RE: Visited by a cracker
From: Shay Wilson (Bryan_Wilson_at_legis.state.ak.us)
Date: 07/14/04
- Previous message: abe: "Certifying a RedHat Install"
- Maybe in reply to: Per Christian B. Viken: "Visited by a cracker"
- Next in thread: Mario Ohnewald: "RE: Visited by a cracker"
- Reply: Mario Ohnewald: "RE: Visited by a cracker"
- Reply: Peter.Purwin_at_uk.neceur.com: "RE: Visited by a cracker"
- Reply: Godwin Stewart: "Re: Visited by a cracker"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 14 Jul 2004 10:10:39 -0800
To: <focus-linux@securityfocus.com>
I'm a little confused. There have been several suggestions to wipe the
box and I'm not disagreeing, but there was no sign of any successful
hack. The cracker was given a shell by the administrator. He paid for it
(with a stolen credit card). I realize approaching the machine with
caution and using administrative tools that are verified, perhaps freshly
installed from a CD or another machine, is a very good thing, but
wiping the machine?
If I wiped my production machines every time my logs showed that someone
attempted to gain unauthorized access or elevate their privileges I'd
never have a working machine. In fact, within minutes of turning a
machine on I'm hit with various malevolent Apache requests of someone
trying to gain access through an old exploit.
Granted, these were newer exploits and potentially more dangerous because
a shell had already been granted. They were still patched against and
unsuccessful. Why must we wipe?
-----Original Message-----
From: Christian [mailto:serialkiller@thedeadsquad.com]
Sent: Tuesday, July 13, 2004 3:54 PM
To: Arthur Chan; Alan Hicks
Cc: focus-linux@securityfocus.com
Subject: Re: Visited by a cracker
Hi
Sorry to hear about your visitor. I have been around the security field
a while, and from that and my time working with ISPs I can say this.
1. Wipe the box! Restore from a backup that is trusted, or completely redo
from scratch. These guys here in the newsgroups know a lot, but no
matter how deep and how far you go looking at this box, YOU CAN NEVER
TRUST ONE PIECE OF SOFTWARE ON IT! You have customers and they are
depending on you to be 1000% secure. If this was a personal box, hell
ya.. for the excitement go for it! I am not a die-hard programmer that
eats, sleeps, dreams code, and I know that I use code written by others, so
I don't pretend to be able to check it.
2. Contact all customers to verify their account. If it can't be
verified then don't set it up! I doubt your cracker wants you calling him
at home to confirm his/her info.
3. Understand that you did nothing wrong. No one (sane) invites a
cracker to them. Most find themselves in the cracker's eye by chance
(script kiddie) or by reason (diligent cracker who is using you for a
purpose, either singled out by DOMAIN, NETWORK you're connected into, what
your organization does, or to use you as a launch pad to somewhere else).
It's a tough lesson to learn, but that is why we backup.. :)
----- Original Message -----
From: "Arthur Chan" <axc@andrew.cmu.edu>
To: "Alan Hicks" <alan@lizella.net>
Cc: <focus-linux@securityfocus.com>
Sent: Tuesday, July 13, 2004 11:20 AM
Subject: Re: Visited by a cracker
> Is it at all possible that the cracker tampered with his .bash_history and left
> it there to fool you?
>
> .arthur
>
>
>
> On Sun, 11 Jul 2004, Alan Hicks wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > My first suggestion would be to ask the good people in
> > alt.os.linux.slackware for a bit of advice. Specifically I posted this
> > recent addendum to the FAQ there:
> >
> > http://wombat.san-francisco.ca.us/faqomatic/cache/124.html
> >
> > On Jul 11, 2004, at 10:45 AM, Per Christian B. Viken wrote:
> > > Is there anything else I should check out? Anywhere else some nasty
> > > exploits or trojans might be hiding? And should I try to find this guy? Or is it
> > > probably hopeless?
> >
> > As mentioned in that article crackers often like to hide binaries in
> > strange places so searching /dev /tmp /var/tmp /usr/src/linux et cetera
> > isn't just paranoid, it could be a good idea. However in this case I
> > don't think you've got that much to worry about. The cracker obviously
> > wasn't smart enough to remove his own .bash_history, and probably
> > didn't insert that kmod either (I still wouldn't trust modprobe,
> > insmod, or that kernel however. A little paranoia never hurt anyone).
> > Of course the only way to be 100% certain that you don't have any
> > backdoors open is to wipe the box clean and re-install.
> >
> > Finding the guy is probably hopeless given that all his IPs are in
> > other countries (I'm going by the whois info on angryadmin.net here).
> > Still, you could give it a shot, and at least alert whoever owns those
> > netizen you have that obligation at least.
> >
> > - --
> >
> > It is better to hear the rebuke of the wise,
> > Than for a man to hear the song of fools.
> > Ecclesiastes 7:5
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.2 (Darwin)
> >
> > iD8DBQFA8d29lKR45I6cfKARAjrZAJ91Q2RiPS0Z9N21H5gDIDcESEWynQCfWert
> > oA0psjuIOJNBg1YIQHtVnFc=
> > =HDZe
> > -----END PGP SIGNATURE-----
> >
> >
> >
>
>
>
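The two concrete checks that come up in the quoted messages above, searching /dev, /tmp and /var/tmp for binaries that should not be there, and trusting only administrative tools that have been verified against a known-good copy rather than the box's own modprobe/insmod, can be scripted. The following is an added example written for this archive page; it is not code from any poster on the thread. It builds a constructed sandbox in a temporary directory instead of touching real system paths, and the manifest format ("<sha256>  <path>", the sha256sum layout) and all file names are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread or any poster): two checks run from a
# trusted shell after the kind of visit discussed above.
#   find_stray_executables DIR...  lists regular files with an execute bit under
#       directories where executables have no business living (/dev, /tmp,
#       /var/tmp, /usr/src/linux in the message above).
#   verify_manifest MANIFEST       compares the SHA-256 of each listed binary
#       with a manifest recorded on a known-good system (the "verified tools
#       from a CD" idea) and reports MISSING / MISMATCH lines.
# The manifest format and all paths below are assumptions for this example.
set -u

_sha256() {
    # Portable wrapper: GNU coreutils sha256sum, else BSD/macOS shasum.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Regular files with any execute bit set, one path per line. Device nodes,
# sockets and symlinks are skipped on purpose: in /dev nearly everything is a
# device node, so a *regular* executable file there is the anomaly to look at.
find_stray_executables() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -xdev -type f \( -perm -100 -o -perm -010 -o -perm -001 \)
    done
}

# Manifest lines are "<sha256>  <path>" (the sha256sum format); '#' starts a
# comment. Returns 0 when every entry matches, 1 if anything is missing or
# differs. Run it with trusted copies of sha256sum/find, not the box's own.
verify_manifest() {
    manifest=$1
    status=0
    while read -r expected path; do
        [ -n "$expected" ] || continue
        case "$expected" in '#'*) continue ;; esac
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
            status=1
        elif [ "$(_sha256 "$path")" != "$expected" ]; then
            echo "MISMATCH $path"
            status=1
        fi
    done < "$manifest"
    return $status
}

# Constructed sandbox in a temp dir (no real system files touched): a fake /dev
# holding one stray script, a fake /tmp holding plain data, and two "binaries"
# of which insmod is overwritten after the known-good manifest was taken.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/dev" "$root/tmp" "$root/sbin"
    printf '#!/bin/sh\necho hi\n' > "$root/dev/.hidden"
    printf 'just data\n' > "$root/tmp/notes.txt"
    printf 'modprobe-v1\n' > "$root/sbin/modprobe"
    printf 'insmod-v1\n' > "$root/sbin/insmod"
    chmod 755 "$root/dev/.hidden" "$root/sbin/modprobe" "$root/sbin/insmod"
    manifest="$root/known-good.sha256"
    for f in "$root/sbin/modprobe" "$root/sbin/insmod"; do
        printf '%s  %s\n' "$(_sha256 "$f")" "$f"
    done > "$manifest"
    printf 'insmod-trojaned\n' > "$root/sbin/insmod"   # simulated tampering

    stray=$(find_stray_executables "$root/dev" "$root/tmp" | wc -l | tr -d ' ')
    bad=$(verify_manifest "$manifest" | grep -c MISMATCH)
    rm -rf "$root"
    echo "stray_executables=$stray manifest_mismatches=$bad"
}

# Usage: sh stray-check.sh demo   (runs the sandboxed demonstration)
case "${1:-}" in demo) demo ;; esac
```

On a real box the manifest is what you record from the trusted media before the incident, and both functions should be run with binaries from that media (a live CD or a known-clean host), since the whole point of the thread is that nothing on the compromised system, `find` and `sha256sum` included, can be taken at its word. The sandbox in `demo` reports one stray executable (the script hidden in the fake /dev) and one mismatch (the rewritten insmod), while the unchanged modprobe passes.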