[97947] in RedHat Linux List


Re: assistance to track a break in

daemon@ATHENA.MIT.EDU (Ramon Gandia)
Thu Nov 5 22:23:45 1998

Date: Thu, 05 Nov 1998 18:19:41 -0900
From: Ramon Gandia <rfg@nook.net>
To: plaven@idl.net.au, redhat-list@redhat.com
Resent-From: redhat-list@redhat.com
Reply-To: redhat-list@redhat.com

Pete wrote:
> 
> Hi everyone,
> 
> Well I've learnt a pretty good lesson in the last few days.. trust no
> one.
> 
> I have setup my linux box for ip-masq and wasn't too concerned
> with security.  I figured that there were bigger targets to keep
> these people busy.  It turns out that this isn't the case.  At least as
> far as I can figure.
> 
> Here's what I have found so far:
> 
> 1. My /var/log/messages file stops at the 4th of November with this
> line:
> 
> Nov  4 23:39:37 piglet rz[12656]: clean/ZMODEM: 145 Bytes, 44
> BPS
> 
> I had run tail -f on this log file and it had been running fine until the
> 5th.. it was only because I wasn't careful that I hit ^C that stopped
> it.  Running the command line again showed me this anomaly.
> 
> I would say that someone has broken in and has now sent a file to
> the system of this size, yet trying to find it has proven fruitless.
> 
> 2. who no longer shows me any external logins, i.e. when I telnet
> from the win95 box it doesn't show up.
> 
> 3.  /var/log/messages hasn't been written to since that last line,
> hence I suspect that syslogd isn't running, but shows up in the ps
> aux.
> 
> 4.  my login prompt has changed, and I hadn't changed it.
> 
> I'm sure there are a number of things here that have been touched or
> changed; the dates seem to be set ok, i.e. nothing looks unusual
> about them.
> 
> Obviously this person would now have root access, but if they are
> smart they will have created another user as a backup no?  I guess
> searching the passwd file for any account with root access would
> be the next thing to check.
> 
> Also, how would I be sure that once checked and rectified
> everything that the infiltrator is gone for good?  I could just re-install
> everything and be done with it, this time setting up much tighter
> security, but then I wouldn't learn anything from this.
> 
> Any and all assistance is appreciated, please respond to my email
> address as it will be read quicker.
> 
> Pete

This is definitely a breakin.  Do an altavista search on
"Root Kit" or maybe "rootkit".  It is a comprehensive hackers'
toolkit for breaking into Unix and Linux boxes.  While it
does not allow someone to just be root, it allows that person
to modify your system once he has root access.  In other words,
he got root access one of several ways:  tried a gazillion
passwords, guessed it right, or found the root password by hook
or by crook.

OK, now he is root.  He uploads a bunch of programs that REPLACE
the ones in your Linux box.  Most of these programs have install
routines on them that ensure that both the date and size of the
file are the SAME, and the CRC is the same.  This is real sneaky,
as it defeats a lot of programs that depend on this info.

Programs that get modified, among others, are the syslogging
programs, i.e., they log things except what the hacker does.  It
modifies who, last and so on, so HIS login doesn't show.  It
also modifies less, more and a few other programs to filter
out HIS entry in the /etc/passwd, /etc/group and /etc/shadow.
I am not sure what word processors are modified if any.  I
think that cp and mv are modified to filter out his entry as
well, so that if for instance, you copy /etc/passwd to
something else and examine it with an editor, it will still
not have his entry in there.

I know this sounds incredible, but it's there.  I do not have the
URL handy, but you will find it easy enough.  Read the docs.
They are written by an obviously immature person (or dopehead),
but the work it does is actually quite good.

Your own breakin attempt sounds a bit more amateurish; nevertheless
it seems that the breaker used an older rootkit or manually did
things in there.  The latest rootkit will leave files that
easily pass the rpm -v (verify) test, so that is no indication
at all.

What I suggest you do is this.  Go back to your installation notes.
Resize all your partitions from an installation disk, perhaps by
ONE cylinder (example /usr was cyl 608 to 747, now will be 608 to 746),
then reformat the entire drive, all partitions, and reinstall.

What? You have no NOTES?  Shame on you, and lesson learned!  You
ought to be able to reinstall RedHat Linux in 15 to 20 minutes
if you have your notes.  His files and hacks will then be erased.
Use a secure root password, and change it every so often.  Etc.
You know the routine.  Bite the bullet and do it.

The hacker will think himself victorious.  Breaking into a Linux
box like this does not have too many consequences for most people.
But here is what he can do with root access:

IP sniffers.  Password Sniffers.  Credit card number sniffers.
PGP key sniffers.  All of this info can be telnet or emailed
to HIM.  Don't forget your firewall ipfwadm machine has an
interface on both nets:  the internet where the hacker is, and
the intranet where you think you are secure from sniffers.  Some
hackers just like to look around; others pry more.  Some like
to break things just to frustrate you.  Some are serious criminals
that will gather info for a period of time and then spring it on
the unsuspecting victims.  So.  Reinstall Linux TONIGHT.

Good luck!

-- 
Ramon Gandia ==== Sysadmin ==== Nook Net ==== http://www.nook.net
285 West First Avenue                                rfg@nook.net
P.O. Box 970                                    tel. 907-443-7575
Nome, Alaska 99762-0970 ======================= fax. 907-443-2487
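An added example, not code from either poster: the reply's point that a replaced binary can keep its original date, size and CRC means any check built on those attributes says nothing. The script below records size, mtime, CRC32 and a SHA-256 digest for a set of files as a baseline, then re-verifies and reports which attributes actually differ. The demo constructs a throwaway directory with two stand-in "binaries", replaces one with same-length content and puts the original modification time back (the condition the reply describes), so only the digest fields flag it. File names and contents are constructed for the demo. Two caveats follow from the thread itself: the baseline has to be kept off the suspect machine, and the verification has to run with tools booted from trusted media, because the host's own `cp`, `less` and friends are exactly what the rootkit replaces.

```python
"""File-integrity baseline: strong digest vs. size/date/CRC comparison.

Example code added for illustration; not part of the original post.
"""
import hashlib
import json
import os
import tempfile
import zlib
from pathlib import Path


def fingerprint(path):
    """Attributes a naive check (size, mtime, CRC32) and a strong check (SHA-256) compare."""
    p = Path(path)
    data = p.read_bytes()
    st = p.stat()
    return {
        "size": st.st_size,
        "mtime": int(st.st_mtime),
        "crc32": zlib.crc32(data) & 0xFFFFFFFF,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def build_baseline(paths):
    """Record fingerprints for every path; store the result somewhere the host cannot rewrite."""
    return {str(p): fingerprint(p) for p in paths}


def verify(baseline):
    """Return {path: [attributes that differ from the baseline]}; missing files are reported too."""
    findings = {}
    for path, recorded in baseline.items():
        if not os.path.exists(path):
            findings[path] = ["missing"]
            continue
        current = fingerprint(path)
        diffs = [k for k in recorded if recorded[k] != current[k]]
        if diffs:
            findings[path] = diffs
    return findings


def demo():
    """Constructed scenario: one stand-in binary is replaced by same-length content
    and its original modification time is restored, so size and mtime agree with
    the baseline while the digests do not. Returns (findings, tampered_path)."""
    with tempfile.TemporaryDirectory() as d:
        who = Path(d) / "who"          # constructed stand-in for /usr/bin/who
        last = Path(d) / "last"        # constructed stand-in for /usr/bin/last
        who.write_bytes(b"#!/bin/sh\necho original who\n")
        last.write_bytes(b"#!/bin/sh\necho original last\n")

        # Serialize the baseline as you would before copying it off the machine.
        baseline_json = json.dumps(build_baseline([who, last]))

        # Replacement of identical length, original mtime put back afterwards.
        st = who.stat()
        replacement = b"#!/bin/sh\necho tampered who\n"
        assert len(replacement) == st.st_size
        who.write_bytes(replacement)
        os.utime(who, (st.st_atime, st.st_mtime))

        findings = verify(json.loads(baseline_json))
        return findings, str(who)


if __name__ == "__main__":
    result, tampered = demo()
    for path, diffs in result.items():
        print(f"{path}: differs in {', '.join(diffs)}")
```

Run from a rescue system, `verify()` would be pointed at a baseline file copied back from offline storage; anything reported under `sha256` is a changed file regardless of what `ls -l` or a CRC shows. An untouched file produces no entry at all, which is why the second stand-in does not appear in the output.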


-- 
  PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
		http://www.redhat.com http://archive.redhat.com
         To unsubscribe: mail redhat-list-request@redhat.com with 
                       "unsubscribe" as the Subject.

