Mailinglist Archive: opensuse-security (220 mails)

Re: [suse-security] Intrusion
  • From: Bjorn Tore Sund <bjornts@xxxxxxxxx>
  • Date: Mon, 24 Nov 2003 16:38:12 +0100 (CET)
  • Message-id: <Pine.LNX.4.58.0311241623350.12813@xxxxxxxxxxxxxxx>

On Mon, 24 Nov 2003, Antun Balaz wrote:

>
> Hi to all,
> it seems that I have a serious problem, although I updated my SuSE 8.1
> server quite recently (all security updates were applied).
>
> I have two questions:
>
> 1) What to do right now to prevent any misconduct of my server?
> 2) How to clean up the server?
>
> Description of the problem: one of my users (mvasilic) noticed that
> someone from IP 81.196.122.7 logged into his account (that IP originates
> from Romania, and we are in Serbia). Close inspection shows that indeed
> someone was logged into our server from that IP, and obviously was running
> some kind of a rootkit:

1. Get the machine offline. Now.
2. No, don't plug it back online.
3. Verify how they got into the user's account:
   - 'xhost +' and no firewall on port 6000?
     - On this machine.
     - On the machine with the X server (beware of MS X-servers!)
   - Passwords typed on insecure machines.
   - Same password on multiple systems, where another system may be taken.
   - Username/password borrowed by others.
   This is a script-kiddie. It's highly unlikely that they've cracked
   their way in through a service the way things look here. Then they'd
   own the account owning the service.
4. They've owned a user. Is there any indication that they've gotten
   a root user? Does the user in question _have_ root access? Check
   carefully. They obviously haven't had time to clean up thoroughly;
   check /var/log/messages etc.
5. If you're 100% sure it's only the user, clean up for that user:
   - New password
   - Remove crontab
   - Remove ~/.ssh, ~/.shosts, ~/.rhosts, etc.
   - Remove at jobs
6. If you're not 100% sure, reinstalling and configuring from scratch is your
   one and only answer, with new passwords for all users, etc, etc, etc.
7. Plug back online.

BTDT,

-Bjørn
--
Bjørn Tore Sund          Phone: (+47) 555-84894     Stupidity is like a
System administrator     Fax: (+47) 555-89672       fractal; universal and
Math. Department         Mobile: (+47) 918 68075    infinitely repetitive.
University of Bergen     VIP: 81724
teknisk@xxxxxxxxx        Email: bjornts@xxxxxxxxx   http://www.mi.uib.no/
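A small triage helper for steps 4 and 5 of the reply above, added here as an example and not part of the original thread: it pulls accepted sshd logins from a given address out of a syslog-style file (what you would run against /var/log/messages) and lists the per-user trust files the cleanup step names (~/.ssh keys, ~/.rhosts, ~/.shosts, plus ~/.forward as my own addition). The log lines, hostname and home directory are constructed sample data; the user name and address are the ones from the thread.

```shell
#!/bin/sh
# Added example, not code from the original mail. Works on constructed
# sample data; on a real host pass /var/log/messages and the user's home.

# Print "Mon DD HH:MM:SS user" for every sshd "Accepted" login from $2 in $1.
logins_from_ip() {
    logfile=$1
    # Escape the dots so 81.196.122.7 does not also match 81.196.122.70 etc.
    ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -E "sshd\[[0-9]+\]: Accepted .* from ${ip_re} " "$logfile" |
        awk '{ print $1 " " $2 " " $3 " " $9 }'
}

# Print each user-controlled trust/persistence file present under home $1.
user_trust_files() {
    home=$1
    for f in .ssh/authorized_keys .ssh/authorized_keys2 .rhosts .shosts .forward; do
        [ -e "$home/$f" ] && echo "$f"
    done
    return 0
}

# Build a constructed sample tree (log file + home directory) and print its path.
make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/home/mvasilic/.ssh"
    : > "$dir/home/mvasilic/.ssh/authorized_keys"
    : > "$dir/home/mvasilic/.rhosts"
    # Constructed syslog lines: one failed and one accepted login from the
    # Romanian address, plus an unrelated login that must not be reported.
    cat > "$dir/messages" <<'EOF'
Nov 24 03:12:44 host sshd[12345]: Failed password for mvasilic from 81.196.122.7 port 4019 ssh2
Nov 24 03:12:51 host sshd[12345]: Accepted password for mvasilic from 81.196.122.7 port 4021 ssh2
Nov 24 09:02:10 host sshd[12410]: Accepted publickey for admin from 10.0.0.5 port 3301 ssh2
EOF
    echo "$dir"
}

sample=$(make_sample)
echo "Accepted logins from 81.196.122.7:"
logins_from_ip "$sample/messages" 81.196.122.7
echo "Trust files present in mvasilic's home:"
user_trust_files "$sample/home/mvasilic"
rm -rf "$sample"
```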
