Re: FC9 Compromised...

2009-02-28 Thread Michael Schwendt
On Fri, 27 Feb 2009 13:32:11 -0800, Jack wrote:

> Disagree, if anyone used the root password they had to know what it 
> was... 27 characters
> 
> It's probable that they got in through a pop3 account on one machine.

On "one machine", but what about the other machines?
Did they use the same root pw?
If not, what services did the machines have in common?

> No rootkits found, no trojans or viruses found.

chkrootkit and rkhunter may not be sufficient when analyzing the
systems. Preferably examine the filesystem read-only mounted, and
also do RPM database verification with an external RPM.

-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines


Re: FC9 Compromised...

2009-02-27 Thread Aldo Foot
On Fri, Feb 27, 2009 at 3:32 PM, Patrick O'Callaghan
 wrote:
> On Fri, 2009-02-27 at 14:08 -0800, Aldo Foot wrote:
>> You could try booting with a LiveCD and use find to expose files
>> created recently.
>
> No good. A rootkit could have changed the file creation time.

True. But years ago, while gathering data from a compromised system
I came across an executable named "zap" and the command strings
showed what was supposed to happen to wtmp files and the like. So,
file names alone may be suspicious.

~af



Re: FC9 Compromised...

2009-02-27 Thread Patrick O'Callaghan
On Fri, 2009-02-27 at 14:08 -0800, Aldo Foot wrote:
> You could try booting with a LiveCD and use find to expose files
> created recently.

No good. A rootkit could have changed the file creation time. Either run
a hash check on all the binaries ("rpm -V" might be useful here, but of
course the rpm database could also be corrupt), or just reinstall from
safe media.

I know which one I'd do.

poc



RE: FC9 Compromised...

2009-02-27 Thread Casartello, Thomas
-- I yanked the drive and scanned it in a clean machine. Nothing found.

-- I'm reasonably sure the problem originated internally. (No further 
comment on this.)

-- Thanks

Sounds like a naughty user on the box

Thomas E. Casartello, Jr.
Staff Assistant - Wireless Technician/Linux Administrator
Information Technology
Wilson 105A
Westfield State College

Red Hat Certified Technician (RHCT)

-Original Message-
From: fedora-list-boun...@redhat.com [mailto:fedora-list-boun...@redhat.com]
On Behalf Of Jack Lauman
Sent: Friday, February 27, 2009 5:07 PM
To: Community assistance, encouragement, and advice for using Fedora.
Subject: Re: FC9 Compromised...

I yanked the drive and scanned it in a clean machine. Nothing found.

I'm reasonably sure the problem originated internally. (No further 
comment on this.)

Thanks

Craig White wrote:
> On Fri, 2009-02-27 at 13:32 -0800, Jack Lauman wrote:
>> Craig White wrote:
>>
>>> the problem isn't Fedora 9, it's the person setting it up and
>>> maintaining it. These days, the most likely way someone would own a
>>> computer would be to connect via ssh using a brute force method but it
>>> could be something as simple as users who can get pop3 e-mail and also
>>> have shell access so capturing an unsecured login on pop3 will allow
>>> someone a local shell and when that happens, it's likely only a matter
>>> of time before they get root. SELinux is designed to limit the
>>> opportunities available when things like this happen.
>>>
>>> Seems to me if you have a number of boxes that were compromised, they
>>> probably all shared the same 'root' password and that was definitely
>>> hacked.
>> Disagree, if anyone used the root password they had to know what it 
>> was... 27 characters
> 
> I'm going to let this pass...
> 
>> It's probable that they got in through a pop3 account on one machine.
> 
> and then broke the system with a key logger or some unpatched local
> exploit. It would stand to reason that they got your root password
> somehow if they got onto several boxes unless you used passwordless ssh
> keys between them.
> 
> Bad idea to allow users to access pop3 and have a valid shell and ssh
> access.
> 
>>> You might parse /etc/passwd to see what account has uid = 0
>>>
>> It exists...
>>
>>> You should not have any of these machines connected to the Internet. You
>>> should be aware of the likelihood that these machines have keyloggers
>>> installed on them which will capture anything you type.
>>>
>> No rootkits found, no trojans or viruses found.
> 
> I don't know that I would implicitly trust whatever you used to come to
> that conclusion.
> 
>>> Yes, you need to get data off the system and completely re-install.
>>>
>>> Your question however is unclear. If you want to add 'root' back in,
>>> something like this should work...
>> Yes, I need to add root back in...
>>> useradd -u 0 -g 0 -h /root
>>> and then 'passwd root' to set the password
>> doesn't work... /etc/shadow is missing.
> 
> Sort of screwed...time spent trying to make this system work is likely
> wasted.
> 
> set up a computer with a large hard drive and get it working. Shut down
> and connect hard drive from this box and copy data files to the new hard
> drive. This may be a problem if you had hardware raid.
> 
> Craig
> 


Re: FC9 Compromised...

2009-02-27 Thread Aldo Foot
On Fri, Feb 27, 2009 at 12:49 PM, Jack Lauman  wrote:
> On Feb 25, between 1753-2046 PST several of my Fedora Core 9 machines were
> compromised. All had the latest patches applied.

At this point I would not trust any system binaries such as commands or
executable programs you don't recognize.
You could try booting with a LiveCD and use find to expose files created
recently. Most likely there is a binary somewhere in /usr/bin or /usr/sbin
with the sole task of deleting certain files to cover things up.


> Any help on resolving this would be appreciated.  I need to get data off
> these before re-installation.

It would be informative for yourself to find out *how* the break in occurred.
You'll need to know how to prevent it once you reinstall.


~af



Re: FC9 Compromised...

2009-02-27 Thread Jack Lauman

I yanked the drive and scanned it in a clean machine. Nothing found.

I'm reasonably sure the problem originated internally. (No further 
comment on this.)


Thanks

Craig White wrote:
> On Fri, 2009-02-27 at 13:32 -0800, Jack Lauman wrote:
>> Craig White wrote:
>>> the problem isn't Fedora 9, it's the person setting it up and
>>> maintaining it. These days, the most likely way someone would own a
>>> computer would be to connect via ssh using a brute force method but it
>>> could be something as simple as users who can get pop3 e-mail and also
>>> have shell access so capturing an unsecured login on pop3 will allow
>>> someone a local shell and when that happens, it's likely only a matter
>>> of time before they get root. SELinux is designed to limit the
>>> opportunities available when things like this happen.
>>>
>>> Seems to me if you have a number of boxes that were compromised, they
>>> probably all shared the same 'root' password and that was definitely
>>> hacked.
>> Disagree, if anyone used the root password they had to know what it
>> was... 27 characters
>
> I'm going to let this pass...
>
>> It's probable that they got in through a pop3 account on one machine.
>
> and then broke the system with a key logger or some unpatched local
> exploit. It would stand to reason that they got your root password
> somehow if they got onto several boxes unless you used passwordless ssh
> keys between them.
>
> Bad idea to allow users to access pop3 and have a valid shell and ssh
> access.
>
>>> You might parse /etc/passwd to see what account has uid = 0
>> It exists...
>
>>> You should not have any of these machines connected to the Internet. You
>>> should be aware of the likelihood that these machines have keyloggers
>>> installed on them which will capture anything you type.
>> No rootkits found, no trojans or viruses found.
>
> I don't know that I would implicitly trust whatever you used to come to
> that conclusion.
>
>>> Yes, you need to get data off the system and completely re-install.
>>>
>>> Your question however is unclear. If you want to add 'root' back in,
>>> something like this should work...
>> Yes, I need to add root back in...
>>> useradd -u 0 -g 0 -h /root
>>> and then 'passwd root' to set the password
>> doesn't work... /etc/shadow is missing.
>
> Sort of screwed...time spent trying to make this system work is likely
> wasted.
>
> set up a computer with a large hard drive and get it working. Shut down
> and connect hard drive from this box and copy data files to the new hard
> drive. This may be a problem if you had hardware raid.
>
> Craig






No virus found in this incoming message.
Checked by AVG - www.avg.com 
Version: 8.0.237 / Virus Database: 270.11.4/1976 - Release Date: 02/27/09 13:27:00




--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines


Re: FC9 Compromised...

2009-02-27 Thread Gordon Messmer

Jack Lauman wrote:
> Have any other incidents like this been reported lately?

Not that I know of.  What network services were running on these hosts,
and what web applications?




Re: FC9 Compromised...

2009-02-27 Thread Robert P. J. Day
On Fri, 27 Feb 2009, Christopher K. Johnson wrote:

> Jack Lauman wrote:
> >
> > Yes, I need to add root back in...

> Not necessarily. You would be safer to boot rescue from an installer
> DVD, then choose to mount the filesystems for your compromised F9.
> Shutdown each system, move it to a trusted network, or off-net and
> attach an external disk to save files onto, put in the F9 DVD, then
> boot that DVD, not the compromised system's disk.

  at some point, you have to stop asking for advice on a mailing list
and, if those machines are important to you, you need to call in
professional help.  you may not want to pay the $$$, but there's a
reason good consultants cost that much -- they're good.

rday
--


Robert P. J. Day
Linux Consulting, Training and Annoying Kernel Pedantry:
Have classroom, will lecture.

http://crashcourse.ca  Waterloo, Ontario, CANADA




Re: FC9 Compromised...

2009-02-27 Thread Kevin J. Cummings

Jack Lauman wrote:
> Craig White wrote:
>> the problem isn't Fedora 9, it's the person setting it up and
>> maintaining it. These days, the most likely way someone would own a
>> computer would be to connect via ssh using a brute force method but it
>> could be something as simple as users who can get pop3 e-mail and also
>> have shell access so capturing an unsecured login on pop3 will allow
>> someone a local shell and when that happens, it's likely only a matter
>> of time before they get root. SELinux is designed to limit the
>> opportunities available when things like this happen.
>>
>> Seems to me if you have a number of boxes that were compromised, they
>> probably all shared the same 'root' password and that was definitely
>> hacked.
>
> Disagree, if anyone used the root password they had to know what it
> was... 27 characters
>
> It's probable that they got in through a pop3 account on one machine.

Regardless of how it happened, it happened.  You shouldn't point any
fingers until you do a complete analysis and figure out how it happened.

Don't rule anything out before your analysis.

>> You might parse /etc/passwd to see what account has uid = 0
>
> It exists...

Is there a user with UID == 0?
If so, spend particular time checking this user's /home directory!

>> You should not have any of these machines connected to the Internet. You
>> should be aware of the likelihood that these machines have keyloggers
>> installed on them which will capture anything you type.
>
> No rootkits found, no trojans or viruses found.

How did you check?  I hope you didn't use *any* of the software on the
infected machines, did you?  How do you know it hasn't been modified?

You should only access the machines by booting them from a rescue disk.
Don't trust *anything* on your compromised machines until you are able
to verify it is OK.

Get your data off via the rescue disk boot, then completely wipe and
re-install your compromised machines.  Then completely test your copied
data to make sure *it* hasn't been compromised as well.

>> Yes, you need to get data off the system and completely re-install.
>>
>> Your question however is unclear. If you want to add 'root' back in,
>> something like this should work...
>
> Yes, I need to add root back in...
>
>> useradd -u 0 -g 0 -h /root
>> and then 'passwd root' to set the password
>
> doesn't work... /etc/shadow is missing.

Use a rescue disk, then re-install from scratch.  (Don't forget to
reformat your disk partitions to ensure you've removed any possible
leftovers from the compromise.) If you try and fix your machines by
hand, you'll probably keep running into things that are "broken" and if
you don't know how to fix each one, it'll be easier just to re-install.

Good luck!

--
Kevin J. Cummings
kjch...@rcn.com
cummi...@kjchome.homeip.net
cummi...@kjc386.framingham.ma.us
Registered Linux User #1232 (http://counter.li.org)



Re: FC9 Compromised...

2009-02-27 Thread Craig White
On Fri, 2009-02-27 at 13:32 -0800, Jack Lauman wrote:
> 
> Craig White wrote:
> 
> > the problem isn't Fedora 9, it's the person setting it up and
> > maintaining it. These days, the most likely way someone would own a
> > computer would be to connect via ssh using a brute force method but it
> > could be something as simple as users who can get pop3 e-mail and also
> > have shell access so capturing an unsecured login on pop3 will allow
> > someone a local shell and when that happens, it's likely only a matter
> > of time before they get root. SELinux is designed to limit the
> > opportunities available when things like this happen.
> > 
> > Seems to me if you have a number of boxes that were compromised, they
> > probably all shared the same 'root' password and that was definitely
> > hacked.
> 
> Disagree, if anyone used the root password they had to know what it 
> was... 27 characters

I'm going to let this pass...

> It's probable that they got in through a pop3 account on one machine.

and then broke the system with a key logger or some unpatched local
exploit. It would stand to reason that they got your root password
somehow if they got onto several boxes unless you used passwordless ssh
keys between them.

Bad idea to allow users to access pop3 and have a valid shell and ssh
access.

> > 
> > You might parse /etc/passwd to see what account has uid = 0
> > 
> It exists...
> 
> > You should not have any of these machines connected to the Internet. You
> > should be aware of the likelihood that these machines have keyloggers
> > installed on them which will capture anything you type.
> > 
> No rootkits found, no trojans or viruses found.

I don't know that I would implicitly trust whatever you used to come to
that conclusion.

> > Yes, you need to get data off the system and completely re-install.
> > 
> > Your question however is unclear. If you want to add 'root' back in,
> > something like this should work...
> 
> Yes, I need to add root back in...
> > 
> > useradd -u 0 -g 0 -h /root
> > and then 'passwd root' to set the password
> doesn't work... /etc/shadow is missing.

Sort of screwed...time spent trying to make this system work is likely
wasted.

set up a computer with a large hard drive and get it working. Shut down
and connect hard drive from this box and copy data files to the new hard
drive. This may be a problem if you had hardware raid.

Craig



Re: FC9 Compromised...

2009-02-27 Thread Christopher K. Johnson

Jack Lauman wrote:
> Yes, I need to add root back in...

Not necessarily.
You would be safer to boot rescue from an installer DVD, then choose to
mount the filesystems for your compromised F9.  Shutdown each system,
move it to a trusted network, or off-net and attach an external disk to
save files onto, put in the F9 DVD, then boot that DVD, not the
compromised system's disk.

If you choose to start the network during rescue startup dialogs then
you could save off files from the filesystems to elsewhere on the
network, and could reasonably expect that there is no malicious software
watching you do so since you booted the DVD not the compromised system.


Chris



Re: FC9 Compromised...

2009-02-27 Thread Jack Lauman



Craig White wrote:
> the problem isn't Fedora 9, it's the person setting it up and
> maintaining it. These days, the most likely way someone would own a
> computer would be to connect via ssh using a brute force method but it
> could be something as simple as users who can get pop3 e-mail and also
> have shell access so capturing an unsecured login on pop3 will allow
> someone a local shell and when that happens, it's likely only a matter
> of time before they get root. SELinux is designed to limit the
> opportunities available when things like this happen.
>
> Seems to me if you have a number of boxes that were compromised, they
> probably all shared the same 'root' password and that was definitely
> hacked.

Disagree, if anyone used the root password they had to know what it
was... 27 characters

It's probable that they got in through a pop3 account on one machine.

> You might parse /etc/passwd to see what account has uid = 0

It exists...

> You should not have any of these machines connected to the Internet. You
> should be aware of the likelihood that these machines have keyloggers
> installed on them which will capture anything you type.

No rootkits found, no trojans or viruses found.

> Yes, you need to get data off the system and completely re-install.
>
> Your question however is unclear. If you want to add 'root' back in,
> something like this should work...

Yes, I need to add root back in...

> useradd -u 0 -g 0 -h /root
> and then 'passwd root' to set the password

doesn't work... /etc/shadow is missing.

> Craig








Re: FC9 Compromised...

2009-02-27 Thread Aaron Konstam
On Fri, 2009-02-27 at 12:49 -0800, Jack Lauman wrote:
> On Feb 25, between 1753-2046 PST several of my Fedora Core 9 machines 
> were compromised. All had the latest patches applied.
> 
> 1. Only the installed user accounts are on these machines. The root user 
> password is long with upper/lower case characters with numerals & 
> punctuation. It is unlikely this was cracked.
> 
> 2. All log files were deleted.
> 
> 3. The following users were deleted 'root':
>mysql
>apache
>sshd
>dbus
>haldaemon
>dovecot
>gdm
>smmsp
> 
> 4. The machine can only be accessed in 'single user' mode. Using 
> 'passwd' to reset the root password fails with: "passwd: User not known 
> to the underlying authentication module."
I would edit /etc/passwd and /etc/group to restore root entries. Give
root no passwd. Then login as root, go to user level 3 and change the
root passwd to whatever you want.
> 
> Any help on resolving this would be appreciated.  I need to get data off 
> these before re-installation.
> 
> Have any other incidents like this been reported lately?
> 
> Thanks,
> 
> Jack
> 
--
===
Don't I know you?
===
Aaron Konstam telephone: (210) 656-0355 e-mail: akons...@sbcglobal.net



Re: FC9 Compromised...

2009-02-27 Thread Craig White
On Fri, 2009-02-27 at 12:49 -0800, Jack Lauman wrote:
> On Feb 25, between 1753-2046 PST several of my Fedora Core 9 machines 
> were compromised. All had the latest patches applied.
> 
> 1. Only the installed user accounts are on these machines. The root user 
> password is long with upper/lower case characters with numerals & 
> punctuation. It is unlikely this was cracked.
> 
> 2. All log files were deleted.
> 
> 3. The following users were deleted 'root':
>mysql
>apache
>sshd
>dbus
>haldaemon
>dovecot
>gdm
>smmsp
> 
> 4. The machine can only be accessed in 'single user' mode. Using 
> 'passwd' to reset the root password fails with: "passwd: User not known 
> to the underlying authentication module."
> 
> Any help on resolving this would be appreciated.  I need to get data off 
> these before re-installation.
> 
> Have any other incidents like this been reported lately?

the problem isn't Fedora 9, it's the person setting it up and
maintaining it. These days, the most likely way someone would own a
computer would be to connect via ssh using a brute force method but it
could be something as simple as users who can get pop3 e-mail and also
have shell access so capturing an unsecured login on pop3 will allow
someone a local shell and when that happens, it's likely only a matter
of time before they get root. SELinux is designed to limit the
opportunities available when things like this happen.

Seems to me if you have a number of boxes that were compromised, they
probably all shared the same 'root' password and that was definitely
hacked.

You might parse /etc/passwd to see what account has uid = 0

You should not have any of these machines connected to the Internet. You
should be aware of the likelihood that these machines have keyloggers
installed on them which will capture anything you type.

Yes, you need to get data off the system and completely re-install.

Your question however is unclear. If you want to add 'root' back in,
something like this should work...

useradd -u 0 -g 0 -h /root
and then 'passwd root' to set the password

Craig

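A triage script, added here as an example rather than anything posted in the thread, that puts the checks suggested by the replies into one place: Michael Schwendt's read-only mount plus RPM verification with an external rpm, Aldo Foot's find for recently changed files, and the uid-0 check on /etc/passwd from Craig White and Kevin Cummings. It assumes the compromised disk is mounted read-only at a path such as /mnt/victim; the demo tree it builds, including the file name zap, is constructed for the example.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread. Triage checks run
# from a rescue boot against the compromised disk mounted read-only at a
# mount point such as /mnt/victim (an assumption). Every tool used comes
# from the rescue media, never from the mounted disk.

# Accounts whose UID (3rd colon-separated field of passwd) is 0.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Number of uid-0 accounts; anything other than 1 (root) deserves a look.
uid0_count() {
    uid0_accounts "$1" | wc -l | tr -d ' '
}

# Regular files under the given directories (relative to the mount point)
# whose inode change time is less than N days old. ctime, unlike mtime,
# cannot be set directly with touch, though a kernel rootkit could still lie.
recent_files() {
    mnt=$1; days=$2; shift 2
    for d in "$@"; do
        find "$mnt$d" -xdev -type f -ctime "-$days" 2>/dev/null
    done
}

# rpm -V with the rescue media's own rpm. --root points it at the mounted
# system's /var/lib/rpm instead of the live database. Each output line's
# flag column shows what differs (S size, M mode, 5 digest, T mtime).
verify_packages() {
    if command -v rpm >/dev/null 2>&1; then
        rpm --root "$1" -Va 2>/dev/null
    else
        echo "rpm not available on the rescue media" >&2
        return 2
    fi
}

# Constructed stand-in for a mounted victim tree so the checks run offline:
# one rogue uid-0 account and a freshly created binary named "zap".
make_demo_root() {
    demo=$(mktemp -d)
    mkdir -p "$demo/etc" "$demo/usr/bin" "$demo/usr/sbin"
    cat > "$demo/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
toor:x:0:0:constructed rogue account:/home/toor:/bin/bash
jack:x:500:500:Jack:/home/jack:/bin/bash
EOF
    : > "$demo/usr/bin/ls"
    : > "$demo/usr/sbin/zap"
    echo "$demo"
}

# Usage: triage /mnt/victim   (defaults to the constructed demo tree)
triage() {
    mnt=${1:-$(make_demo_root)}
    echo "uid-0 accounts in $mnt/etc/passwd:"
    uid0_accounts "$mnt/etc/passwd"
    echo "files changed within 7 days under /usr/bin and /usr/sbin:"
    recent_files "$mnt" 7 /usr/bin /usr/sbin
    echo "rpm -V against $mnt (empty output means nothing differs):"
    verify_packages "$mnt" || true
}

# Run only when executed as a script named triage.sh, not when sourced.
case "$0" in *triage.sh) triage "$@" ;; esac
```

On a real mount, run the rpm step only after confirming the rescue media's rpm is the one on PATH; on the demo tree it simply reports that there is no database to check.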


FC9 Compromised...

2009-02-27 Thread Jack Lauman
On Feb 25, between 1753-2046 PST several of my Fedora Core 9 machines 
were compromised. All had the latest patches applied.


1. Only the installed user accounts are on these machines. The root user 
password is long with upper/lower case characters with numerals & 
punctuation. It is unlikely this was cracked.


2. All log files were deleted.

3. The following users were deleted 'root':
  mysql
  apache
  sshd
  dbus
  haldaemon
  dovecot
  gdm
  smmsp

4. The machine can only be accessed in 'single user' mode. Using 
'passwd' to reset the root password fails with: "passwd: User not known 
to the underlying authentication module."


Any help on resolving this would be appreciated.  I need to get data off 
these before re-installation.


Have any other incidents like this been reported lately?

Thanks,

Jack
