
Re: [cobalt-security] Hacked RaQ4 - findings



Michael,

Paranoia is good in this case =)

Typically we recommend to all customers that they restore the OS without
connecting the RaQ to the network until AFTER all patches have been
applied. If you are a customer with a network of more than one server,
assume all other servers have been compromised and trust NOTHING. It's
good to be paranoid when you have one infected machine as it will cause
you less headache and aggravation in the long run.

It's a good idea to download all the patches for the machine you are
restoring, then hook it up to the client PC with a crossover cable so
those two machines are connected only to one another. Then restore and
update the server. Add any other protection you feel is necessary and
then put it back on the network. Once you've done that you should be
relatively safe till the next exploit comes along.

It pays to be attentive to security. Firewalls are only a safeguard;
however, instituting strict intrusion detection measures and restricting
user access to only needed services will win out in the long run.

BTW, CGI is a really bad area for exploits. Misconfigured CGI scripts
can cause the worst problems for server admins.


Michael Stauber wrote:
> 
> Hello,
> 
> today I had been tasked with checking a customer's RaQ4 for signs of intrusion
> and would like to share my findings. Maybe it's of use for someone:
> 
> After a brief inspection of running processes and network requests I broke
> out "chkroot-1.1.7" and adorefind. Adorefind didn't find any traces of this
> popular Linux worm. However, chkroot pointed out that both "netstat" and
> "rshd" had been replaced with compromised binaries.
> 
> Aside from that there were many other fishy things on this machine and it
> appeared as if the intruder had been a regular on this box for more than two
> months. So even before I concluded my investigation I recommended a complete
> OS reinstall to sanitize this mess.
> 
> Here are my findings for that respective machine:
> 
> Cronjob for user "root" which restarts /usr/sbin/init (318004 bytes) every
> five minutes. The running process /usr/sbin/init has nothing to do with the
> normal "init", which is located in /sbin/init (27176 bytes).
> 
> So I removed both the cronjob and the file /usr/sbin/init after killing the
> process.
> 
> Additionally /root/.bash_history revealed that this machine had been used for
> scanning and/or intrusion of other hosts:
> 
> ./synscan
> ./synscan 24.1 sex eth0 100 113
> ;s
> ./synscan
> ./synscan 24.10 sex eth0 10 113
> cat sex
> telnet 24.1.36.136 13
> telnet 24.1.36.136 1134
> telnet 24.1.36.136 113
> asd
> ./synscan 24.10 sex eth0 10 113 >asdf
> [...]
> 
> ./i 128.227.16.85
> telnet 128.227.16.104
> ./i 128.227.16.104
> telnet 128.227.23.243
> telnet 128.227.32.64
> ./i 128.227.32.64
> telnet 128.227.74.163
> 
> This goes on for another 130KB of logfile. Quite a busy chap, this visitor.
> 
> The binaries used for the above listed purposes could be located in
> /usr/lib/.ek/ even though a copy of the sources was found in /tmp/
> 
> The tools in question seem to be from a Polish cracker group called "Last
> stage of delirium". That's at least what the readme claimed. I looked over
> the sources and it seems to be pretty slick stuff.
> 
> On a lighter note: I actually wonder if I can couple it to my own Portsentry
> on my RaQ3 to fight back actively in cases of intrusion attempts <vbeg>.
> 
> A scan for files with suid=0 turned up so much fishy stuff with strange names
> in odd places that I didn't even bother to check further. This box is a prime
> candidate for the restore-CD.
> 
> The infected RaQ4 had all the latest security patches applied. However, it
> seems extremely likely that the patches were applied after the box had been
> rooted. Initial traces in the logfiles (only /var/log/auth provided more than
> the last two months) could be found as early as 10th Feb 2001, when the first
> unsuccessful rlogins showed up in quick succession.
> 
> Conclusion: You can't be paranoid enough.
> 
> Best regards
> 
> Michael Stauber
> 
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security

-- 
Bill Irwin
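The checks Michael describes (a second "init" under /usr/sbin kept alive by root's cron, and setuid files in odd places) as a small triage script. This is an added example, not code from the thread or from Cobalt; every function takes a root prefix so it can be run against the suspect disk mounted read-only on a clean machine, and the allowlist file format (one absolute path per line) is an assumption of this script.

```shell
#!/bin/sh
# Added example: offline triage checks modelled on the RaQ4 findings above.
# Run as: sh triage.sh /mnt/suspect /path/to/suid-allowlist  (assumed usage)

# The genuine init is /sbin/init; a second "init" under /usr/sbin is a red flag.
check_rogue_init() {
    root="${1%/}"
    if [ -e "$root/usr/sbin/init" ]; then
        echo "SUSPECT: $root/usr/sbin/init present (real init is /sbin/init)"
        return 1
    fi
    return 0
}

# Root cron entries that (re)start /usr/sbin/init, as on the compromised box.
check_cron_for_init() {
    root="${1%/}"
    hits=0
    for f in "$root/var/spool/cron/root" \
             "$root/var/spool/cron/crontabs/root" "$root/etc/crontab"; do
        if [ -f "$f" ] && grep -q '/usr/sbin/init' "$f"; then
            echo "SUSPECT: $f runs /usr/sbin/init"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# Setuid files not in the allowlist ($2, one absolute path per line). Build the
# allowlist from the vendor package database on a clean host, never from the
# suspect disk itself. Prints each unexpected path relative to the root prefix.
unexpected_suid() {
    root="${1%/}"; allow="$2"
    find "${root:-/}" -xdev -type f -perm -4000 2>/dev/null \
        | sed "s#^$root##" | grep -vxF -f "$allow" | sort
}

# Run everything; exit status is the number of failed checks (0 = nothing found).
triage() {
    failed=0
    check_rogue_init "$1" || failed=$((failed + 1))
    check_cron_for_init "$1" || failed=$((failed + 1))
    extra=$(unexpected_suid "$1" "$2")
    if [ -n "$extra" ]; then
        printf 'SUSPECT: unexpected setuid files:\n%s\n' "$extra"
        failed=$((failed + 1))
    fi
    return "$failed"
}
```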