Re: linux box compromised: advice needed

From: Bit Twister (BitTwister@localhost.localdomain)
Date: 03/25/02


From: BitTwister@localhost.localdomain (Bit Twister)
Date: Sun, 24 Mar 2002 23:27:47 GMT

On 24 Mar 2002 15:17:18 -0800, Paul Douriaguine wrote:
> Hi,
>
> We've noticed two new accounts recently added to the system, which
> look like
>
> m0o:x:501:501::/dev/.w:/bin/bash
>
> in passwd file.
>
> I realise nothing is 100% secure, but the only two services we used to
> run were SSH (SSH-1.99-OpenSSH_2.1.1) and sendmail (Sendmail
> 8.11.0/8.11.0) with only limited number of trusted user having an
> account on the system. Oh well, there is mysql on non-standard
> privileged port, but it is shielded from outside world by ipchains.
>
> I suspect it is sendmail exploit, can anyone confirm?

You could look here for more exploits.
http://www.cert.org/advisories/

First, Unplug your system from the internet, Your machine is a menace to
society until you've cleaned it up. Even worse is, if it is used to crack
a bank or military site, you and your equipment gets hauled off to jail.

http://www.chkrootkit.org has a program for checking for rootkit installs.

Any time you know a box is cracked, you should:
o Pull the box off the network, you do not want the police taking
        you and your equipment to jail because a cracker used it
        to crack a bank or military site.

o Put the hardrive(s) into a standalone machine,
        mount the disk(s) readonly,
        save any data, user files, ...,

o Save a full copy of the disk(s) for your forensic attempt,
        save the disk(s) for FBI forensics if it's a Big, BIG dollar loss.

o Refomat disk drives and do a fresh install from known clean
        source to remove any possible back doors the cracker installed.

o Restore your saved files, verify that the restored files
        do not have the suid bit set "find / -perm +6000 -ls".

o Have everyone on the box's network change passwords and
        tell them why so they will not use them ever again.
        Any other boxes logged into from the cracked box should
        have their passwords changed.

Here is why you need a clean install
   http://www.linuxdoc.org/LDP/LG/issue36/kuethe.html
4'th paragraph.

Install a firewall, ipchains was replaced by iptables.

Get all the vendor updates to your distro.

You might want to read Armoring Linux
        http://www.linuxdoc.org/HOWTO/Security-Quickstart-HOWTO/index.html
        http://www.enteract.com/~lspitz/linux.html
        http://www.linuxsecurity.com/docs/colsfaq.html
        http://www.securityportal.com/lskb/articles/
        http://www.securityportal.com/lasg/
        http://www.cert.org/advisories/

For cheap install cd's
http://cart.cheapbytes.com/cgi-bin/cart
top left under Products.
For people accross the pond,
        http://www.linuxemporium.co.uk
        http://www.linux123.co.uk/

Never login as root unless you have to.
Always login from the console, no su, telnet, ssh,..
That way a keystroke logger in your user account cannot
catch your root login password.

You can audit your system if you are using the rpm package manager with
  rpm -Va | grep '..5' > /tmp/verify.log Runs for awhile.

/tmp/verify.log will contain changes which you have made using
configuration tools

Hope crackers do not put in a rootkit which makes the rpm check obsolete.
I think this has happened, though not sure.