Re: Method for intrusion
From: Joe Lofshult (jlofshult_at_cox.net)
Date: Sat, 03 May 2003 23:31:00 GMT
I would highly recommend making a backup image of the filesystems before
wiping and reinstalling. Grab a copy of FIRE from biatchux.sf.net.
It's a great incident response and forensic toolkit. It's a bootable
distribution you can use to make a backup of the filesystems on your
system. I recommend you use dd to make sure you get the entire
filesystem. If you don't have a tape drive on the system, you can always
use netcat to send the backup images to another system. For example, on
the target system run
nc -l -p 10001 > filesystem.img
and on your compromised system which has been booted from the FIRE disk, run
dd if=disk_device | nc target_ip 10001
where disk_device is your filesystem device (e.g. hda1).
You can then investigate further at a later time.
John Oliver wrote:
> I'm trying to figure out how an intruder was able to break into a Red
> Hat 7.2 machine and install the suckit rootkit. This host probably
> hadn't been patched in a while, but most services had been disabled. It
> ran bind 9.2.1, sendmail 8.12.9, webmin, squirrelmail, IMAP and POP3,
> and openssh 3.5. Oh, and an Apache, too. I haven't found any mentions
> of remote root exploits in any of this software, and this host was also
> behind a firewall that blocked any attempt to access anything but those
> services. I'm kinda worried, in that this suckit kit appears to be able
> to modify the kernel even if LKMs aren't allowed.
> Is there a "typical" path of entry used by h4x0r5 using suckit? I found
> the kit and so know when the intrusion took place (it was really a
> sloppy job), but they killed syslogd and then replaced it with an older,
> probably Trojaned, binary, which was restarted the next AM. The machine
> is going to be formatted after I've done as much of a post-mortem as I
> can, but I would really like to be able to find the initial point of
> entry to make sure that other hosts on the same network aren't also
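The dd-over-netcat procedure Joe outlines above, as an added example that is not part of the original thread: a small bash script that streams the device with dd, hashes the very bytes that go down the pipe (so the hash describes what left the box, not a second read of a possibly failing disk), and verifies the image on the collection side. The device names (/dev/hda), the collector address, port 10001 and the custody log path are placeholders; the demo runs on a constructed file standing in for the disk.

```shell
#!/bin/bash
# Added example, not code from the original thread. Device names, host names,
# the port and the log path are placeholders.
set -u

# SHA-256 of stdin via sha256sum (Linux) or shasum (BSD/macOS).
# Assumption: one of the two is installed on both hosts.
sha256_of_stdin() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi | awk '{print $1}'
}

# image_device SOURCE_DEVICE DESTINATION
# Streams SOURCE_DEVICE through tee into DESTINATION and prints the SHA-256 of
# the stream on stdout. bs=512 with conv=noerror,sync: an unreadable sector is
# replaced by 512 zero bytes and dd keeps going, so every later sector stays at
# its true offset in the image. dd's own stderr (record counts, read errors) is
# left visible on purpose; note it down with the hash.
# In the field DESTINATION is a process substitution that feeds netcat, e.g.
#   image_device /dev/hda >(nc collector_ip 10001) > hda.sha256
# Image the whole disk (hda), not one partition (hda1): the partition table and
# any unallocated space are outside hda1.
image_device() {
    local src=$1 dest=$2
    [ -r "$src" ] || { echo "image_device: cannot read $src" >&2; return 1; }
    dd if="$src" bs=512 conv=noerror,sync | tee "$dest" | sha256_of_stdin
}

# verify_image IMAGE_FILE EXPECTED_HASH
# Recomputes the hash of the received image and compares it with the value the
# sender printed. Returns 0 on match, 1 on mismatch (a truncated or altered
# transfer).
verify_image() {
    local img=$1 expected=$2 actual
    actual=$(sha256_of_stdin < "$img")
    [ "$actual" = "$expected" ]
}

# receive_image PORT IMAGE_FILE
# Collection-side listener, the counterpart of "nc -l -p 10001 > filesystem.img".
# "-l -p PORT" is the traditional/GNU netcat syntax used in the post; OpenBSD
# netcat takes "nc -l PORT". After the transfer a chain-of-custody line
# (UTC time, file, hash) is appended to custody.log and the hash is printed.
receive_image() {
    local port=$1 img=$2 h
    nc -l -p "$port" > "$img" || return 1
    h=$(sha256_of_stdin < "$img")
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$img" "$h" >> custody.log
    echo "$h"
}

# Offline demo on a constructed 1 MiB "disk" (a plain file standing in for
# /dev/hda): image it locally, then verify the copy.
demo() {
    local work src img h
    work=$(mktemp -d); src=$work/fake_hda; img=$work/fake_hda.img
    head -c 1048576 /dev/urandom > "$src"
    h=$(image_device "$src" "$img")
    if verify_image "$img" "$h"; then echo "image verified: $h"; else echo "MISMATCH"; fi
    rm -rf "$work"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `bash imaging.sh --demo` to exercise the local path; in the field, start `receive_image 10001 hda.img` on the collector first, then on the FIRE-booted host run `image_device /dev/hda >(nc collector_ip 10001) > hda.sha256` and compare the two hashes before wiping anything.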