Security Incidents mailing list archives

Re: RedHat compromise


From: "Johan.Augustsson" <Johan.Augustsson () ADM GU SE>
Date: Tue, 20 Feb 2001 09:39:39 +0100

At 15:43 2001-02-19 -0600, Jim Roland wrote:
I have a customer who had one RH61 system compromised.

Symptoms:
Unable to telnet to the box or acquire a POP3 connection (drops
connection) from outside.  You can telnet to the box from the locally
attached subnet w/o problem.


Telnet!? Are you out of your mind? The intruder might use the cracked box
as a sniffer and then you try to telnet to it?
Use SSH and do not use telnet for any other systems in the same physical
network as the cracked computer.


Known files modified:
    /etc/inetd.conf:  Line added
"smbd2    stream    tcp    nowait    root    /usr/sbin/in.smb    in.smb"
    /etc/services:    Line added "smbd2    54321/tcp    # Samba"
    crontab table for root:  executes /usr/sbin/init every 5 minutes (the
init program resides on /sbin/init and was untouched)

No Samba/SMB services were installed on this system by me and its NAMED
server (bind) was current as per RedHat.  From the remote network, I am
able to telnet to port 54321 and get a telnet prompt on the box.  Further
investigation shows that all TCP connections are denied.

My guess is that this isn't Samba.  :)
Could be a backdoor or some other tool running (sniffer, portscanner).
You can't trust your binaries now, get verified versions of ls, ps, lsof,
netstat etc if you want to do some investigation.


No IP addresses are reflected in /var/log/messages nor /var/log/secure,
and I am unable to determine from where the attack came, but the date/time
stamp on the files shows it occurred on Feb 19, at 05:05 localtime.  How
can I find where it came from?

This is why you should send the logs to a remote syslog server.  :)
The intruder has used some tools for clearing the logs.
You will not find a trace of the attacker (my guess only).
Have you checked the last logged in users? Probably cleared from the
hacker's ID but worth a try.

Depending on the hacker's skill you will not get so much more.
I've seen scriptkiddies leaving traces like a hurricane and other
scriptkiddies that at least knew how to use the tools to cover their trails.

You should consider this system as gone, dead, lost forever.
Install an updated version of the system and then restore the vital data
from backups taken before the intrusion.

And remember one thing. You can't use the same passwords for the users on
the restored system. You don't know if the intruder took the shadow file, do
you? And I hope that you don't have the same password for root or any other
users on any other boxes as on the cracked one.

May the penguin help you.  :)

Johan Augustsson


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jim Roland, RHCE (RedHat Certified Engineer)
Owner, Roland Internet Services
    "Never settle with words what you can settle with a flamethrower"
          -- Anonymous
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
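The three findings Jim listed (a root service added to inetd.conf on a high port, a matching /etc/services line, and a root cron job running a binary that shadows /sbin/init) and Johan's advice to trust only verified binaries can be turned into a small audit script. The script below is an added example for this thread, not code from either poster; every file it reads is a constructed sample written to a temporary directory, and the function names, the "expected directory" table and the hash manifest are assumptions chosen for the illustration. On a real system the script, the manifest and the sha256sum binary would all come from trusted read-only media, since the compromised host's own tools cannot be trusted.

```shell
#!/bin/sh
# Added example, not from the original thread: audit inetd.conf, /etc/services
# and root's crontab for the pattern reported above, then compare binaries
# against a hash manifest.  All inputs are constructed samples.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed /etc/inetd.conf: two normal entries plus the reported smbd2 line.
cat > "$WORK/inetd.conf" <<'EOF'
# inetd.conf (constructed sample)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
smbd2   stream  tcp     nowait  root    /usr/sbin/in.smb in.smb
EOF

# Constructed /etc/services fragment including the added high-port entry.
cat > "$WORK/services" <<'EOF'
ftp       21/tcp
pop-3     110/tcp
smbd2     54321/tcp    # Samba
EOF

# Constructed root crontab: one normal job and the every-5-minutes init job.
cat > "$WORK/crontab.root" <<'EOF'
0 4 * * *   /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /usr/sbin/init
EOF

# audit_inetd INETD_CONF SERVICES
# Prints one line per inetd service that runs as root on an unprivileged port
# (>1023), or that has no /etc/services entry at all.  Root daemons on low
# ports are normal; a root daemon on a high port is the classic bind-shell
# backdoor shape seen on port 54321 in this thread.
audit_inetd() {
    grep -v '^[[:space:]]*#' "$1" | awk -v svc="$2" '
        BEGIN {
            # Build service -> port map, dropping comments and the /proto suffix.
            while ((getline line < svc) > 0) {
                sub(/#.*/, "", line)
                n = split(line, f, /[[:space:]]+/)
                if (n >= 2) { split(f[2], p, "/"); port[f[1]] = p[1] }
            }
        }
        NF >= 6 {
            name = $1; user = $5; prog = $6
            if (user == "root" && (name in port) && port[name] + 0 > 1023)
                printf "root service on unprivileged port: %s (%s) -> %s\n", name, port[name], prog
            if (!(name in port))
                printf "service with no /etc/services entry: %s -> %s\n", name, prog
        }'
}

# audit_crontab CRONTAB
# Flags jobs whose command has the name of a core system binary but lives in
# a different directory than expected (assumed table: /sbin/init, /bin/ps ...).
audit_crontab() {
    awk '
        BEGIN { expected["init"] = "/sbin"; expected["ps"] = "/bin"
                expected["ls"] = "/bin";    expected["netstat"] = "/bin" }
        /^[[:space:]]*(#|$)/ { next }
        NF >= 6 {
            cmd = $6
            n = split(cmd, parts, "/")
            base = parts[n]
            dir = substr(cmd, 1, length(cmd) - length(base) - 1)
            if ((base in expected) && dir != expected[base])
                printf "crontab runs %s from %s, expected %s\n", base, dir, expected[base]
        }' "$1"
}

# Constructed "known good" binaries with a hash manifest, after which one of
# them is replaced the way a rootkit would replace ps.
mkdir -p "$WORK/bin"
printf 'genuine ps\n'      > "$WORK/bin/ps"
printf 'genuine netstat\n' > "$WORK/bin/netstat"
( cd "$WORK/bin" && sha256sum ps netstat > "$WORK/manifest.sha256" )
printf 'trojaned ps\n'     > "$WORK/bin/ps"

# verify_against_manifest MANIFEST DIR
# Prints the names of files under DIR whose hash no longer matches MANIFEST.
verify_against_manifest() {
    ( cd "$2" && sha256sum -c "$1" 2>/dev/null || true ) |
        awk -F': ' '$2 != "OK" { print $1 }'
}

echo "== inetd/services ==";       audit_inetd "$WORK/inetd.conf" "$WORK/services"
echo "== root crontab ==";         audit_crontab "$WORK/crontab.root"
echo "== binaries vs manifest =="; verify_against_manifest "$WORK/manifest.sha256" "$WORK/bin"
```

The port check is deliberately broad: any root service on a port above 1023 is reported and a human decides whether it belongs, which is the right bias during an incident. The manifest check only helps if the manifest was taken before the intrusion (from the install media or an RPM database kept elsewhere), which is the same point Johan makes about remote syslog: evidence has to leave the box before it is needed.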