inetd is only one way he/she can enter your system via remote.
You should also (after booting up) do a "ps -ax" or "ps -aux" to see what
is running in the background. Some common entry points could be finger,
talkd, rlogind(sp?). Make sure those services are disabled. If for some
reason you are needing a service that is running, make sure ipchains takes
care of blocking those services from going through your gateway. You can
also block his entire subnet (assuming he does not get wise and use another
ISP).
-=>Jim Roland
"Never settle with words what you can settle with a flamethrower."
--Anonymous
On Wed, 10 May 2000, wrote:
> Date: Wed, 10 May 2000 07:35:06 -0700
> From: <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Please Help !! My system got compromised
>
> Hi,
> I have a cable modem connection to Internet. My system is running RedHat 6.0. I have
> a home LAN setup so my linux gateway to the internet is configured as a masquerading
> gateway and also running as a web server and DNS (Primary and Caching only) server.
> I'm still working on the firewall (ipchains) but there is nothing in my
> /etc/inetd.conf.
>
> After the compromise here is what happened:
>
> 1. The log tells me a user called "chaos" entered my system from some ISP in
> primus.ca.
>
> May 6 10:57:30 gator login: LOGIN ON 1 BY chaos FROM dialin-154-26.tor.primus.ca
> May 6 11:21:05 gator login: LOGIN ON 1 BY chaos FROM dialin-154-26.tor.primus.ca
> May 6 11:28:30 gator login: LOGIN ON 1 BY chaos FROM dialin-154-26.tor.primus.ca
> May 6 11:32:07 gator login: LOGIN ON 1 BY chaos FROM dialin-154-26.tor.primus.ca
>
> May 6 10:57:30 gator PAM_pwdb[4662]: (login) session opened for user chaos by (uid=0)
> May 6 10:57:38 gator PAM_pwdb[4675]: (su) session opened for user own by chaos(uid=5001)
> May 6 11:21:05 gator PAM_pwdb[4721]: (login) session opened for user chaos by (uid=0)
> May 6 11:21:07 gator PAM_pwdb[4733]: (su) session opened for user own by chaos(uid=5001)
>
> 2. The following telnetd line was added to /etc/inetd.conf.
> telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
>
> 3. Following accounts got added at the end of /etc/passwd
>
> own:x:0:0::/root:/bin/bash
> adm1:x:5000:5000:Tech Admin:/tmp:/bin/bash
> chaos:x:5001:5001::/home/chaos:/bin/bash
>
> 4. I looked at /home/chaos directory, I saw the following files
> -rwxrwxr-x 1 #chaos #chaos 13672 May 6 15:21 m
> -rw-rw-r-- 1 root root 1149 May 6 15:07 milk.c
> -rwxrwxr-x 1 root root 15818 May 6 15:13 s
> -rw-rw-r-- 1 root root 6793 May 6 15:07 stream.c
>
> 5. When I look at .bash_history for the chaos user I see:
> su own
> gcc -o m milk.c
> ./m 129.142.82.11 6000
> su own
> su own
> ./m
> ./m 24.114.4.13 7000
>
> Now, my cable modem ISP (Mediaone) has warned me that they have received complaints
> about port scanning from my system and they will disable the service if this happens
> again!!
>
> Steps I've taken so far:
>
> 1. Upgraded bind to named 8.2.2-P5
> 2. Changed root passwords
> 3. Removed all the accounts that the intruder created and again there is nothing in
> /etc/inetd.conf
> 4. Sent email to the originating ISP to take actions about the abuse.
>
> I still can't figure out how the intruder entered my system?? Please advise me on
> what to do to make sure my system is secure.
>
> Thanks in advance.
> --Nehali
>
>
>
> --== Sent via Deja.com http://www.deja.com/ ==--
> -
> To unsubscribe from this list: send the line "unsubscribe linux-net" in
> the body of a message to [EMAIL PROTECTED]
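The checks both messages describe (extra uid-0 accounts in /etc/passwd, a re-enabled service in /etc/inetd.conf, and PAM_pwdb "su" lines into a privileged account) as an added example script that is not part of either message in the thread. The passwd, inetd.conf and syslog samples below are constructed from the indicators quoted in the post; the function names are the author's own assumptions.

```python
import re

# Constructed sample data modelled on the post: the three added accounts,
# the telnet line that reappeared in inetd.conf, and PAM_pwdb log lines.
PASSWD = """root:x:0:0:root:/root:/bin/bash
nehali:x:500:500:Nehali:/home/nehali:/bin/bash
own:x:0:0::/root:/bin/bash
adm1:x:5000:5000:Tech Admin:/tmp:/bin/bash
chaos:x:5001:5001::/home/chaos:/bin/bash
"""

INETD_CONF = """#ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
#finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
"""

SYSLOG = """May 6 10:57:30 gator PAM_pwdb[4662]: (login) session opened for user chaos by (uid=0)
May 6 10:57:38 gator PAM_pwdb[4675]: (su) session opened for user own by chaos(uid=5001)
May 6 12:00:01 gator PAM_pwdb[4800]: (su) session opened for user root by nehali(uid=500)
"""

def suspicious_accounts(passwd_text):
    """Flag uid-0 accounts other than root, and accounts homed under /tmp."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue  # not a valid passwd record
        name, uid, home = fields[0], fields[2], fields[5]
        if uid == "0" and name != "root":
            findings.append((name, "uid 0 but not root"))
        if home == "/tmp" or home.startswith("/tmp/"):
            findings.append((name, "home directory under /tmp"))
    return findings

def enabled_inetd_services(conf_text):
    """Service names in inetd.conf that are live (not commented out)."""
    return [l.split()[0] for l in conf_text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

# PAM_pwdb format from the post: "(su) session opened for user X by Y(uid=N)"
SU_RE = re.compile(r"\(su\) session opened for user (\S+) by (\S+)\(uid=(\d+)\)")

def su_to_privileged(log_text, privileged):
    """(who, target) pairs for every su into an account in `privileged`."""
    hits = []
    for line in log_text.splitlines():
        m = SU_RE.search(line)
        if m and m.group(1) in privileged:
            hits.append((m.group(2), m.group(1)))
    return hits
```

Running the three checks together with `privileged = {"root"} | {n for n, why in suspicious_accounts(PASSWD) if "uid 0" in why}` ties the unexpected uid-0 account straight to the su lines that used it.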