OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Alvin Oga (alvin.sec_at_Mail.Linux-Consulting.com)
Date: Tue Sep 10 2002 - 11:11:53 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    hi

    w/o knowing your setup, its hard to tell how they
    got in ...

    stuff to do now, that they are in..

    a. take that disk offline
    b. get a new and install a fresh copy of linux from cdrom
        and apply all patches for that distro
    c. turn off all unused daemons, services
            - change your passwds locally on each console

    d. restore your user data from backup PRIOR to the hack
       -- do NOT restore binaries, libs

    e. get the forensics guyz to come and and review your
        disk and security policy as to how they got in
        and how to prevent it next time
            - probably attack the kernel
            - attack the dns, fw, sendmail, pop, etc

    let the fun of chasing them down begin

    http://www.Linux-Sec.net
            -- hardening your server

    have fun
    alvin

    On Tue, 10 Sep 2002, Ver Allan Sumabat wrote:

    > Hi,
    >
    > We have just recently been hacked. I have no idea how
    > he came in. Here are my preliminary investigations:
    >
    > 1. He was able to add a user without logging in.
    >
    > **Unmatched Entries**
    > Sep 5 10:39:33 srv1 sshd[20514]: Could not reverse
    > map address 10.13.41.4.
    > Sep 5 10:39:35 srv1 sshd[20514]: Accepted password
    > for root from 10.13.41.4
    > port 4207
    > Sep 5 17:30:36 srv1 sshd[23299]: Could not reverse
    > map address 10.13.41.4.
    > Sep 5 17:30:41 srv1 sshd[23299]: Accepted password
    > for root from 10.13.41.4
    > port 2491
    > Sep 5 22:16:59 srv1 useradd[23532]: new group:
    > name=war, gid=502
    > Sep 5 22:16:59 srv1 useradd[23532]: new user:
    > name=war, uid=502, gid=502,
    > home=/home/war, shell=/bin/bash
    > Sep 5 22:17:31 srv1 sshd[23534]: Accepted password
    > for war from
    > 212.179.207.211 port 2746
    > Sep 5 22:19:17 srv1 sshd[23580]: fatal: Read from
    > socket failed: Connection
    > reset by peer
    > Sep 5 22:21:48 srv1 sshd[928]: Received SIGHUP;
    > restarting.
    >
    >
    > 2. He installed a tarball w00tkit.tgz in /home/war
    >
    > 3. After running chkrootkit, the significant lines
    > are:
    >
    > ...
    > Checking `ifconfig'... INFECTED
    > ...
    > Searching for Showtee... Warning: Possible Showtee
    > Rootkit installed
    > ...
    > Checking `lkm'... You have 1 process hidden for ps
    > command
    > Warning: Possible LKM Trojan installed
    >
    > 4. ssh won't run anymore
    >
    > Can anyone help me on how the intrusion was done?
    >
    > Thanks.
    >
    > Regards,
    >
    > Allan
    >

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com