
RE: [cobalt-security] Have I been hacked?



Hi Simon,

I have been the victim of hackers with my raq4. On that occasion I was
denied the luxury of exploring what had happened myself, as my machine is
leased. My host provider disconnected it, and did a little investigation
themselves. They informed me that the /bin/login file had been changed (I
notice that is in your list of modified files). They examined this file with
the strings program, and claimed it allowed in a user called owned, with
root privileges, and no password. My only option was to pay to have them
blank it and re-install the entire system. All the security patches were
then applied (my vulnerability may have dated back to the bind exploit last
February - that may be when one or more back doors were installed on my
machine). I have now installed the tools mentioned, and in normal use my
tripwire tends to report around 11 violations. These are mostly to do with
the automatic log rotation (backing-up and starting new files), as well as
changes to hosts.deny made by portsentry.

If you weren't expecting all those system binaries to have changed, then
surely you must have been hacked. If your tripwire reports did not
previously list those files, and nothing has happened to disturb the
tripwire database, or the files (have you copied the binaries folder - that
would modify them all I guess), then I would be suspicious. If you need to
rebuild your system without starting from scratch, then you would need to
recover the binaries from known good copies. Starting from scratch however
is the only way to ensure there are no backdoors left in place.


Cheers,
Lew


> From: "Simon Wilson" <simon@xxxxxxxxxxxxx>
> To: <cobalt-security@xxxxxxxxxxxxxxx>
> Subject: RE: [cobalt-security] Have I been hacked?
> Date: Mon, 7 Jan 2002 15:30:27 -0000
> Reply-To: cobalt-security@xxxxxxxxxxxxxxx
>
> We already run chkrootkit on a daily basis using cron (your advice I
> believe) and it is reporting nothing unusual.
>
> I ran a netstat on the machine, nothing unusual. I can't run a portscan
> from outside because I only have a Windows machine to connect from and I
> don't know how to do that...yet (I'll try to find something)
>
> The restart I mentioned shows up as this in logcheck...
> Unusual System Events
> =-=-=-=-=-=-=-=-=-=-=
> Jan  5 04:04:14 ns1 syslogd 1.3-3: restart.
> Jan  5 04:05:03 ns1 syslogd 1.3-3: restart.
> Jan  5 04:06:41 ns1 named[376]: Cleaned cache of 4 RRsets
>
> I can't tell you whether it is a server reboot or just a restart of the
> logging facility because I don't know what this means!!! I just mentioned
> it because for it to appear twice is unusual.
>
> I hope this answers some of your questions and thank you for your help so
> far, it is very much appreciated.
>
> Simon
>
>
> Full tripwire report.
> Rule Summary:
>
> ===============================================================================
>
> -------------------------------------------------------------------------------
>   Section: Unix File System
> -------------------------------------------------------------------------------
>
>   Rule Name                       Severity Level    Added    Removed  Modified
>   ---------                       --------------    -----    -------  --------
>   Invariant Directories           66                0        0        0
>   Temporary directories           33                0        0        0
>   Tripwire Data Files             100               0        0        0
>   Critical devices                100               0        0        0
>   User binaries                   66                0        0        0
>   Tripwire Binaries               100               0        0        0
> * Libraries                       66                0        0        1
> * File System and Disk Administraton Programs
>                                   100               0        0        34
> * Kernel Administration Programs  100               0        0        9
> * Networking Programs             100               0        0        14
> * System Administration Programs  100               0        0        16
> * Hardware and Device Control Programs
>                                   100               0        0        3
> * System Information Programs     100               0        0        2
> * Application Information Programs
>                                   100               0        0        2
>   Critical Utility Sym-Links      100               0        0        0
> * Critical configuration files    100               0        1        4
>   OS executables and libraries    100               0        0        0
>   System boot changes             100               0        0        0
> * Security Control                100               0        0        7
>   Login Scripts                   100               0        0        0
> * Operating System Utilities      100               0        0        41
>   Shell Binaries                  100               0        0        0
> * Critical system boot files      100               0        0        5
>   (/boot)
> * Root config files               100               0        0        5
>
> Total objects scanned:  7233
> Total violations found:  144
>