Security Incidents mailing list archives

Re: RedHat compromise


From: "Fabio Pietrosanti (naif)" <naif () INET IT>
Date: Wed, 21 Feb 2001 16:24:13 +0100

What about init from crontab every 5 minutes... does it start with a
/sbin/init q? Perhaps /etc/inittab was trojaned to start something?

Pietrosanti  Fabio          I.NET SpA, High Quality Access to the Internet
e-mail:  naif () inet it       ( Direzione Tecnica, Security Staff )
         firewall () inet it
PGP Key (DSS)               http://naif.itapac.net/naif.asc

Home Page URL:            http://www.inet.it
Sede:                     Via Darwin, 85 20019 Settimo Milanese (MI)
Tel:                      02-328631   Fax: 02-328637701
--
Free advertising: www.openbsd.org - Multiplatform Ultra-secure OS


On Mon, 19 Feb 2001, Jim Roland wrote:

Date: Mon, 19 Feb 2001 15:43:47 -0600
From: Jim Roland <jroland () ROLAND NET>
To: INCIDENTS () SECURITYFOCUS COM
Subject: RedHat compromise

I have a customer who had one RH61 system compromised.

Symptoms:
Unable to telnet to the box or acquire a POP3 connection (drops connection) from outside. You can telnet to the box from the locally attached subnet w/o problem.
Known files modified:
    /etc/inetd.conf:  Line added "smbd2    stream    tcp    nowait    root    /usr/sbin/in.smb    in.smb"
    /etc/services:    Line added "smbd2    54321/tcp    # Samba"
    crontab table for root:  executes /usr/sbin/init every 5 minutes (the init program resides on /sbin/init and was untouched)

No Samba/SMB services were installed on this system by me and its NAMED server (bind) was current as per RedHat. From the remote network, I am able to telnet to port 54321 and get a telnet prompt on the box. Further investigation shows that all TCP connections are denied.

No IP addresses are reflected in /var/log/messages nor /var/log/secure, and I am unable to determine from where the attack came, but the date/time stamp on the files shows it occurred on Feb 19, at 05:05 localtime. How can I find where it came from?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jim Roland, RHCE (RedHat Certified Engineer)
Owner, Roland Internet Services
    "Never settle with words what you can settle with a flamethrower"
          -- Anonymous
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
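A defender-side triage check for the indicators in Jim's post, added here as an example and not code from either poster or from Red Hat: it parses constructed copies of /etc/inetd.conf, /etc/services and root's crontab, flags an inetd entry that runs as root on an unprivileged port (the "smbd2" on 54321/tcp), and flags a cron command whose basename is a stock binary but whose path is not the stock one (/usr/sbin/init versus /sbin/init, the point both messages raise). The sample file contents and the STOCK_PATHS baseline are assumptions.

```python
import os

# Constructed sample files modelled on the indicators in Jim's post (not the real
# host's files): an extra "smbd2" inetd service on 54321/tcp and a root crontab
# entry that runs /usr/sbin/init instead of the stock /sbin/init.
INETD_CONF = """\
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd    in.telnetd
smbd2   stream  tcp  nowait  root  /usr/sbin/in.smb  in.smb
"""
SERVICES = """\
telnet  23/tcp
smbd2   54321/tcp   # Samba
"""
ROOT_CRONTAB = """\
0 4 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /usr/sbin/init
"""
# Assumed baseline; a real check would take it from the package database of a clean host.
STOCK_PATHS = {"init": "/sbin/init", "logrotate": "/usr/sbin/logrotate"}

def parse_services(text):
    """Map (service name, protocol) -> port from /etc/services, ignoring comments."""
    ports = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            port, _, proto = fields[1].partition("/")
            ports[(fields[0], proto)] = int(port)
    return ports

def suspicious_inetd(inetd_text, services_text):
    """Flag inetd entries with no /etc/services port, or run as root on a port > 1023."""
    ports, findings = parse_services(services_text), []
    for line in inetd_text.splitlines():
        fields = line.split()  # name socket proto wait user server args...
        if len(fields) < 6 or fields[0].startswith("#"):
            continue
        port = ports.get((fields[0], fields[2]))
        if port is None:
            findings.append((fields[0], "no /etc/services entry"))
        elif port > 1023 and fields[4] == "root":
            findings.append((fields[0], f"root service on unprivileged port {port}"))
    return findings

def shadowed_cron_binaries(crontab_text, stock_paths):
    """Flag cron commands whose basename is a stock binary but whose path differs."""
    progs = [f[5] for f in (l.split() for l in crontab_text.splitlines())
             if len(f) > 5 and not f[0].startswith("#")]
    return [(p, stock_paths[os.path.basename(p)]) for p in progs
            if stock_paths.get(os.path.basename(p)) not in (None, p)]
```

Run it against copies of the files taken off the box (not on the compromised host itself, whose binaries cannot be trusted); a clean /etc/services and /etc/inetd.conf from the same Red Hat release give a baseline to diff against as well.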