Mailinglist Archive: opensuse-security (685 mails)

Re: [suse-security] compromised SuSE7.3?
>I looked into my logfiles and found out that there
>had not been any sign of life for the last hour i.e. no MARK, ippl,
>snort, xntpd entries at all! The last message was produced by fetchmail
>and even there everything seemed to be ok. I feared, that somebody had
>made it into my system and I had disturbed him while placing a rootkit,
>so the hd activity was due to his sudden cleanup.

So what? You wrote your system crashed - the logfile was not closed
properly.

> I looked for rootkits
>(chkrootkit-0.35) but found nothing of interest and posted my
>experiences to a newsgroup. A few hours later I found
>
>Feb 6 22:48:23 nephilim kernel: Packet log: input DENY eth0 PROTO=1
>212.60.6.125:8 134.169.145.147:0 L=84 S=0x60 I=0 F=0x4000 T=45 (#113)
>Feb 6 22:48:29 nephilim last message repeated 5 times
>Feb 6 22:49:38 nephilim sshd[11226]: Connection closed by 212.60.6.125
>
>in my syslog and became even more anxious. But I found out, that if you
>try to login to my box but give ssh a Ctrl-C instead of a password,
>exactly this message will be produced. Perhaps somebody read my posting
>and felt curious enough to drop in for a second.

ACK - that's why you should mask your IP even when you post logs to a list.

>
>After that I changed the "Protocol" in sshd_config to 2 (was 2,1
>before), even though it is said here, that this ssh-version is as

Too late !

>secure as openssh-3.0. Additionally, I searched for directories
>beginning with ..* but found nothing. I did an "rpm --verify" on each
>installed package and got e.g. for openssh
>
>S.5....T c /etc/pam.d/sshd
>S.5....T c /etc/ssh/ssh_config
>SM5....T c /etc/ssh/sshd_config
>.M...... /usr/bin/ssh
>
>my guesses:
>pam.d/sshd was changed when activating md5 passwords (>8 characters)
>ssh*_config were changed by myself
>ssh hmmm... as one can change file permissions (easy,local,secure), is
>it possible, that after an installation default permissions and groups
>are overridden by a script that sets the chosen values?

My guesses for ssh - you installed an update with rpm -i instead of
rpm -u, or a script such as harden_suse changed attributes.

By the way - it's ssh, not sshd. An attacker would exchange the daemon to
get in.

>So what do you think what could have happened? What should be done
>next? How can I check, whether new users/groups were created? How can I
>verify files on my discs against RPMs and not against a potentially
>corrupted rpm-database? Could this be also explained in a way, that KDE
>or X had an internal problem, perhaps due to some network errors within
>our LAN (it does not work that perfect now) and made my system freeze?
>What will happen, if the dhclient does not get appropriate data from
>the server (or even does not find him)? Could this confuse other
>programs?
>

If you think it's not only paranoia, then check this URL for forensic analysis.

http://project.honeynet.org/challenge/results/submissions/roessler/evidence.txt

This doc describes techniques and methods to seek hidden information post mortem.

You may want to see other examples too:

http://project.honeynet.org/challenge/results/index.html#rankings

See the winners

:O) Michael Appeldorn
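As an added example (not part of Michael's reply or of the original post), a small POSIX sh classifier for rpm --verify output, fed with the lines quoted above as a constructed sample plus one hypothetical line for a replaced daemon binary; it separates locally edited config files from non-config files whose digest changed, which is the case the reply points at.

```shell
#!/bin/sh
# Classify lines of `rpm -V` / `rpm --verify` output. Per rpm(8) the flag
# column reads: S size, M mode, 5 digest, D device, L readlink, U user,
# G group, T mtime; a '.' means the test passed. An optional attribute
# marker follows (c = %config file). To verify against a package file
# instead of a possibly tampered rpm database, feed it `rpm -Vp pkg.rpm`.

classify_verify_line() {
    # $1 is one output line, e.g. "SM5....T c /etc/ssh/sshd_config"
    flags=$(printf '%s\n' "$1" | awk '{print $1}')
    if [ "$flags" = "missing" ]; then
        printf 'MISSING\n'; return 0
    fi
    nf=$(printf '%s\n' "$1" | awk '{print NF}')
    attr=""
    [ "$nf" -ge 3 ] && attr=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$flags" in
        *5*) digest=1 ;;
        *)   digest=0 ;;
    esac
    if [ "$attr" = "c" ]; then
        printf 'CONFIG\n'            # edited config file: usually expected
    elif [ "$digest" -eq 1 ]; then
        printf 'CONTENT-CHANGED\n'   # non-config file, different digest: investigate
    else
        printf 'METADATA-ONLY\n'     # mode/owner/mtime only: e.g. a permissions script
    fi
}

# Constructed sample: the four lines quoted in the thread plus one
# hypothetical line showing what a swapped daemon binary would look like.
SAMPLE='S.5....T c /etc/pam.d/sshd
S.5....T c /etc/ssh/ssh_config
SM5....T c /etc/ssh/sshd_config
.M...... /usr/bin/ssh
S.5....T /usr/sbin/sshd'

# Print the path of every sample line whose content actually changed.
suspect_files() {
    printf '%s\n' "$SAMPLE" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        if [ "$(classify_verify_line "$line")" = "CONTENT-CHANGED" ]; then
            printf '%s\n' "$line" | awk '{print $NF}'
        fi
    done
}

suspect_files
```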
