[100558] in RedHat Linux List
Re: Hacked! :(
daemon@ATHENA.MIT.EDU (Ramon Gandia)
Sat Nov 21 21:00:28 1998
Date: Sat, 21 Nov 1998 16:58:10 -0900
From: Ramon Gandia <rfg@nook.net>
To: redhat-list@redhat.com
Resent-From: redhat-list@redhat.com
Reply-To: redhat-list@redhat.com
Sean Harding wrote:
> Not particularly. Any cracker who values his own time won't bother trying
> to decrypt passwd entries. Time is better spent using a dictionary attack
> program, such as Crack...
Depends on how you set up your system. Normally, a telnet
session will kick you off after 3 tries, and it is possible to
add a delay in repeated attempts between the three tries. If
you do this, it could take *years* before someone could break
in....
Of course, if the user in question has a shell account, then he
is 95% inside already! I think anyone running a serious system
is *nuts* to give strangers/dialup users a shell account, unless
it is on a "trash" computer.
There was another respondent that said that "if he had root
privileges (account) it means that he already had the root
password. So why bother with the rootkit?"
Well, it ain't necessarily so.
The root access can be obtained by several exploits. The TYPICAL
one involves an attack on IMAP4 or NFS. You will see the attempt
as a series of logins where the username is ^P^P^P^P^P^P^P^P
etc. With a susceptible program, the buffer will overflow, and
the program (IMAP4 or NFS) will crash. That leaves the login user
at the root prompt. The reason is that those programs are running
with root privileges.
Example:
telnet elephant.nook.net 113 (I think, not sure, 113 is IMAP)
blah blah blah
user?> ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P etc for over 4 - 5 lines.
elephant [/sbin]#
Just as simple as that folks. Now the cracker has root prompt.
But he knows that it is temporary. He does NOT have the root
password, so he proceeds to install the rootkit. Lacking the
rootkit, he can create a normal user account and give it the
bash shell, and then in /etc/group he can give it root group.
That way he can log in again.
It would be fairly obvious if he created an account called "cracker"
or some bogus name. But using www, ftp or some such ALREADY
established account would be simple.
Take for instance, these accounts (in /etc/passwd)
news:x:9:13:/var/spool/news: <---- normal account.
news:x:9:13:/var/spool/news:/bin/bash <----- cracked
It would take a sharp eye to catch this one. There are
variants. Of course, with the rootkit installed, the
account name will be in /etc/passwd but it will not show
up when listed with more, less, or cat. That is a *feature*
of the rootkit. Nor will his home directory show up with
ls, du and a few others. The rootkit is good at this sort
of thing.
--
Ramon Gandia sysadmin Nook Net
--
PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
http://www.redhat.com http://archive.redhat.com
To unsubscribe: mail redhat-list-request@redhat.com with
"unsubscribe" as the Subject.
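Added example, not part of Ramon's post or of any Red Hat tool: a small audit of /etc/passwd and /etc/group text for the two changes he describes (a daemon account such as "news" quietly given /bin/bash, and an account added to the root group in /etc/group). It also goes one step beyond the post and flags a second uid-0 account, which is the other common way of keeping a way back in. The sample files are constructed; the uid cutoff and shell list are assumptions for a Red Hat box of that era.

```python
# Added example: audit passwd/group text for the tampering described in
# the post.  Not from the original message; sample data is constructed and
# SYSTEM_UID_MAX / INTERACTIVE_SHELLS are assumptions.

INTERACTIVE_SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh", "/bin/tcsh",
                      "/bin/ksh", "/bin/zsh", "/bin/ash"}
SYSTEM_UID_MAX = 99  # assumption: uids 1..99 are daemon/system accounts


def shell_grants_login(shell, strict=False):
    """True if the shell field gives an interactive session.

    An empty field is not "no shell": passwd(5) says an empty login shell
    means /bin/sh.  It is only flagged when strict=True, because old
    distributions shipped many daemon accounts that way and relied on a
    locked password instead of the shell field.
    """
    if shell == "":
        return strict
    return shell in INTERACTIVE_SHELLS


def parse_colon_file(text, nfields):
    """Split passwd/group-style text into rows.  Lines with the wrong
    number of fields are returned separately so the audit reports them
    instead of silently skipping a line someone may have hand-edited."""
    rows, bad = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) == nfields:
            rows.append(fields)
        else:
            bad.append((n, line))
    return rows, bad


def audit(passwd_text, group_text, strict=False):
    """Return a list of human-readable findings (empty list = nothing odd)."""
    findings = []
    users, bad_pw = parse_colon_file(passwd_text, 7)
    groups, bad_gr = parse_colon_file(group_text, 4)
    findings += [f"passwd line {n} malformed: {line!r}" for n, line in bad_pw]
    findings += [f"group line {n} malformed: {line!r}" for n, line in bad_gr]

    for name, _pw, uid, gid, _gecos, _home, shell in users:
        if not (uid.isdigit() and gid.isdigit()):
            findings.append(f"{name}: non-numeric uid/gid field")
            continue
        uid, gid = int(uid), int(gid)
        if uid == 0 and name != "root":
            findings.append(f"{name}: uid 0 but not root (second superuser account)")
        if gid == 0 and name != "root":
            findings.append(f"{name}: primary group is root (gid 0)")
        if 0 < uid <= SYSTEM_UID_MAX and shell_grants_login(shell, strict):
            findings.append(f"{name}: system account (uid {uid}) has login shell "
                            f"{shell or '(empty, defaults to /bin/sh)'}")

    # Membership granted through /etc/group, as in the post.
    for gname, _pw, gid, members in groups:
        if gid == "0":
            for member in filter(None, members.split(",")):
                if member != "root":
                    findings.append(f"{member}: listed in group {gname} (gid 0) in /etc/group")
    return findings


# Constructed sample: "news" has been given bash, "www" is a second uid-0
# account, and "ftp" has been appended to the root group.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
news:x:9:13:news:/var/spool/news:/bin/bash
ftp:x:14:50:FTP User:/home/ftp:
www:x:0:0:www:/home/httpd:/bin/bash
rfg:x:500:500:Ramon Gandia:/home/rfg:/bin/bash
"""

SAMPLE_GROUP = """\
root:x:0:root,ftp
bin:x:1:root,bin,daemon
news:x:13:news
ftp:x:50:
users:x:100:
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD, SAMPLE_GROUP):
        print(finding)
```

On a real box call audit(open("/etc/passwd").read(), open("/etc/group").read()). Two caveats: the post's own illustration line "news:x:9:13:/var/spool/news:" has only six fields (a real entry has seven, with the GECOS field), so the audit reports it as malformed rather than guessing what was meant; and, as the post says, once a rootkit's trojaned cat and ls are in place anything read on the running system may already be lying, so compare against a copy of the files read from a clean boot medium or a known-good backup.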