[100892] in RedHat Linux List
RE: Hacked! :(
daemon@ATHENA.MIT.EDU (Mike Bridge)
Mon Nov 23 17:56:31 1998
From: "Mike Bridge" <mike@bridgecanada.com>
To: redhat-list@redhat.com
Date: Mon, 23 Nov 1998 15:53:14 -0700
In-reply-to: <A17D93A46315D1118FF20020182ACFBB710566@msexchange.iso-ne.com>
Resent-From: redhat-list@redhat.com
Reply-To: redhat-list@redhat.com
I've found that a log monitoring program is a good tool for finding out about
unsuccessful attempts (e.g. logwatch rpm at
http://kaybee.org/~kirk/html/linux.html).
-Mike
Date sent: Mon, 23 Nov 1998 11:08:28 -0500
From: "Soffen, Matthew" <msoffen@iso-ne.com>
To: redhat-list@redhat.com, "David E. Fox" <dfox@belvdere.vip.best.com>
Subject: RE: Hacked! :(
> Here are a few suggestions to help stop access to your system.
>
> 1) Notify CERT of the intrusion.
>
> 2) Install TCP Wrappers and only allow accesses from explicit places.
> Not 100% foolproof but better than leaving the barn door open.
> Basically allow access to known systems for telnet and ftp and then deny
> all other domains/hosts.
>
> 3) Check the user creation log. Delete any accounts that have UID 0
> *except for root, of course*. Make sure you start closing down all
> security holes. I would also expire all passwords and change them
> (in case they did copy the password file to crack later).
>
> 4) You might also want to install a package like Tripwire. This would
> let you know of intrusions.
>
> Matthew Soffen - Webmaster http://www.iso-ne.com/
>
> ISO New England
> 1 Sullivan Road
> Holyoke, MA 01040-2841
> (413) 535 8167
> ==============================================
> Boss - "My boss says we need some eunuch programmers."
> Dilbert - "I think he means UNIX and I already know UNIX."
> Boss - "Well, if the company nurse comes by, tell her I said
> never mind."
> - Dilbert -
> ==============================================
>
> > ----------
> > From: David E. Fox[SMTP:dfox@belvdere.vip.best.com]
> > Sent: Friday, November 20, 1998 6:16 PM
> > To: redhat-list@redhat.com
> > Cc: postmaster@mech.ubc.ca; abuse@mech.ubc.ca; postmaster@ubc.ca;
> > postmaster@csun.edu; abuse@csun.edu
> > Subject: Hacked! :(
> >
> > Well, I never thought it might happen to me, but apparently over
> > the last few days my system was broken into by a user in
> > Canada, and also apparently from a user at csun.edu. I am also
> > copying this to the abuse administrators at csun.edu and at
> > mech.ubc.ca.
> >
> > I have syslog entries to prove it, and a ps listing that I noticed
> > just a few minutes ago -- thank god I was running 'top'; otherwise
> > I might not have noticed it... but there it was, a user r0x running
> > a 'vi rootkit.h' command... I immediately killed the net
> > connection and went digging.
> >
> > find / -name rootkit.h only reveals one rootkit.h file, in the
> > linux source directory (Specifically: /usr/src/linux-2.0.35/arch/
> > ppc/boot/compressed/.o/rootkit.h).
> >
> > But that's a very strange place to hide a rootkit, and it is there
> > plainly for me to see.... everything is there that one would
> > expect to be in a hacking kit.
> >
> > Relevant logs show the following:
> >
> >
> > Nov 19 00:20:01 belvdere pam_rhosts_auth[596]: denied to
> > roxana@serendip.mech.ubc.ca as anti: access not allowed
> > Nov 19 00:20:03 belvdere PAM_pwdb[602]: (login) session opened for
> > user anti by (uid=0)
> > Nov 19 00:20:04 belvdere login[602]: LOGIN ON ttyp2 BY anti FROM
> > serendip.mech.ubc.ca
> > Nov 19 00:20:10 belvdere PAM_pwdb[610]: (su) session opened for user
> > r0x by anti(uid=0)
> > Nov 19 00:22:20 belvdere identd[623]: from: 204.244.142.155 (
> > hope2a28.dial.uniserve.ca ) for: 1049, 21
> > Nov 19 00:25:14 belvdere pam_rhosts_auth[643]: denied to
> > root@localhost as http: access not allowed
> > Nov 19 00:25:15 belvdere PAM_pwdb[645]: (login) session opened for
> > user http by (uid=0)
> > Nov 19 00:25:15 belvdere login[645]: LOGIN ON ttyp3 BY http FROM
> > localhost
> > Nov 19 00:25:20 belvdere PAM_pwdb[653]: (su) session opened for user
> > www by http(uid=0)
> > Nov 19 00:25:38 belvdere PAM_pwdb[653]: (su) session closed for user
> > www
> > Nov 19 00:25:41 belvdere PAM_pwdb[645]: (login) session closed for
> > user http
> > Nov 19 00:28:16 belvdere identd[672]: from: 204.244.142.155 (
> > hope2a28.dial.uniserve.ca ) for: 1052, 21
> > Nov 19 01:01:02 belvdere PAM_pwdb[1624]: (su) session opened for user
> > news by (uid=9)
> > Nov 19 01:01:14 belvdere PAM_pwdb[1624]: (su) session closed for user
> > news
> > Nov 19 01:01:34 belvdere PAM_pwdb[610]: (su) session closed for user
> > r0x
> > Nov 19 01:01:36 belvdere PAM_pwdb[602]: (login) session closed for
> > user anti
> >
> > Nov 20 14:36:17 belvdere dip[7595]: root dial-up
> > 204.156.152.2/204.156.152.2 to remote 204.156.128.1/204.156.128.1
> > with CSLIP/296
> > Nov 20 14:39:25 belvdere pam_rhosts_auth[7626]: denied to
> > root@s057n110.csun.edu as anti: access not allowed
> > Nov 20 14:39:26 belvdere PAM_pwdb[7627]: (login) session opened for
> > user anti by (uid=0)
> > Nov 20 14:39:26 belvdere login[7627]: LOGIN ON ttyp2 BY anti FROM
> > s057n110.csun.edu
> > Nov 20 14:39:29 belvdere PAM_pwdb[7635]: (su) session opened for user
> > r0x by anti(uid=0)
> > Nov 20 14:39:46 belvdere identd[7646]: from: 128.3.7.48 ( mh1.lbl.gov
> > ) for: 10257, 25
> > Nov 20 14:40:20 belvdere identd[7654]: from: 204.244.142.134 (
> > hope2a7.dial.uniserve.ca ) for: 10258, 21
> > Nov 20 14:46:26 belvdere dip[7595]: >>> DETACH "/sbin/ifconfig sl0
> > down"
> > Nov 20 14:46:26 belvdere dip[7595]: root down CSLIP link to remote
> > 204.156.128.1/204.156.128.1
> > Nov 20 14:46:27 belvdere dip[7595]: Total online:609s in:0 bytes 0
> > pkts; out:0 bytes 0 pkts
> > Nov 20 14:46:30 belvdere dip[7595]: DIP: Probably line disconnected!
> > Nov 20 14:46:30 belvdere dip[7595]: DIP: tty_puts: failed to write to
> > tty (Input/output error)...
> > Nov 20 14:46:33 belvdere dip[7595]: DIP: Probably line disconnected!
> > Nov 20 14:46:33 belvdere dip[7595]: DIP: tty_puts: failed to write to
> > tty (Input/output error)...
> >
> > warning: `-' deprecated; use `ps ax', not `ps -ax'
> > PID TTY STAT TIME COMMAND
> > 7626 ? S 0:00 in.rlogind
> > 7635 p2 S 0:00 su r0x
> > 7636 p2 S 0:00 bash
> > 7664 p2 S 0:00 vi rootkit.h
> > 7627 p2 S 0:00 login -p -h s057n110.csun.edu -f anti
> >
> > root tty1 Nov 19 00:00
> > dfox tty2 Nov 19 12:04
> > dfox tty3 Nov 19 15:16
> > dfox tty4 Nov 20 14:56
> > dfox ttyp0 Nov 19 14:29 (:0.0)
> > anti ttyp2 Nov 20 14:39 (s057n110.csun.edu) <-- the perp
> >
>
--
PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
http://www.redhat.com http://archive.redhat.com
To unsubscribe: mail redhat-list-request@redhat.com with
"unsubscribe" as the Subject.
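Added example (not part of the thread, and not logwatch's or any other project's code): a small Python triage script that applies the two pieces of advice above, Mike's log monitoring and Matthew's step 3 (hunting for extra UID 0 accounts), to the kind of PAM/syslog evidence David posted. The sample syslog lines are constructed copies of the ones quoted in the thread, rejoined onto single lines; the /etc/passwd fragment is constructed, and its second UID-0 entry for "anti" is hypothetical. The script assumes that the uid in parentheses in the PAM_pwdb messages is the real uid of the process that called su, which is why a named non-root caller appearing with uid=0 is flagged for a passwd check rather than declared an intrusion outright. It also pairs each pam_rhosts_auth denial with a password login for the same user within a short window, the sequence visible in the quoted logs.

```python
"""Triage helper for PAM/syslog evidence of the kind quoted in the thread.
Added example; constructed inputs; not code from logwatch or the list."""
import re
from datetime import datetime

# Constructed sample input, modelled on the syslog lines quoted above
# (the archive wraps them; here each record is on one line). The final
# dfox -> root line is a constructed benign control case.
SAMPLE_SYSLOG = """\
Nov 19 00:20:01 belvdere pam_rhosts_auth[596]: denied to roxana@serendip.mech.ubc.ca as anti: access not allowed
Nov 19 00:20:03 belvdere PAM_pwdb[602]: (login) session opened for user anti by (uid=0)
Nov 19 00:20:04 belvdere login[602]: LOGIN ON ttyp2 BY anti FROM serendip.mech.ubc.ca
Nov 19 00:20:10 belvdere PAM_pwdb[610]: (su) session opened for user r0x by anti(uid=0)
Nov 19 01:01:02 belvdere PAM_pwdb[1624]: (su) session opened for user news by (uid=9)
Nov 19 01:01:34 belvdere PAM_pwdb[610]: (su) session closed for user r0x
Nov 20 14:39:25 belvdere pam_rhosts_auth[7626]: denied to root@s057n110.csun.edu as anti: access not allowed
Nov 20 14:39:26 belvdere login[7627]: LOGIN ON ttyp2 BY anti FROM s057n110.csun.edu
Nov 20 14:39:29 belvdere PAM_pwdb[7635]: (su) session opened for user r0x by anti(uid=0)
Nov 20 15:02:11 belvdere PAM_pwdb[7700]: (su) session opened for user root by dfox(uid=500)
"""

# Constructed /etc/passwd fragment; the second UID-0 entry ("anti") is hypothetical.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
news:x:9:13:news:/var/spool/news:
dfox:x:500:500:David Fox:/home/dfox:/bin/bash
anti:x:0:0::/tmp/.x:/bin/bash
"""

SYSLOG_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ [^\[:]+\[\d+\]: (?P<msg>.*)$')
RHOSTS_DENY_RE = re.compile(r'denied to (?P<remote>\S+) as (?P<user>\S+): access not allowed')
LOGIN_FROM_RE = re.compile(r'LOGIN ON \S+ BY (?P<user>\S+) FROM (?P<remote>\S+)')
SU_OPEN_RE = re.compile(
    r'\(su\) session opened for user (?P<target>\S+) by (?P<caller>\S*)\(uid=(?P<uid>\d+)\)')


def parse_ts(ts):
    # Syslog timestamps carry no year; only differences between them are used.
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def analyze(syslog_text, passwd_text, window_seconds=30):
    """Return a list of (kind, detail) alerts derived from the two inputs."""
    alerts = []
    pending_denials = {}  # user -> (timestamp, remote principal that was denied)
    for line in syslog_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m.group('ts')), m.group('msg')

        deny = RHOSTS_DENY_RE.search(msg)
        if deny:
            # The rlogin trust check failed; login may still fall back to a password.
            pending_denials[deny.group('user')] = (ts, deny.group('remote'))
            continue

        login = LOGIN_FROM_RE.search(msg)
        if login:
            user = login.group('user')
            if user in pending_denials:
                dts, remote = pending_denials.pop(user)
                delta = (ts - dts).total_seconds()
                if 0 <= delta <= window_seconds:
                    alerts.append(('login-after-rhosts-denial',
                                   f"{user} from {login.group('remote')} "
                                   f"{int(delta)}s after denial of {remote}"))
            continue

        su = SU_OPEN_RE.search(msg)
        if su:
            caller, uid, target = su.group('caller'), su.group('uid'), su.group('target')
            if uid == '0' and caller not in ('', 'root'):
                # Assumption: the uid in parentheses is the calling process's real uid,
                # so a named non-root caller with uid 0 points at a second UID-0 account.
                alerts.append(('su-by-uid0-nonroot', f"{caller} -> {target}"))
            elif target == 'root':
                alerts.append(('su-to-root', f"{caller} (uid {uid})"))

    # Step 3 of the advice above: any UID-0 entry other than root.
    for line in passwd_text.splitlines():
        fields = line.split(':')
        if len(fields) >= 3 and fields[2] == '0' and fields[0] != 'root':
            alerts.append(('extra-uid0-account', fields[0]))
    return alerts


if __name__ == '__main__':
    for kind, detail in analyze(SAMPLE_SYSLOG, SAMPLE_PASSWD):
        print(f"{kind:28} {detail}")
```

On the constructed input this yields six alerts: both nights' password logins as "anti" seconds after an rhosts denial, both su invocations to r0x by a named caller with uid 0, the benign dfox-to-root su (reported but distinguishable by kind), and the extra UID-0 passwd entry. To run it against a real /var/log/messages, read the file and pass its text in place of SAMPLE_SYSLOG; the passwd check reads the same colon-separated format as /etc/passwd.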