I agree, get this box off the network and do the following.... Make an ISO image of the box before you do anything. Once that's done and burnt to a CD or 2, I'd just whack that box and start from scratch. Just trying to patch that box is going to haunt you down the line. There is always something on the box that you'll never find. Then you'll run into something similar, download the latest chkrootkit and it might find a trace that you missed and then have to wonder if the system's been compromised again. Use the ISO image as your evidence if you need some at the end of this event. That way you can just reload that box and get it back online with little downtime for the customer.

Mike

Or give us all the IP so we can check it out???? Just kidding....

On Friday 13 December 2002 2:34 pm, Jeromey Hannel wrote:
> First things first. Nobody stated this but take the system off the network right away.
>
> Using the rpm command, (rpm -V <package>) on all important packages including netutils fileutils procps etc. Using this command will let you know what has been changed including MD5 sum and permissions. Next replace every package that has been changed from the original distribution compact disk. After that the ls, ifconfig, top, ps etc will function as normal. Then you can begin to find out exactly what files have been placed on your system from the rootkit. Also you will be able to see what processes are running on your system. Then start cleaning.
>
> If you want to learn what exactly happened to your system, do not reload your system. Use the compromise to learn and teach others.
>
> -----Original Message-----
> From: Daniel Kuecker [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, December 12, 2002 11:15 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [sclug-general] security
>
> thanks all. i am going to bed. i fear i am going to have to reload the server :-(
>
> ----- Original Message -----
> From: "Brion Hase" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, December 12, 2002 11:08 PM
> Subject: Re: [sclug-general] security
>
> > Use the following URL: http://www.cert.org/tech_tips/root_compromise.html
> >
> > General Answer to Original Question:
> >
> > I think one of the best rules is to not give users shell access unless you absolutely have to. If you have a single program which they must run, run the program from their ".profile". If there are specific programs that they must run, set them up with a menu. Bill talked a few months ago about using PDMenu (http://www.kitenet.net/programs/pdmenu/). If the users don't need shell access, use "/bin/true" as their shell. Shutting off shell access does not necessarily prevent rootkits, but it helps make it more difficult for the attacker.
> >
> > Make sure when you or your users log onto the system you are either on the console or you are using ssh. Take the Telnet client and server off the system!! A student could run a traffic sniffer from a laptop or workstation (Windows or Linux) to get passwords.
> >
> > Another rule of thumb is always keep the system packages updated. With RedHat, the up2date function works well, run it every day or put it into cron. If you don't need a package or service take it off the system. There are also some RPM options which will check the signatures of packages against the RPM files. As Ted says, make sure you also have the current "openssh" packages installed.
> >
> > I noticed you said you are running FTP. Never use "wuftpd", my experience has been that "wuftpd" has historically been full of problems. Look at using ncftpd (http://ncftpd.com/) or a different FTP server. A lot of rootkits use your FTP clients to get the kit transferred to your system. Move your FTP client binaries to a directory not in your path or get them off the system. You can still run them using the full path. The "wget" command is also getting popular for this.
> >
> > Also check your /etc/inetd.conf file (or xinetd files) for unknown services. Check out what files the rootkit waxes and get them replaced.
> >
> > Run port scans regularly to check for open ports (put it in cron). Also, get and install Port Sentry (http://www.psionic.com/). Set up ipchains or iptables to block ports which are not used or better yet use a firewall to block ports.
> >
> > There are dozens of other tricks and utilities you can use. Check some of the security sites that should be on the links page of sclinux.org. What you are looking for are ways to "Harden" your system. As Ted kind of points out, remote logging may also be a good thing to do.
> >
> > There are some simple ways to detect when a root kit is on your system. It doesn't stop them but it does normally pick them up when they are there. We are trying to get Jeromey Hannel ([EMAIL PROTECTED]) to give a presentation next year on stopping root kits. He has been working hard on some related work and certifications and is very knowledgeable on the subject.
> >
> > Brion.
> >
> > At 10:58 PM 12/12/02 -0600, you wrote:
> > > where can i find that info on this website? i noticed the files top and ps are modified and pointed to /dev/null
> > > ----- Original Message -----
> > > From: "Brion Hase" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Thursday, December 12, 2002 10:45 PM
> > > Subject: Re: [sclug-general] security
> > >
> > > > The ifconfig file is a pretty basic target. Copy one over from another system to the /root directory and try that. Check http://www.cert.org/ to see which files the kit usually attacks.
> > > >
> > > > Brion.
> > > >
> > > > At 10:40 PM 12/12/02 -0600, you wrote:
> > > > > the .bash_history is root's, ifconfig is in /sbin but it doesn't do anything when i run it, it says file not found. when i tried to telnet to port 1010 it refused me
> > > > > ----- Original Message -----
> > > > > From: "dax wood" <[EMAIL PROTECTED]>
> > > > > To: <[EMAIL PROTECTED]>
> > > > > Sent: Thursday, December 12, 2002 10:37 PM
> > > > > Subject: Re: [sclug-general] security
> > > > >
> > > > > > have you tried telnet'ing to the open port for some indication of the program running?
> > > > > >
> > > > > > and try /sbin/ifconfig
> > > > > > or locate ifconfig
> > > > > >
> > > > > > and whose .bash_history file are you talking about?
> > > > > >
> > > > > > --- Daniel Kuecker <[EMAIL PROTECTED]> wrote:
> > > > > > > i just ran chkrootkit, it has found a possible LKM infection. port 1010 is open, nmap says it doesn't know what it is. i can't tell what rootkit was used. anyone have any ideas on how to stop this? i know the who file doesn't work, ifconfig doesn't work, .bash_history is linked to another file i can't find. any suggestions?
> > > > > > > ----- Original Message -----
> > > > > > > From: "dax wood" <[EMAIL PROTECTED]>
> > > > > > > To: <[EMAIL PROTECTED]>
> > > > > > > Sent: Thursday, December 12, 2002 10:22 PM
> > > > > > > Subject: Re: [sclug-general] security
> > > > > > >
> > > > > > > > --- Daniel Kuecker <[EMAIL PROTECTED]> wrote:
> > > > > > > > > All,
> > > > > > > > > I have installed a redhat 7.2 box in a local school system. Its functions include:
> > > > > > > > >
> > > > > > > > > Servers:
> > > > > > > > > FTP
> > > > > > > > > HTTP
> > > > > > > > > SSH
> > > > > > > > > DHCP
> > > > > > > > > DNS
> > > > > > > > > Email
> > > > > > > > >
> > > > > > > > > I have discovered someone created a user account with the home dir of /var/.bash2 they granted themselves group member of a principal. i noticed three files in their home dir of what appears to be a root exploit called dr. dolittle. i have not heard of this exploit. anyhow, i disabled the account.
> > > > > > > > > i was curious as to how to prevent this in the future. i suspect it is a student causing this. i am wondering if i can disable the shell access to all except a select few. will this cause problems with email services, etc?
> > > > > > > > > will this prevent users from getting to a shell to run these exploits?
> > > > > > > > > any help would be greatly appreciated.....
> > > > > > > > > thanks
> > > > > > > > > daniel kuecker
> > > > > > > >
> > > > > > > > Best guess would be that someone guessed or manipulated a privileged account password. Look at logs for connections (if this was a real hacker you will not find anything). Red Hat has drwxr-xr-x on /var? so proof of a root hack if that is the case.
> > > > > > > > as far as the shell goes you can always play with the inittab file!
> > > > > > > >
> > > > > > > > In any case you need to upgrade to 8.0 otherwise due to a lot of httpd->apache and openssl security holes you're like fish in a barrel.
> > > > > > > > I was a kid once( :) _) and i can remember a certain area12 hack on the school's main servers long ago...... in a mac unix far away
> > > > > > > > never at a school do you use pen or pencil as a password
> > > > > > > > ------ted----
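Jeromey Hannel's step of running `rpm -V` over the important packages and reading off which files changed in MD5 sum or permissions, turned into a small triage script. This is an added example, not code from the thread: the sample verify output is constructed, and the function names (`parse_rpm_verify`, `triage`) are chosen here, not rpm's own API.

```python
"""Triage `rpm -V` output: split real content/permission changes from harmless
mtime drift, to see which packages to reinstall from known-good media. Added
example: the sample output is constructed and the names are chosen here."""
import re
from typing import NamedTuple

# rpm -V columns: S size, M mode, 5 md5, D device, L symlink, U user, G group,
# T mtime, P capabilities (rpm on Red Hat 7.2 prints 8 columns, without P).
# A bare 'T' is expected noise; anything else, or a missing file, is a real change.
CONTENT_FLAGS = frozenset("SM5DLUGP") | {"missing"}
LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.]{8,9}|missing)\s+(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S+)$")

class Finding(NamedTuple):
    path: str
    flags: frozenset  # column letters that fired, or {"missing"}
    is_config: bool   # rpm tags %config files with 'c'

def parse_rpm_verify(output: str) -> list[Finding]:
    """Parse verify lines; 'Unsatisfied dependencies' and other noise is skipped."""
    findings = []
    for line in output.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue
        raw = m["flags"]
        flags = frozenset({"missing"}) if raw == "missing" else frozenset(raw) - {"."}
        findings.append(Finding(m["path"], flags, m["ftype"] == "c"))
    return findings

def triage(findings: list[Finding]) -> dict[str, list[str]]:
    """'replace': binaries/libs whose content, size, mode or owner changed or that
    are missing; 'review': config files with such changes (often legitimate edits,
    but sshd_config and inetd.conf are classic rootkit targets too)."""
    changed = [f for f in findings if f.flags & CONTENT_FLAGS]
    return {"replace": [f.path for f in changed if not f.is_config],
            "review": [f.path for f in changed if f.is_config]}

# Constructed sample of what `rpm -V procps net-tools openssh-server util-linux`
# might print on a box with trojaned ps/top and a deleted ifconfig.
SAMPLE_OUTPUT = """\
S.5....T.    /bin/ps
S.5....T.    /usr/bin/top
.......T.    /usr/share/man/man1/ps.1.gz
S.5....T.  c /etc/ssh/sshd_config
missing      /sbin/ifconfig
.M.......    /bin/login
"""
```

`triage(parse_rpm_verify(SAMPLE_OUTPUT))` puts ps, top, ifconfig and login in the "replace" bucket and only sshd_config in "review"; the man page, which differs only in mtime, is ignored.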
