RE: [cobalt-security] Have I been hacked?
- Subject: RE: [cobalt-security] Have I been hacked?
- From: "Lew" <lewis@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 9 Jan 2002 13:25:26 -0000
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi Simon,
I have been the victim of hackers with my raq4. On that occasion I was
denied the luxury of exploring what had happened myself, as my machine is
leased. My host provider disconnected it, and did a little investigation
themselves. They informed me that the /bin/login file had been changed (I
notice that is in your list of modified files). They examined this file with
the strings program, and claimed it allowed in a user called owned, with
root privileges, and no password. My only option was to pay to have them
blank it and re-install the entire system. All the security patches were
then applied (my vulnerability may have dated back to the bind exploit last
February - that may be when one or more back doors were installed on my
machine). I have now installed the tools mentioned, and in normal use my
tripwire tends to report around 11 violations. These are mostly to do with
the automatic log rotation (backing-up and starting new files), as well as
changes to hosts.deny made by portsentry.
If you weren't expecting all those system binaries to have changed, then
surely you must have been hacked. If your tripwire reports did not
previously list those files, and nothing has happened to disturb the
tripwire database, or the files (have you copied the binaries folder - that
would modify them all I guess), then I would be suspicious. If you need to
rebuild your system without starting from scratch, then you would need to
recover the binaries from known good copies. Starting from scratch however
is the only way to ensure there are no backdoors left in place.
Cheers,
Lew
>
> --__--__--
>
> Message: 6
> From: "Simon Wilson" <simon@xxxxxxxxxxxxx>
> To: <cobalt-security@xxxxxxxxxxxxxxx>
> Subject: RE: [cobalt-security] Have I been hacked?
> Date: Mon, 7 Jan 2002 15:30:27 -0000
> Reply-To: cobalt-security@xxxxxxxxxxxxxxx
>
> We already run chkrootkit on a daily basis using cron (your advice I
> believe) and it is reporting nothing unusual.
>
> I ran a netstat on the machine, nothing unusual. I can't run a portscan
> from outside because I only have a windows machine to connect from and I
> don't know how to do that...yet (I'll try to find something)
>
> The restart I mentioned shows up as this in logcheck...
> Unusual System Events
> =-=-=-=-=-=-=-=-=-=-=
> Jan 5 04:04:14 ns1 syslogd 1.3-3: restart.
> Jan 5 04:05:03 ns1 syslogd 1.3-3: restart.
> Jan 5 04:06:41 ns1 named[376]: Cleaned cache of 4 RRsets
>
> I can't tell you whether it is a server reboot or just a restart of the
> logging facility because I don't know what this means!!! I just mentioned
> it because for it to appear twice is unusual.
>
> I hope this answers some of your questions and thank you for your help so
> far, it is very much appreciated.
>
> Simon
>
>
> Full tripwire report.
> Rule Summary:
> =============================================================================
>
> -----------------------------------------------------------------------------
> Section: Unix File System
> -----------------------------------------------------------------------------
>
>   Rule Name                                    Severity Level  Added  Removed  Modified
>   ---------                                    --------------  -----  -------  --------
>   Invariant Directories                        66              0      0        0
>   Temporary directories                        33              0      0        0
>   Tripwire Data Files                          100             0      0        0
>   Critical devices                             100             0      0        0
>   User binaries                                66              0      0        0
>   Tripwire Binaries                            100             0      0        0
> * Libraries                                    66              0      0        1
> * File System and Disk Administraton Programs  100             0      0        34
> * Kernel Administration Programs               100             0      0        9
> * Networking Programs                          100             0      0        14
> * System Administration Programs               100             0      0        16
> * Hardware and Device Control Programs         100             0      0        3
> * System Information Programs                  100             0      0        2
> * Application Information Programs             100             0      0        2
>   Critical Utility Sym-Links                   100             0      0        0
> * Critical configuration files                 100             0      1        4
>   OS executables and libraries                 100             0      0        0
>   System boot changes                          100             0      0        0
> * Security Control                             100             0      0        7
>   Login Scripts                                100             0      0        0
> * Operating System Utilities                   100             0      0        41
>   Shell Binaries                               100             0      0        0
> * Critical system boot files (/boot)           100             0      0        5
> * Root config files                            100             0      0        5
>
> Total objects scanned: 7233
> Total violations found: 144
>
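The Rule Summary quoted above is the kind of Tripwire output Lew's reply is weighing: a handful of violations from log rotation and portsentry edits are routine, while dozens of modified files under severity-100 rules covering system binaries are not. The script below is an added example, not code from either poster or from the Tripwire project. It parses a Rule Summary in the layout Tripwire prints (the sample is re-typed from the report above, with one long rule name left wrapped onto its own line as Tripwire does), re-checks the printed violation total against the per-rule counts, and separates rules whose changes the administrator has listed as expected noise (a caller-supplied allowlist, which is an assumption; the rules covering rotated logs or hosts.deny on a given box would go there) from unexplained changes under severity-100 rules.

```python
"""Triage a Tripwire "Rule Summary" table.

Added example for the cobalt-security thread; not code from either poster
or from the Tripwire project. The sample report is re-typed from the summary
quoted in Simon's message; the noise allowlist is an assumption and would be
filled in from one's own policy (Lew's log-rotation and hosts.deny cases).
"""
import re
from typing import NamedTuple

# Constructed sample: the quoted Rule Summary, with one rule name left
# wrapped onto its own line the way Tripwire prints long names.
SAMPLE_REPORT = """\
Rule Name                                    Severity Level  Added  Removed  Modified
---------                                    --------------  -----  -------  --------
  Invariant Directories                      66              0      0        0
  Temporary directories                      33              0      0        0
  Tripwire Data Files                        100             0      0        0
  Critical devices                           100             0      0        0
  User binaries                              66              0      0        0
  Tripwire Binaries                          100             0      0        0
* Libraries                                  66              0      0        1
* File System and Disk Administraton Programs
                                             100             0      0        34
* Kernel Administration Programs             100             0      0        9
* Networking Programs                        100             0      0        14
* System Administration Programs             100             0      0        16
* Hardware and Device Control Programs       100             0      0        3
* System Information Programs                100             0      0        2
* Application Information Programs           100             0      0        2
  Critical Utility Sym-Links                 100             0      0        0
* Critical configuration files               100             0      1        4
  OS executables and libraries               100             0      0        0
  System boot changes                        100             0      0        0
* Security Control                           100             0      0        7
  Login Scripts                              100             0      0        0
* Operating System Utilities                 100             0      0        41
  Shell Binaries                             100             0      0        0
* Critical system boot files (/boot)         100             0      0        5
* Root config files                          100             0      0        5

Total objects scanned:  7233
Total violations found: 144
"""


class RuleRow(NamedTuple):
    name: str
    severity: int
    added: int
    removed: int
    modified: int

    @property
    def violations(self) -> int:
        return self.added + self.removed + self.modified


# A data row ends in four integers: severity, added, removed, modified.
_ROW_RE = re.compile(r"^\s*\*?\s*(.*?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
_TOTAL_RE = re.compile(r"^Total violations found:\s*(\d+)", re.M)


def parse_rule_summary(text: str) -> list[RuleRow]:
    """Parse the rule table; a line without counts is a wrapped rule name."""
    rows: list[RuleRow] = []
    pending = ""  # rule-name fragment whose counts are on the next line
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("Rule Name") or set(stripped) <= set("- "):
            continue  # blank, header or dashed separator
        if stripped.startswith("Total"):
            break  # end of the table
        m = _ROW_RE.match(line)
        if m is None:
            pending = (pending + " " + stripped.lstrip("*").strip()).strip()
            continue
        name, sev, add, rem, mod = m.groups()
        rows.append(RuleRow((pending + " " + name).strip(),
                            int(sev), int(add), int(rem), int(mod)))
        pending = ""
    return rows


def reported_total(text: str):
    """The 'Total violations found' figure Tripwire prints, or None."""
    m = _TOTAL_RE.search(text)
    return int(m.group(1)) if m else None


def triage(rows, reported=None, noise=frozenset()):
    """Separate routine churn from changes that demand a look.

    `noise` names rules whose changes normal operation explains on this box
    (an assumption; e.g. a rule covering rotated logs). Any other change
    under a severity-100 rule is reported as unexplained.
    """
    computed = sum(r.violations for r in rows)
    changed = [r for r in rows if r.violations]
    unexplained = [r for r in changed if r.name not in noise and r.severity >= 100]
    return {
        "computed_total": computed,
        # A mismatch means the pasted report is incomplete, not a clean box.
        "totals_match": reported is None or reported == computed,
        "changed_rules": [r.name for r in changed],
        "unexplained_critical": [r.name for r in unexplained],
        "verdict": "investigate" if unexplained else "consistent with expected noise",
    }


if __name__ == "__main__":
    parsed = parse_rule_summary(SAMPLE_REPORT)
    summary = triage(parsed, reported=reported_total(SAMPLE_REPORT))
    print(summary["verdict"], "-", summary["computed_total"], "violations")
    for rule in summary["unexplained_critical"]:
        print("  unexplained:", rule)
```

On the quoted report the per-rule counts sum to exactly the 144 violations Tripwire printed, so the paste is complete, and twelve severity-100 rules carry unexplained modifications; the only non-critical change is the single modified library (severity 66). That is the shape Lew is describing: routine noise touches a few files under low-severity or log-related rules, not 34 disk-administration binaries and 41 operating-system utilities at once.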