With Named NX zone exploit (Standard named with RedHat 6.0 is not patched)
On Wed, 10 May 2000, you wrote:
> Hi,
> I have a cable modem connection to Internet. My system is running RedHat 6.0. I have
> a home LAN setup so my linux gateway to the internet is configured as a masquerading
> gateway and also running as a web server and DNS (Primary and Caching only) server.
> I'm still working on the firewall (ipchains) but there is nothing in my
> /etc/inetd.conf.
>
> After the compromise here is what happened:
>
> 1. The log tells me a user called "chaos" entered my system from some ISP in
> primus.ca.
>
> May 6 10:57:30 gator login: LOGIN ON 1 BY chaos FROM dialin-154-26.tor.primus.ca
> May 6 11:21:05 gator login: LOGIN ON 1 BY chaos FROM dialin-154-26.tor.primus.ca
> May 6 11:28:30 gator login: LOGIN ON 1 BY chaos FROM dialin-154-26.tor.primus.ca
> May 6 11:32:07 gator login: LOGIN ON 1 BY chaos FROM dialin-154-26.tor.primus.ca
>
> May 6 10:57:30 gator PAM_pwdb[4662]: (login) session opened for user chaos by (uid=0)
> May 6 10:57:38 gator PAM_pwdb[4675]: (su) session opened for user own by chaos(uid=5001)
> May 6 11:21:05 gator PAM_pwdb[4721]: (login) session opened for user chaos by (uid=0)
> May 6 11:21:07 gator PAM_pwdb[4733]: (su) session opened for user own by chaos(uid=5001)
>
> 2. The following telnetd line was added to /etc/inetd.conf.
> telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
>
> 3. The following accounts got added at the end of /etc/passwd
>
> own:x:0:0::/root:/bin/bash
> adm1:x:5000:5000:Tech Admin:/tmp:/bin/bash
> chaos:x:5001:5001::/home/chaos:/bin/bash
>
> 4. I looked at the /home/chaos directory and saw the following files
> -rwxrwxr-x 1 #chaos #chaos 13672 May 6 15:21 m
> -rw-rw-r-- 1 root root 1149 May 6 15:07 milk.c
> -rwxrwxr-x 1 root root 15818 May 6 15:13 s
> -rw-rw-r-- 1 root root 6793 May 6 15:07 stream.c
>
> 5. I looked at .bash_history for the chaos user and I see:
> su own
> gcc -o m milk.c
> ./m 129.142.82.11 6000
> ssu own
> su own
> ./m
> ../m 24.114.4.13 7000
>
> Now, my cablemodem ISP (Mediaone) has warned me that they have received complaints
> about port scanning from my system and they will disable the service if this happens
> again!!
>
> Steps I've taken so far:
>
> 1. Upgraded bind to named 8.2.2-P5
> 2. Changed root passwords
> 3. Removed all the accounts that the intruder created and again there is nothing in
> /etc/inetd.conf
> 4. Sent email to the originating ISP to take actions about the abuse.
>
> I still can't figure out how the intruder entered my system?? Please advise me on
> what to do to make sure my system is secure.
>
> Thanks in advance.
> --Nehali
> To unsubscribe from this list: send the line "unsubscribe linux-net" in
> the body of a message to [EMAIL PROTECTED]
--
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org
owGbwMvMwCQ4a22RMefE9z2MaxkFk9gL0gv0EouTLS4sk9EFASdXd08/hQD3AAVf
1+BgR3dXsChXWGpRcWZ+npWCe15pgLtCmaGegZ6hgoa7X6i+T2ZeaYUml3N+bm5q
XomVglt+kUJmXlq+QnFqqkJGSUmBlb5+eXm5XnpeaUG6Xn5ROhdXfrl7UrlvmW+5
c6BJopFRkG9qmqtllZFvQVVuSK5jWbBzZXmpj3tAcbG7X25UoGNFpJe3c4hLWIFL
gK9BgEFQOJdZZkGFe1SSdlleUYpZaqWxhVFJXphPRXqun0eVmbtPanq2l7ZPWbFf
UrB7VZFhqkdSVLa2U6CjLZdtSYCTMxfYT65+Lpj+7LBnZmUABQYslASZ2qYyzJVt
dP55fFahUvVst1AFXhaPfVfy6xnmmS96+tt1aab7w8Xut17Pdrsp5lx8AAA=
=8omn
-----END PGP MESSAGE-----
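The post's evidence (an extra uid-0 account "own", an account with its home in /tmp, and su events from "chaos" into "own" after dial-in logins) can be checked mechanically. The following script is an added example, not code from the post or the list; it runs over the passwd and log lines quoted above, embedded here as constructed sample input (the "nehali" passwd line is assumed for contrast), and reports extra uid-0 accounts, accounts homed under world-writable paths, and every su into a uid-0 account correlated with the hosts the su'ing user logged in from.

```python
import re

# Constructed sample input: the /etc/passwd tail and the log lines quoted in the
# post above, plus an assumed ordinary user line (nehali) for contrast.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
nehali:x:500:500::/home/nehali:/bin/bash
own:x:0:0::/root:/bin/bash
adm1:x:5000:5000:Tech Admin:/tmp:/bin/bash
chaos:x:5001:5001::/home/chaos:/bin/bash
"""

LOG_SAMPLE = """\
May 6 10:57:30 gator login: LOGIN ON 1 BY chaos FROM dialin-154-26.tor.primus.ca
May 6 10:57:30 gator PAM_pwdb[4662]: (login) session opened for user chaos by (uid=0)
May 6 10:57:38 gator PAM_pwdb[4675]: (su) session opened for user own by chaos(uid=5001)
May 6 11:21:05 gator login: LOGIN ON 1 BY chaos FROM dialin-154-26.tor.primus.ca
May 6 11:21:07 gator PAM_pwdb[4733]: (su) session opened for user own by chaos(uid=5001)
"""


def audit_passwd(text, allowed_uid0=("root",),
                 suspicious_homes=("/tmp", "/var/tmp", "/dev")):
    """Flag passwd entries a defender would not expect: uid-0 accounts other
    than root, accounts homed under a world-writable path, and malformed
    lines. Returns a list of (username, reason) tuples in file order."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed passwd entry"))
            continue
        user, _pw, uid, _gid, _gecos, home, _shell = fields
        if uid == "0" and user not in allowed_uid0:
            findings.append((user, "uid 0 account other than root"))
        if any(home == p or home.startswith(p + "/") for p in suspicious_homes):
            findings.append((user, "home directory %s is under a world-writable path" % home))
    return findings


# Patterns for the two syslog line shapes quoted in the post (login and PAM su).
LOGIN_RE = re.compile(r"login: LOGIN ON \S+ BY (\S+) FROM (\S+)")
SU_RE = re.compile(r"\(su\) session opened for user (\S+) by (\S+)\(uid=(\d+)\)")


def uid0_users(passwd_text):
    """Set of account names whose uid field is 0."""
    return {line.split(":")[0] for line in passwd_text.splitlines()
            if line.count(":") == 6 and line.split(":")[2] == "0"}


def audit_log(log_text, passwd_text):
    """Correlate login and su events: for every su into a uid-0 account,
    return (target account, user who ran su, sorted hosts that user logged
    in from)."""
    root_names = uid0_users(passwd_text)
    logins = {}       # user -> set of remote hosts seen in LOGIN lines
    su_events = []    # (target account, user running su)
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            logins.setdefault(m.group(1), set()).add(m.group(2))
            continue
        m = SU_RE.search(line)
        if m and m.group(1) in root_names:
            su_events.append((m.group(1), m.group(2)))
    return [(target, who, sorted(logins.get(who, ()))) for target, who in su_events]


if __name__ == "__main__":
    for user, reason in audit_passwd(PASSWD_SAMPLE):
        print("passwd: %s: %s" % (user, reason))
    for target, who, hosts in audit_log(LOG_SAMPLE, PASSWD_SAMPLE):
        print("su to %s by %s, logged in from %s" % (target, who, ", ".join(hosts)))
```

On a real host the two functions would be fed the contents of /etc/passwd and /var/log/messages (or /var/log/secure); the passwd check is cheap enough to run from cron and diff against a known-good copy, which would have caught the "own" entry the moment it was written.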