RE: Visited by a cracker
From: Herman F. Ebeling Jr. (hfebelingjr_at_lycos.com)
Date: 07/15/04
- Previous message: Godwin Stewart: "Re: Visited by a cracker"
- Maybe in reply to: Per Christian B. Viken: "Visited by a cracker"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: focus-linux@securityfocus.com
Date: Wed, 14 Jul 2004 19:19:17 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
True, there are no apparent signs of a successful hack, BUT how can
the admin in charge be 100% sure that they have rooted out ALL Trojan
horses? Or that one of the legit users’ data hasn’t been altered in
some way? Or even deleted?
Now granted, to some a complete and total wipe and reinstall, as well
as applying ALL patches, may seem excessive, but it is about the only
way to be totally sure that the data has not been corrupted or
altered in any way.
Also, the choice to wipe and reinstall depends on several factors;
as you have said, in some environments wiping and reinstalling isn’t
always practical.
The best things to do are:
a) keep up-to-date on all patches and exploits for your particular OS
b) turn on auditing and monitor the resulting logs for unauthorized
access/usage
c) IF someone or something causes a red flag to go up, investigate it
Herman F. Ebeling Jr.
----- Original Message -----
From: “Shay Wilson” <Bryan_Wilson@legis.state.ak.us>
Date: Wed, 14 Jul 2004 10:10:39 -0800
To: <focus-linux@securityfocus.com>
Subject: RE: Visited by a cracker
> I’m a little confused. There have been several suggestions to wipe
> the box and I’m not disagreeing, but there was no sign of any
> successful hack. The cracker was given a shell by the
> administrator. He paid for it (with a stolen credit card). I
> realize approaching the machine with caution and using
> administrative tools that are verified, perhaps freshly installed
> from a CD or another machine, is a very good thing, but wiping
> the machine?
>
> If I wiped my production machines every time my logs showed that
> someone attempted to gain unauthorized access or elevate their
> privileges I’d never have a working machine. In fact within minutes
> of turning a machine on I’m hit with various malevolent apache
> requests of someone trying to gain access through an old exploit.
>
> Granted these were newer exploits and potentially more dangerous
> because a shell had already been granted. They were still patched
> against and unsuccessful. Why must we wipe?
>
>
> -----Original Message-----
> From: Christian [mailto:serialkiller@thedeadsquad.com]
> Sent: Tuesday, July 13, 2004 3:54 PM
> To: Arthur Chan; Alan Hicks
> Cc: focus-linux@securityfocus.com
> Subject: Re: Visited by a cracker
>
> Hi
> Sorry to hear about your visitor. I have been around the security
> field a while, and from that and my time working with ISPs I can
> say this.
>
> 1. Wipe the box! Restore from backup that is trusted, or completely
> redo from scratch. These guys here in the newsgroups know a lot,
> but no matter how deep, and how far you go looking at this box, YOU
> CAN NEVER TRUST ONE PIECE OF SOFTWARE ON IT! You have customers
> and they are depending on you to be 1000% secure. If this was a
> personal box, hell ya.. for the excitement go for it! I am not a
> die-hard programmer that eats, sleeps, dreams code, and I know that I
> use code written by others, so I don’t pretend to be able to check
> it.
>
> 2. Contact all customers to verify their account. If it can’t be
> verified then don’t set it up! I doubt your cracker wants you
> calling him at home to confirm his/her info.
>
> 3. Understand that you did nothing wrong. No one (sane) invites a
> cracker to them. Most find themselves in the cracker’s eye, by
> chance ( script kiddie ) or by reason ( diligent cracker who is
> using you for a purpose, either singled out by DOMAIN, NETWORK you’re
> connected into, what your organization does, or to use you as a
> launch pad to somewhere else )
>
> It’s a tough lesson to learn, but that is why we backup.. :)
> ----- Original Message -----
> From: “Arthur Chan” <axc@andrew.cmu.edu>
> To: “Alan Hicks” <alan@lizella.net>
> Cc: <focus-linux@securityfocus.com>
> Sent: Tuesday, July 13, 2004 11:20 AM
> Subject: Re: Visited by a cracker
>
>
> > Is it at all possible that the cracker tampered his .bash_history and
> > left it there to fool you?
> >
> > .arthur
> >
> >
> >
> > On Sun, 11 Jul 2004, Alan Hicks wrote:
> >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > My first suggestion would be to ask the good people in
> > > alt.os.linux.slackware for a bit of advice. Specifically I posted
> > > this recent addendum to the FAQ there:
> > >
> > > http://wombat.san-francisco.ca.us/faqomatic/cache/124.html
> > >
> > > On Jul 11, 2004, at 10:45 AM, Per Christian B. Viken wrote:
> > > > Is there anything else I should check out? Anywhere else some
> > > > nasty exploits or trojans might be hiding? And should I try to
> > > > find this guy? Or is it probably hopeless?
> > >
> > > As mentioned in that article crackers often like to hide binaries
> > > in strange places so searching /dev /tmp /var/tmp /usr/src/linux
> > > et cetera isn’t just paranoid, it could be a good idea. However in
> > > this case I don’t think you’ve got that much to worry about. The
> > > cracker obviously wasn’t smart enough to remove his own
> > > .bash_history, and probably didn’t insert that kmod either (I still
> > > wouldn’t trust modprobe, insmod, or that kernel however. A little
> > > paranoia never hurt anyone).
> > > Of course the only way to be 100% certain that you don’t have
> > > any backdoors open is to wipe the box clean and re-install.
> > >
> > > Finding the guy is probably hopeless given that all his IPs are in
> > > other countries (I’m going by the whois info on angryadmin.net
> > > here). Still, you could give it a shot, and at least alert whoever
> > > owns those boxen that they have a cracker among their ranks. I’d
> > > say as a good netizen you have that obligation at least.
> > >
> > > - --
> > >
> > > It is better to hear the rebuke of the wise,
> > > Than for a man to hear the song of fools.
> > > Ecclesiastes 7:5
> > > -----BEGIN PGP SIGNATURE-----
> > > Version: GnuPG v1.2.2 (Darwin)
> > >
> > > -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3 - not licensed for commercial use: www.pgp.com
-----END PGP SIGNATURE-----
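An added example, not written by anyone in this thread, of the triage checks Alan and Herman describe: a POSIX shell script that looks in the hiding spots mentioned (/dev, /tmp, /var/tmp) and flags a .bash_history that has been replaced by a symlink or emptied. It assumes it is pointed at the root of a mounted, offline copy of the suspect disk and run from a trusted system; the sample tree it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Triage checks for a suspect filesystem mounted at "$1" (assumed to be a
# read-only copy inspected from trusted tools, as the thread recommends).

# /dev should contain only device nodes, directories and symlinks, so any
# regular file under it is worth looking at.
find_regular_in_dev() {
    find "$1/dev" -type f 2>/dev/null
}

# Executable regular files in the world-writable scratch directories.
# -perm -100 means "owner execute bit set", which works in GNU and BSD find.
find_exec_in_tmp() {
    for d in tmp var/tmp; do
        [ -d "$1/$d" ] && find "$1/$d" -type f -perm -100 2>/dev/null
    done
    return 0
}

# A .bash_history that is a symlink (a classic way to discard history) or
# that exists but is empty is a sign the file was tampered with.
# Returns 0 when the home directory's history looks tampered, 1 otherwise.
history_suspicious() {
    h="$1/.bash_history"
    if [ -L "$h" ]; then return 0; fi
    if [ -f "$h" ] && [ ! -s "$h" ]; then return 0; fi
    return 1
}

# Constructed sample tree so the script runs offline; not a real system.
ROOT=$(mktemp -d)
mkdir -p "$ROOT/dev" "$ROOT/tmp" "$ROOT/var/tmp" \
         "$ROOT/home/victim" "$ROOT/home/clean"
: > "$ROOT/dev/.hidden_bin"                     # regular file hiding in /dev
printf '#!/bin/sh\n' > "$ROOT/tmp/.x"
chmod 755 "$ROOT/tmp/.x"                        # executable dropped in /tmp
ln -s /dev/null "$ROOT/home/victim/.bash_history"   # history discarded
printf 'ls\n' > "$ROOT/home/clean/.bash_history"    # ordinary history

echo "regular files in /dev:";  find_regular_in_dev "$ROOT"
echo "executables in tmp dirs:"; find_exec_in_tmp "$ROOT"
for home in "$ROOT"/home/*; do
    history_suspicious "$home" && echo "$home: .bash_history looks tampered"
done
```

Run it against the mount point of the imaged disk rather than the live box, since the thread's point is that nothing on the compromised system, including find and ls, can be trusted.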