Found file in /dev: "h"
Hello,

I found a normal file in /dev: "h" on one of my servers:

# ls -al /dev/h
-rw-r--r-- 1 root root 446 Feb 19 14:17 /dev/h

It contains the following text between binary code:

Invalid partition table^@No operating system^@Error loading operating system

Is this from a rootkit or normal for SuSE 9.0?

Thank you for an answer.
Manfred
On Tuesday 29 June 2004 07:47, Manfred Rebentisch wrote:
Hello, I found a normal file in /dev: "h" on one of my servers:
# ls -al /dev/h
-rw-r--r-- 1 root root 446 Feb 19 14:17 /dev/h
It contains the following text between binary code:
Invalid partition table^@No operating system^@Error loading operating system
Is this from a rootkit or normal for SuSE 9.0?
Don't know, but 446 is exactly the root sector loader size without partition table, and is definitely not found on pristine installations! Keep us informed about your research...

Pete
Hello, on Tuesday, 29 June 2004 09:29, Hans-Peter Jansen wrote:
On Tuesday 29 June 2004 07:47, Manfred Rebentisch wrote:
Hello, I found a normal file in /dev: "h" on one of my servers:
# ls -al /dev/h
-rw-r--r-- 1 root root 446 Feb 19 14:17 /dev/h
It contains the following text between binary code:
Invalid partition table^@No operating system^@Error loading operating system
Is this from a rootkit or normal for SuSE 9.0?
Don't know, but 446 is exactly the root sector loader size without partition table, and is definitely not found on pristine installations! Keep us informed about your research...
Pete
I found two entries in the log-file:

Feb 19 10:52:45 oexs8 kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=80.180.181.211 DST=217.224.35.218 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=63936 PROTO=TCP SPT=1085 DPT=22 WINDOW=4096 RES=0x00 SYN URGP=0
Feb 19 10:52:45 oexs8 kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=80.180.181.211 DST=217.224.35.218 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=64011 DF PROTO=TCP SPT=3103 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)

The dig query:

oexs8:/var/log # dig 80.180.181.211

; <<>> DiG 9.2.2 <<>> 80.180.181.211
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64063
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;80.180.181.211. IN A

;; AUTHORITY SECTION:
. 10800 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2004062800 1800 900 604800 86400

The server has an open ssh-port, available from the internet via dyndns.org. Using DSL with t-online.de.

Manfred
Hi,
I found a normal file in /dev: "h" on one of my servers: It contains the following text between binary code: Invalid partition table^@No operating system^@Error loading operating system
This should not be there. It might be part of a rootkit hooking before kernel-loading.
The server has an open ssh-port, available from internet via dyndns.org. Using DSL with t-online.de.
Not only available from dyndns.org. You can always connect to the IP from everywhere. The portscan could be faked, the packet log may be misleading.

1. Remove the file, better move it to another location.
2. Reboot. If the system does not start -> it was hacked, this file was an active chainloader.
3. Load chkrootkit, do a make sense, check the system. If possible use /bin from CD or another machine (NFS, Samba, whatever).
4. If you find anything confirmed (an identified rootkit), shutdown, reinstall after formatting OR (the dangerous way)
5. Install another machine with same distribution, same patchlevel, and tripwire the disk against it. Replace changed files manually. This may result in an unusable system, or you miss some infected files.

Ciao, Dieter
Hello Dieter, thank you for your answer.

I have had a look at different things and found in /boot/grub/:

-rw-r--r-- 1 root root 103434 Feb 19 17:38 stage2

a file from Feb 19, and in /boot/:

-rw-r--r-- 1 root root 512 Feb 19 14:24 backup_mbr

On February 15 I did install the server (SuSE 9.0) on new disks. In the following days I have made many installations, but I have no documentation about our activity on the 19th. But we had a mistake in grub/menu.lst associated with a disk "hdX" (hde or hdc was misspelled as h0 or something like this). Maybe the file "/dev/h" was created in this context by the boot-process. It may also be a result of an unsuccessful test with lilo by my trainee.

I did run chkrootkit and do some other checks. I cannot find a rootkit at all. I think too, if a hacker had attacked the server, he would eliminate ALL entries in authd.log and message.log.

So I will be alert next time, watch tcp-connections and have a look for unknown rootkits. Hackers go on making the internet unusable.

Manfred
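Pete's observation that 446 bytes is exactly the MBR boot-code area (the 64-byte partition table and the 0x55AA signature make up the other 66 bytes of a 512-byte sector) suggests a concrete check for a case like this: compare the stray file byte-for-byte with the boot-code area of the 512-byte backup_mbr that sits next to it, and see which loader messages it carries. The following is an added example, not code from the thread; the sample data it builds is constructed and stands in for /dev/h and /boot/backup_mbr.

```python
MBR_CODE_SIZE = 446   # boot code; the 64-byte partition table and 0x55AA follow
MBR_SIZE = 512

# Messages embedded in classic DOS-style MBR boot code (the ones seen in /dev/h).
DOS_MBR_STRINGS = (b"Invalid partition table",
                   b"No operating system",
                   b"Error loading operating system")

def loader_strings(blob):
    """Return the known boot-code messages present in blob, as text."""
    return [s.decode() for s in DOS_MBR_STRINGS if s in blob]

def partition_entries(mbr):
    """Decode the four 16-byte partition entries, skipping empty (type 0) slots."""
    entries = []
    for i in range(4):
        e = mbr[MBR_CODE_SIZE + 16 * i:MBR_CODE_SIZE + 16 * (i + 1)]
        if e[4] != 0:
            entries.append({"bootable": e[0] == 0x80, "type": e[4]})
    return entries

def compare_code_with_mbr(code, mbr):
    """Compare a 446-byte code blob with the boot-code area of a 512-byte MBR image."""
    if len(code) != MBR_CODE_SIZE or len(mbr) != MBR_SIZE:
        raise ValueError("need a 446-byte code blob and a 512-byte MBR image")
    return {"code_matches": code == mbr[:MBR_CODE_SIZE],
            "signature_ok": mbr[510:] == b"\x55\xaa",
            "partitions": partition_entries(mbr),
            "strings": loader_strings(code)}

def build_sample():
    """Constructed stand-ins for /dev/h and /boot/backup_mbr (not the real files)."""
    code = (b"\xfa\x33\xc0" + b"\x00".join(DOS_MBR_STRINGS)).ljust(MBR_CODE_SIZE, b"\x00")
    # one bootable Linux (0x83) partition starting at LBA 63; the other three slots empty
    entry = bytes([0x80, 1, 1, 0, 0x83, 0xfe, 0xff, 0xff]) + (63).to_bytes(4, "little") \
        + (2096000).to_bytes(4, "little")
    return code, code + entry + b"\x00" * 48 + b"\x55\xaa"

if __name__ == "__main__":
    import sys  # usage: python3 mbrcheck.py /dev/h /boot/backup_mbr
    with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
        print(compare_code_with_mbr(f1.read(), f2.read()))
```

A match with the backup's code area points to a bootloader tool writing a copy of the existing boot code, while a mismatch (or a partition table that does not describe the real disk) is what would warrant the chkrootkit and offline-media checks Dieter lists.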
Hello, Manfred Rebentisch wrote:
Hackers go on making the internet unusable.
I cannot agree: Open your door at home and wait until the thieves come in - so, is the way to your house unusable 'cause someone could use it to come in? No. You lock the door to keep them out (I think you do) and so you should do with your IT environment. Lock the door.

IMHO poorly written programs and unpatched clients make the internet unusable. Do you remember SQL-Slammer? The patch was published about 184 days before the worm hit the internet. Sasser? 17 days before, IIRC.

It's our turn to patch and secure our systems instead of blaming others.

Just my 2 eurocents
GTi

P.S.: There's a difference between 'hacker' and 'cracker', see http://www.netlingo.com/right.cfm?term=cracker and http://www.netlingo.com/right.cfm?term=hacker
Hello, on Wednesday, 30 June 2004 16:23, list@nolog.org wrote:
Hello,
Manfred Rebentisch wrote:
Hackers go on making the internet unusable.
I cannot agree: Open your door at home and wait until the thieves come in - so, is the way to your house unusable 'cause someone could use it to come in? No. You lock the door to keep them out (I think you do) and so you should do with your IT environment. Lock the door.
IMHO poorly written programs and unpatched clients make the internet unusable. Do you remember SQL-Slammer? The patch was published about 184 days before the worm hit the internet. Sasser? 17 days before, IIRC.
It's our turn to patch and secure our systems instead of blaming others.
Just my 2 eurocents
GTi P.S.: There's a difference between 'hacker' and 'cracker', see http://www.netlingo.com/right.cfm?term=cracker and http://www.netlingo.com/right.cfm?term=hacker
Ok, that's right. I'm only angry about the crackers (yes, an important difference!). But you know, it is nearly impossible to make a system invulnerable - or better: I believe it.

Manfred
--
COMPARAT Software-Entwicklungs-GmbH
Mobile Voice Solutions
Prießstr. 16, 23558 Lübeck
Tel: 0451/479 56 60  Fax: 0451/479 56 62
http://www.comparat.de http://www.mobile-voice.de http://www.address-server.de http://www.adr3000.de
Ok, that's right. I'm only angry about the crackers (yes, an important difference!). But you know, it is nearly impossible to make a system invulnerable - or better: I believe it.
Depends on how dumb or wise someone sets up a box:
- no unnecessary services
- necessary services run as user and not as root; if impossible, use a wrapper or better chroot them
- wisely choose the daemons you run
- no weak passwords
- update your system to up2date files
- run ids (file and network ids) software and often parse the logfiles
- write your own scripts to parse logfiles with important notes only and often parse them
- get proven root-kit-detection-scripts
- if you have more than one server let all servers take a specific role (e.g.: db-server, dhcp-server&firewall, webserver, corporate syslog-server)
- if you got a bigger network build two firewalls with one in front of the internet and one in front of your network connected to each other (minimal system with own kernel and no network services activated), build in the first one a dmz and a honeypod that logs all activity
- subscribe to different security mailinglists and follow the threads
- don't overprotect a system so it's a challenge for some persons (there are enough weak servers on the net, so most kiddies search the more vulnerable ones)
- some experience is needed as well, but much can be read on the net or you get help from more familiar persons on the net

Most intrusions come from:
- weak passwords
- old service-daemons
- insecure services
- unsatisfied employees
- the own network
- careless operation with data/data-security

To get behind an intrusion:
- leave system as is and don't change any data, otherwise no later forensic investigation will be possible
- backup the system and run a forensic analysis on a trusted machine (you get data-patterns on the net and useful free software for that purpose as well)
- unplug system from network
- exchange system against honeypod and log activities

With the last thing you can find what's going on and trace the intruders back to their origin.

Philippe
Hello Philippe, one question about your great mail: On Wednesday, 30 June 2004 23:41, Philippe Vogel wrote: [...]
- exchange system against honeypod and log activities
With the last thing you can find what's going on and trace the intruders back to their origin.
Can you explain "honeypod"? I understand, that it is an exchange for the harmed machine, but how do you build a "honeypod"? Thank you in advance Manfred
On Thursday, 1 July 2004 10:43, Manfred Rebentisch wrote:
Can you explain "honeypod"? I understand, that it is an exchange for the harmed machine, but how do you build a "honeypod"?
Philippe probably means "honeypot". A honeypot is a machine which claims to run a service but instead logs and monitors all activity on that port. It is not uncommon to use honeypots for port 25 (SMTP) to detect infected computers which erroneously connect to that port. If you google for honeypot you will find more information.

Just my 0.02 SEK ;)
--
Mats Folke
Avd. Datalogi och Datorkommunikation / Div. of Computer Science and Networking
Inst. för Systemteknik / Dept. of Computer Science and Electrical Engineering
Luleå tekniska universitet / Luleå University of Technology, Sweden
tel: 0920 49 3065 / telephone: +46 920 493065
Hi, Manfred Rebentisch wrote:
Can you explain "honeypod"? I understand, that it is an exchange for the harmed machine, but how do you build a "honeypod"?
that's a typo: Honeypot. A honeypot is part of a honeynet ;) Take a look at http://honeynet.org/ and especially http://honeynet.org/papers/honeynet/index.html GTi
-----Original Message-----
From: list@nolog.org [mailto:list@nolog.org]
Sent: 01 July 2004 10:41
To: suse-security@suse.com
Subject: Re: [suse-security] Found file in /dev: "h"
Hi,
Manfred Rebentisch wrote:
Can you explain "honeypod"? I understand, that it is an exchange for the harmed machine, but how do you build a "honeypod"?
that's a typo: Honeypot. A honeypot is part of a honeynet ;)
I was assuming it's a new type of honeypot! Some sort of modular system or something.... Tom.
Hi, I forgot to put the entry from auth.log in my last mail:

Feb 19 10:52:46 oexs8 sshd[19670]: Did not receive identification string from ::ffff:80.180.181.211

Manfred
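The two SuSE-FW-ACCEPT lines Manfred posted earlier and this auth.log entry describe the same visitor: two SYNs to port 22 accepted from one address, followed a second later by sshd reporting that the client never sent an identification string. The following is an added example, not code from the thread, that parses both log formats and reports, per source address, accepted port-22 SYNs and whether the same source then hit sshd without a banner inside a short window. The sample lines are the three quoted in the thread; the year (2004) is an assumption, since syslog timestamps carry none.

```python
import re
from datetime import datetime

YEAR = 2004  # assumption: syslog lines carry no year
FW_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) kernel: SuSE-FW-(\w+) (.*)$")
SSHD_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
                     r"Did not receive identification string from (?:::ffff:)?(\S+)$")

def _ts(stamp):
    return datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S")

def parse_fw(line):
    """Parse a SuSE-FW-* kernel line into its key=value fields; None if not one."""
    m = FW_RE.match(line)
    if not m:
        return None
    kv = dict(f.split("=", 1) for f in m.group(4).split() if "=" in f)
    return {"time": _ts(m.group(1)), "action": m.group(3), "src": kv.get("SRC"),
            "proto": kv.get("PROTO"), "dpt": int(kv.get("DPT", 0))}

def parse_sshd(line):
    """Parse sshd's 'no identification string' line; strips the ::ffff: IPv4 mapping."""
    m = SSHD_RE.match(line)
    return {"time": _ts(m.group(1)), "src": m.group(3)} if m else None

def correlate(lines, window_s=60):
    """Per source: count accepted SYNs to port 22 and note whether the same source
    then reached sshd without sending a client banner (scanner or banner grab)."""
    fw = [p for p in map(parse_fw, lines) if p and p["action"] == "ACCEPT" and p["dpt"] == 22]
    ssh = [p for p in map(parse_sshd, lines) if p]
    report = {}
    for f in fw:
        r = report.setdefault(f["src"], {"syn_count": 0, "no_banner": False})
        r["syn_count"] += 1
        if any(s["src"] == f["src"] and abs((s["time"] - f["time"]).total_seconds()) <= window_s
               for s in ssh):
            r["no_banner"] = True
    return report

# The three lines quoted in the thread (a constructed list; the line content is verbatim).
SAMPLE = [
    "Feb 19 10:52:45 oexs8 kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=80.180.181.211 DST=217.224.35.218 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=63936 PROTO=TCP SPT=1085 DPT=22 WINDOW=4096 RES=0x00 SYN URGP=0",
    "Feb 19 10:52:45 oexs8 kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=80.180.181.211 DST=217.224.35.218 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=64011 DF PROTO=TCP SPT=3103 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)",
    "Feb 19 10:52:46 oexs8 sshd[19670]: Did not receive identification string from ::ffff:80.180.181.211",
]
```

Run `correlate(SAMPLE)` to get one entry for 80.180.181.211 with two accepted SYNs and the no-banner flag set; a scan of a whole /var/log/messages plus auth.log can be fed in the same way, line by line.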
participants (7)
- Dieter Kirchner
- Hans-Peter Jansen
- list@nolog.org
- Manfred Rebentisch
- Mats Folke
- Philippe Vogel
- Tom Knight