Welcome to the Virus.Org Mailing List Archive


Re: RH6 boxes cracked

  • To: [EMAIL PROTECTED]
  • Subject: Re: RH6 boxes cracked
  • From: "Osvaldo J. Filho" <[EMAIL PROTECTED]>
  • Date: Thu, 04 Jan 2001 12:39:28 +0100
  • In-reply-to: <[EMAIL PROTECTED]>
On Wed, 3 Jan 2001, D. Scott Barninger wrote:

> Hello,
>
> I am still trying to determine all that has been done but here is what I
> know at the moment. If anyone has seen similar attacks please let me
> know what to look for. For starters there appears to be a trojanized su
> binary installed. When calling su there is a delay of approximately 6-8
> seconds after entering the root password before a shell prompt is
> returned. A log message indicates that "call_pam_xauth" successfully
> forked a child (returned 1). At that point a check on the /dev directory
> shows most everything has altered user/group and/or permissions. The tty
> from which the su command was issued is now owned by my user rather than
> root as well as /dev/hdb. /dev/tty* is now writeable by group etc.
> Reinstalling the dev and sh-utils packages corrects things until the
> next time su is run. The same is true on 2 other boxes from which I
> typically rlogin over the internal network (primary box is a MASQ
> gateway). About 2 days prior to discovering this I got port-scanned and
> logged rejected packets on a netbios port (I did have netbios service
> exposed for remote connections).
>
> Any insights would be greatly appreciated.
>
> Scott
>
This kind of attack is basically a common one. Looks like the attacker
scanned a large block of IPs looking for something vulnerable, and then
some hours later (or days) exploited the machines that had a flaw
(unfortunately yours were one of these) and installed a root kit to keep
access for him.

Try a
# rpm --verify -a

to check on your RPM database all files that were changed. You will have a
good look at what's missing/changed. Check the RPM manual to see what the
output means (SUM/Date/Size/etc. altered, missing, etc.).

Try installing lsof (if installed, reinstall from a secure source) and
checking all bound ports; there may be a DDoS agent running or a bind shell.
# lsof -i tcp
# lsof -i udp

For any further help, please contact me by email.

---
Osvaldo J. Filho
Unix Security Specialist
[EMAIL PROTECTED]

Proteus Security Systems
http://www.proteus.com.br / http://www.proteus-sec.com
---
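The two triage steps in the reply above (decoding `rpm --verify -a` and reviewing what `lsof -i` shows listening) can be scripted so the output is reviewed systematically rather than by eye. The script below is an added example, not code from the original post or from Virus.Org; it runs offline against constructed sample output embedded inline (the file names, PIDs and port numbers in the samples are made up for illustration). The flag positions it decodes (S size, M mode, 5 digest, D device, L symlink, U user, G group, T mtime) follow the rpm manual's documented order; the baseline port list is an assumption you would replace with what the host is actually meant to serve. Note that on a rooted box the RPM database and the lsof binary may themselves have been tampered with, so the results are only as trustworthy as the copies you compare against.

```shell
#!/bin/sh
# Added example (not from the original mailing-list post): decode the output of
# `rpm --verify -a` and flag unexpected listeners in `lsof -i` output.
# Both inputs below are CONSTRUCTED samples so the script runs offline.

# Constructed sample of `rpm -V -a` output (hypothetical file names).
RPM_VERIFY_SAMPLE='S.5....T   /bin/su
.M......   /dev/tty1
missing    /usr/bin/lsof
.......T c /etc/pam.d/su
S.5....T   /bin/ls'

# Constructed sample of `lsof -i` output (hypothetical PIDs and ports).
LSOF_SAMPLE='COMMAND   PID USER   FD   TYPE DEVICE SIZE NODE NAME
sshd      412 root    3u  IPv4   1234       TCP *:22 (LISTEN)
inetd     210 root    4u  IPv4   1240       TCP *:21 (LISTEN)
named     300 root    5u  IPv4   1300       UDP *:53
xyz       999 root    3u  IPv4   9001       TCP *:31337 (LISTEN)'

# Assumed baseline: ports this host is expected to serve (replace with yours).
BASELINE_PORTS="22 21 53"

# decode_rpm_verify: one line per reported file, verify flags expanded to words.
# Flag columns per the rpm manual: S size, M mode, 5 MD5 digest, D device,
# L symlink, U user, G group, T mtime. "missing" lines are reported as such.
decode_rpm_verify() {
    printf '%s\n' "$1" | awk '
    {
        file = $NF
        if ($1 == "missing") { print file ": MISSING"; next }
        flags = $1
        out = ""
        if (substr(flags, 1, 1) == "S") out = out " size"
        if (substr(flags, 2, 1) == "M") out = out " mode"
        if (substr(flags, 3, 1) == "5") out = out " md5"
        if (substr(flags, 4, 1) == "D") out = out " device"
        if (substr(flags, 5, 1) == "L") out = out " symlink"
        if (substr(flags, 6, 1) == "U") out = out " user"
        if (substr(flags, 7, 1) == "G") out = out " group"
        if (substr(flags, 8, 1) == "T") out = out " mtime"
        if (out == "") out = " unchanged"
        print file ":" out
    }'
}

# unexpected_listeners: print "COMMAND PID PORT" for every socket whose local
# port is not in the space-separated baseline list given as the second argument.
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v base="$2" '
    BEGIN { n = split(base, b, " "); for (i = 1; i <= n; i++) ok[b[i]] = 1 }
    NR > 1 {
        # The NAME column looks like "*:22" or "10.0.0.1:22"; pick the field
        # containing a colon and take the text after the last colon as the port.
        name = ""
        for (i = 1; i <= NF; i++) if ($i ~ /:/) name = $i
        if (name == "") next
        n = split(name, parts, ":")
        port = parts[n]
        if (!(port in ok)) print $1, $2, port
    }'
}

# Stand-alone run: decode the sample verify output, then list unexpected ports.
decode_rpm_verify "$RPM_VERIFY_SAMPLE"
unexpected_listeners "$LSOF_SAMPLE" "$BASELINE_PORTS"
```

On a live host you would pipe the real commands in instead of the samples, e.g. `decode_rpm_verify "$(rpm -Va)"`; files that show `size` or `md5` changes in system binaries, or `mode`/`user`/`group` changes under `/dev`, are the ones to compare against a known-good install before deciding the box is trustworthy again.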
Copyright (c) Virus.Org 1997-2006.