The command "last" showed the following entries:

ftp ftp cx441045-b.ports Tue Jun 5 00:02 - 00:02 (00:00)
ftp ftp adsl-64-222-16-9 Mon Jun 4 21:35 - 21:35 (00:00)
ftp ftp 211.200.28.16 Tue Jun 5 06:33 - 06:33 (00:00)
ftp ftp APerpignan-101-1 Tue Jun 5 20:18 - 20:19 (00:00)

Does this look like people just accidentally got the wrong IP address when they tried to ftp somewhere? Or has somebody actually ftp'd into this box? I'm basically ignorant when it comes to security.

Thanks
--
Mark Hounschell dmarkh@cfl.rr.com
On 07-Jun-01 Mark Hounschell wrote:
The command "last" showed the following entries:
ftp ftp cx441045-b.ports Tue Jun 5 00:02 - 00:02 (00:00)
ftp ftp adsl-64-222-16-9 Mon Jun 4 21:35 - 21:35 (00:00)
ftp ftp 211.200.28.16 Tue Jun 5 06:33 - 06:33 (00:00)
ftp ftp APerpignan-101-1 Tue Jun 5 20:18 - 20:19 (00:00)

Does this look like people just accidentally got the wrong IP address when they tried to ftp somewhere? Or has somebody actually ftp'd into this box? I'm basically ignorant when it comes to security.
The lines above show that on at least four occasions your host has been visited via anonymous ftp, probably by some kind of ftp scanner/script, because the durations of the connections seem to be less than a second. If a valid user had logged in, you would see his/her user name in the first column of last's output. For anonymous logins (if they are permitted), user 'ftp' is used, at least with (most) SuSE versions.

Since you see valid (?) domain names in the third column, the logins were successful. You should disable anonymous login to your ftp server, or you may shut down the whole ftp service (by commenting out the ftp line in your /etc/inetd.conf or by stopping a running ftp daemon). But chances are that these last-log anomalies are only the tip of the iceberg; that's why you should examine your log files under /var/log closely and your config and shadow pw files in /etc.

Additionally, you may use tools like chrootkit, which is a root kit detector capable of finding altered binaries on your system. System crackers install these root kits after successfully entering the victim host in order to hide certain processes from being watched via the /proc file system (e.g. with ps). You can get chrootkit from http://www.chrootkit.org .

If you should detect even more anomalies, secure, back up and freshly re-install your system. Take a look at the SuSE security FAQ at www.susesecurity/faq for more information.
Thanks -- Mark Hounschell dmarkh@cfl.rr.com [...]
---
Boris Lorenz
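An added example, not part of the thread, of doing Boris's reading of the `last` output mechanically: a small POSIX shell/awk filter that picks out sessions of the anonymous 'ftp' account whose duration column is (00:00), and lists the remote hosts behind them. The sample lines are constructed (modelled on the four entries quoted above, plus an ordinary user login and a reboot record so the filter has something it must not flag); on a real box feed it `last` directly.

```shell
#!/bin/sh
# Added example, not from the thread. Triage saved `last` output for the
# pattern Boris describes: user 'ftp' (anonymous login) with a (00:00) session.
# Column layout assumed: user tty host day mon date start - end (duration).

# Constructed sample: the four quoted entries, an ordinary user login and a
# reboot record (kernel version string is made up), so the filter has lines
# it must NOT flag.
SAMPLE_LAST='ftp      ftp          cx441045-b.ports Tue Jun  5 00:02 - 00:02  (00:00)
ftp      ftp          adsl-64-222-16-9 Mon Jun  4 21:35 - 21:35  (00:00)
ftp      ftp          211.200.28.16    Tue Jun  5 06:33 - 06:33  (00:00)
ftp      ftp          APerpignan-101-1 Tue Jun  5 20:18 - 20:19  (00:00)
mark     tty1                          Tue Jun  5 08:00 - 17:12  (09:12)
reboot   system boot  2.2.16           Mon Jun  4 07:55          (1+02:17)'

# Print sessions of the anonymous-ftp account that lasted under a minute:
# a real user shows their own name in column 1, and a person actually
# browsing an ftp site stays connected longer than (00:00).
flag_anon_ftp() {
    awk '$1 == "ftp" && $NF == "(00:00)" { print }'
}

# Distinct remote hosts behind the flagged sessions, one per line, for the
# "who visited" part of the question (column 3 is the host in last's output).
# LC_ALL=C keeps the sort order independent of the locale.
anon_ftp_hosts() {
    flag_anon_ftp | awk '{ print $3 }' | LC_ALL=C sort -u
}

# Usage on a live system (as root):  last | flag_anon_ftp
#                                    last | anon_ftp_hosts
# Try it on the constructed sample:  printf '%s\n' "$SAMPLE_LAST" | flag_anon_ftp
```

The filter keys only on the user column and the duration column, so it does not care how wide the host column is or whether it is empty, which is what makes the plain `tty1` login and the `reboot` record fall through unflagged.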
Boris Lorenz wrote:
On 07-Jun-01 Mark Hounschell wrote:
The command "last" showed the following entries:
ftp ftp cx441045-b.ports Tue Jun 5 00:02 - 00:02 (00:00)
ftp ftp adsl-64-222-16-9 Mon Jun 4 21:35 - 21:35 (00:00)
ftp ftp 211.200.28.16 Tue Jun 5 06:33 - 06:33 (00:00)
ftp ftp APerpignan-101-1 Tue Jun 5 20:18 - 20:19 (00:00)

Does this look like people just accidentally got the wrong IP address when they tried to ftp somewhere? Or has somebody actually ftp'd into this box? I'm basically ignorant when it comes to security.

The lines above show that on at least four occasions your host has been visited via anonymous ftp, probably by some kind of ftp scanner/script, because the durations of the connections seem to be less than a second. If a valid user had logged in, you would see his/her user name in the first column of last's output. For anonymous logins (if they are permitted), user 'ftp' is used, at least with (most) SuSE versions.

Since you see valid (?) domain names in the third column, the logins were successful. You should disable anonymous login to your ftp server, or you may shut down the whole ftp service (by commenting out the ftp line in your /etc/inetd.conf or by stopping a running ftp daemon). But chances are that these last-log anomalies are only the tip of the iceberg; that's why you should examine your log files under /var/log closely
I don't see anything strange in those.
and your config and shadow pw files in /etc.
I'm not sure what to look at, or what to look for when I figure out what to look at. ??
Additionally, you may use tools like chrootkit, which is a root kit detector capable of finding altered binaries on your system. System crackers install these root kits after successfully entering the victim host in order to hide certain processes from being watched via the /proc file system (e.g. with ps). You can get chrootkit from http://www.chrootkit.org .
I'll do this asap...
If you should detect even more anomalies, secure, back up and freshly re-install your system. Take a look at the SuSE security FAQ at www.susesecurity/faq for more information.

Just read it. The only other anomaly I noticed, and it may be nothing, is that I am using a cable modem with DHCP and they haven't forced a new IP address on me in a long time. However, last weekend I disconnected the machine and connected a new one because I was doing an install for a friend who was also going to be using a cable modem/DHCP. That machine got a new/different IP address from the DHCP server. Then when I was done and reconnected MY machine I got the original IP address back, and it's still the same. They used to change it every 3-4 weeks or so, but I've ended up with the same one for 2-3 months now. Like I said it may be nothing, but I don't know. I'm no DHCP expert either.

Thanks for the scare. I guess I need to read/learn some more about all this stuff. I'll follow the advice given above as soon as I figure out the part about the shadow pw and config files in /etc.

Thanks again..
--
Mark Hounschell dmarkh@cfl.rr.com
On 07-Jun-01 Mark Hounschell wrote:
Boris Lorenz wrote:
On 07-Jun-01 Mark Hounschell wrote:
The command "last" showed the following entries:
ftp ftp cx441045-b.ports Tue Jun 5 00:02 - 00:02 (00:00)
ftp ftp adsl-64-222-16-9 Mon Jun 4 21:35 - 21:35 (00:00)
ftp ftp 211.200.28.16 Tue Jun 5 06:33 - 06:33 (00:00)
ftp ftp APerpignan-101-1 Tue Jun 5 20:18 - 20:19 (00:00)

Does this look like people just accidentally got the wrong IP address when they tried to ftp somewhere? Or has somebody actually ftp'd into this box? I'm basically ignorant when it comes to security.

The lines above show that on at least four occasions your host has been visited via anonymous ftp, probably by some kind of ftp scanner/script, because the durations of the connections seem to be less than a second. If a valid user had logged in, you would see his/her user name in the first column of last's output. For anonymous logins (if they are permitted), user 'ftp' is used, at least with (most) SuSE versions.
[...]
But chances are that these last-log anomalies are only the tip of the iceberg; that's why you should examine your log files under /var/log closely
I don't see anything strange in those.
and your config and shadow pw files in /etc.
I'm not sure what to look at, or what to look for when I figure out what to look at. ??
There are various places to look for anomalies. First of all, start with /etc/passwd and look for any 'strange' entries, like users you did not create yourself or deletions of entries you definitely put in. Also pay close attention to users with group '0' (the root group). Normal users should have group IDs >= 100 (group "users", for instance, has number 100). In /etc/shadow, make sure your root account has a password set. A typical line for the root user in shadow looks like this:

root:i4EjeLkxsEUTlskd:10721:0:10000::::

where the part after "root:" is the password hash. An absence of this data would indicate a problem.

Next, check some config files in /etc, like inetd.conf, crontab, fstab, hosts, group. If you haven't configured your system too deeply, you may compare these config files against their counterparts on the installation CD. Also take a look at the init scripts in /etc/rc.d (or /sbin/init.d, respectively), and examine boot.local (which should be empty unless you have manually added something).

Then, look for files with setgid/setuid set:

find / -user root -perm -4000 -print    # setuid root
find / -group root -perm -2000 -print   # setgid root

You will see lots of setgid/setuid files. Pay attention to setuid versions of /bin/sh or /bin/time, or to files with 'funny' names (wH1Ch Are wR1tTeN l1kE tH1SsS....:).

Look for hidden files (files beginning with a dot "."). Normally, these files and directories are hidden from a normal ls. A common cracker technique is to create directories with names like ".." or "...". You may find these with:

find / -name ".." -print
or
find / -name ".. " -print    # note the trailing space after the dots

[...]

If you should detect even more anomalies, secure, back up and freshly re-install your system. Take a look at the SuSE security FAQ at www.susesecurity/faq for more information.

Just read it.

The only other anomaly I noticed, and it may be nothing, is that I am using a cable modem with DHCP and they haven't forced a new IP address on me in a long time. However, last weekend I disconnected the machine and connected a new one because I was doing an install for a friend who was also going to be using a cable modem/DHCP. That machine got a new/different IP address from the DHCP server. Then when I was done and reconnected MY machine I got the original IP address back, and it's still the same. They used to change it every 3-4 weeks or so, but I've ended up with the same one for 2-3 months now. Like I said it may be nothing, but I don't know. I'm no DHCP expert either.

It is not uncommon for cable modem/DSL providers to configure their DHCP server to give out leases with a lease time of a couple of weeks up to one month or so, but 2-3 months seems to be a bit overdone. You should phone up RoadRunner and ask for advice.

Thanks for the scare. I guess I need to read/learn some more about all this stuff. I'll follow the advice given above as soon as I figure out the part about the shadow pw and config files in /etc.

Hope my tips aren't too gibberish for you ;) After things have settled a bit, you should dig a little deeper into security. Start with the SuSE manuals covering some security issues and keep your system up-to-date with the latest security fixes. A book worth reading would be O'Reilly's "Practical Unix and Internet Security", 2nd edition, by Garfinkel and Spafford, ISBN 1-56592-148-8 (about $40), which is very readable and not too technical.
Thanks again..
-- Mark Hounschell dmarkh@cfl.rr.com [...]
---
Boris Lorenz
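The checks Boris lists, written out as an added example (not code from the thread) in POSIX shell: the /etc/passwd and /etc/shadow inspection as awk filters, and his two find commands plus the hidden-directory search as one function that takes the directory to scan, so it can be tried on a scratch tree before being pointed at /. The passwd and shadow contents are constructed samples (the hash strings are made-up, not real hashes), and the account names toor and helper are invented to stand in for the 'strange' entries he describes. It goes slightly beyond his text by also listing every uid-0 account other than root, since a second uid-0 entry is the classic thing to look for in passwd.

```shell
#!/bin/sh
# Added example, not from the thread: Boris's /etc and find checks as shell
# functions, exercised against constructed sample data.
# Field layout assumed: passwd = name:pw:uid:gid:gecos:home:shell,
#                       shadow = name:hash:lastchg:min:max:warn:inactive:expire:flag

# Constructed sample passwd. "toor" (uid 0) is the kind of entry Boris means by a
# user you did not create; "helper" is an ordinary uid but sits in group 0;
# "mark" is a normal SuSE-style user in group 100 ("users").
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
toor:x:0:0:invented entry:/:/bin/sh
mark:x:500:100:Mark:/home/mark:/bin/bash
helper:x:501:0:invented entry:/home/helper:/bin/bash'

# Constructed sample shadow (hash strings are made up). "toor" has an empty
# password field, which is the "absence of this data" Boris warns about.
SAMPLE_SHADOW='root:i4EjeLkxsEUTlskd:10721:0:10000::::
bin:*:10721:0:10000::::
toor::10721:0:10000::::
mark:Zq9k2mLpXaBcDeFg:10721:0:10000::::'

# Accounts with uid 0 other than root: every line printed is a second root.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Accounts whose primary group is 0 (the root group), root itself excepted.
gid0_users() {
    awk -F: '$4 == 0 && $1 != "root" { print $1 }'
}

# Shadow entries whose password field is empty: no password at all, which is
# different from (and worse than) a locked "*" or "!" field.
empty_shadow_pw() {
    awk -F: '$2 == "" { print $1 }'
}

# Setuid/setgid scan plus the hidden-directory search, rooted at $1 so it can
# be tried on a scratch tree. On a live system run it as root against / ;
# an unprivileged user cannot read everything, and Boris's "-user root" /
# "-group root" filters only make sense on real ownership, so they are left
# out here and the scan reports every setuid/setgid file it can see.
suspicious_files() {
    root="$1"
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
    # directory names made of dots only ("...") or dots followed by a space
    # (".. "), the shapes Boris mentions; a directory literally named ".."
    # cannot exist, so that spelling is not searched for.
    find "$root" -type d \( -name '...*' -o -name '.. *' \) -print 2>/dev/null
}

# Usage on the samples:
#   printf '%s\n' "$SAMPLE_PASSWD" | extra_uid0
#   printf '%s\n' "$SAMPLE_PASSWD" | gid0_users
#   printf '%s\n' "$SAMPLE_SHADOW" | empty_shadow_pw
# Usage on a live system (as root):
#   extra_uid0 < /etc/passwd; gid0_users < /etc/passwd
#   empty_shadow_pw < /etc/shadow; suspicious_files /
```

The awk filters compare the numeric uid/gid fields rather than grepping for ":0:", so an account such as uid 100 or gid 1000 is not matched by accident; the shadow check tests the second field for being exactly empty, so locked accounts (field "*" or "!") pass.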
Boris Lorenz wrote:
I'm not sure what to look at, or what to look for when I figure out what to look at. ??
There are various places to look for anomalies. First of all, start with /etc/passwd and look for any 'strange' entries, like users you did not create yourself or deletions of entries you definitely put in. Also pay close attention to users with group '0' (the root group). Normal users should have group IDs >= 100 (group "users", for instance, has number 100). In /etc/shadow, make sure your root account has a password set. A typical line for the root user in shadow looks like this:
root:i4EjeLkxsEUTlskd:10721:0:10000::::
where the part after "root:" is the password hash. An absence of this data would indicate a problem.
Next, check some config files in /etc, like inetd.conf, crontab, fstab, hosts, group. If you haven't configured your system too deeply, you may compare these config files against their counterparts on the installation CD. Also take a look at the init scripts in /etc/rc.d (or /sbin/init.d, respectively), and examine boot.local (which should be empty unless you have manually added something).

Then, look for files with setgid/setuid set:

find / -user root -perm -4000 -print    # setuid root
find / -group root -perm -2000 -print   # setgid root

You will see lots of setgid/setuid files. Pay attention to setuid versions of /bin/sh or /bin/time, or to files with 'funny' names (wH1Ch Are wR1tTeN l1kE tH1SsS....:).

Look for hidden files (files beginning with a dot "."). Normally, these files and directories are hidden from a normal ls. A common cracker technique is to create directories with names like ".." or "...". You may find these with:

find / -name ".." -print
or
find / -name ".. " -print    # note the trailing space after the dots
[...]
If you should detect even more anomalies, secure, back up and freshly re-install your system. Take a look at the SuSE security FAQ at www.susesecurity/faq for more information.

Just read it.

The only other anomaly I noticed, and it may be nothing, is that I am using a cable modem with DHCP and they haven't forced a new IP address on me in a long time. However, last weekend I disconnected the machine and connected a new one because I was doing an install for a friend who was also going to be using a cable modem/DHCP. That machine got a new/different IP address from the DHCP server. Then when I was done and reconnected MY machine I got the original IP address back, and it's still the same. They used to change it every 3-4 weeks or so, but I've ended up with the same one for 2-3 months now. Like I said it may be nothing, but I don't know. I'm no DHCP expert either.

It is not uncommon for cable modem/DSL providers to configure their DHCP server to give out leases with a lease time of a couple of weeks up to one month or so, but 2-3 months seems to be a bit overdone. You should phone up RoadRunner and ask for advice.

Thanks for the scare. I guess I need to read/learn some more about all this stuff. I'll follow the advice given above as soon as I figure out the part about the shadow pw and config files in /etc.
Hope my tips aren't too gibberish for you ;) After things have settled a bit, you should dig a little deeper into security. Start with the SuSE manuals covering some security issues and keep your system up-to-date with the latest security fixes. A book worth reading would be O'Reilly's "Practical Unix and Internet Security", 2nd edition, by Garfinkel and Spafford, ISBN 1-56592-148-8 (about $40), which is very readable and not too technical.
Thanks again..
No, these sound like pretty straightforward things to do. I'm not Linux ignorant, just security ignorant. Your tips will be followed. I thank you again.

regards
Mark Hounschell dmarkh@cfl.rr.com