[1823] in SIPB_Linux_Development


Re: Subject: workaround for Samba bug described by ADM

daemon@ATHENA.MIT.EDU (Kevin 'Bob' Fu)
Mon Sep 29 22:58:46 1997

To: mhpower@MIT.EDU
Cc: linux-dev@MIT.EDU, efoo@MIT.EDU
In-Reply-To: Your message of Mon, 29 Sep 1997 17:53:35 -0400.
             <199709292153.AA06990@stan.mit.edu> 
Date: Mon, 29 Sep 1997 22:58:29 EDT
From: "Kevin 'Bob' Fu" <fubob@MIT.EDU>

Since sending my first message, another few linux machines in resnet
have been compromised via the samba problem.  How about this
slightly changed announcement:

            Important security bugfix for Samba
            -----------------------------------

A security hole in all versions of Samba has been recently discovered.
As a result, many Resnet linux boxes were compromised this weekend.
This security hole allows unauthorized remote users to obtain root
access on the Samba server.  

*** Aka, you *really* want to fix your machine. ***

*How to prevent the attack:

If you run Redhat linux, you probably run Samba ("ps aux | grep smbd"
to check).  Until the RPM is updated in the next few weeks, I suggest
doing this as root:

	rpm -e samba
	rm /etc/rc.d/rc?.d/S??smb*

This will turn off the automatic running of Samba daemons.  After you
reboot the linux box, Samba daemons should no longer automatically
start. "ps aux" to make sure "smbd" and "nmbd" are no longer running.

*How to test if you are probably compromised:

Do you see unusual logins or strange programs running in the
background? (eg, packet sniffers, irc).  Do you see lots of strange
entries in /root/.bash_history ?  Then you've probably been
compromised.  However, lack of these symptoms does not imply that you
are secure.  Always check your log files for suspicious activity.

*How to fix after a compromise

There's no ideal method.  We suggest reformatting your linux drive to
get rid of any infected files.  You never know what a malicious hacker
could have installed.  Programs may run in a stealth mode--not even
appearing in "ps aux"!  To more easily detect tainted files in the
future, try using "tripwire".

<attach Andrew Tridgell's bugtraq announcement here>


--------
Kevin E. Fu aka Bob the BobOp         Athena OLC/RCC
PGP key: finger fubob@snafu.mit.edu   SIPB Member
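An added example, not part of the message above or of Samba itself: a small POSIX sh script that automates the two checks the announcement asks the reader to do by hand after the workaround, namely that no S??smb* start links remain under rc?.d and that smbd/nmbd are absent from a "ps aux" listing. The rc.d root and the ps output are assumed inputs so it runs offline against a constructed directory tree and constructed ps lines; it assumes the command sits in column 11 of "ps aux" output.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the Samba
# workaround took effect. RC root and ps lines are supplied as inputs.

# List Samba start links under an rc.d root (default /etc/rc.d), using
# the same S??smb* pattern as the announcement's rm command.
list_smb_links() {
    root="${1:-/etc/rc.d}"
    for f in "$root"/rc?.d/S??smb*; do
        [ -e "$f" ] && echo "$f"
    done
    return 0
}

# Count smbd/nmbd processes in ps-style output read from stdin.
# Only the command column (field 11, path stripped) is matched, so a
# "grep smbd" line does not count itself as "ps aux | grep smbd" would.
count_smb_daemons() {
    awk '{ cmd = $11; sub(/.*\//, "", cmd)
           if (cmd == "smbd" || cmd == "nmbd") n++ }
         END { print n + 0 }'
}

# Succeeds only when no start links remain under the given root and no
# Samba daemon appears in the ps output given on stdin.
samba_disabled() {
    [ -z "$(list_smb_links "$1")" ] || return 1
    [ "$(count_smb_daemons)" = "0" ] || return 1
    return 0
}

# Constructed fixture: a fake rc.d tree with one start link left behind,
# as on a box where "rm /etc/rc.d/rc?.d/S??smb*" was never run.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/rc3.d" "$dir/rc5.d"
    : > "$dir/rc3.d/S91smb"
    : > "$dir/rc5.d/K35smb"   # a kill link is not a start link
    echo "$dir"
}

# Constructed "ps aux" lines: a running smbd, a running nmbd, and a grep.
SAMPLE_PS='root   101  0.0  0.4  1640  620 ?   S  22:50  0:00 /usr/sbin/smbd -D
root   102  0.0  0.3  1520  480 ?   S  22:50  0:00 /usr/sbin/nmbd -D
fubob  220  0.0  0.2  1100  340 p0  S  22:58  0:00 grep smbd'
# Constructed listing from a box where the workaround has been applied.
CLEAN_PS='root     1  0.0  0.2  1000  300 ?   S  22:50  0:00 init'
```

Run it against the real machine with `ps aux | samba_disabled /etc/rc.d && echo "samba is off"`.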
