conf. A very good patch against stack overflow exploits is available at http://www.false.com/security/linux/

Best regards
-- 
Thomas Finteis
Institut fuer Experimentalphysik
Universitaet des Saarlandes
Postfach 151150
D-66041 Saarbruecken
Tel.: 0681/302-2247
Fax : 0681/302-2947
Thomas Bierweiler wrote:
Hi Josef,
we had a linux box with suse 5.2 or 5.1 with a hacked imapd too.
Me too :)
I do not know how he came into the system, but he tried it on other boxes as well. He started a sniffer and another program, which forked itself 250 times and saturated the net - so the hack was discovered immediately.
To disable you should uncomment the line
imap2 stream tcp nowait root /usr/sbin/tcpd imapd
with a # in the beginning in /etc/inetd.conf and then kill -1 `cat inetd.pid` to let inetd reread its config file.
That should solve the problem. ...
The attack on our system went a bit further. The cracker installed several additional tools and services in various places, e.g. he copied in.telnetd to ip0p3d in /usr/sbin and entered it as a new service in /etc/inetd.conf on port pop3d (40005), which was appended to /etc/services. He further installed some (BTW fairly useful) tools in /dev/shadow like linsniffer and tcpdump. Several other modifications were made to the system, most of them by scripts.

In short, you should thoroughly verify _every_ active service in /etc/inetd.conf and check all files involved for integrity. A port scanner like strobe (or exscan) might be useful as well. Of course, you should also make sure to remove all references to imapd and copies thereof or you might be hit by this silly buffer overflow exploit again.

Our system was (ab)used to compile eggdrop and kick innocent users out of mp3 related IRC channels...

Best Regards,
--Cyrill

PS: Sorry if I didn't get the details right but this all happened about a year ago...

-----
*** *** *** Hi! I'm a .signature virus! *** *** *** Copy me into your .signature file to help me spread!
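The audit Cyrill asks for above (check every active /etc/inetd.conf entry, and watch for a renamed daemon parked on a port appended to /etc/services) together with the comment-out step Thomas described, written as an added example that is not code from any poster. It assumes the classic seven-field inetd.conf layout and a site allowlist (KEEP, here ftp and telnet); the sample inetd.conf and /etc/services are constructed.

```python
import os

# Services the gateway is expected to keep offering through inetd
# (an assumption for this example; adjust to the site's real needs).
KEEP = {"ftp", "telnet"}

# Programs expected behind tcpd for each kept service.
EXPECTED_SERVERS = {
    "ftp": {"in.ftpd", "wu.ftpd"},
    "telnet": {"in.telnetd"},
}

# Standard port for each inetd service name we are willing to accept.
WELL_KNOWN = {"ftp": 21, "telnet": 23, "smtp": 25, "finger": 79, "pop-3": 110,
              "pop3": 110, "nntp": 119, "imap": 143, "imap2": 143,
              "login": 513, "shell": 514}


def parse_inetd(text):
    """Return [(lineno, service, fields)] for every active (uncommented) entry."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        fields = s.split()
        if len(fields) >= 6:
            entries.append((n, fields[0], fields))
    return entries


def parse_services(text):
    """Map each name (and alias) in /etc/services to its set of port numbers."""
    ports = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port = int(fields[1].split("/")[0])
        for name in [fields[0]] + fields[2:]:
            ports.setdefault(name, set()).add(port)
    return ports


def audit_inetd(inetd_text, services_text, keep=KEEP):
    """Return {'disable': [service, ...], 'suspicious': [(lineno, reason), ...]}."""
    ports = parse_services(services_text)
    disable, suspicious = [], []
    for lineno, svc, fields in parse_inetd(inetd_text):
        # Field 6 is the server; behind tcpd the real program is the next field.
        server = fields[5]
        if os.path.basename(server) == "tcpd" and len(fields) > 6:
            server = fields[6]
        if svc not in keep:
            disable.append(svc)
        # Check 1: the name must be a well-known inetd service mapped to its
        # standard port.  A 'pop3d 40005/tcp' line appended to /etc/services
        # to carry a renamed telnetd fails here.
        svc_ports = sorted(ports.get(svc, set()))
        if svc not in WELL_KNOWN:
            suspicious.append((lineno, "%s: not a well-known service (ports %s)" % (svc, svc_ports)))
        elif svc_ports and WELL_KNOWN[svc] not in svc_ports:
            suspicious.append((lineno, "%s: /etc/services gives %s, expected %d" % (svc, svc_ports, WELL_KNOWN[svc])))
        # Check 2: a kept service must be served by the program we expect.
        if svc in keep and os.path.basename(server) not in EXPECTED_SERVERS.get(svc, set()):
            suspicious.append((lineno, "%s: unexpected server program %s" % (svc, server)))
    return {"disable": disable, "suspicious": suspicious}


def harden_inetd(inetd_text, keep=KEEP):
    """Comment out every active entry whose service is not in `keep`.
    After writing the result back, signal inetd (kill -HUP <pid>) to reload."""
    out = []
    for line in inetd_text.splitlines():
        s = line.strip()
        if s and not s.startswith("#") and s.split()[0] not in keep:
            out.append("# " + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample files modelled on the thread (not taken from any real host).
SAMPLE_INETD = """\
# constructed /etc/inetd.conf excerpt
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
imap2   stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
pop3    stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
#finger stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
pop3d   stream  tcp     nowait  root    /usr/sbin/tcpd  ip0p3d
"""
SAMPLE_SERVICES = """\
ftp      21/tcp
telnet   23/tcp
pop3    110/tcp    pop-3
imap2   143/tcp    imap
pop3d 40005/tcp    # appended by the intruder
"""
```

audit_inetd(SAMPLE_INETD, SAMPLE_SERVICES) lists imap2, pop3 and pop3d for disabling and flags line 7 (pop3d on 40005); harden_inetd returns the file with those three entries commented out.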
Hi Josef,

You may have to face that if the intruder knew what s/he was doing, your system may be hosed securitywise and you don't even see it, and you may not find out what exactly happened unless you establish logs and see it happening again. Look at: http://www.cert.org/tech_tips/root_compromise.html for recovery hints.

If s/he planted trojan programs described below, it's best to isolate the machine, save the harddisk as evidence and reinstall from the last backup on a new disk. Log the time and material you use to clean up, estimate the damage, find out who the bastards are and sue them for damages!

I was lucky discovering some files the intruder left around by stupidity and was able to somehow reconstruct what happened. If the wtmp has not been tampered with, you may use the last command and look at login activity with IP numbers. But the IP numbers may be from other machines which are compromised too and used as a relay to hide identities. The original breakin could have happened a long time - perhaps months - ago. In my case, they must have gotten in by using a buffer overflow with ftp or nfs. Log entries may look like this, if they have not been erased:
Mar 20 10:47:43 pcst001 mountd[134]: Unauthorized access by NFS client 204.174.19.18.
Mar 20 10:47:44 pcst001 mountd[134]: [truncated] Blocked attempt of 204.174.19.18 to mount ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
Mar 20 10:48:44 pcst001 in.telnetd[2108]: connect from xxx.174.19.18
Mar 20 10:48:49 pcst001 login[2109]: no shadow password for `moof' on `ttyp7' from `xxx.174.19.18'
Mar 20 10:48:49 pcst001 login[2109]: ILLEGAL ROOT LOGIN on `ttyp7' from `xxx.174.19.18'
I fixed the machine back up (it was SuSE 5.3) - this time disallowing root logins over the net (it appeared to have been the default to allow it) and using the wuftp security patches - brought it up again after a couple of weeks (I used another machine in the meantime), and it took 20 minutes and another guy broke in, got root access again and established a root account but then was not able anymore to log on as root (that's the log above). Here is what the first intruder did:
The person installed a toolkit called lrk4 on my machine in a hidden directory with the name "/var/yp/...".
The toolkit replaced about 15 essential programs with trojans: ls, du, find, top, passwd etc. etc. Here is the cut-out of the Makefile:
/usr/bin/chfn /usr/bin/chsh /bin/login /bin/ls /bin/du /usr/bin/passwd /bin/ps /usr/bin/top /usr/sbin/in.rshd /bin/netstat /sbin/ifconfig /usr/sbin/syslogd /usr/sbin/inetd /usr/sbin/tcpd /usr/bin/killall /usr/bin/pidof /usr/bin/find
The programs were altered to hide information. For example, the ls and du would not display the "..." directory nor account for its size. The programs are significantly larger than the originals but the checksum is fixed to match the original and maybe also the original program size is displayed by the trojan programs - I have not had the time to check.
There are hard coded username(s?) "rewt" in the programs which were used from different IP numbers to get in.
A machine which has this package installed is totally hosed securitywise and has all doors open for intrusion and hidden activity.
Once the person got in, a program nscan was run which spawns 100+ children to go after other sites and gives info like this (leftover files from the first hacker):
xxx.207.198.192: VULN: linux box vulnerable to named overflow.
xxx.142.207.7: VULN: linux box vulnerable to named overflow.
xxx.179.207.151: VULN: a bread fearing bastard of a mountd'er.
The problem with a system compromised like this is that you don't see anything about the cloaked user unless you mount the disk from a clean system and look around. I just hope this did not happen at your system.

What I would do now when having a permanent internet connection is:
1.) router/firewall up front connected to
2.) outer machine which looks at every packet coming in and decides if it's allowed or denied and logs everything,
3.) outer machine connected to inner network thru separate network card

Good luck,
Sam
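A triage pass over the /var/log/messages sequences quoted by Josef (imapd connect, telnet login to a hand-added account, su to r00t) and by Sam (mountd probe, ILLEGAL ROOT LOGIN), plus the /etc/passwd check Josef did by eye in YaST, as an added example that is not code from any poster. The log and passwd samples are constructed from the thread's lines with documentation addresses substituted; the 120-second correlation window and the admins allowlist are assumptions.

```python
import re
from datetime import datetime

# Syslog line: "Mon DD HH:MM:SS host prog[pid]: message"
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([^\s\[:]+)(?:\[\d+\])?: (.*)$")

# Daemons that accept connections from the network; used to attribute a
# suspicious session to the service that let it in.
NETWORK_DAEMONS = {"imapd", "ipop3d", "in.telnetd", "in.ftpd", "mountd", "named"}


def parse_syslog(text):
    """Return event dicts in file order. Syslog lines carry no year, so the
    timestamps are only ever compared relative to each other."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            ts, host, prog, msg = m.groups()
            events.append({"t": datetime.strptime(ts, "%b %d %H:%M:%S"),
                           "host": host, "prog": prog, "msg": msg, "raw": raw.strip()})
    return events


def audit_log(text, admins=("root",), window=120):
    """Flag the indicators seen in the thread and, for each, list the network
    daemons that logged a connection on the same host within `window` seconds
    before it (the likely entry service)."""
    events = parse_syslog(text)
    findings = []
    for i, ev in enumerate(events):
        reason = None
        m = re.search(r"no shadow password for `([^']+)'", ev["msg"])
        if ev["prog"] == "login" and m:
            reason = "login to %r, which has no shadow entry (hand-added to /etc/passwd?)" % m.group(1)
        m = re.match(r"\(to (\S+)\) (\S+)", ev["msg"]) if ev["prog"] == "su" else None
        if m and m.group(1) not in admins:
            reason = "su from %s to unexpected account %s" % (m.group(2), m.group(1))
        if "ILLEGAL ROOT LOGIN" in ev["msg"]:
            reason = "remote root login attempt"
        if ev["prog"] == "mountd" and ("Unauthorized" in ev["msg"] or "Blocked attempt" in ev["msg"]):
            reason = "mountd probe (non-printing padding in the mount path)"
        if reason:
            via = [e["prog"] for e in events[:i]
                   if e["host"] == ev["host"] and e["prog"] in NETWORK_DAEMONS
                   and 0 <= (ev["t"] - e["t"]).total_seconds() <= window]
            findings.append({"line": ev["raw"], "reason": reason, "via": via})
    return findings


def audit_passwd(text):
    """Report uid-0 accounts other than root and any uid shared by several
    accounts (a second uid 500 hides behind the legitimate user's files)."""
    by_uid = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 7 and f[2].isdigit():
            by_uid.setdefault(int(f[2]), []).append(f[0])
    return {
        "extra_uid0": [u for u in by_uid.get(0, []) if u != "root"],
        "duplicate_uid": {uid: names for uid, names in by_uid.items() if len(names) > 1},
    }


# Constructed samples built from the lines quoted in the thread (192.0.2.0/24
# is a documentation range; the real addresses are not reproduced here).
JOSEF_LOG = """\
Jul 14 13:24:52 server imapd[1819]: connect from root@192.0.2.10
Jul 14 13:25:22 server in.telnetd[1820]: connect from 192.0.2.20
Jul 14 13:25:35 server login[1821]: no shadow password for `slovaka' on `ttyp3' from `pool051-max3.dialup.example.net'
Jul 14 13:25:45 server su: (to r00t) slovaka on /dev/ttyp3
"""
SAM_LOG = """\
Mar 20 10:47:43 pcst001 mountd[134]: Unauthorized access by NFS client 192.0.2.18.
Mar 20 10:47:44 pcst001 mountd[134]: [truncated] Blocked attempt of 192.0.2.18 to mount ^P^P^P^P^P^P^P^P
Mar 20 10:48:44 pcst001 in.telnetd[2108]: connect from 192.0.2.18
Mar 20 10:48:49 pcst001 login[2109]: no shadow password for `moof' on `ttyp7' from `192.0.2.18'
Mar 20 10:48:49 pcst001 login[2109]: ILLEGAL ROOT LOGIN on `ttyp7' from `192.0.2.18'
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
josef:x:500:100:Josef Frohn:/home/josef:/bin/bash
slovaka:x:500:100::/home/slovaka:/bin/bash
r00t:x:0:0::/root:/bin/bash
"""
```

On JOSEF_LOG both the slovaka login and the su to r00t are attributed to the imapd and in.telnetd connections just before them; audit_passwd(SAMPLE_PASSWD) reports r00t as an extra uid-0 account and uid 500 shared by josef and slovaka.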
You may wish to look into two packages, SWATCH and COPS. They monitor your system and will let you know of file changes.

Scott

----- Original Message -----
From: Josef Frohn <frohn@sis-gmbh.com>
To: <suse-security@suse.com>
Sent: Monday, July 26, 1999 10:12 AM
Subject: [suse-security] Help: our system has been hacked...!

Dear all,
I am using SuSE 5.2 with the corresponding security patches from the SuSE server.
We have a valid IP, which means that our server is accessible from the Internet.
The server acts as a gateway for a small company network.
Now it looks as if our system has been hacked. I had several imapd reports during the last time and it ended up with the following sequence in my /var/log/messages:
----------------------------
Jul 14 13:24:52 server imapd[1819]: connect from root@<IP1>
Jul 14 13:25:22 server in.telnetd[1820]: connect from <IP2>
Jul 14 13:25:35 server login[1821]: no shadow password for `slovaka' on `ttyp3' from `pool051-max3.ds36-ca-us.dialup.<some-net>
Jul 14 13:25:45 server su: (to r00t) slovaka on /dev/ttyp3
--------------------------
I checked with YaST the list of users and found the user "slovaka" and the user r00t (with root permissions!) as well.
Besides that I can't see any further changes to the system.
How did slovaka/r00t enter my system?
How can I find out what he did? The numerical uid of him was the same as my personal account (500), so I can't use the id...
I deleted those accounts and forced all users to change their passwords. But whoever enters the system within seconds once will be able to do it a second time as well, so how can I close this hole?
Nobody uses imap in our group. Wouldn't it be best to stop imapd? I find no entry in rc.config and I don't know how to remove it from the startup scripts (can I just remove the imp<#> lines from /etc/services?)
Any hint is appreciated!
Josef
BTW: I am using a different system to write this email....
* smorris@mindspring.com (smorris@mindspring.com) [27.07.99 09:14]:
You may wish to look into to packages, SWATCH and COPS. They monitor you system and will let you know of file changes.
By now I would say it's too late to do this. If it was not only a script-kiddy (perhaps even then) he changed files on your system, installed some backdoors or root-kits and will be able to get into your box every time he wants - even without using an imap-exploit...

You should get the machine off the net (if possible) and reinstall it (perhaps with a newer version).

Balu

PS: A fast (but not really secure) check of your system files could be done with rpm using the verify option... (A "rookie" told me some time ago about this ;)

PPS: Perhaps you should try to catch the hacker logged in and just ask him how he did it. I did this some time ago and was surprised what a nice guy he was (and excused me for getting him off the machine right now ;)
----------------------------
Jul 14 13:24:52 server imapd[1819]: connect from root@<IP1>
Jul 14 13:25:22 server in.telnetd[1820]: connect from <IP2>
Jul 14 13:25:35 server login[1821]: no shadow password for `slovaka' on `ttyp3' from `pool051-max3.ds36-ca-us.dialup.<some-net>
Jul 14 13:25:45 server su: (to r00t) slovaka on /dev/ttyp3
--------------------------
There is a known exploit for IMAP. Security postings/patches were sent out for RedHat and SuSE quite some time ago. You can also check bugtraq - www.netspace.org or Rootshell - www.rootshell.com.

M
Hello,

On 26 Jul 99, at 15:12, Josef Frohn wrote:
How did slovaka/r00t enter my system?
I think he used a security bug in "imapd" to enter your system.
Nobody uses imap in our group. Wouldn't it be best to stop imapd?
Of course. Everyone should disable all services and daemons which are not needed. Why? The more services someone is running on his system the more security holes may be open. This can be used by crackers to enter the system.
I find no entry in rc.config and I don't know how to remove it from the startup scripts (can I just remove the imp<#> lines from /etc/services?)
You should have a look at "/etc/inetd.conf". There you can disable (comment out the line) many services which are started by the "inetd" (internet super daemon). I suggest disabling all services which you and your users don't need.

Bye,
Steffen
On Mon, Jul 26, 1999 at 03:12:24PM +0100, Josef Frohn wrote:
Now it looks as if our system has been hacked. I had several imapd reports during the last time and it ended up with the following sequence in my /var/log/messages:
----------------------------
Jul 14 13:24:52 server imapd[1819]: connect from root@<IP1>
Jul 14 13:25:22 server in.telnetd[1820]: connect from <IP2>
Jul 14 13:25:35 server login[1821]: no shadow password for `slovaka' on `ttyp3' from `pool051-max3.ds36-ca-us.dialup.<some-net>
Jul 14 13:25:45 server su: (to r00t) slovaka on /dev/ttyp3
--------------------------
I checked with YaST the list of users and found the user "slovaka" and the user r00t (with root permissions!) as well.
Besides that I can't see any further changes to the system.
How did slovaka/r00t enter my system?
Hi Josef,

I am not familiar with the actual state of the security patches for SuSE 5.2. The latest one was released around 30 June 1998 (from the list at www.suse.de). There have been important security patches released for 5.3 that were not made available for 5.2, and I remember having used some 5.3 patches for some 5.2 machines as a fast solution before I could upgrade the whole system. If I remember correctly, these were especially the ugly "mountd" vulnerability and the wu-ftpd one, too.
How can I find out what he did? The numerical uid of him was the same as my personal account (500), so I can't use the id...
That depends on the capabilities of the hackers. There are rootkits around that modify system binaries within seconds, such that new backdoors are installed. You might try "rpm -Va" to verify all installed files against the rpm database and then check all listed items. (This of course requires the rpm database to be unmodified.)
I deleted those accounts and forced all users to change their passwords. But whoever enters the system within seconds once will be able to do it a second time as well, so how can I close this hole?
That depends on the question whether backdoors were installed. My final recommendation to colleagues in this situation is: reinstall from scratch and make sure to have the latest version with all patches installed! That's the only way to be sure.
Nobody uses imap in our group. Wouldn't it be best to stop imapd? I find no entry in rc.config and I don't know how to remove it from the startup scripts (can I just remove the imp<#> lines from /etc/services?)
As others already pointed out: you have to modify /etc/inetd.conf. Additionally check the possibilities of tcpd with man hosts.allow, hosts.deny.

COMPLAINT TO SuSE: Why do you ship systems wide open so that I have to shut everything down? In times like these, and they won't get better anymore, just worse, you should ship the system "as closed as possible" and when I want to open it, well, then it's up to me. I know that other distributions are not necessarily better and that's the way UNIX was delivered from vendors, but the times are changing.
BTW: I am using a different system to write this email....

Good hint, but people might feel challenged to try it even then :-)
Sorry, no better news,
Lutz
-- 
Lutz Jaenicke                             Lutz.Jaenicke@aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
* Lutz Jaenicke (Lutz.Jaenicke@aet.TU-Cottbus.DE) [27.07.99 12:59]:
COMPLAINT TO SuSE: Why do you ship systems wide open so that I have to shut everything down? In times like these, and they won't get better anymore, just worse, you should ship the system "as closed as possible" and when I want to open it, well, then it's up to me. I know that other distributions are not necessarily better and that's the way UNIX was delivered from vendors, but the times are changing.
The harden_suse script of 6.1 is a nice start to do this...

Balu
Hi,
How can I find out what he did? The numerical uid of him was the same as my personal account (500), so I can't use the id...
I deleted those accounts and forced all users to change their passwords. But whoever enters the system within seconds once will be able to do it a second time as well, so how can I close this hole?
Unfortunately, it will be hard to find out if he can connect again. Even if you have removed all his accounts, he might have installed trojaned programs like login and so forth. You might check the packages containing those files with rpm --verify to see if the signature is ok, or best check your installation with tripwire if you've installed it.

Now, if you can bear the idea that some programs *might* be trojaned (without being sure no trojan remains but all seems ok), you can disable all connections from untrusted IPs: just say ALL:ALL in /etc/hosts.deny and edit /etc/hosts.allow and authorize, service by service, the trusted IPs to connect (e.g. in.telnetd : 192.54.67.89,....).

However, if you plan to make a thorough search of what he could have done, I guess you'll spend more time doing this than backing up your users' directories, re-installing the system (maybe upgrading it to SuSE 6.1) and restoring the users' dirs.

S.G.
http://icps.u-strasbg.fr/~genaud
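The hosts.allow/hosts.deny setup S.G. recommends above (ALL:ALL in hosts.deny, trusted clients per service in hosts.allow), modelled as an added example that is not the tcp_wrappers code itself. It mirrors tcpd's order (hosts.allow first, then hosts.deny, otherwise allow) for the pattern forms the thread uses: ALL, LOCAL, a host or address, a trailing-dot network prefix, net/mask and EXCEPT; the real tcpd language has further forms (PARANOID, KNOWN, netgroups, option fields) that this model leaves out, and it only guards services launched through tcpd. The sample files are constructed.

```python
import ipaddress


def _client_matches(pattern, ip, hostname):
    """One client pattern from an access-control list, in tcpd's notation."""
    p = pattern.strip()
    if p == "ALL":
        return True
    if p == "LOCAL":                       # hosts whose name carries no dot
        return "." not in hostname
    if "/" in p:                           # net/mask, e.g. 192.168.1.0/255.255.255.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(p, strict=False)
    if p.endswith("."):                    # address prefix, e.g. 192.54.67.
        return ip.startswith(p)
    if p.startswith("."):                  # domain suffix, e.g. .dialup.example.net
        return hostname.endswith(p)
    return p == ip or (hostname != "" and p == hostname)


def _list_matches(list_text, item_matcher):
    """'a b, c EXCEPT d' matches if any of a/b/c matches and none of d does."""
    parts = list_text.split(" EXCEPT ")
    include, exclude = parts[0], parts[1] if len(parts) > 1 else ""
    hit = lambda s: any(item_matcher(tok) for tok in s.replace(",", " ").split())
    return hit(include) and not hit(exclude)


def _rule_matches(rule, daemon, ip, hostname):
    fields = rule.split(":")              # daemon_list : client_list [: options]
    if len(fields) < 2:
        return False
    daemons, clients = fields[0].strip(), fields[1].strip()
    return (_list_matches(daemons, lambda d: d == "ALL" or d == daemon)
            and _list_matches(clients, lambda c: _client_matches(c, ip, hostname)))


def _rules(text):
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def tcpd_decision(allow_text, deny_text, daemon, ip, hostname=""):
    """Mirror tcpd's evaluation order: hosts.allow first, then hosts.deny,
    and if nothing matches the connection is allowed."""
    for rule in _rules(allow_text):
        if _rule_matches(rule, daemon, ip, hostname):
            return "allow"
    for rule in _rules(deny_text):
        if _rule_matches(rule, daemon, ip, hostname):
            return "deny"
    return "allow"


# Constructed sample files following S.G.'s advice (addresses are placeholders).
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = """\
# constructed /etc/hosts.allow
in.telnetd: 192.54.67.89
in.ftpd:    192.168.1.0/255.255.255.0
imapd:      ALL EXCEPT 10.0.0.
"""
```

The last assertion in the test below is the caveat: with an empty hosts.deny, a telnet from any address is let through, because tcpd's default is allow.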
First, unplug the network cable and make a backup of the whole system to study the intrusion. Second, install the system from CD.

To study the intruder, check /var/log/messages, the command 'last', /var/log/maillog, /var/log/secure, /var/log/warn, etc.

Install tcpwrappers. Install nessus, saint or some tools like that to check the security of your network. Create an MD5 checksum of your files (daily) and compare this to the one of the day before. Read "Know your enemy" (http://www.enteract.com/~lspitz/enemy.html) and other security related papers.

Send an e-mail message to LISTSERV@SECURITYFOCUS.COM with a message body of:

SUBSCRIBE BUGTRAQ Lastname, Firstname

to subscribe to bugtraq, a security mailing list. (BugTraq is a full disclosure moderated mailing list for the *detailed* discussion and announcement of computer security vulnerabilities: what they are, how to exploit them, and how to fix them.)

Send an email to or call the administrator of that network where the intruder came from. Maybe this system is cracked, too.

-- 
Martin Peikert
Technical University Berlin
mp@tetm36.ee.tu-berlin.de

On Mon, 26 Jul 1999, Josef Frohn wrote:
Dear all,
I am using SuSE 5.2 with the corresponding security patches from the SuSE server.
We have a valid IP, which means that our server is accessible from the Internet.
The server acts as a gateway for a small company network.
Now it looks as if our system has been hacked. I had several imapd reports during the last time and it ended up with the following sequence in my /var/log/messages:
----------------------------
Jul 14 13:24:52 server imapd[1819]: connect from root@<IP1>
Jul 14 13:25:22 server in.telnetd[1820]: connect from <IP2>
Jul 14 13:25:35 server login[1821]: no shadow password for `slovaka' on `ttyp3' from `pool051-max3.ds36-ca-us.dialup.<some-net>
Jul 14 13:25:45 server su: (to r00t) slovaka on /dev/ttyp3
--------------------------
I checked with YaST the list of users and found the user "slovaka" and the user r00t (with root permissions!) as well.
Besides that I can't see any further changes to the system.
How did slovaka/r00t enter my system?
Study your system logs!
How can I find out what he did? The numerical uid of him was the same as my personal account (500), so I can't use the id...
I deleted those accounts and forced all users to change their passwords. But whoever enters the system within seconds once will be able to do it a second time as well, so how can I close this hole?
Where from do you know that the intruder entered the system within seconds?
Nobody uses imap in our group. Wouldn't it be best to stop imapd? I find no entry in rc.config and I don't know how to remove it from the startup scripts (can I just remove the imp<#> lines from /etc/services?)
Disable _any_ service in /etc/inetd.conf that you don't know/need and restart inetd (kill -1 PID-of-inetd). Read man-pages, HOWTOs, especially the Security-HOWTO.
Any hint is appreciated!
Josef
BTW: I am using a different system to write this email....
Dear all,
I am using SuSE 5.2 with the corresponding security patches from the SuSE server.
We have a valid IP, which means that our server is accessible from the Internet.
The server acts as a gateway for a small company network.
Now it looks as if our system has been hacked. I had several imapd reports during the last time and it ended up with the following sequence in my /var/log/messages:
----------------------------
Jul 14 13:24:52 server imapd[1819]: connect from root@<IP1>
Jul 14 13:25:22 server in.telnetd[1820]: connect from <IP2>
Jul 14 13:25:35 server login[1821]: no shadow password for `slovaka' on `ttyp3' from `pool051-max3.ds36-ca-us.dialup.<some-net>
Jul 14 13:25:45 server su: (to r00t) slovaka on /dev/ttyp3
--------------------------
I had a machine hacked running SuSE 5.3, although I wasn't running IMAP. In conjunction with all the advice from others here, have you checked your running processes? Make sure you don't have any rogue scripts running or hacked daemons.

My advice, and I say this not fully understanding your environment, is to sentence the machine to death. Re-install. It's just about the only way to be sure that you've gotten everything. If this isn't an option, or you don't have an extra machine, then the other advice offered here will help I'm sure...

Take care and good luck!

Ken Hughes