Re: some kind of attack. i need some help here!
From: Matt (news@mattNOSPAMjackets.8m.com) Date: 01/12/02
From: Matt <news@mattNOSPAMjackets.8m.com> Date: Fri, 11 Jan 2002 22:29:22 -0600
thanks for all the links, i'll be sifting through many of them in the next hour or
so....
as for the question of which exploit was used....i'm 99.9% sure it was that damn
crc32 buffer problem in ssh version 1
i do have a firewall in place; and since they exploited the sshd, the firewall let
everything go right on through. i'm thinking about diving into some anomaly
detection systems.....but i haven't decided if it's worth it. what do you think?
thanks,
-matt
Bit Twister wrote:
> In article <3C3F240A.81CDBCCC@mattNOSPAMjackets.8m.com>, Matt wrote:
> > well, this is becoming fun.......i found another bogus user id 'sbin' how
> > creative......this is really starting to concern me....the last login from
> > the sbin user was from maryland! ok, so it looks like at least two separate
> > hacks took place.....and it raises more questions.
> >
> >
> > ****what exploit, and in what package, was used? how can i find out? i
> > don't want to wipe the machine clean and reinstall the same buggy software
> > again!
>
> Guess you have to check the vendor site to find out which updates
> have exploits that you did not update.
>
> Failing that, check http://www.cert.org/advisories/ to see
> which things you might have been cracked with.
>
> Lots of luck, you are going to need it.
>
> Any time you know a box is cracked, you should:
> pull the box off the network,
> put the hard drive(s) into a standalone machine,
> mount the disk(s) readonly,
> save any data, user files, ...,
> save a full copy of the disk(s) for your forensic attempt,
> save the disk(s) for FBI forensics if it's a Big, BIG dollar loss.
> Reformat disk drives and do a fresh install from known clean
> source to remove any possible back doors the cracker installed.
> Restore your saved files, verify that the restored files
> do not have the suid bit set "find / -perm +6000 -ls".
> Have everyone on the box's network change passwords and
> tell them why so they will not use them ever again.
> Any other boxes logged into from the cracked box should
> have their passwords changed.
>
> Here is why you need a clean install
> http://www.linuxdoc.org/LDP/LG/issue36/kuethe.html
> 4th paragraph.
>
> Install a firewall
>
> Get all the vendor updates to your distro.
>
> You might want to read Armoring Linux
> http://www.linuxdoc.org/HOWTO/Security-Quickstart-HOWTO/index.html
> http://www.enteract.com/~lspitz/linux.html
> http://www.linuxsecurity.com/docs/colsfaq.html
> http://www.securityportal.com/lskb/articles/
> http://www.securityportal.com/lasg/
> http://www.cert.org/advisories/
>
> For cheap install CDs
> http://cart.cheapbytes.com/cgi-bin/cart
> top left under Products.
>
> Never login as root unless you have to.
> Always login from the console, no su, telnet, ssh,..
> That way a keystroke logger in your user account cannot
> catch your root login password.
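The "verify that the restored files do not have the suid bit set" step from the quoted procedure, as an added shell example that is not part of this thread: it uses the POSIX `-perm -4000 -o -perm -2000` tests instead of the `+6000` form, which current GNU find no longer supports, and the demo tree, its paths and file names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Audit a restored tree for files that
# carry the setuid or setgid bit before putting them back on a clean install.
# Only regular files are reported; setgid on directories is normal and harmless.

# list_suid ROOT: print every setuid/setgid regular file under ROOT with its mode
list_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \;
}

# count_suid ROOT: number of flagged files, handy for scripting and tests
count_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | wc -l | tr -d ' '
}

# strip_suid ROOT: clear both bits on every flagged file (run after reviewing the list)
strip_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec chmod u-s,g-s {} \;
}

# demo_tree: build a constructed "restored user files" tree (assumed layout) and
# print its path; two of the three files carry the bits the audit must catch.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/home/matt/bin"
    printf '#!/bin/sh\necho hi\n' > "$d/home/matt/bin/helper"   # ordinary script
    chmod 755 "$d/home/matt/bin/helper"
    printf 'x' > "$d/home/matt/.cache"                           # planted setuid file
    chmod 4755 "$d/home/matt/.cache"
    printf 'y' > "$d/home/matt/bin/rootsh"                       # planted setgid file
    chmod 2755 "$d/home/matt/bin/rootsh"
    echo "$d"
}

# Stand-alone run: ./suid_audit.sh --demo builds the tree, lists the hits, cleans up
if [ "${1:-}" = "--demo" ]; then
    root=$(demo_tree)
    echo "flagged $(count_suid "$root") file(s) under $root:"
    list_suid "$root"
    rm -rf "$root"
fi
```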