Re: Newbie Questions

From: Michael Kjorling (michael@kjorling.com)
Date: 08/08/01


Date: Wed, 8 Aug 2001 18:38:22 +0200 (CEST)
From: Michael Kjorling <michael@kjorling.com>
To: Joe Warner <rootman@xmission.com>
Subject: Re: Newbie Questions
Message-ID: <Pine.LNX.4.33.0108081821270.20000-100000@varg.wolfpack>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

For whatever it's worth:

One of my boxes (Red Hat Linux 6.2 with an upgraded kernel, but
basically no patches installed at the time and an open firewall for
the moment because of reconfiguration from a dial-up) once got
compromised. My first problem was that the connection with the server
kept going down, but the dial-up was stable (I was working from a
nonprivileged account su'd to root). Aside from that, my logs were
being flooded by blocked SMB requests from various hosts throughout
the 24/8 network - this was my first indication of a real problem. As
this was very early a Sunday morning (1-2 AM local time), about all I
could do was look on and try to figure out what was going on from
my end, some 60-70 miles from the computer itself and no chance to get
there.

I started out by turning off SMB packet logging (to prevent /var from
filling up), and tightened up the firewall as quickly as I could. When
I got back to the console, I disconnected the Internet and LAN network
cables, and started looking. Almost immediately I noticed a few
rootshell /etc/inetd.conf entries, plus some obscure directories
("/dev/.. " and "/dev/...", for example). The conclusion was simple:
someone had got into the box and installed some kind of backdoor
software.

Said and done, my first step was to get a hardware firewall to use
alongside the ipchains firewalling. After ordering that, I
started looking around more closely on the system to see exactly what
had been done, and how that happened. To my relief, whoever did this
left /etc/passwd and /etc/shadow untouched, along with most other
critical configuration files. I made sure to copy the log files as
well as some strange software I found on the system to floppy disks
and wipe it off the hard disks; then started looking at the logs.
Just before the SMB flood started, there was a message with a whole
lot of garbage, so I suppose it was a standard buffer overflow attack
(lp?).

I found this by keeping my system logs under close watch and
restricting access to the system. However, nowadays tripwire (and
portsentry) is among the standard set of tools I install on every new
Linux system I set up. It might not catch everything, but properly
configured tools like that can catch a lot.

There is nothing, though, that can replace the value of keeping an eye
on the logs, in my opinion.

Michael Kjörling

On Aug 7 2001 06:51 -0600, Joe Warner wrote:

> Ok, let's say that my BSD/UNIX box has been compromised with a trojan. How can
> I detect this? Do I have to use something like tripwire?
>
> Thanks
>
> Joe

- --
Michael Kjörling - michael@kjorling.com - PGP: 8A70E33E
Manager Wolf.COM -- Programmer -- Network Administrator
"We must be the change we wish to see" (Mahatma Gandhi)

^..^ Support the wolves in Norway -- go to ^..^
 \/ http://home.no.net/ulvelist/protest_int.htm \/

***** Please only send me emails which concern me *****

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7cWsBKqN7/Ypw4z4RAlW8AKDfO0hJdI0gSWl3IhLBG6Ri2zOFQQCglHaw
35YP3qbyJVysqZekRFFQw3A=
=75pm
-----END PGP SIGNATURE-----
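The three detection steps the message describes (spotting shell-spawning entries in /etc/inetd.conf, finding oddly named directories such as "/dev/.. " and "/dev/...", and keeping a tripwire-style file-integrity baseline to diff against) as an added Python example. This is not code from the thread, from tripwire or from portsentry; the directory tree, the inetd.conf lines, the "ingreslock" service name and the fake "bd" binary are constructed sample data, and the set of shell names is an assumption.

```python
import hashlib
import os
import re
import tempfile

# Constructed sample /etc/inetd.conf as it looked before the compromise.
CLEAN_INETD = """# /etc/inetd.conf (constructed sample)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
"""
# The kind of "rootshell" line the message describes: a service whose
# server program is a shell, run as root (constructed sample line).
BACKDOOR_LINE = "ingreslock stream tcp nowait root /bin/sh sh -i\n"

# Assumed list of shell basenames to flag when they appear as an inetd server.
SHELLS = {"sh", "bash", "csh", "ksh", "tcsh", "zsh", "ash"}
# Directory or file names made only of dots and whitespace (".. ", "...").
ODD_NAME = re.compile(r"^[.\s]+$")


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Tripwire-style baseline: relative path -> (hash, mode, size) for regular files."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            if os.path.islink(p):
                continue  # hash targets, not links; a link change shows up as added/removed
            st = os.lstat(p)
            baseline[os.path.relpath(p, root)] = (hash_file(p), st.st_mode, st.st_size)
    return baseline


def compare_baseline(root, baseline):
    """Re-scan root and report what was added, removed or changed since the baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in set(current) & set(baseline) if current[p] != baseline[p]),
    }


def find_odd_names(root):
    """Paths whose final component is only dots/whitespace, e.g. '/dev/.. '."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if ODD_NAME.match(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def find_shell_services(inetd_conf_text):
    """(line number, service, user, server) for inetd entries that hand out a shell.

    Field order is the classic inetd.conf layout:
    service socket_type proto flags user server_program [server_args...]
    When the server is the tcpd wrapper, the real program is the first argument.
    """
    hits = []
    for lineno, line in enumerate(inetd_conf_text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        fields = s.split()
        if len(fields) < 6:
            continue
        service, user, server, args = fields[0], fields[4], fields[5], fields[6:]
        prog = os.path.basename(server)
        wrapped = os.path.basename(args[0]) if args else ""
        if prog in SHELLS or wrapped in SHELLS:
            hits.append((lineno, service, user, server))
    return hits


def demo():
    """Baseline a constructed tree, tamper with it the way the message describes, re-check."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "inetd.conf"), "w") as f:
            f.write(CLEAN_INETD)
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")  # constructed
        baseline = build_baseline(root)

        # Simulated compromise: a rootshell inetd entry and a hidden "/dev/.. " directory.
        with open(os.path.join(etc, "inetd.conf"), "a") as f:
            f.write(BACKDOOR_LINE)
        hidden = os.path.join(root, "dev", ".. ")
        os.makedirs(hidden)
        with open(os.path.join(hidden, "bd"), "wb") as f:
            f.write(b"\x7fELF-placeholder")  # constructed stand-in for a dropped binary

        report = compare_baseline(root, baseline)
        report["odd_names"] = [os.path.relpath(p, root) for p in find_odd_names(root)]
        with open(os.path.join(etc, "inetd.conf")) as f:
            report["shell_services"] = find_shell_services(f.read())
        return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The baseline only has value if it is stored somewhere the intruder cannot rewrite (the floppies mentioned in the message, or any read-only medium) and is built before the box is exposed; a baseline taken after the compromise simply enshrines the backdoor.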
