Hi there,

Be aware that you must trust your netstat, I've seen rootkits which
replace a number of common tools with adapted ones. Run your tools
directly from a 'live CD filesystem' for one.

Kees

On Thu, 11 May 2000, Tony Nugent wrote:

> /usr/bin/netstat is your friend:
> 
>       netstat -plut
> 
> This will show you all the network sockets that are being listened to.
> 
> On Wed May 10 2000 at 20:14, Jim Roland wrote:
> 
> > inetd is only one way he/she can enter your system via remote.
> > You should also (after booting up) do a "ps -ax" or "ps -aux" to see what
> > is running in the background.  Some common entry points could be finger,
> > talkd, rlogind(sp?).  Make sure those services are disabled.  If for some
> > reason you are needing a service that is running, make sure ipchains takes
> > care of blocking those services from going through your gateway.  You can
> > also block his entire subnet (assuming he does not get wise and use another
> > ISP).
> > 
> > 
> > -=>Jim Roland
> > 
> > "Never settle with words what you can settle with a flamethrower."
> >         --Anonymous
> > 
> > 
> > On Wed, 10 May 2000,     wrote:
> > 
> > > Date: Wed, 10 May 2000 07:35:06 -0700
> > > From:     <[EMAIL PROTECTED]>
> > > To: [EMAIL PROTECTED]
> > > Subject: Please Help !! My system got compromised
> > >
> > > Hi,
> > > I have a cable modem connection to Internet. My system is running RedHat 6.0. I
> > > have a home LAN setup so my linux gateway to the internet is configured as a
> > > masquerading gateway and also running as a web server and DNS (Primary and Caching
> > > only) server. I'm still working on the firewall (ipchains) but there is nothing in my
> > > /etc/inetd.conf.
> > >
> > > After the compromise here is what happened:
> > >
> > > 1. The log tells me a user called "chaos" entered my system from some ISP in
> > > primus.ca.
> > >
> > > May  6 10:57:30 gator login: LOGIN ON 1 BY chaos FROM dialin-154-26.tor.primus.ca
> > > May  6 11:21:05 gator login: LOGIN ON 1 BY chaos FROM dialin-154-26.tor.primus.ca
> > > May  6 11:28:30 gator login: LOGIN ON 1 BY chaos FROM dialin-154-26.tor.primus.ca
> > > May  6 11:32:07 gator login: LOGIN ON 1 BY chaos FROM dialin-154-26.tor.primus.ca
> > >
> > > May  6 10:57:30 gator PAM_pwdb[4662]: (login) session opened for user chaos by (uid=0)
> > > May  6 10:57:38 gator PAM_pwdb[4675]: (su) session opened for user own by chaos(uid=5001)
> > > May  6 11:21:05 gator PAM_pwdb[4721]: (login) session opened for user chaos by (uid=0)
> > > May  6 11:21:07 gator PAM_pwdb[4733]: (su) session opened for user own by chaos(uid=5001)
> > >
> > > 2. The following telnetd line was added to /etc/inetd.conf.
> > > telnet stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
> > >
> > > 3. Following accounts got added at the end of /etc/passwd
> > >
> > > own:x:0:0::/root:/bin/bash
> > > adm1:x:5000:5000:Tech Admin:/tmp:/bin/bash
> > > chaos:x:5001:5001::/home/chaos:/bin/bash
> > >
> > > 4. I looked at /home/chaos directory, I saw the following files
> > > -rwxrwxr-x   1 #chaos   #chaos      13672 May  6 15:21 m
> > > -rw-rw-r--   1 root     root         1149 May  6 15:07 milk.c
> > > -rwxrwxr-x   1 root     root        15818 May  6 15:13 s
> > > -rw-rw-r--   1 root     root         6793 May  6 15:07 stream.c
> > >
> > > 5. When I look at .bash_history for the chaos user I see:
> > > su own
> > > gcc -o m milk.c
> > > ./m 129.142.82.11 6000
> > > su own
> > > su own
> > > ./m
> > > ./m 24.114.4.13 7000
> > >
> > > Now, my cablemodem ISP (Mediaone) has warned me that they have received
> > > complaints about port scanning from my system and they will disable the service if
> > > this happens again!!
> > >
> > > Steps I've taken so far:
> > >
> > > 1. Upgraded bind to named 8.2.2-P5
> > > 2. Changed root passwords
> > > 3. Removed all the accounts that the intruder created and again there is nothing
> > > in /etc/inetd.conf
> > > 4. Sent email to the originating ISP to take actions about the abuse.
> > >
> > > I still can't figure out how the intruder entered my system? Please advise me
> > > on what to do to make sure my system is secure.
> > >
> > > Thanks in advance.
> > > --Nehali
> > >
> > >
> > >
> > > --== Sent via Deja.com http://www.deja.com/ ==--
> > > Before you buy.
> > > -
> > > To unsubscribe from this list: send the line "unsubscribe linux-net" in
> > > the body of a message to [EMAIL PROTECTED]
> > >
> > 
> > 
> 
> Cheers
> Tony
>  -=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-
>   Tony Nugent <[EMAIL PROTECTED]>    Systems Administrator, RHCE
>   GrowZone OnLine       (a project of) GrowZone Development Network
>   POBox 475 Toowoomba Queensland Australia 4350    Ph: 07 4637 8322
>  -=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-
> 


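As an added example (not code from any poster in this thread), the script below turns the indicators the thread discusses into triage checks: an extra uid-0 account in /etc/passwd, a service line added to /etc/inetd.conf, remote logins in the syslog, and an su into a root-equivalent account from an unprivileged uid. The sample passwd, inetd.conf and log text are constructed to mirror what Nehali quoted, and the function names and regular expressions are my own assumptions. Kees's caveat about netstat applies to this too: on a compromised host, run it against file copies taken while booted from trusted media rather than trusting the live system.

```python
import re

# Constructed sample data modelled on what the original poster reported.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nehali:x:500:500::/home/nehali:/bin/bash
own:x:0:0::/root:/bin/bash
adm1:x:5000:5000:Tech Admin:/tmp:/bin/bash
chaos:x:5001:5001::/home/chaos:/bin/bash
"""

INETD_CONF = """\
# constructed sample: commented lines are inactive, only the last one is live
#ftp    stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
#telnet stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
"""

SYSLOG = """\
May  6 10:57:30 gator login: LOGIN ON 1 BY chaos FROM dialin-154-26.tor.primus.ca
May  6 10:57:30 gator PAM_pwdb[4662]: (login) session opened for user chaos by (uid=0)
May  6 10:57:38 gator PAM_pwdb[4675]: (su) session opened for user own by chaos(uid=5001)
May  6 12:00:00 gator PAM_pwdb[4801]: (su) session opened for user nehali by root(uid=0)
"""

# Assumed log formats, matching the lines quoted in the thread.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ login: LOGIN ON \S+ BY (?P<user>\S+) FROM (?P<host>\S+)"
)
SU_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ PAM_pwdb\[\d+\]: \(su\) session opened "
    r"for user (?P<to>\S+) by (?P<by>[^(\s]+)\(uid=(?P<uid>\d+)\)"
)


def uid0_accounts(passwd_text):
    """Names of every account whose uid field is 0; anything besides 'root' is a finding."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0":
            names.append(fields[0])
    return names


def enabled_inetd_services(conf_text):
    """(service, server program and args) for each active, non-comment inetd.conf line."""
    services = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # inetd.conf: service socket_type proto flags user server_program [args]
        if len(fields) >= 6:
            services.append((fields[0], " ".join(fields[5:])))
    return services


def remote_logins(syslog_text):
    """(timestamp, user, origin host) for each login line that records a remote origin."""
    matches = map(LOGIN_RE.match, syslog_text.splitlines())
    return [m.group("ts", "user", "host") for m in matches if m]


def su_to_root_equivalent(syslog_text, root_names):
    """(timestamp, from_user, to_account) when a non-root uid opens an su session into a uid-0 account."""
    hits = []
    for line in syslog_text.splitlines():
        m = SU_RE.match(line)
        if m and m.group("to") in root_names and m.group("uid") != "0":
            hits.append((m.group("ts"), m.group("by"), m.group("to")))
    return hits


def triage(passwd_text, conf_text, syslog_text):
    """One finding string per indicator, in the order a responder would review them."""
    findings = []
    roots = uid0_accounts(passwd_text)
    for name in roots:
        if name != "root":
            findings.append(f"extra uid-0 account: {name}")
    for service, program in enabled_inetd_services(conf_text):
        findings.append(f"inetd service enabled: {service} -> {program}")
    for ts, user, host in remote_logins(syslog_text):
        findings.append(f"{ts} login by {user} from {host}")
    for ts, by, to in su_to_root_equivalent(syslog_text, set(roots)):
        findings.append(f"{ts} su from {by} into uid-0 account {to}")
    return findings


if __name__ == "__main__":
    for finding in triage(PASSWD, INETD_CONF, SYSLOG):
        print(finding)
```

On the sample data the script reports the `own` account as a second uid-0 login, the live telnet line, the login from the primus.ca dial-in host, and the su from `chaos` into `own`; the su from `root` into `nehali` is not flagged because it originates from uid 0. To use it on real files, read `/etc/passwd`, `/etc/inetd.conf` and the relevant log copy into the three text arguments instead of the constants.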