Re: HELP: RH 7.2 box hacked
From: crawdog@erols.com Date: 01/28/02
- Next message: Matthew Goldman: "Re: Hacked by "bobkit""
- Previous message: crawdog@erols.com: "Re: mountd and ports (again)"
- In reply to: ERA: "Re: HELP: RH 7.2 box hacked"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: crawdog@erols.com Date: 27 Jan 2002 20:29:08 -0800
You have a lot of good advice, but I personally disagree with some.
era@eracc.hypermart.net (ERA) wrote in message news:<gWtomC2dEjRt-pn2-deBdVd1RHEdP@era0>...
> On Thu, 24 Jan 2002 03:08:26 UTC, Simon Ngan
> <saiho@yahoo.com> wrote:
--------SNIP----------
> + Someone from infinitiodt.com is connecting to my port 32769!
> +
> + What can I do?
------SNIP----------
> 6. Reinstall the OS + apps and restore data to the clean partition /
> drive.
>
> 6a. (Suggested by Bill Unruh <unruh@physics.ubc.ca> 12-21-2001)
> Then, scan all of the files which you saved for suid
> programs:
>
> find / -perm +6000 -ls
Only do this if you know what you are doing and understand what and
why you are doing this. Don't reinstall the old OS and apps to a clean
partition unless you are doing forensic work.
> 6c. (Suggested by Pep <PepMozilla@netscape.net> 12-21-2001)
> When you restore your backup, check all system configuration
> files that are restored for any cracks that may have already
> been incorporated into these files.
Do not restore the old config files over the "new" ones. Manually
restore the components of config files (from the old ones). You can
cut and paste from the old files. But don't restore, then look.
> 6d. (Suggested by Bill Staehle <withheld on req.> 01-07-2002)
>
> find / \( -nouser -o -nogroup \) -exec ls -lad {} \;
>
> and if anything turns up, determine _why_ the user and/or
> group is not in /etc/passwd and/or /etc/group. Who _really_
> owns those files/directories? What are they?
Once again, manually restore the passwd file (while checking for bogus
info). It is not mentioned, but do not restore the shadow file. Make
each user enter a new password. Use "devious" means to check that
users entered a NEW password. If they use the same password, then
compliment them on their inability to listen and comprehend. Make sure
that all people have been notified (and it is properly documented)
that they should use a new password.
> 8. Create your own, unique hidden directory and 'cp' files to it
> that are essential to system maintenance like 'ls', 'netstat',
> 'route', 'ifconfig', 'ps', etc.
> (Should you be cracked again, God forbid, as long as you don't
> have a compromised kernel this will allow you to use these copies
> to "see" what a cracker may have done.)
I would not do this. Never trust any binary on a cracked system. Are
you sure that your "hidden" binary has also not been compromised? I
know how to potentially find your hidden binary commands. If you do
not know what I'm talking about, then do not give this advice (hide
some commands).
help with this, such as port scanners; etc.
> 8c. (Suggested by Bill Staehle <withheld on req.> 01-01-2002)
> [It] would be better if the program files you put into that
> hidden directory are statically compiled, and not using the
> possibly corrupted dynamic libraries. It also assumes that
> the kernel doesn't get messed with. _At this time_ these
> concerns are not big, but why not stay ahead?
This helps, but I know how to defeat this. I'm not a computer security
expert nor am I a properly trained sysadmin. If I can figure this
out...
> 8d. (Suggested by James Knott <james.knott@rogers.com> 01-02-02)
> Mount as much of your filesystem as possible as read only. If
> the crackers can't write to a partition, they can't change
> it. Rename and hide su etc. [as suggested in 8].
Okay, this is a part of security procedures. Binary executable files
should be on read only file partitions. Just make sure that a person
with root access cannot change this. Remember, a person with root
access can substitute/copy their own stuff on a r/w partition, thereby
getting around the real command. Additionally, make sure that one
(everyone) does not have a r/w directory high up in their path. But
once again, I can get around this.
I could write more stuff. I'm also paranoid. The advice that you write
about and cite helps, but some can be easily circumvented.
Clyde
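The thread's `find / -perm +6000 -ls` check only shows what is setuid now; what a responder actually wants is a baseline from a known-good state to diff against. The script below is an added example, not code from the thread or from any of its posters. It assumes GNU `sha256sum` plus POSIX `find`, `sort` and `comm`, and, following Clyde's point about not trusting binaries on a cracked box, is meant to be run with tools from trusted media (rescue CD or a read-only mount). Note that modern GNU find spells the quoted `-perm +6000` as `-perm /6000`; the script uses the portable `-perm -4000 -o -perm -2000` form instead.

```shell
#!/bin/sh
# Added example: inventory setuid/setgid files and diff against a baseline.
# Assumes GNU coreutils sha256sum and POSIX find/sort/comm. Paths containing
# whitespace are not handled (sha256sum output is split on spaces).

# Print "path hash" for every setuid or setgid regular file under $1,
# sorted by path so the output can be fed straight to comm.
suid_inventory() {
    dir=$1
    # -perm -4000: setuid bit set; -perm -2000: setgid bit set
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -exec sha256sum {} \; \
        | awk '{ print $2, $1 }' | sort
}

# Compare a saved baseline ($1) with a fresh inventory ($2).
# "-" lines were in the baseline but are gone or changed; "+" lines are
# new or changed now. A replaced binary therefore shows up as one of each.
baseline_diff() {
    baseline=$1
    current=$2
    comm -23 "$baseline" "$current" | sed 's/^/- /'
    comm -13 "$baseline" "$current" | sed 's/^/+ /'
}

# Usage (constructed, run from trusted media):
#   suid_inventory /mnt/victim > baseline.txt    # taken from the clean install
#   suid_inventory /mnt/victim > current.txt     # taken later
#   baseline_diff baseline.txt current.txt
```

An empty diff means no setuid/setgid file was added, removed or altered since the baseline; anything else is a file to examine by hand.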