Mailinglist Archive: opensuse-security (601 mails)

Re: AW: AW: [suse-security] SuSE security reputation, etc..
  • From: <devel@xxxxxxxxxxxxxxxxxx>
  • Date: Sun, 6 Aug 2000 03:34:48 -0700 (PDT)
  • Message-id: <Pine.LNX.4.21.0008060255280.19553-100000@xxxxxxxxxxxxxxxxxx>
Hello Stephan,

I recently had to clean up after a break-in (which is
what inspired me to join this list). Some comments to add
to Pete's followup:

On Sat, 5 Aug 2000, OKDesign oHG Security Webmaster wrote:

> > Someone might install some scripts to USER account and for example copy
> > all input/output to a file, including su passwords.
>
> Good idea.
> But how should he manage to get this script started ?

As Pete said, consider any environment that has been
broken into (even just one of your users) hostile until
completely proven otherwise.

Closely inspect *all* of those user files, *especially*
the dot-files. Sometimes, the only thing changed in the
login profile command (i.e. .bashrc or .bash_profile) is
the "PATH=" statement, to add a new directory to the
beginning of the list.

I've actually seen a new directory of "...", designed
to be overlooked with the usual "." and ".." at the top.
I've also heard mention of ".^H" or ".<rubout>" but am
not sure how a person either creates or uses such a
directory. Also, *heavily* scrutinize /tmp! This is
ESPECIALLY imperative if anyone hasn't responded to the
recent SuSE advisory regarding aaabase (where a few users,
such as "nobody" have /tmp as their home directory).
In this case, look for "/tmp/.bashrc".

Often, the best approach, when a user account has
been compromised, is to back it (and /tmp) up to a
secure location, re-initialize it and /tmp, and then
give the user their data files, one at a time, after
carefully examining them.

Hope this helps.

Best regards,

Ken Parker

P.S. When the "Script Kiddies" gained root on my
system, they linked /root/.bash_history
to /dev/null. That was the last straw,
when I was examining my system, inspiring
me to yank the ethernet cord out of the
back of the computer. (They entered through
a year-old Sendmail vulnerability).
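The checks this mail recommends, turned into a small audit script as an added example (not part of the original post or of any SuSE tool): it reports PATH= rewrites in the login profiles, hidden entries named like "..." or containing non-printable bytes (the ".^H" case), a .bash_history that has become a symlink to /dev/null, and any login profile sitting under a directory such as /tmp. The finding format, the function names and the constructed fixture directory are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. Audits a user's restored home
# directory (and /tmp) for the indicators described in the mail. Output is
# one finding per line: TAG<TAB>path[:detail]. All names here are assumed.

# audit_home DIR : report the three home-directory indicators under DIR
audit_home() {
    dir=$1

    # 1. PATH assignments in the login profile files; a new directory
    #    prepended to PATH is the modification the mail describes.
    for f in "$dir/.bashrc" "$dir/.bash_profile" "$dir/.profile"; do
        [ -f "$f" ] || continue
        grep -nE '^[[:space:]]*(export[[:space:]]+)?PATH=' "$f" |
            while IFS= read -r hit; do
                printf 'PATH-MOD\t%s:%s\n' "$f" "$hit"
            done
    done

    # 2. Hidden entries whose names are only dots ("...") or contain
    #    non-printable bytes (".^H"); both hide among "." and ".." in ls.
    for p in "$dir"/.[!.]* "$dir"/..?*; do
        [ -e "$p" ] || [ -L "$p" ] || continue
        name=${p##*/}
        nonprint=$(printf '%s' "$name" | tr -d '[:print:]')
        case $name in
            ...*) printf 'ODD-NAME\t%s\n' "$p" ;;
            *) if [ -n "$nonprint" ]; then printf 'ODD-NAME\t%s\n' "$p"; fi ;;
        esac
    done

    # 3. History file linked to /dev/null: nothing typed is recorded
    h="$dir/.bash_history"
    if [ -L "$h" ] && [ "$(readlink "$h")" = /dev/null ]; then
        printf 'HISTORY-NULL\t%s\n' "$h"
    fi
}

# profiles_in DIR : login profiles present under DIR. Run it on /tmp: with
# the aaabase issue the mail mentions, /tmp/.bashrc is hostile on its own.
profiles_in() {
    for f in "$1/.bashrc" "$1/.bash_profile" "$1/.profile"; do
        if [ -e "$f" ]; then printf 'TMP-PROFILE\t%s\n' "$f"; fi
    done
}

# count_findings DIR TAG : number of findings carrying TAG (for checks)
count_findings() {
    audit_home "$1" | grep -c "^$2"
}

# make_fixture : constructed, clearly fake home directory showing every
# indicator; prints its path so the caller can remove it afterwards.
make_fixture() {
    d=$(mktemp -d)
    printf 'alias ll="ls -l"\nPATH=/home/user/.../bin:$PATH\n' > "$d/.bashrc"
    mkdir "$d/..."
    mkdir "$d/.$(printf '\010')"       # ".^H": a backspace byte in the name
    ln -s /dev/null "$d/.bash_history"
    printf 'ordinary data file\n' > "$d/notes.txt"
    printf '%s\n' "$d"
}

if [ -n "${1:-}" ]; then
    audit_home "$1"                    # e.g. sh audit.sh /home/alice
else
    fix=$(make_fixture)                # demo run on the constructed fixture
    audit_home "$fix"
    rm -rf "$fix"
fi
```

Run it once per compromised account (`audit_home /home/<user>`) and once on /tmp (`profiles_in /tmp`, then `audit_home /tmp`); as the mail says, treat every hit as reason to rebuild the account rather than to patch the file in place.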

