Re: linux box compromised: advice needed

From: David (thunderbolt01@netscape.net)
Date: 03/25/02


    From: David <thunderbolt01@netscape.net>
    Date: Sun, 24 Mar 2002 17:41:53 -0600
    
    

    Bit Twister wrote:
    > On 24 Mar 2002 15:17:18 -0800, Paul Douriaguine wrote:
    >
    >>Hi,
    >>
    >>We've noticed two new accounts recently added to the system, which
    >>look like
    >>
    >>m0o:x:501:501::/dev/.w:/bin/bash
    >>
    >>in passwd file.
    >>
    >>I realise nothing is 100% secure, but the only two services we used to
    >>run were SSH (SSH-1.99-OpenSSH_2.1.1) and sendmail (Sendmail
    >>8.11.0/8.11.0) with only limited number of trusted user having an
    >>account on the system. Oh well, there is mysql on non-standard
    >>privileged port, but it is shielded from outside world by ipchains.
    >>
    >>I suspect it is sendmail exploit, can anyone confirm?
    >
    >
    > You could look here for more exploits.
    > http://www.cert.org/advisories/
    >
    >
    > First, unplug your system from the internet. Your machine is a menace to
    > society until you've cleaned it up. Even worse, if it is used to crack
    > a bank or military site, you and your equipment get hauled off to jail.
    >
    > http://www.chkrootkit.org has a program for checking for rootkit installs.
    >
    > Any time you know a box is cracked, you should:
    > o Pull the box off the network, you do not want the police taking
    > you and your equipment to jail because a cracker used it
    > to crack a bank or military site.
    >
    > o Put the hard drive(s) into a standalone machine,
    > mount the disk(s) readonly,
    > save any data, user files, ...,
    >
    > o Save a full copy of the disk(s) for your forensic attempt,
    > save the disk(s) for FBI forensics if it's a Big, BIG dollar loss.
    >
    > o Reformat disk drives and do a fresh install from known clean
    > source to remove any possible back doors the cracker installed.
    >
    > o Restore your saved files, verify that the restored files
    > do not have the suid bit set "find / -perm +6000 -ls".
    >
    > o Have everyone on the box's network change passwords and
    > tell them why so they will not use them ever again.
    > Any other boxes logged into from the cracked box should
    > have their passwords changed.
    >
    >
    > Here is why you need a clean install
    > http://www.linuxdoc.org/LDP/LG/issue36/kuethe.html
    > 4th paragraph.
    >
    > Install a firewall, ipchains was replaced by iptables.
    >
    > Get all the vendor updates to your distro.
    >
    > You might want to read Armoring Linux
    > http://www.linuxdoc.org/HOWTO/Security-Quickstart-HOWTO/index.html
    > http://www.enteract.com/~lspitz/linux.html
    > http://www.linuxsecurity.com/docs/colsfaq.html
    > http://www.securityportal.com/lskb/articles/
    > http://www.securityportal.com/lasg/
    > http://www.cert.org/advisories/
    >
    >
    > For cheap install CDs
    > http://cart.cheapbytes.com/cgi-bin/cart
    > top left under Products.
    > For people across the pond,
    > http://www.linuxemporium.co.uk
    > http://www.linux123.co.uk/
    >
    > Never login as root unless you have to.
    > Always login from the console, no su, telnet, ssh,..
    > That way a keystroke logger in your user account cannot
    > catch your root login password.
    >
    > You can audit your system if you are using the rpm package manager with
    > rpm -Va | grep '..5' > /tmp/verify.log Runs for awhile.
    >
    > /tmp/verify.log will contain changes which you have made using
    > configuration tools
    >
    > Hope crackers do not put in a rootkit which makes the rpm check obsolete.
    > I think this has happened, though not sure.
    >

    Also, if you need to run a mail server, upgrade sendmail to the newest
    version, which is "8.12.2", or possibly switch to a more secure MTA like
    qmail or one of the others.

    Also install the newest OpenSSH version, which is "3.1p1".

    Be sure to get all updates for the distro used after you get done with a
    disk format and re-install.

    -- 
    Confucius say: He who play in root, eventually kill tree.
    Registered with the Linux Counter.  http://counter.li.org
    ID # 123538
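An added example, not part of the thread above: two small triage helpers for the checks the reply describes, the `rpm -Va` audit (separating expected config-file edits from modified binaries) and a scan of `/etc/passwd` for entries like the `m0o` account in the original question. Both inputs are constructed samples, not real output from the compromised box.

```sh
#!/bin/sh
# Added example, not from the original post. Sample data below is constructed.

# Constructed sample of `rpm -Va` output: 9 test flags (S size, M mode,
# 5 MD5 digest, D device, L link, U user, G group, T mtime), an optional
# attribute letter (c = config file, d = documentation), then the path.
RPM_VA_SAMPLE='S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/share/doc/sendmail/README
S.5....T.    /bin/ls
S.5....T.    /usr/bin/netstat
..5....T.  c /etc/sendmail.cf
missing     /usr/sbin/sshd'

# Print only non-config, non-doc files whose MD5 digest changed (3rd flag is
# "5"), plus packaged files that are missing. An edited sendmail.cf is expected
# after setup; a changed /bin/ls or netstat is a classic rootkit sign.
suspicious_rpm_changes() {
    printf '%s\n' "$1" | awk '
        $1 == "missing" { print "missing " $NF; next }
        substr($1, 3, 1) == "5" && $2 != "c" && $2 != "d" { print "modified " $NF }'
}

# Constructed /etc/passwd sample, including an entry shaped like the one in
# the original question (home directory hidden under /dev).
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
m0o:x:501:501::/dev/.w:/bin/bash
toor:x:0:0::/root:/bin/bash'

# Flag extra UID 0 accounts and any account whose home directory lives in /dev.
suspicious_passwd_entries() {
    printf '%s\n' "$1" | awk -F: '
        $3 == 0 && $1 != "root" { print "uid0 " $1; next }
        $6 ~ /^\/dev\// { print "devhome " $1 }'
}

# Stand-alone run against the constructed samples:
suspicious_rpm_changes "$RPM_VA_SAMPLE"
suspicious_passwd_entries "$PASSWD_SAMPLE"
```

On a real system, feed the functions `"$(rpm -Va)"` and `"$(cat /etc/passwd)"` from a read-only mount of the suspect disk, since rpm and awk on the compromised box itself may have been replaced.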
    


