Today, Jerry Eckert gleaned this insight:

> Welcome back!
> 
> Will you be doing a post mortem so the rest of us can (hopefully) avoid the
> same situation?
> 
> Jerry

Isn't much to tell... the script this kid used did a really good job cleaning
up after itself.  I probably wouldn't even have noticed except for some
reason the IMAP server was hung when I got up this morning, which prompted
me to go looking.  Then I discovered root could log in without a password,
and the default bash prompt was given, so bash was started as a non-login
shell.

I figure IMAP is probably how they got in too... that or possibly BIND...
ordinarily I've got IMAP filtered so only certain addresses can get to it,
but I've been doing a little experimentation with a few things, and I got
lax about my ipchains rules, and blamo.

Ordinarily, I don't have much else running on the machine: apache 1.3.9,
IMAP, sendmail (whatever ships with RH 6.1), named, openssh, and a
half-life server. Not aware of any security exploits on the half-life
server, and it doesn't run as root (it has its own specific user), so I
doubt that's how they got in.

It's conceivable that I left some random service running that I was
mucking with... possibly one that I shouldn't have.

The lesson to be learned is if you have a Linux box that's always
connected to the internet, especially if you've got a decent connection,
YOU ARE A TARGET.  Make really sure you've got only what you need running
on the box, and have some solid filters in place.

The only traces the attacker left were a modified /bin/login
program, /etc/inetd.conf modified at about the same time (to re-enable
telnet, which is normally turned off), and a bunch of entries in a log
file from ipchains which showed someone hammering the dns server. They
also rebooted the machine, obviously to have inetd reread its config.
This all tells me this was no pro.

Anyone worth their salt wouldn't have needed to reboot the machine, and
would have discovered my non-standard log file.  They also would have
checked and changed the timestamps on the files they modified. If they'd
been just a little more careful (or should I say, if the script had been a
little more robust), I would probably never have noticed.

Time to go re-subscribe to bugtraq and CERT advisories... :(


-- 
PGP/GPG Public key at http://cerberus.ne.mediaone.net/~derek/pubkey.txt
------------------------------------------------------
Derek D. Martin      |  Unix/Linux Geek
[EMAIL PROTECTED]  |  [EMAIL PROTECTED]
------------------------------------------------------
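A defender-side check for the kind of traces described in the post above (a replaced /bin/login, a modified /etc/inetd.conf, and the possibility that an attacker puts the old timestamps back). This is an added example, not code from the original message or the list: it records SHA-256 digests plus mtime/ctime for a baseline and later reports files whose content changed, relying on the fact that ctime cannot be set with touch or utime, so changed content with the mtime still at its baseline value means the modification time was deliberately restored. The demo() scenario uses constructed files in a temporary directory, not real system paths.

```python
import hashlib, os, shutil, tempfile

def _sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_baseline(paths):
    """Record digest plus mtime/ctime (ns) for every path that exists."""
    base = {}
    for p in paths:
        if os.path.isfile(p):
            st = os.stat(p)
            base[p] = {"sha256": _sha256(p), "mtime_ns": st.st_mtime_ns,
                       "ctime_ns": st.st_ctime_ns}
    return base

def compare(baseline):
    """Return (path, reason) findings. ctime cannot be set via touch/utime, so
    changed content with mtime still at the baseline value means it was put back."""
    findings = []
    for p, old in baseline.items():
        if not os.path.isfile(p):
            findings.append((p, "missing"))
            continue
        st = os.stat(p)
        if _sha256(p) != old["sha256"]:
            findings.append((p, "content changed"))
            if st.st_mtime_ns == old["mtime_ns"]:
                findings.append((p, "mtime restored to baseline value"))
        elif st.st_ctime_ns != old["ctime_ns"]:
            findings.append((p, "metadata changed (owner/mode/utime)"))
    return findings

def demo():
    """Constructed scenario in a temp dir, not real system paths."""
    d = tempfile.mkdtemp()
    try:
        paths = [os.path.join(d, n) for n in ("login", "inetd.conf")]
        for p in paths:
            with open(p, "w") as f:
                f.write("original " + os.path.basename(p))
        base = build_baseline(paths)
        old = os.stat(paths[0])
        with open(paths[0], "w") as f:
            f.write("replaced login")  # content swapped...
        os.utime(paths[0], ns=(old.st_atime_ns, old.st_mtime_ns))  # ...old mtime put back
        return compare(base)
    finally:
        shutil.rmtree(d)
```

On a real host, run build_baseline() over the files you care about right after a clean install, store the result off-box, and run compare() from a trusted copy of the tools, since a trojaned system could lie about its own files.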

