Re: linux box compromised: advice needed

From: Bit Twister (BitTwister@localhost.localdomain)
Date: 03/25/02

From: BitTwister@localhost.localdomain (Bit Twister)
Date: Sun, 24 Mar 2002 23:27:47 GMT

On 24 Mar 2002 15:17:18 -0800, Paul Douriaguine wrote:
> Hi,
> We've noticed two new accounts recently added to the system, which
> look like
> m0o:x:501:501::/dev/.w:/bin/bash
> in passwd file.
> I realise nothing is 100% secure, but the only two services we used to
> run were SSH (SSH-1.99-OpenSSH_2.1.1) and sendmail (Sendmail
> 8.11.0/8.11.0) with only limited number of trusted user having an
> account on the system. Oh well, there is mysql on non-standard
> privileged port, but it is shielded from outside world by ipchains.
> I suspect it is sendmail exploit, can anyone confirm?

You could look here for more exploits.

First, Unplug your system from the internet, Your machine is a menace to
society until you've cleaned it up. Even worse is, if it is used to crack
a bank or military site, you and your equipment gets hauled off to jail. has a program for checking for rootkit installs.

Any time you know a box is cracked, you should:
o Pull the box off the network, you do not want the police taking
        you and your equipment to jail because a cracker used it
        to crack a bank or military site.

o Put the hardrive(s) into a standalone machine,
        mount the disk(s) readonly,
        save any data, user files, ...,

o Save a full copy of the disk(s) for your forensic attempt,
        save the disk(s) for FBI forensics if it's a Big, BIG dollar loss.

o Refomat disk drives and do a fresh install from known clean
        source to remove any possible back doors the cracker installed.

o Restore your saved files, verify that the restored files
        do not have the suid bit set "find / -perm +6000 -ls".

o Have everyone on the box's network change passwords and
        tell them why so they will not use them ever again.
        Any other boxes logged into from the cracked box should
        have their passwords changed.

Here is why you need a clean install
4'th paragraph.

Install a firewall, ipchains was replaced by iptables.

Get all the vendor updates to your distro.

You might want to read Armoring Linux

For cheap install cd's
top left under Products.
For people accross the pond,

Never login as root unless you have to.
Always login from the console, no su, telnet, ssh,..
That way a keystroke logger in your user account cannot
catch your root login password.

You can audit your system if you are using the rpm package manager with
  rpm -Va | grep '..5' > /tmp/verify.log Runs for awhile.

/tmp/verify.log will contain changes which you have made using
configuration tools

Hope crackers do not put in a rootkit which makes the rpm check obsolete.
I think this has happened, though not sure.

Relevant Pages

  • CreateService as current user?
    ... account during the installation ). ... Since the CreateServicefunction takes a login and password, ... is there any way to install a service on a local machine to ... CreateService(), a command-line tool that doesn't require a password, or only ...
  • RE: login ID and Password Problems
    ... account used to configure the operating system. ... When the system finishes booting there is the login prompt, ... whatever password you entered during the install. ... All hell breaks loose right at the login prompt. ...
  • Re: Seriously, now that I got Linux LiveCD running, what can I do with it? Newbie questions
    ... create a 'documents' folder automatically if you install it to your ... as opposed to in Windows. ... will, upon creating a new user account, automatically create a user ... In most distributions, yes. ...
  • Re: linux box compromised: advice needed
    ... >>account on the system. ... > o Refomat disk drives and do a fresh install from known clean ... > Never login as root unless you have to. ... > Always login from the console, no su, telnet, ssh,.. ...
  • Re: Advanced Client install nightmare
    ... I can successfully install manually using the SMS account. ... MS Client Configuration Manager cannot install the Advanced Client to ...