First things first.  Nobody stated this, but take the system off the network
right away.

Using the rpm command (rpm -V <package>) on all important packages, including
netutils, fileutils, procps, etc., will let you know what has been changed,
including MD5 sums and permissions.  Next, replace every package that has been
changed from the original distribution compact disk.  After that, ls, ifconfig,
top, ps, etc. will function as normal.  Then you can begin to find out exactly
what files have been placed on your system by the rootkit.  You will also be
able to see what processes are running on your system.  Then start cleaning.

If you want to learn what exactly happened to your system, do not reload
your system.  Use the compromise to learn and teach others.
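An added example (not part of the original post) of triaging `rpm -V` output the way the reply describes: the function reads verification lines and reports files whose MD5 sum, size or mode no longer match the RPM database, plus files that are missing, so you know which packages to reinstall from the distribution media. The sample output below is constructed for illustration, not captured from the compromised box.

```shell
#!/bin/sh
# Added example: triage `rpm -V` output to find package files whose contents
# or permissions no longer match the RPM database. rpm -V prints one line per
# deviating file: a flag string (S=size, M=mode, 5=MD5 sum, U/G=owner/group,
# T=mtime, L=symlink, D=device), an optional type letter (c=config, d=doc),
# then the path; the word "missing" marks a file that is gone entirely.

# Constructed sample output, as if from running rpm -V on the networking,
# file and process utility packages the post names (not real captured data).
SAMPLE='S.5....T   /sbin/ifconfig
S.5....T   /bin/ls
..5....T   /bin/ps
S.5....T   /usr/bin/top
.......T   /usr/bin/uptime
S.5....T c /etc/sysconfig/network-scripts/ifup
missing    /usr/bin/pstree'

# Report files whose size, MD5 sum or mode changed, or that are missing.
# Config files (type "c") legitimately change after install, so they are
# reported separately rather than treated as tampered binaries.
# An mtime-only change (flag T alone) is noise and is skipped.
triage_rpm_verify() {
    printf '%s\n' "$1" | awk '
        $1 == "missing" { print "MISSING  " $NF; next }
        {
            flags = $1; path = $NF
            type = (NF == 3) ? $2 : "-"
            tampered = (index(flags, "5") || index(flags, "S") || index(flags, "M"))
            if (!tampered) next
            if (type == "c") print "CONFIG   " path "  (" flags ")"
            else             print "TAMPERED " path "  (" flags ")"
        }'
}

# Count the non-config files rpm -V flagged as tampered or missing; these are
# the binaries to replace from the original distribution packages.
count_tampered() {
    triage_rpm_verify "$1" | grep -c -E '^(TAMPERED|MISSING)' || true
}

# When run directly, list what to replace.
triage_rpm_verify "$SAMPLE"
```

Run the real thing as `rpm -V <package>` for each package the post lists and feed the combined output to `triage_rpm_verify` in place of the constructed sample.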

-----Original Message-----
From: Daniel Kuecker [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 12, 2002 11:15 PM
To: [EMAIL PROTECTED]
Subject: Re: [sclug-general] security


Thanks all. I am going to bed. I fear I am going to have to reload the
server :-(
----- Original Message -----
From: "Brion Hase" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, December 12, 2002 11:08 PM
Subject: Re: [sclug-general] security


> Use the following URL:
> http://www.cert.org/tech_tips/root_compromise.html
>
> General Answer to Original Question:
>
> I think one of the best rules is to not give users shell access unless you
> absolutely have to.  If you have a single program which they must run, run
> the program from their ".profile".  If there are specific programs that
> they must run, set them up with a menu.  Bill talked a few months ago
> about using PDMenu (http://www.kitenet.net/programs/pdmenu/).  If the users
> don't need shell access, use "/bin/true" as their shell.  Shutting off shell
> access does not necessarily prevent rootkits, but it helps make it more
> difficult for the attacker.
>
> Make sure when you or your users log onto the system you are either on the
> console or you are using ssh.  Take the Telnet client and server off the
> system!!  A student could run a traffic sniffer from a laptop or
> workstation (Windows or Linux) to get passwords.
>
> Another rule of thumb is always keep the system packages updated.  With
> RedHat, the up2date function works well; run it every day or put it into
> cron.  If you don't need a package or service, take it off the
> system.  There are also some RPM options which will check the signatures of
> packages against the RPM files.  As Ted says, make sure you also have the
> current "openssh" packages installed.
>
> I noticed you said you are running FTP.  Never use "wuftpd"; my experience
> has been that "wuftpd" has historically been full of problems.  Look at
> using ncftpd (http://ncftpd.com/) or a different FTP server.  A lot of
> rootkits use your FTP clients to get the kit transferred to your
> system.  Move your FTP client binaries to a directory not in your path or
> get them off the system.  You can still run them using the full path.  The
> "wget" command is also getting popular for this.
>
> Also check your /etc/initd.conf file (or xinetd files) for unknown
> services.  Check out what files the rootkit waxes and get them replaced.
>
> Run port scans regularly to check for open ports (put it in cron).  Also,
> get and install Port Sentry (http://www.psionic.com/).  Set up ipchains or
> iptables to block ports which are not used or, better yet, use a firewall to
> block ports.
>
> There are dozens of other tricks and utilities you can use.  Check some of
> the security sites that should be on the links page of sclinux.org.  What
> you are looking for is ways to "Harden" your system.  As Ted kind of
> points out, remote logging may also be a good thing to do.
>
> There are some simple ways to detect when a root kit is on your system.
> It doesn't stop them but it does normally pick them up when they are
> there.  We are trying to get Jeromey Hannel ([EMAIL PROTECTED]) to give
> a presentation next year on stopping root kits.  He has been working hard on
> some related work and certifications and is very knowledgeable on the
> subject.
>
> Brion.
>
>
> At 10:58 PM 12/12/02 -0600, you wrote:
> >Where can I find that info on this website? I noticed the files top and
> >ps are modified and pointed to >/dev/null
> >----- Original Message -----
> >From: "Brion Hase" <[EMAIL PROTECTED]>
> >To: <[EMAIL PROTECTED]>
> >Sent: Thursday, December 12, 2002 10:45 PM
> >Subject: Re: [sclug-general] security
> >
> >
> > > The ifconfig file is a pretty basic target.  Copy one over from
> > > another system to the /root directory and try that.  Check
> > > http://www.cert.org/ to see which files the kit usually attacks.
> > >
> > > Brion.
> > >
> > > At 10:40 PM 12/12/02 -0600, you wrote:
> > > >The .bash_history is root's, ifconfig is in /sbin but it doesn't do
> > > >anything when I run it, it says file not found. When I tried to telnet
> > > >to port 1010 it refused me
> > > >----- Original Message -----
> > > >From: "dax wood" <[EMAIL PROTECTED]>
> > > >To: <[EMAIL PROTECTED]>
> > > >Sent: Thursday, December 12, 2002 10:37 PM
> > > >Subject: Re: [sclug-general] security
> > > >
> > > >
> > > > > have you tried telnet'ing to the open port for some indication of
> > > > > the program running?
> > > > >
> > > > > and try /sbin/ifconfig
> > > > > or locate ifconfig
> > > > >
> > > > > and whose .bash_history file are you talking about?
> > > > >
> > > > > --- Daniel Kuecker <[EMAIL PROTECTED]> wrote:
> > > > > > I just ran chkrootkit, it has found a possible LKM infection.
> > > > > > Port 1010 is open, nmap says it doesn't know what it is. I can't
> > > > > > tell what rootkit was used. Anyone have any ideas on how to stop
> > > > > > this? I know the who file doesn't work, ifconfig doesn't work,
> > > > > > .bash_history is linked to another file I can't find. Any
> > > > > > suggestions?
> > > > > > ----- Original Message -----
> > > > > > From: "dax wood" <[EMAIL PROTECTED]>
> > > > > > To: <[EMAIL PROTECTED]>
> > > > > > Sent: Thursday, December 12, 2002 10:22 PM
> > > > > > Subject: Re: [sclug-general] security
> > > > > >
> > > > > >
> > > > > > >
> > > > > > > --- Daniel Kuecker <[EMAIL PROTECTED]> wrote:
> > > > > > > > All,
> > > > > > > > I have installed a redhat 7.2 box in a local school system.
> > > > > > > > Its functions include:
> > > > > > > >
> > > > > > > > Servers:
> > > > > > > > FTP
> > > > > > > > HTTP
> > > > > > > > SSH
> > > > > > > > DHCP
> > > > > > > > DNS
> > > > > > > > Email
> > > > > > > >
> > > > > > > > I have discovered someone created a user account with the
> > > > > > > > home dir of /var/.bash2
> > > > > > > > they granted themselves group membership of a principal. I
> > > > > > > > noticed three files in their home dir of what appears to be a
> > > > > > > > root exploit called dr. dolittle. I have not heard of this
> > > > > > > > exploit. Anyhow, I disabled the account.
> > > > > > > > I was curious as to how to prevent this in the future. I
> > > > > > > > suspect it is a student causing this. I am wondering if I can
> > > > > > > > disable the shell access to all except a select few. Will
> > > > > > > > this cause problems with email services, etc.?
> > > > > > > > Will this prevent users from getting to a shell to run these
> > > > > > > > exploits?
> > > > > > > > Any help would be greatly appreciated.....
> > > > > > > > thanks
> > > > > > > > daniel kuecker
> > > > > > > >
> > > > > > >
> > > > > > > Best guess would be that someone guessed or manipulated a
> > > > > > > privileged account password. Look at logs for connections (if
> > > > > > > this was a real hacker you will not find anything). Red Hat has
> > > > > > > drwxr-xr-x on /var? so proof of a root hack if that is the case.
> > > > > > >        as far as the shell goes you can always play with the
> > > > > > > inittab file!
> > > > > > >
> > > > > > > In any case you need to upgrade to 8.0 otherwise due to a lot
> > > > > > > of httpd->apache and openssl security holes you're like fish in
> > > > > > > a barrel.
> > > > > > >
> > > > > > >         I was a kid once( :)  _) and I can remember a certain
> > > > > > > area12 hack on the schools main servers long ago...... in a mac
> > > > > > > unix far away
> > > > > > >         never at a school do you use pen or pencil as a password
> > > > > > >
> > > > > > > ------ted----
> > > > > > >
> > > > > > >
> > > > > > > __________________________________________________
> > > > > > > Do you Yahoo!?
> > > > > > > Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
> > > > > > > http://mailplus.yahoo.com
> > > > > > >
> > > > > >
> > > > >
> > > > >
> > >
> > >
>
>


