Security Incidents mailing list archives
Re: RedHat compromise
From: "Michael H. Warfield" <mhw () WITTSEND COM>
Date: Mon, 19 Feb 2001 23:51:33 -0500
On Mon, Feb 19, 2001 at 03:43:47PM -0600, Jim Roland wrote:

> I have a customer who had one RH61 system compromised.

RedHat 6.1? Was it kept up to date? That was one of the network OSs from hell. It had numerous security advisories, including pop3 and imap and dns and various ftp and a host of others.

> Symptoms: Unable to telnet to the box nor acquire a POP3 connection (drops
> connection) from outside. You can telnet to the box from the locally attached
> subnet w/o problem.

You should NOT be using telnet. If you have entered any user ids and passwords, you can now consider them his.

> Known files modified: /etc/inetd.conf: Line added "smbd2 stream tcp nowait
> root /usr/sbin/in.smb in.smb"
> /etc/services: Line added "smbd2 54321/tcp # Samba"

Ouch! Backdoor.

> crontab table for root: executes /usr/sbin/init every 5 minutes
> (the init program resides on /sbin/init and was untouched)

Strange... That one makes no sense to me.

> No Samba/SMB services were installed on this system by me and its NAMED
> server (bind) was current as per RedHat. From the remote network, I am able to
> telnet to port 54321 and get a telnet prompt on the box. Further investigation
> shows that all TCP connections are denied.

Probably trapped to trigger on specific IP addresses and/or ports and/or login id and password. You might find out more from that in.smb file, but you need to use a trusted Linux base to save it off first.

> No IP addresses are reflected in /var/log/messages nor /var/log/secure,
> and I am unable to determine from where the attack came, but the date/time stamp
> on the files shows it occurred on Feb 19, at 05:05 localtime. How can I find
> where it came from?

You've been rooted to the core. I wouldn't be surprised to discover stealth kernel modules hiding backdoor and rootkit processes. If you can, you need to get the latest bootable CD-ROM, boot the system off that, and dump all the partitions to tape or some other storage for forensic analysis. Then reinstall. I can't see any hope of recovering a system that's that far out of date and compromised to the level that this one has been. Just get the data off and rebuild it and save yourself a lot of grief.

> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Jim Roland, RHCE (RedHat Certified Engineer)
> Owner, Roland Internet Services
> "Never settle with words what you can settle with a flamethrower" -- Anonymous
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mike
--
Michael H. Warfield | (770) 985-6132 | mhw () WittsEnd com
(The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
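As an added example (not part of this thread or either author's code), a small Python triage script that checks inetd.conf, /etc/services and a root crontab, read from a trusted boot as Mike suggests, for the three kinds of entry Jim describes: an inetd service outside a known baseline, a root inetd service bound to a high port, and a cron command whose path shadows a canonical system binary. The baseline sets and the sample file contents are constructed.

```python
"""Offline triage for inetd/services/crontab indicators; all sample input is constructed."""
import re

# Hypothetical baseline of inetd services a stock RH6-era box might legitimately offer.
KNOWN_INETD = {"ftp", "telnet", "pop-3", "imap", "finger", "auth", "shell", "login", "exec"}
# Canonical locations of binaries whose names an intruder may reuse in another directory.
CANONICAL = {"init": "/sbin/init", "login": "/bin/login", "ps": "/bin/ps"}

def parse_services(text):
    """Return {service_name: (port, proto)} from /etc/services-style text; comments are ignored."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and "/" in fields[1]:
            port, proto = fields[1].split("/", 1)
            table[fields[0]] = (int(port), proto)
    return table

def audit_inetd(inetd_text, services_text):
    """Flag inetd entries outside the baseline, or running as root on a port >= 1024."""
    services, findings = parse_services(services_text), []
    for line in inetd_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0].startswith("#"):
            continue
        name, _sock, proto, _wait, user, server = fields[:6]
        if name not in KNOWN_INETD:
            findings.append(f"inetd: service {name!r} not in baseline, runs {server}")
        port = services.get(name, (None, None))[0]
        if port is not None and port >= 1024 and user == "root":
            findings.append(f"inetd: {name!r} runs {server} as root on {port}/{proto}")
    return findings

def audit_crontab(cron_text):
    """Flag cron commands whose absolute path shadows a canonical system binary."""
    findings = []
    for line in cron_text.splitlines():
        # Only paths preceded by whitespace count, so the '*/5' schedule field is not a path.
        for path in re.findall(r"(?:^|\s)(/[\w./-]+)", line):
            base = path.rsplit("/", 1)[-1]
            if base in CANONICAL and path != CANONICAL[base]:
                findings.append(f"cron: {path} shadows {CANONICAL[base]}")
    return findings

# Constructed samples reproducing the entries described in the thread.
INETD_CONF = "telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd\nsmbd2 stream tcp nowait root /usr/sbin/in.smb in.smb\n"
SERVICES = "telnet 23/tcp\nsmbd2 54321/tcp # Samba\n"
ROOT_CRONTAB = "*/5 * * * * /usr/sbin/init\n"

def run_triage():
    return audit_inetd(INETD_CONF, SERVICES) + audit_crontab(ROOT_CRONTAB)
```

Run against real copies of the files taken from the dumped partitions, the same checks point straight at the added service, its bogus port, and the misplaced init.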