Re: Method for intrusion

From: joe (joe_at_joe.net)
Date: 05/03/03

    Date: Sat, 03 May 2003 11:34:55 -0400

    did you run autopsy on the box yet?

    John Oliver wrote:

    > I'm trying to figure out how an intruder was able to break into a Red
    > Hat 7.2 machine and install the suckit rootkit. This host probably
    > hadn't been patched in a while, but most services had been disabled. It
    > ran bind 9.2.1, sendmail 8.12.9, webmin, squirrelmail, IMAP and POP3,
    > and openssh 3.5. Oh, and an Apache, too. I haven't found any mentions
    > of remote root exploits in any of this software, and this host was also
    > behind a firewall that blocked any attempt to access anything but those
    > services. I'm kinda worried, in that this suckit kit appears to be able
    > to modify the kernel even if LKMs aren't allowed.
    >
    > Is there a "typical" path of entry used by h4x0r5 using suckit? I found
    > the kit and so know when the intrusion took place (it was really a
    > sloppy job), but they killed syslogd and then replaced it with an older,
    > probably Trojaned, binary, which was restarted the next AM. The machine
    > is going to be formatted after I've done as much of a post-mortem as I
    > can, but I would really like to be able to find the initial point of
    > entry to make sure that other hosts on the same network aren't also
    > vulnerable.
    >
    > --
    > John Oliver, CCNA http://www.john-oliver.net/
    > Linux/UNIX/network consulting http://www.john-oliver.net/resume/
    > *** sendmail, Apache, ftp, DNS, spam filtering ***
    > **** Colocation, T1s, web/email/ftp hosting ****
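Joe's pointer to Autopsy and John's note that syslogd was replaced with an older binary lead to the same technique: a filesystem timeline, which does not depend on logs the intruder controlled. The block below is an added example, not code from either poster nor from Autopsy/Sleuth Kit; it assumes an image of the box is mounted read-only at `root`, and constructs a tiny sample tree in place of a real image.

```python
"""mactime-style timeline of a mounted, read-only image of a compromised host,
plus a check for files whose content looks old (mtime) but whose inode changed
during the intrusion (ctime): the pattern a replaced or back-dated binary leaves."""
import os
import tempfile
from datetime import datetime, timedelta, timezone

def collect_timeline(root):
    """Sorted (utc datetime, 'mac' flags, relative path) rows, like mactime output."""
    by_key = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow links found on the image
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for ts, flag in ((st.st_mtime, "m"), (st.st_atime, "a"), (st.st_ctime, "c")):
                by_key.setdefault((int(ts), rel), set()).add(flag)
    rows = [(datetime.fromtimestamp(ts, timezone.utc),
             "".join(f if f in flags else "." for f in "mac"), rel)
            for (ts, rel), flags in by_key.items()]
    return sorted(rows)

def activity_window(timeline, intrusion_time, hours=2):
    """Rows within +/- hours of the time the intrusion is known to have happened."""
    lo, hi = intrusion_time - timedelta(hours=hours), intrusion_time + timedelta(hours=hours)
    return [row for row in timeline if lo <= row[0] <= hi]

def backdated_files(root, intrusion_time, hours=2, min_gap_days=30):
    """Paths whose ctime is in the intrusion window while mtime is far older: utime()
    and touch can set mtime/atime but not ctime, so a swapped-in 'old' binary shows this."""
    hits = []
    for when, flags, rel in activity_window(collect_timeline(root), intrusion_time, hours):
        if "c" in flags and "m" not in flags:
            mtime = datetime.fromtimestamp(os.lstat(os.path.join(root, rel)).st_mtime, timezone.utc)
            if when - mtime > timedelta(days=min_gap_days):
                hits.append(rel)
    return sorted(hits)

def build_sample_root():
    """Constructed sample tree, not a real image: sbin/syslogd was replaced and its
    mtime set back to 2001; tmp/.x is a freshly dropped file."""
    root = tempfile.mkdtemp()
    for rel in ("sbin/syslogd", "tmp/.x"):
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"constructed sample content")
    old = datetime(2001, 9, 1, tzinfo=timezone.utc).timestamp()
    os.utime(os.path.join(root, "sbin", "syslogd"), (old, old))
    return root, datetime.now(timezone.utc)
```

Run it against a mounted copy of the disk image rather than the live system, since walking the live filesystem updates the very atimes being examined.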


