[100791] in RedHat Linux List
RE: Hacked! :(
daemon@ATHENA.MIT.EDU (Soffen, Matthew)
Mon Nov 23 11:10:22 1998
From: "Soffen, Matthew" <msoffen@iso-ne.com>
To: redhat-list@redhat.com, "David E. Fox" <dfox@belvdere.vip.best.com>
Date: Mon, 23 Nov 1998 11:08:28 -0500
Resent-From: redhat-list@redhat.com
Reply-To: redhat-list@redhat.com
Here are a few suggestions to help stop access to your system.
1) Notify CERT of the intrusion.
2) Install TCP Wrappers and only allow accesses from explicit places.
Not 100% foolproof, but better than leaving the barn door open.
Basically allow access to known systems for telnet and ftp and then deny
all other domains/hosts.
3) Check the user creation log. Delete any accounts that have UID 0
(*except for root, of course*). Make sure you start closing down all
security holes. I would also expire all passwords and change them
(in case they did copy the password file to crack later).
4) You might also want to install a package like Tripwire. This would
let you know of intrusions.
Matthew Soffen - Webmaster http://www.iso-ne.com/
ISO New England
1 Sullivan Road
Holyoke, MA 01040-2841
(413) 535 8167
==============================================
Boss - "My boss says we need some eunuch programmers."
Dilbert - "I think he means UNIX and I already know UNIX."
Boss - "Well, if the company nurse comes by, tell her I said
never mind."
- Dilbert -
==============================================
> ----------
> From: David E. Fox[SMTP:dfox@belvdere.vip.best.com]
> Sent: Friday, November 20, 1998 6:16 PM
> To: redhat-list@redhat.com
> Cc: postmaster@mech.ubc.ca; abuse@mech.ubc.ca; postmaster@ubc.ca;
> postmaster@csun.edu; abuse@csun.edu
> Subject: Hacked! :(
>
> Well, I never thought it might happen to me, but apparently over
> the last few days my system was broken into by a user in
> Canada, and also apparently from a user at csun.edu. I am also
> copying this to the abuse administrators at csun.edu and at
> mech.ubc.ca.
>
> I have syslog entries to prove it, and a ps listing that I noticed
> just a few minutes ago -- thank god I was running 'top'; otherwise
> I might not have noticed it... but there it was, a user r0x running
> a 'vi rootkit.h' command... I immediately killed the net
> connection and went digging.
>
> find / -name rootkit.h only reveals one rootkit.h file, in the
> Linux source directory (specifically:
> /usr/src/linux-2.0.35/arch/ppc/boot/compressed/.o/rootkit.h).
>
> But that's a very strange place to hide a rootkit, and it is there
> plainly for me to see.... everything is there that one would
> expect to be in a hacking kit.
>
> Relevant logs show the following:
>
>
> Nov 19 00:20:01 belvdere pam_rhosts_auth[596]: denied to roxana@serendip.mech.ubc.ca as anti: access not allowed
> Nov 19 00:20:03 belvdere PAM_pwdb[602]: (login) session opened for user anti by (uid=0)
> Nov 19 00:20:04 belvdere login[602]: LOGIN ON ttyp2 BY anti FROM serendip.mech.ubc.ca
> Nov 19 00:20:10 belvdere PAM_pwdb[610]: (su) session opened for user r0x by anti(uid=0)
> Nov 19 00:22:20 belvdere identd[623]: from: 204.244.142.155 ( hope2a28.dial.uniserve.ca ) for: 1049, 21
> Nov 19 00:25:14 belvdere pam_rhosts_auth[643]: denied to root@localhost as http: access not allowed
> Nov 19 00:25:15 belvdere PAM_pwdb[645]: (login) session opened for user http by (uid=0)
> Nov 19 00:25:15 belvdere login[645]: LOGIN ON ttyp3 BY http FROM localhost
> Nov 19 00:25:20 belvdere PAM_pwdb[653]: (su) session opened for user www by http(uid=0)
> Nov 19 00:25:38 belvdere PAM_pwdb[653]: (su) session closed for user www
> Nov 19 00:25:41 belvdere PAM_pwdb[645]: (login) session closed for user http
> Nov 19 00:28:16 belvdere identd[672]: from: 204.244.142.155 ( hope2a28.dial.uniserve.ca ) for: 1052, 21
> Nov 19 01:01:02 belvdere PAM_pwdb[1624]: (su) session opened for user news by (uid=9)
> Nov 19 01:01:14 belvdere PAM_pwdb[1624]: (su) session closed for user news
> Nov 19 01:01:34 belvdere PAM_pwdb[610]: (su) session closed for user r0x
> Nov 19 01:01:36 belvdere PAM_pwdb[602]: (login) session closed for user anti
>
> Nov 20 14:36:17 belvdere dip[7595]: root dial-up 204.156.152.2/204.156.152.2 to remote 204.156.128.1/204.156.128.1 with CSLIP/296
> Nov 20 14:39:25 belvdere pam_rhosts_auth[7626]: denied to root@s057n110.csun.edu as anti: access not allowed
> Nov 20 14:39:26 belvdere PAM_pwdb[7627]: (login) session opened for user anti by (uid=0)
> Nov 20 14:39:26 belvdere login[7627]: LOGIN ON ttyp2 BY anti FROM s057n110.csun.edu
> Nov 20 14:39:29 belvdere PAM_pwdb[7635]: (su) session opened for user r0x by anti(uid=0)
> Nov 20 14:39:46 belvdere identd[7646]: from: 128.3.7.48 ( mh1.lbl.gov ) for: 10257, 25
> Nov 20 14:40:20 belvdere identd[7654]: from: 204.244.142.134 ( hope2a7.dial.uniserve.ca ) for: 10258, 21
> Nov 20 14:46:26 belvdere dip[7595]: >>> DETACH "/sbin/ifconfig sl0 down"
> Nov 20 14:46:26 belvdere dip[7595]: root down CSLIP link to remote 204.156.128.1/204.156.128.1
> Nov 20 14:46:27 belvdere dip[7595]: Total online:609s in:0 bytes 0 pkts; out:0 bytes 0 pkts
> Nov 20 14:46:30 belvdere dip[7595]: DIP: Probably line disconnected!
> Nov 20 14:46:30 belvdere dip[7595]: DIP: tty_puts: failed to write to tty (Input/output error)...
> Nov 20 14:46:33 belvdere dip[7595]: DIP: Probably line disconnected!
> Nov 20 14:46:33 belvdere dip[7595]: DIP: tty_puts: failed to write to tty (Input/output error)...
>
> warning: `-' deprecated; use `ps ax', not `ps -ax'
> PID TTY STAT TIME COMMAND
> 7626 ? S 0:00 in.rlogind
> 7635 p2 S 0:00 su r0x
> 7636 p2 S 0:00 bash
> 7664 p2 S 0:00 vi rootkit.h
> 7627 p2 S 0:00 login -p -h s057n110.csun.edu -f anti
>
> root tty1 Nov 19 00:00
> dfox tty2 Nov 19 12:04
> dfox tty3 Nov 19 15:16
> dfox tty4 Nov 20 14:56
> dfox ttyp0 Nov 19 14:29 (:0.0)
> anti ttyp2 Nov 20 14:39 (s057n110.csun.edu) <-- the perp
>
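Editor's added example (not code from either poster): a small triage script that does the two mechanical checks from the reply above, finding every /etc/passwd entry with UID 0 other than root (check 3) and reconstructing the login-then-su chains that the quoted syslog shows (remote login of "anti", then "su r0x"). The syslog records are the ones quoted in the original message, re-joined onto single lines; the /etc/passwd content is constructed, and its "r0x" line is a hypothetical UID 0 backdoor entry placed there so that the check has something to find. Each su record is paired with the most recent login of the invoking user, and the script also notes when pam_rhosts_auth had refused a trust login for that user just before the session opened anyway, which is the pattern in both intrusions in the log.

```python
"""Post-intrusion triage: extra UID 0 accounts plus remote-login -> su chains.

Added example, not code from the original thread. It checks the two things
the reply tells the victim to look at, using the syslog lines quoted in the
original message as input.
"""
import re
from datetime import datetime, timedelta

# Constructed /etc/passwd, not from the post; 'r0x' is a hypothetical
# UID 0 backdoor entry of the kind check (3) is meant to catch.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
news:x:9:13:news:/var/spool/news:
http:x:100:100:web server:/home/http:/bin/bash
anti:x:501:501::/home/anti:/bin/bash
r0x:x:0:0::/tmp/.r0x:/bin/bash
"""

# Records quoted in the original message, one per line (the mail had wrapped them).
SAMPLE_SYSLOG = """\
Nov 19 00:20:01 belvdere pam_rhosts_auth[596]: denied to roxana@serendip.mech.ubc.ca as anti: access not allowed
Nov 19 00:20:03 belvdere PAM_pwdb[602]: (login) session opened for user anti by (uid=0)
Nov 19 00:20:04 belvdere login[602]: LOGIN ON ttyp2 BY anti FROM serendip.mech.ubc.ca
Nov 19 00:20:10 belvdere PAM_pwdb[610]: (su) session opened for user r0x by anti(uid=0)
Nov 19 00:25:14 belvdere pam_rhosts_auth[643]: denied to root@localhost as http: access not allowed
Nov 19 00:25:15 belvdere PAM_pwdb[645]: (login) session opened for user http by (uid=0)
Nov 19 00:25:15 belvdere login[645]: LOGIN ON ttyp3 BY http FROM localhost
Nov 19 00:25:20 belvdere PAM_pwdb[653]: (su) session opened for user www by http(uid=0)
Nov 19 01:01:02 belvdere PAM_pwdb[1624]: (su) session opened for user news by (uid=9)
Nov 20 14:39:25 belvdere pam_rhosts_auth[7626]: denied to root@s057n110.csun.edu as anti: access not allowed
Nov 20 14:39:26 belvdere PAM_pwdb[7627]: (login) session opened for user anti by (uid=0)
Nov 20 14:39:26 belvdere login[7627]: LOGIN ON ttyp2 BY anti FROM s057n110.csun.edu
Nov 20 14:39:29 belvdere PAM_pwdb[7635]: (su) session opened for user r0x by anti(uid=0)
"""

TS = r"(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "
LOGIN_RE = re.compile(TS + r"login\[\d+\]: LOGIN ON (\S+) BY (\S+) FROM (\S+)$")
SU_RE = re.compile(TS + r"PAM_pwdb\[\d+\]: \(su\) session opened for user (\S+) by (\w*)\(uid=\d+\)$")
RHOSTS_RE = re.compile(TS + r"pam_rhosts_auth\[\d+\]: denied to (\S+) as (\S+): access not allowed$")


def _ts(text):
    # syslog carries no year; strptime defaults to 1900, good enough for ordering
    return datetime.strptime(text, "%b %d %H:%M:%S")


def extra_uid0_accounts(passwd_text):
    """Usernames with UID 0 other than root (check 3 in the reply)."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            hits.append(fields[0])
    return hits


def login_su_chains(syslog_text, window=timedelta(minutes=10)):
    """Pair each su with the latest login (within `window`) of the user who ran it."""
    last_login = {}      # user -> (time, host, tty, refused rhosts principal or None)
    rhosts_refused = {}  # target user -> "remoteuser@host" that pam_rhosts_auth refused
    chains = []
    for line in syslog_text.splitlines():
        if m := RHOSTS_RE.match(line):
            _, principal, target = m.groups()
            rhosts_refused[target] = principal
        elif m := LOGIN_RE.match(line):
            when, tty, user, host = m.groups()
            last_login[user] = (_ts(when), host, tty, rhosts_refused.pop(user, None))
        elif m := SU_RE.match(line):
            when, target, invoker = m.groups()
            if not invoker:      # "by (uid=9)": no login user behind it (cron-style su)
                continue
            info = last_login.get(invoker)
            if info and _ts(when) - info[0] <= window:
                chains.append({"when": when, "host": info[1], "tty": info[2],
                               "login_user": invoker, "su_target": target,
                               "rhosts_refused": info[3]})
    return chains


def triage(passwd_text, syslog_text):
    """Combine both checks: flag chains that su into an extra UID 0 account."""
    uid0 = set(extra_uid0_accounts(passwd_text))
    chains = login_su_chains(syslog_text)
    for c in chains:
        c["remote"] = c["host"] not in ("localhost", "127.0.0.1")
        c["su_to_uid0"] = c["su_target"] in uid0
    return {"uid0_accounts": sorted(uid0), "chains": chains}


if __name__ == "__main__":
    report = triage(SAMPLE_PASSWD, SAMPLE_SYSLOG)
    print("UID 0 accounts besides root:", report["uid0_accounts"])
    for c in report["chains"]:
        flag = "!!" if c["remote"] and c["su_to_uid0"] else "  "
        print(f"{flag} {c['when']} {c['login_user']}@{c['host']} ({c['tty']}) -> su {c['su_target']}"
              f"; rhosts refused for: {c['rhosts_refused']}")
```

Two caveats a practitioner would add to the advice above. First, the ps listing shows the intruder arriving through in.rlogind, and the pam_rhosts_auth entries confirm rlogin was the door, so a TCP Wrappers rule that covers only telnet and ftp leaves it open: with `ALL: ALL` in /etc/hosts.deny, the /etc/hosts.allow line needs to name the r-services too, e.g. `in.telnetd, in.ftpd, in.rlogind: .trusted.example` (placeholder domain), and each of those services has to be started through tcpd in inetd.conf for the rule to apply at all. Second, a script like this trusts /etc/passwd and syslog as found on the disk; once someone has had root, those files and the binaries used to read them may have been altered, so run the checks against copies taken after booting from clean media.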
--
PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
http://www.redhat.com http://archive.redhat.com
To unsubscribe: mail redhat-list-request@redhat.com with
"unsubscribe" as the Subject.