Good information. Thanks. Please do report them to UU.Net's security
dept.
I caught the guy who tried to email me again with the trojan about 30
minutes after unsuccessfully attempting to login to my system.
(what a dummy he is--hehe)
-=>Jim Roland
"Never settle with words what you can settle with a flamethrower."
--Anonymous
On Wed, 17 May 2000, Julius C. Duque wrote:
> Date: Wed, 17 May 2000 15:47:13 +0800 (PST)
> From: Julius C. Duque <[EMAIL PROTECTED]>
> To: Jim Roland <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject: Re: Gee...guess what?! (was URGENT!!!!!!! Pine hacking attack: DOS attack, log file attached!)
>
> On Wed, 17 May 2000, Jim Roland wrote:
>
> > Gee guess what!?! I have the guy's IP address and host names. Sorry, I
> > don't remember a guy's name who told me he ran the attachment as root and
> > found a file called ".rhosts", but it might be wise to chronicle your
> > information, look in your logs (messages and syslogs) and send what
> > information you have to Worldcom's Security department (email address noted
> > a few paragraphs below). Also, immediately change all your passwords. If
> > you were in as root, he did get your shadow file, and encrypted passwords
> > *can* be broken. Change them immediately. If the date of your .rhosts
> > file is at or just after the time of the attack, delete it.
>
> That was me. The date of .rhosts on my /home dir was near the time I
> executed the trojan email. I have already deleted that .rhosts. I also
> noticed that sendmail had spawned a child process and was executing a
> program/script ./ex4XXXX or something similar (I can't recall the
> exact filename). I killed it, then decided to reboot the whole system
> afterwards.
>
> The /etc/passwd on my machine has /dev/null for the shell of users.
> Only admins have /bin/bash shells. I also have tcp wrapper installed
> long before this event happened. So, even if this cracker cracks the
> admins' passwords, he still has to login first to our dialup before
> he can telnet to the main server. Of course, I've already changed the
> root's password, as well as informed the other admins to change
> theirs, too. Also, since the shell of "ordinary" users is set to
> /dev/null, a user still cannot enter the server. Without a
> legitimate login shell, the system will just log him/her out
> immediately after logging in. If you want, you could use
> /bin/false instead of /dev/null.
>
> Additionally, it's a good thing that I configured /etc/securetty
> a long time ago so that root can only log on the console. The
> password field on non-human accounts (nobody, guest, ftp, shutdown,
> sync, bin, ftp, etc.) has long been disabled to shut out backdoors.
>
> I have put all users (except for admins) on /etc/ftpusers, chmod 600,
> to prevent non-admins from using the ftp service long before this
> disaster happened. I've also checked my .procmailrc. Why? You could
> execute arbitrary commands using the following .procmailrc recipe:
>
> :0:
> * $ ^Subject:[ ^I]*\/[ ^I].*
> | ${MATCH}
>
> The ^I stands for <tab>. This recipe will execute anything that's
> on the subject line of an email. Imagine if this .procmailrc
> recipe is located on root's directory! Someone just sends an
> email to root with a Subject line: "rm -rf /" and BOOM! Bye-bye!
>
> About the only thing I regret now is not installing Tripwire beforehand.
> Ouch!
>
> > May 16 16:47:53 ns sendmail[26775]: NOQUEUE: SYSERR: putoutmsg (chi-qbu-nvb-vty13.as.wcom.net): error on output channel sending "220 mail.roland.net ESMTP Sendmail 8.8.7/8.8.7; Tue, 16 May 2000 16:47:52 -0500": Broken pipe
>
> I've been seeing this IP in /var/log/syslog for about a week now, trying
> unsuccessfully to telnet and ftp to my machine. Yes, you're right,
> this guy came from Chicago.
> >
> > We know he's in Chicago, we have his IP on 2 different occasions, and know
> > of 2 systems he's hijacked. The 2nd (mediaserve.net) is in California.
>
>
> Julius
>
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to [EMAIL PROTECTED]
Please read the FAQ at http://www.linux-learn.org/faqs
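As an added example (not part of the thread above, and not code written by any of its participants): a small Python audit script that applies three of the checks Julius describes to constructed sample files. It parses a .procmailrc and flags recipes that pipe header-extracted `$MATCH` text into a command (the pattern of the quoted Subject-line recipe), lists non-admin accounts in /etc/passwd that still have a real login shell, and lists non-admin accounts missing from /etc/ftpusers. The sample file contents, the admin set and all function names are my own assumptions; point the functions at the real files to audit a live box.

```python
import re

# --- constructed sample inputs (not taken from any real system) ---
SAMPLE_PROCMAILRC = """\
# Harmless recipe: file list mail into a folder
:0:
* ^TO_linux-newbie
linux-newbie

# Dangerous recipe: pipe whatever follows the Subject: tag into a shell
:0:
* $ ^Subject:[ \t]*\\/[ \t].*
| ${MATCH}

# Also risky: header text interpolated into a command line
:0
* ^From:.*\\/[^ ]+
| /usr/local/bin/notify "$MATCH"
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/dev/null
ftp:x:14:50:FTP User:/home/ftp:/dev/null
julius:x:500:500:Julius:/home/julius:/bin/bash
alice:x:501:501:Alice:/home/alice:/bin/bash
bob:x:502:502:Bob:/home/bob:/dev/null
"""

SAMPLE_FTPUSERS = "bin\nftp\nalice\n"

MATCH_REF = re.compile(r"\$\{?MATCH\}?")   # $MATCH or ${MATCH} in an action
EXTRACT = re.compile(r"\\/")               # procmail's \/ extraction operator
NOLOGIN_SHELLS = {"/dev/null", "/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def parse_recipes(text):
    """Split a procmailrc into recipes: flags line, '*' conditions and one action."""
    recipes, cur = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(":0"):
            cur = {"line": lineno, "flags": line, "conditions": [], "action": None}
            recipes.append(cur)
        elif cur is None:
            continue                      # variable assignments outside recipes
        elif line.startswith("*"):
            cur["conditions"].append(line[1:].strip())
        else:
            cur["action"] = line          # first non-condition line is the action
            cur = None                    # recipe complete
    return recipes


def find_header_exec_recipes(text):
    """Line numbers of recipes whose pipe action receives text extracted from a header."""
    findings = []
    for r in parse_recipes(text):
        action = r["action"] or ""
        if not action.startswith("|"):
            continue
        if not MATCH_REF.search(action):
            continue
        if any(EXTRACT.search(c) for c in r["conditions"]):
            findings.append(r["line"])
    return findings


def passwd_entries(passwd_text):
    """Yield (user, shell) for each well-formed /etc/passwd line."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            yield fields[0], fields[6]


def interactive_accounts(passwd_text, admins):
    """Non-admin users whose shell still permits an interactive login."""
    return [u for u, shell in passwd_entries(passwd_text)
            if u not in admins and shell not in NOLOGIN_SHELLS]


def ftp_capable_non_admins(passwd_text, ftpusers_text, admins):
    """Non-admin users not listed in /etc/ftpusers (so ftpd will not refuse them)."""
    denied = {l.strip() for l in ftpusers_text.splitlines()
              if l.strip() and not l.startswith("#")}
    return [u for u, _ in passwd_entries(passwd_text)
            if u not in admins and u not in denied]


if __name__ == "__main__":
    admins = {"root", "julius"}           # assumed admin set
    print("procmail recipes executing header text at lines:",
          find_header_exec_recipes(SAMPLE_PROCMAILRC))
    print("non-admins with login shells:", interactive_accounts(SAMPLE_PASSWD, admins))
    print("non-admins missing from ftpusers:",
          ftp_capable_non_admins(SAMPLE_PASSWD, SAMPLE_FTPUSERS, admins))
```

The procmail check is deliberately narrow: it only reports recipes whose action starts with `|` and interpolates `$MATCH` captured with `\/`, which is the shape of the recipe quoted in the message. A recipe that pipes to a fixed command without any header-derived text is left alone.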