You have been seriously compromised!!!
Even if you repair the damage, there will be timebombs inside to open up
a firewall at a particular time so someone can get through.
Check ../cron/root and other background processes.
(Although the root password may not have been compromised)
You MUST put up a complete firewall. A partial one is a waste of time.
Take the Linux machine off the air and Start writing now!
Save milk.c and stream.c - they may help to track the owner.
In inetd.conf - close off finger, limit inetd (see man inetd)
and disable ALL access to telnet through the firewall. This may be
inconvenient for you in the interim but still.
Now the trap - You have to close off anonymous ftp. This will have been
altered so the hacker can upload code and get back in.
A recommendation.
Save your own files to another machine and FORMAT the disk and start again.
It will only take a day and the firewall will be MUCH better won't it!
Regards,
Bruce.
PS Our IP/ports are being scanned daily by potential hackers and we take
explicit action against IP addresses attempting to connect to anything
other than the services provided.
>Hi,
>I have a cable modem connection to Internet. My system is running RedHat
>6.0. I have a home LAN setup so my linux gateway to the internet is
>configured as a masquerading gateway and also running as a web server and
>DNS (Primary and Caching only) server. I'm still working on the firewall
>(ipchains) but there is nothing in my /etc/inetd.conf.
>
>After the compromise here is what happened:
>
>1. The log tells me a user called "chaos" entered my system from some ISP
>in primus.ca.
>
>May 6 10:57:30 gator login: LOGIN ON 1 BY chaos FROM dialin-154-26.tor.primus.ca
>May 6 11:21:05 gator login: LOGIN ON 1 BY chaos FROM dialin-154-26.tor.primus.ca
>May 6 11:28:30 gator login: LOGIN ON 1 BY chaos FROM dialin-154-26.tor.primus.ca
>May 6 11:32:07 gator login: LOGIN ON 1 BY chaos FROM dialin-154-26.tor.primus.ca
>
>May 6 10:57:30 gator PAM_pwdb[4662]: (login) session opened for user chaos by (uid=0)
>May 6 10:57:38 gator PAM_pwdb[4675]: (su) session opened for user own by chaos(uid=5001)
>May 6 11:21:05 gator PAM_pwdb[4721]: (login) session opened for user chaos by (uid=0)
>May 6 11:21:07 gator PAM_pwdb[4733]: (su) session opened for user own by chaos(uid=5001)
>
>2. The following telnetd line was added to /etc/inetd.conf.
>telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
>
>3. The following accounts got added at the end of /etc/passwd:
>
>own:x:0:0::/root:/bin/bash
>adm1:x:5000:5000:Tech Admin:/tmp:/bin/bash
>chaos:x:5001:5001::/home/chaos:/bin/bash
>
>4. I looked at the /home/chaos directory and saw the following files:
>-rwxrwxr-x 1 #chaos #chaos 13672 May 6 15:21 m
>-rw-rw-r-- 1 root root 1149 May 6 15:07 milk.c
>-rwxrwxr-x 1 root root 15818 May 6 15:13 s
>-rw-rw-r-- 1 root root 6793 May 6 15:07 stream.c
>
>5. I look at .bash_history for the chaos user and I see:
>su own
>gcc -o m milk.c
>./m 129.142.82.11 6000
>su own
>su own
>./m
>./m 24.114.4.13 7000
>
>Now, my cable modem ISP (Mediaone) has warned me that they have received
>complaints about port scanning from my system and they will disable the
>service if this happens again!!
>
>Steps I've taken so far:
>
>1. Upgraded bind to named 8.2.2-P5
>2. Changed root passwords
>3. Removed all the accounts that the intruder created and again there is
>nothing in /etc/inetd.conf
>4. Sent email to the originating ISP to take actions about the abuse.
>
>I still can't figure out how the intruder entered my system. Please
>advise me on what to do to make sure my system is secure.
>
>Thanks in advance.
>--Nehali
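A defender-side check for the indicators Nehali found (an extra UID-0 account and an account homed in /tmp in /etc/passwd, an su into that UID-0 account by an unprivileged user in the PAM log, and a re-enabled telnet line in inetd.conf), written as an added example that is not part of the original thread; the passwd, inetd.conf and log samples are constructed from the values quoted above.

```python
import re
# Constructed samples modelled on the values quoted in the post above.
PASSWD = """root:x:0:0:root:/root:/bin/bash
own:x:0:0::/root:/bin/bash
adm1:x:5000:5000:Tech Admin:/tmp:/bin/bash
chaos:x:5001:5001::/home/chaos:/bin/bash
"""
INETD_CONF = """#finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
"""
MESSAGES = """May 6 10:57:30 gator PAM_pwdb[4662]: (login) session opened for user chaos by (uid=0)
May 6 10:57:38 gator PAM_pwdb[4675]: (su) session opened for user own by chaos(uid=5001)
"""
# PAM_pwdb su record: target account, calling account, caller's uid.
SU_RE = re.compile(r"PAM_pwdb\[\d+\]: \(su\) session opened for user (\S+) by (\S+)\(uid=(\d+)\)")

def passwd_entries(text):
    """Yield (name, uid, home) for every well-formed /etc/passwd line."""
    for line in text.splitlines():
        f = line.split(":")
        if len(f) == 7:
            yield f[0], f[2], f[5]

def suspicious_passwd(text):
    """Flag UID-0 accounts other than root and accounts homed in world-writable /tmp."""
    findings = []
    for name, uid, home in passwd_entries(text):
        if uid == "0" and name != "root":
            findings.append(("uid0-alias", name))
        if home == "/tmp" or home.startswith("/tmp/"):
            findings.append(("tmp-home", name))
    return findings

def enabled_services(text, watch=("telnet", "finger", "shell", "login")):
    """Return watched services that are active (not commented out) in inetd.conf."""
    return [line.split()[0] for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")
            and line.split()[0] in watch]

def su_into_uid0(log, passwd):
    """Return (caller, target) for each su into a UID-0 account by a non-root user."""
    root_names = {name for name, uid, _ in passwd_entries(passwd) if uid == "0"}
    hits = []
    for line in log.splitlines():
        m = SU_RE.search(line)
        if m and m.group(1) in root_names and m.group(3) != "0":
            hits.append((m.group(2), m.group(1)))
    return hits
```

Run the three checks against the live /etc/passwd, /etc/inetd.conf and /var/log/messages; any hit is a reason to treat the host as compromised rather than merely misconfigured.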
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]