Re: [cobalt-security] Relay Mail Issue



On Mon, 21 Aug 2000, Seth Mos wrote:

> At 04:30 PM 8/21/00 -0400, you wrote:
> > > Information:
> > > The user account in question does not have shell access
> > > Had never FTP'd into the site
> > > The only logon is via POP
> > > His SMTP is handled via his own ISP
> > > He has no mailing lists (majordomo) running
> > > He has no CGI scripts running
> > > He does not have mail forwarding enabled
> > > No FrontPage Extensions
> > > No Server Side Includes
> >
> >Does the user show up in the GUI admin? If not, it was obviously added
> >surreptitiously... otherwise, a hacker could have gotten into the system and
> >stolen the account info/changed the password.
> >
> >I would do a portscan on your system to check for trojans, and advise users
> >to change their passwords. Your system might still be compromised.
> 
> You could try going into the root of your system and do
> find -name "..."
> 
> There is an often-used rootkit with this dir in it.
> Then again he could have used another or no rootkit at all.
> 
> I'm bad at forensics. But be sure to check /tmp for . entries

I don't know if there are any particularly good articles in the public
domain on script-kiddy compromises, but needless to say there's plenty of
tell-tale signs of root compromise I can think of...

- Existence of files or dirs beginning with .. - these
don't show up when doing ls...  You'll often find these in /dev or /tmp.

- Modification of suid flag on binaries...  In particular, you'll often
find things like /usr/bin/time and vi have been made suid.  Often, admins
don't notice this (come on, how often have you used time), yet people can
use these tools to, for example, spawn shells (bash$ /usr/bin/time
/bin/sh || bash#).

- Fairly obviously, changes in binaries.  One could only wish that RaQs
have automatic scripts to check the critical system binaries for changes
and mail root if something changes :\.

- Box hanging.  Most of the loadable kernel module trojans I've seen about
cause RaQ3s to crash out, dumping lots of crap into /var/log/messages.
Most admins will flick the switch if a Cobalt has hung - maybe they should
look at why.

- Unusual logins.  Entries disappearing from 'last'.  'who' and 'finger'
not matching.

- Missing files from /var/log/*.  You'll be amazed how many attackers
simply remove things like /var/log/messages and /var/log/wtmp.

- If a program like 'ps' starts behaving differently than it used to, and
nothing has been changed on the box, it's probably (poorly) trojanned.  For
example, the version of ps included in the popular 'Linux Rootkit IV' is
so out of date it displays processes in a completely different order than
the one used in Cobalt OS.

- Disappearing disk quota.  If 50M has disappeared in the last day and you
can't trace where it's gone, panic.

- cpu load too high for tasks running - if you find that the load has been
at 2.55 for 5 minutes, but nobody is logged in and top shows nothing
taking cpu time, panic.

- Ports open that shouldn't be.  netstat -a | grep LISTEN

- etc.
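As an added example (not part of the thread), a small POSIX shell script that turns the checks above into something an admin could run from cron and mail to root: hidden ".." names, setuid files, a checksum baseline of critical binaries, and listening sockets. It assumes GNU find and sha256sum, and that those tools are themselves trustworthy on the box being checked.

```shell
#!/bin/sh
# Added example: quick checks for the tell-tale signs listed in the post.
# Caveat: on a compromised host find/sha256sum/netstat may be trojanned too,
# so run these from known-good binaries where possible.

# Names beginning with ".." (e.g. "..." or ".. ") that a plain ls hides.
# The post suggests find -name "..."; the ..?* pattern also catches variants.
find_dotdot_entries() {
    find "$1" -name '..?*' 2>/dev/null
}

# Regular files with the setuid bit set; compare against what you expect
# (a suid /usr/bin/time or vi is the classic sign from the post).
find_suid_files() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# Record checksums of critical binaries once, while the box is known clean.
# Output is sha256sum's "<hash>  <path>" lines; keep the file off the box.
make_baseline() {
    sha256sum "$@"
}

# Verify later: prints "<path>: FAILED" for any changed binary and returns
# non-zero, which is what you want a cron job to mail about.
check_baseline() {
    sha256sum -c --quiet "$1"
}

# Listening sockets (the post's netstat -a | grep LISTEN); review by hand.
list_listeners() {
    netstat -an 2>/dev/null | grep LISTEN
}

# Run everything against a tree root and a baseline file, e.g.:
#   ./check.sh / /root/binaries.sha256
if [ $# -ge 2 ]; then
    echo "== entries beginning with ..";  find_dotdot_entries "$1"
    echo "== setuid files";               find_suid_files "$1"
    echo "== changed binaries";           check_baseline "$2" || echo "BASELINE MISMATCH"
    echo "== listening sockets";          list_listeners
fi
```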