Re: Method for intrusion

From: Joe Lofshult (jlofshult_at_cox.net)
Date: 05/04/03

Date: Sat, 03 May 2003 23:31:00 GMT

    I would highly recommend making a backup image of the filesystems before
    wiping and reinstalling. Grab a copy of FIRE from biatchux.sf.net.
    It's a great incident response and forensic toolkit. It's a bootable
    distribution you can use to make a backup of the filesystems on your
    system. I recommend you use dd to make sure you get the entire
    filesystem. If you don't have a tape drive on the system, you can always
    use netcat to send the backup images to another system. For example, on
    the target system run

    nc -l -p 10001 > filesystem.img

    and on your compromised system which has been booted from the FIRE disk, run

    dd if=disk_device | nc target_ip 10001

    where disk_device is your filesystem device (e.g. hda1).

    You can then investigate further at a later time.

    John Oliver wrote:
    > I'm trying to figure out how an intruder was able to break into a Red
    > Hat 7.2 machine and install the suckit rootkit. This host probably
    > hadn't been patched in a while, but most services had been disabled. It
    > ran bind 9.2.1, sendmail 8.12.9, webmin, squirrelmail, IMAP and POP3,
    > and openssh 3.5. Oh, and an Apache, too. I haven't found any mentions
    > of remote root exploits in any of this software, and this host was also
    > behind a firewall that blocked any attempt to access anything but those
    > services. I'm kinda worried, in that this suckit kit appears to be able
    > to modify the kernel even if LKMs aren't allowed.
    >
    > Is there a "typical" path of entry used by h4x0r5 using suckit? I found
    > the kit and so know when the intrusion took place (it was really a
    > sloppy job), but they killed syslogd and then replaced it with an older,
    > probably Trojaned, binary, which was restarted the next AM. The machine
    > is going to be formatted after I've done as much of a post-mortem as I
    > can, but I would really like to be able to find the initial point of
    > entry to make sure that other hosts on the same network aren't also
    > vulnerable.
    >

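The imaging procedure Joe describes, written up as an added shell example (not from the original post, not part of FIRE): the same dd-over-netcat transfer, plus a SHA-256 taken on both ends so the image can be shown to match the source before the disk is wiped. It assumes GNU coreutils (dd, sha256sum) and a netcat that accepts `nc -l -p PORT`; DEVICE, COLLECTOR_IP and PORT are placeholders.

```shell
#!/bin/sh
# Added example: dd-over-netcat imaging with an integrity check on both ends.
# Assumes GNU coreutils (dd, sha256sum, cut) and a netcat that takes "-l -p PORT".

# SHA-256 of a device or image file, read exactly the way the image is taken.
# conv=noerror,sync keeps dd going past unreadable sectors (zero-padded) and pads
# the final partial block, so source and image are hashed over the same bytes.
hash_blocks() {     # hash_blocks DEVICE_OR_FILE  -> prints the hex digest
    dd if="$1" bs=4096 conv=noerror,sync 2>/dev/null | sha256sum | cut -d' ' -f1
}

# Collector side (the "target system" in the post): receive, then hash the image.
receive_image() {   # receive_image PORT OUTFILE
    nc -l -p "$1" > "$2" && hash_blocks "$2"
}

# Compromised host booted from the FIRE disk: ship the raw device, then hash it
# the same way. The device is not mounted from the live CD, so a second read
# returns the same bytes that were sent.
send_image() {      # send_image DEVICE COLLECTOR_IP PORT
    dd if="$1" bs=4096 conv=noerror,sync 2>/dev/null | nc "$2" "$3" && hash_blocks "$1"
}

# Exit status 0 when the image is a faithful copy of the source device.
images_match() {    # images_match SOURCE_HASH IMAGE_HASH
    [ -n "$1" ] && [ "$1" = "$2" ]
}
```

Record both digests with the image; a mismatch means the copy is not usable as evidence and the device should be re-imaged before anything is wiped.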
