Re: SSH Attempts: Link to RedHat?

From: jon schatz (jon@divisionbyzero.com)
Date: 12/18/01


From: jon schatz <jon@divisionbyzero.com>
To: Gregg Sperling <gs-list@glsrms.com>
Date: 17 Dec 2001 16:26:49 -0800


On Mon, 2001-12-17 at 15:50, Gregg Sperling wrote:
> Surprisingly, I have had several pleasant exchanges with the individual who
> runs the server. He has offered to allow me access
> into his server with root access.

you're kidding me.

> Besides checking the standard /var/log/messages log, are there any
> suggestions as to where I should check for possible breaches
> in this individual's system?

i'd check the integrity of the installed rpms:

        [jon@devotchka jon]$ for i in `rpm -qa`; do rpm -V $i; done

i'd also look for recent additions in /dev (which seems to be the
directory of choice for rootkits):

        [jon@devotchka /dev]$ ls -tla|more

in fact, you could check file mod times on the whole system to be
totally sure.

i'd also check what ports were open on the local machine, who was
currently connected, and what actual processes were responsible for
those ports:

        [jon@devotchka /dev]$ netstat -na --inet
        [jon@devotchka /dev]$ lsof |grep LISTEN

now the bigger problem is that someone who admins a public linux box
would offer root access to a (basically) complete stranger from the
interweb. you stated that he had ftp + telnet open (amongst others). RH
hasn't enabled telnet by default in a while (i believe ssh has been the
default since 7.0). So we're most likely looking at a box running
outdated software run by an inexperienced admin. not a particularly hard
target from a script kiddie pov. then again, maybe you'll find the
fabled openssh2 remote exploit...

hope this helps.

-jon
 

-- 
jon@divisionbyzero.com || www.divisionbyzero.com
gpg key: www.divisionbyzero.com/pubkey.asc
think i have a virus?: www.divisionbyzero.com/pgp.html
"You are in a twisty little maze of Sendmail rules, all confusing." 
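Added example, not part of the original message: a small POSIX shell post-processor for the output of the `rpm -V` loop above (or the equivalent `rpm -Va`), which decodes the verification flags and keeps only the lines a rootkit hunt cares about. The sample `rpm -V` output is constructed.

```shell
#!/bin/sh
# Added example, not from the original message: post-process `rpm -V`
# output (from the per-package loop, or `rpm -Va`) so that only the files
# that matter in a rootkit hunt are shown.
# Each rpm -V line is an 8-char flag string, an optional type letter
# ("c" = config file), then the path. Flags: S size, M mode, 5 checksum,
# D device, L symlink, U owner, G group, T mtime; "." = verified OK.

# Translate a flag string such as "S.5....T" into readable words.
rpm_v_decode() {
    flags=$1
    out=""
    for pos in 1 2 3 4 5 6 7 8; do
        case "$(printf '%s' "$flags" | cut -c"$pos")" in
            S) out="$out size" ;;     M) out="$out mode" ;;
            5) out="$out checksum" ;; D) out="$out device" ;;
            L) out="$out symlink" ;;  U) out="$out owner" ;;
            G) out="$out group" ;;    T) out="$out mtime" ;;
        esac
    done
    printf '%s' "${out# }"
}

# Read rpm -V output on stdin; report missing files and non-config files
# whose size or checksum changed (what a replaced binary looks like).
# Config files legitimately differ and a lone mtime change is noise.
rpm_v_suspects() {
    while read -r flags rest; do
        case "$flags" in
            missing) printf 'MISSING %s\n' "$rest"; continue ;;
        esac
        case "$rest" in c\ *) continue ;; esac   # config file, skip
        case "$flags" in
            *5*|S*) printf '%s (%s)\n' "$rest" "$(rpm_v_decode "$flags")" ;;
        esac
    done
}

# Constructed sample standing in for real `rpm -Va` output.
sample_rpm_v_output() {
    printf '%s\n' \
        'S.5....T    /bin/ls' \
        'S.5....T  c /etc/ssh/sshd_config' \
        '.......T    /usr/share/doc/foo/README' \
        'missing     /sbin/ifconfig' \
        '..5....T    /bin/netstat'
}

sample_rpm_v_output | rpm_v_suspects
```

On a live box the same filter is run as `rpm -Va | rpm_v_suspects`; anything it prints for a system binary deserves a look at its mtime and the listening ports, as the message goes on to suggest.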



