OSEC

From: Osvaldo J. Filho (ojaneriUOL.COM.BR)
Date: Thu Jan 04 2001 - 17:07:51 CST


    On Wed, 3 Jan 2001, D. Scott Barninger wrote:

    > Hello,
    >
    > I am still trying to determine all that has been done but here is what I
    > know at the moment. If anyone has seen similar attacks please let me
    > know what to look for. For starters there appears to be a trojanized su
    > binary installed. When calling su there is a delay of approximately 6-8
    > seconds after entering the root password before a shell prompt is
    > returned. A log message indicates that "call_pam_xauth" successfully
    > forked a child (returned 1). At that point a check on the /dev directory
    > shows most everything has altered user/group and/or permissions. The tty
    > from which the su command was issued is now owned by my user rather than
    > root as well as /dev/hdb. /dev/tty* is now writeable by group etc.
    > Reinstalling the dev and sh-utils packages corrects things until the
    > next time su is run. The same is true on 2 other boxes from which I
    > typically rlogin over the internal network (primary box is a MASQ
    > gateway). About 2 days prior to discovering this I got port-scanned and
    > logged rejected packets on a netbios port (I did have netbios service
    > exposed for remote connections).
    >
    > Any insights would be greatly appreciated.
    >
    > Scott
    >
    This kind of attack is basically a common one. It looks like the attacker
    scanned a large block of IPs looking for something vulnerable, and then
    some hours (or days) later exploited the machines that had a flaw
    (unfortunately yours was one of these) and installed a root kit to keep
    access for himself.

    Try a
    # rpm --verify -a

    to check your RPM database for all files that were changed. You will get a
    good look at what's missing/changed. Check the RPM manual to see what the
    output means (SUM/Date/Size/etc. altered, missing, etc.).

    Try installing lsof (if already installed, reinstall it from a secure source) and
    checking all bound ports; there may be a DDoS agent running or a bind shell.
    # lsof -i tcp
    # lsof -i udp

    For any further help, please contact me by email.

    ---
    Osvaldo J. Filho
    Unix Security Specialist
    ojaneriproteus.com.br
    Proteus Security Systems http://www.proteus.com.br / http://www.proteus-sec.com
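The two checks recommended in the reply above (reading `rpm --verify -a` output and reviewing bound ports with `lsof -i`) are easier to act on with a small triage script. The following is an added example and is not code from the original post or from either poster; it works on captured command output, and the `rpm --verify` and `lsof` lines it processes are constructed samples, not output from the compromised machine. The flag-column layout it decodes is the one documented for `rpm --verify` (S, M, 5, D, L, U, G, T, plus P on newer rpm releases); the allowlist format for listeners is this example's own convention.

```shell
#!/bin/sh
# Added example (not from the original post): triage helpers for the two checks
# suggested in the reply. Both operate on captured command output, so they run on
# constructed samples here and can be fed the real output of
#   rpm --verify -a    and    lsof -i tcp / lsof -i udp
# taken from trusted binaries (a compromised host's own rpm/lsof may lie).

# Decode the attribute column of `rpm --verify` output.
# Each position is '.' (test passed), '?' (not testable) or a letter:
#   S size  M mode  5 digest  D device  L symlink  U user  G group  T mtime
#   (newer rpm releases add a 9th column, P for capabilities).
decode_rpm_flags() {
    s=$1
    out=""
    if [ "$s" = "missing" ]; then
        echo "file missing"
        return 0
    fi
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}   # first character of $s
        s=${s#?}
        case $c in
            S) out="$out,size" ;;
            M) out="$out,mode" ;;
            5) out="$out,digest" ;;
            D) out="$out,device" ;;
            L) out="$out,symlink" ;;
            U) out="$out,owner" ;;
            G) out="$out,group" ;;
            T) out="$out,mtime" ;;
            P) out="$out,capabilities" ;;
            *) ;;
        esac
    done
    echo "${out#,}"
}

# Read `rpm --verify -a` output on stdin and print one readable line per file.
# An optional one-letter file type ('c' = config, 'd' = doc, ...) precedes the path.
rpm_verify_report() {
    while read -r flags rest; do
        if [ -z "$flags" ]; then continue; fi
        case $rest in
            "c "*|"d "*|"g "*|"l "*|"r "*) ftype=${rest%% *}; path=${rest#* } ;;
            *) ftype=""; path=$rest ;;
        esac
        meaning=$(decode_rpm_flags "$flags")
        if [ -z "$meaning" ]; then continue; fi
        if [ "$ftype" = "c" ]; then
            printf '%s: %s (config file, local edits expected)\n' "$path" "$meaning"
        else
            printf '%s: %s\n' "$path" "$meaning"
        fi
    done
}

# Non-config files whose digest changed: the reinstall-from-trusted-media list.
changed_binaries() {
    while read -r flags rest; do
        case $flags in *5*) ;; *) continue ;; esac
        case $rest in "c "*) continue ;; esac
        echo "$rest"
    done
}

# Read `lsof -i` output on stdin and print listeners (COMMAND:port) that are
# not in the space-separated allowlist given as $1. lsof prints service names
# unless run with -P, so the allowlist must use the same form.
unexpected_listeners() {
    allow=" $1 "
    awk '$NF == "(LISTEN)" { n = split($(NF-1), a, ":"); print $1 ":" a[n] }' |
    while read -r entry; do
        case $allow in
            *" $entry "*) ;;
            *) echo "$entry" ;;
        esac
    done
}

# Constructed sample outputs (not captured from the poster's machine).
SAMPLE_RPM_VERIFY='S.5....T.   /bin/su
.M...UG..   /dev/tty1
.....UG..   /dev/hdb
missing     /usr/sbin/lsof
S.5....T. c /etc/passwd'

SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE NODE NAME
sshd      412 root    3u  IPv4   1234       TCP *:ssh (LISTEN)
inetd     300 root    4u  IPv4   1300       TCP *:login (LISTEN)
x         999 root    5u  IPv4   1999       TCP *:65123 (LISTEN)
sshd      600 root    4u  IPv4   2000       TCP 10.0.0.1:ssh->10.0.0.2:1022 (ESTABLISHED)'

printf '%s\n' "$SAMPLE_RPM_VERIFY" | rpm_verify_report
printf '%s\n' "$SAMPLE_RPM_VERIFY" | changed_binaries
printf '%s\n' "$SAMPLE_LSOF" | unexpected_listeners "sshd:ssh inetd:login"
```

On a real host, replace the sample variables with `rpm --verify -a | rpm_verify_report` and `lsof -i tcp | unexpected_listeners "<your baseline>"`. A digest change on a non-config binary such as `/bin/su`, or ownership and mode changes across `/dev`, is exactly the pattern the original poster describes; the report makes those stand out from the benign mtime-only and config-file noise that `rpm --verify` also lists.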