Re: Machine compromised

[Jan van Rensburg <jan.van.rensburg () epiuse com>]

> Hi again,
> Thanks to everyone that replied. In fact so many replied with helpful
> suggestions that I can't say thanks to everyone individually. 
>
> To quickly respond to a few questions:
>
> > So why do I get 
> > 'Operation not
> > permitted' when I try to do anything to the files?
>
> As the majority of you replied this is due to ext2's extended 
> attributes.
> The fix was this:
> # cd /usr/bin
>
> # lsattr ssh2d
> lsattr 1.12, 9-Jul-98 for EXT2 FS 0.5b, 95/08/09
> s---ia-- ssh2d
>
> # chattr -i ssh2d
> chattr 1.12, 9-Jul-98 for EXT2 FS 0.5b, 95/08/09
>
> # lsattr ssh2d
> lsattr 1.12, 9-Jul-98 for EXT2 FS 0.5b, 95/08/09
> s----a-- ssh2d
>
> # mv ssh2d ssh2d_hack
> mv: cannot move `ssh2d' to `ssh2d_hack': Operation not permitted
>
> # chattr -a ssh2d
> chattr 1.12, 9-Jul-98 for EXT2 FS 0.5b, 95/08/09
>
> # mv ssh2d ssh2d_hack
>
> # ls -la ssh2*
> -rwxr-xr-x   1 root     root       205288 Jan  5 14:43 ssh2d_hack
>
> > Considering that I couldn't find any info of how old 
> UW-IMAP-1.5.1 is
> > (e.g. http://freshmeat.net/branches/11037/ lists only some 
> "2000x" and
> > "2001y" versions)
>
> Yes, sorry I realised my mistake afterwards. It was in fact 2000c. The
> release 1.5.1 was RedHat's release (as per RPM info). 
>
> > Secondly, if your machine is compromised you cannot trust 
> the output of
> > e.g. lsmod.
>
> Yes, I realize this is a problem. Like I said the server is 
> about 7000 miles
> from us, so we can't immediately reinstall as we'd like to. 
> However in the
> meantime people on that continent really depend on the server 
> to be able to
> continue doing business. So what I did in the meantime was upgrade
> everything on the machine, and copied a trusted version of lsof to the
> machine to try and verify that there's no backdoors. So far 
> it looks ok, but
> I realize one can't be 100% sure. In any case we're 
> monitoring everything
> very closely.
>
> > (And you should not scorn the importance of
> > security updates although you have services blocked by firewall!)
>
> Very good point! At this stage I suspect either exim-2.x or 
> ssh-1.2.26 (even
> though it was host based firewalled). I looked at the ssh 
> situation when all
> the advisories came out last year, but decided the firewall should be
> enough. I didn't want to be in a position where I upgraded 
> ssh remotely and
> something goes wrong. But yesterday I decided to bite the 
> bullet and do it,
> and it worked fine. 
>
> Thanks again to everyone who responded. And also thanks to 
> Security Focus
> and The Honeynet Project who are invaluable resources at 
> times like this.
>
> Regards,
> Jan
>
>
> > -----Original Message-----
> > From: Jan van Rensburg [mailto:jan.van.rensburg () epiuse com]
> > Sent: 09 January 2002 07:03
> > To: incidents () securityfocus com
> > Subject: Machine compromised
> >
> >
> > Hi,
> > One of our servers that's literally on the other side of the 
> > globe has been
> > compromised on Saturday, 5 Jan. I'm not sure how the person 
> > got in, but it
> > has to be either exim (early 2.x version), University of 
> > Washington IMAP/POP
> > v 1.5.1 or Apache 1.3.9. It could also be that it was through 
> > ssh-1.2.26,
> > although this is supposed to be firewall filtered, so I doubt 
> > it. The base
> > machine is RedHat-5.2, but a lot has been changed since the 
> > original install
> > about 3 years ago. 
> > ...

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com