Help needed to check for intruders

Help needed to check for intruders

Post by Ramin Sin » Thu, 08 Oct 1998 04:00:00



Hi,

Over the weekend  we found that our linux machines at the office are
broken into. Someone had put a snip-dog and got the root password. I
telnet (or ftp) from my S.u.S.E linux machine at home to office using my
ISP  very often. I was wondering how can I check to see if my system is
compromised? In particular I have the following questions:

1) I think I have not turned on the ability to ftp or http to my home
machine, but I am not positive. How do I check that? I have no
/var/log/xferlog  and /var/log/httpd.access_log is empty.  Are there any
other things I should monitor?

2) I was told by someone very knowledgeable that 'rpm -Va' on another
S.u.S.E. machine at work showed that some files have been tinkered
with. What do I check for when I use this command?

3) the command 'which ls' does not return anything. I have found out
that there is a /usr/local/ftp/bin/ls file. Is it normal to have a
/usr/local/ftp/bin/ directory? The other files in that directory are
compress and gzip.

Thanks,
Ramin

Help needed to check for intruders

Post by Pat Hennes » Thu, 08 Oct 1998 04:00:00


: Hi,
:
: Over the weekend  we found that our linux machines at the office are
: broken into. Someone had put a snip-dog and got the root password. I
: telnet (or ftp) from my S.u.S.E linux machine at home to office using my
: ISP  very often. I was wondering how can I check to see if my system is
: compromised? In particular I have the following questions:

You may be another victim of the nfs/mountd problems.  But you ought to
install ssh, which is an encrypted rsh/rlogin program.  When you use
telnet, you send your password in plain text across the internet.  That
could have been picked up by someone else.

:
: 1) I think I have not turned on the ability to ftp or http to my home
: machine, but I am not positive. How do I check that? I have no
: /var/log/xferlog  and /var/log/httpd.access_log is empty.  Are there any
: other things I should monitor?
:
Most services are started in /etc/inetd.conf or in the /etc/rc.d dir or
/etc/rc.* files.  You need to find out where ftp/http and so forth is
started, and disable that.

: 2) I was told by someone very knowledgeable that 'rpm -Va' on another
: S.u.S.E. machine at work showed that some files have been tinkered
: with. What do I check for when I use this command?
:
: 3) the command 'which ls' does not return anything. I have found out
: that there is a /usr/local/ftp/bin/ls file. Is it normal to have a
: /usr/local/ftp/bin/ directory? The other files in that directory are
: compress and gzip.
:
: Thanks,
: Ramin

--
><><><><><><><><><><><><><><><><><><><><><><><><><><><><
                        http://www.magpage.com/~path/
><><><><><><><><><><><><><><><><><><><><><><><><><><><><

Help needed to check for intruders

Post by Alan J Rosenth » Thu, 08 Oct 1998 04:00:00



>1) I think I have not turned on the ability to ftp or http to my home
>machine, but I am not positive. How do I check that?

Try it!

>2) I was told by someone very knowledgeable that 'rpm -Va' on another
>S.u.S.E. machine at work showed that some files have been tinkered
>with. What do I check for when I use this command?

I don't know, but nothing which can't be faked by someone if they can become
root.

>3) the command 'which ls' does not return anything. I have found out
>that there is a /usr/local/ftp/bin/ls file. Is it normal to have a
>/usr/local/ftp/bin/ directory?

Yes.  Anonymous ftp users are chrooted to ~ftp, so without ~ftp/bin/ls, the
"dir" command won't work.  But if you're not offering anonymous ftp, you
should remove the ftp home directory.  If you have the "ftp" line in
/etc/passwd, then if you're offering ftp for user accounts you'll find you
ARE offering anonymous ftp.

If someone has become root on your machine, you can't, in general, tell what
they've done.  Probably your only option is to reinstall from scratch.  See
ftp://ftp.cert.org/pub/tech_tips/root_compromise


Help needed to check for intruders

Post by Chuck Sterlin » Sat, 10 Oct 1998 04:00:00




> writes:

> |> 1) I think I have not turned on the ability to ftp or http to my home
> |> machine, but I am not positive. How do I check that? I have no
> |> /var/log/xferlog  and /var/log/httpd.access_log is empty.  Are there any
> |> other things I should monitor?

> do a ps, if there is a program called ftpd running, it means you have a ftp
> daemon running. modify your config files to prevent it from running next time
> you boot, kill it for immediate effect.
> However, the process could run as "emacs" and yet be a daemon of some sort,
> check who owns what, and kill everything that is not relevant. :)

> if you really don't want ftp, you can remove the user ftp or put a star as a
> password.

> |>
> |> 2) I was told by someone very knowledgeable that 'rpm -Va' on another
> |> S.u.S.E. machine at work showed that some files have been tinkered
> |> with. What do I check for when I use this command?
> |>
> |> 3) the command 'which ls' does not return anything. I have found out
> |> that there is a /usr/local/ftp/bin/ls file. Is it normal to have a
> |> /usr/local/ftp/bin/ directory? The other files in that directory are
> |> compress and gzip.

> Yes it is normal, but if you don't want ftpd to run, do a rm -r /usr/local/ftp,
> this directory is for anonymous ftp.

> EA

On using ps to check on ftpd running: On at least one of my Sun servers
the ftp daemon only runs when someone is logged in. It's kicked off by
another daemon, init or another system widget, and dies when the user
leaves. There can be multiple copies if multiple users are in. This is
on a Solaris 2.6 using wu-ftpd, I think version 2.4 but I'm not sure on
that. Just thought I'd mention this to add to the confusion... :-]>

Chuck


Help needed to check for intruders

Post by voi » Sun, 11 Oct 1998 04:00:00


On 8 Oct 1998 08:17:11 GMT, Edouard Alligand


>do a ps, if there is a program called ftpd running, it means you have a ftp
>daemon running.

But that doesn't tell you whether your system allows ftp, only whether
someone is currently using it.  Remember, ftpd is generally run out of
inetd, which listens on the appropriate port and spawns an ftpd when
someone connects.

I would first check with 'netstat -a', which should show a TCP socket
in the listen state on port 21:

TCP
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ ------
      *.ftp                *.*                0      0     0      0 LISTEN

(The '21' is translated to 'ftp' by netstat looking it up in
/etc/services, but either way it means the same thing.)

However, netstat could be modified by an attacker who has root, so as to
give a false negative.  The best test is to go to a known non-compromised
machine and attempt to ftp to the machine you're worried about.  If you
get "ftp: connect: Connection refused", then nothing is listening on that
port.

Of course, your attacker could be running ftpd on a different port if they
have some use for it, so to really figure out what services they're
offering, download Julian Assange's strobe program and strobe your machine
to see what ports are open.  Better still, reload your OS from the
installation media, after unplugging it from the network, figure out
what's wrong with your security, and bring it back up.

--

 Ben

"You have your mind on computers, it seems."
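The listener check the post describes, as an added example that is not from the thread: it parses "netstat -a" style output (the Solaris layout shown above, with "*.ftp", and the Linux "0.0.0.0:22" layout, both assumed) and reports every LISTEN socket that is not on an allow-list you pass in. The netstat listing is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: list TCP listeners from "netstat -a"
# style output and flag any that are not on an explicit allow-list.
# It reads captured text, so it can be run on a listing taken with a
# known-good netstat rather than only on the suspect machine.

# Constructed sample: Solaris layout as in the post, plus one Linux-style
# line (netstat -an prints the local address as "0.0.0.0:22").
SAMPLE_NETSTAT='TCP
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ ------
      *.ftp                *.*                0      0     0      0 LISTEN
      *.telnet             *.*                0      0     0      0 LISTEN
      *.1234               *.*                0      0     0      0 LISTEN
 10.0.0.2.telnet      192.168.1.9.1045     8760      0  8760      0 ESTABLISHED
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# Print the local port (name or number) of every socket in LISTEN state.
# Solaris puts the local address in column 1 as "host.port"; Linux puts
# it in column 4 as "host:port". The port is whatever follows the last
# separator, and netstat has already mapped well-known numbers via
# /etc/services, so "ftp" and "21" are the same listener.
listening_ports() {
    printf '%s\n' "$1" | awk '$NF == "LISTEN" {
        addr = ($1 == "tcp" || $1 == "tcp6") ? $4 : $1
        n = split(addr, a, /[.:]/)
        print a[n]
    }'
}

# Print listeners that are not in the space-separated allow-list.
# Arguments: netstat output text, allow-list (for example "ssh 22").
unexpected_listeners() {
    _allow=" $2 "
    listening_ports "$1" | while read -r port; do
        case "$_allow" in
            *" $port "*) ;;                 # expected, say nothing
            *) printf '%s\n' "$port" ;;     # not on the list: close it or explain it
        esac
    done
}

unexpected_listeners "$SAMPLE_NETSTAT" "ssh 22"   # prints ftp, telnet, 1234
```

The limitation the post gives still applies: run on the suspect box, a replaced netstat can hide a listener, so the connection attempt from a clean machine remains the stronger test.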


Help needed to check for intruders

Post by Sylvain Robitail » Mon, 12 Oct 1998 04:00:00



>> do a ps, if there is a program called ftpd running, it means you have a ftp
>> daemon running. modify your config files to prevent it from running next time
>> you boot, kill it for immediate effect.

> On using ps to check on ftpd running: On at least one of my Sun servers
> the ftp daemon only runs when someone is logged in. It's kicked off by
> another daemon, init or another system widget, and dies when the user
> leaves. There can be multiple copies if multiple users are in. This is
> on a Solaris 2.6 using wu-ftpd, I think version 2.4 but I'm not sure on
> that. Just thought I'd mention this to add to the confusion... :-]>

On the systems I'm familiar with, (Linux, NetBSD, Ultrix, OSF/1,
Solaris) ftpd is run from inetd, not as a standalone daemon. Use netstat
(the quick answer is 'netstat -a' but you should read the netstat
manpage for details of what options are available and what the output
contains) to find out what network ports are being listened on, and
close off any that you don't specifically want open.

On the other hand, httpd (which was also mentioned as a concern in the
original post) usually runs as a standalone daemon and will normally
show up in a ps listing. Note that I say "usually". Again, netstat will
give you a more accurate picture.

Hope that helps...

--
----------------------------------------------------------------------

Systems Manager                                   Concordia University
Instructional & Information Technology        Montreal, Quebec, Canada
----------------------------------------------------------------------


Help needed to check for intruders

Post by Jean Richar » Mon, 12 Oct 1998 04:00:00



> If someone has become root on your machine, you can't, in general, tell what
> they've done.  Probably your only option is to reinstall from scratch.  See
> ftp://ftp.cert.org/pub/tech_tips/root_compromise

When it happened to me, I caught the guy in the act.  I just happened to
do a ps axu and a bunch of odd processes showed up.  I cold booted the
computer and then found a .bash_history in the / directory.  You might
want to look for something like that.

--
:-)
Fozzy


Help needed to check for intruders

Post by Alan J Rosenth » Tue, 13 Oct 1998 04:00:00




>> If someone has become root on your machine, you can't, in general, tell what
>> they've done.  Probably your only option is to reinstall from scratch.  See
>> ftp://ftp.cert.org/pub/tech_tips/root_compromise

>When it happened to me, I caught the guy in the act.

So you think.
(From your description, I think so too; but we don't KNOW.)

>I just happened to
>do a ps axu and a bunch of odd processes showed up.  I cold booted the
>computer and then found a .bash_history in the / directory.

But your hypothesis that this represents the extent of your intruder's actions
is unsupported as far as you've stated.  They may have done all sorts of
things, and you've just seen a few of them.  Maybe.

>You might want to look for something like that.

Absolutely.  But you should take it with a grain of salt, and you should take
it as a lower bound of their activities, not as a complete list.
(And it could even be fabricated entirely.)

As far as possible, computer security should be based on guarantees rather
than guesswork.  Deciding that an intruder did or did not do a particular
thing or replace a particular program is rarely safe once they've obtained
root access.  The guarantee can only be based on reinstalling from scratch.
Win95 users have to reinstall the OS every few days; we only do after a
thorough penetration; it could be worse.


Help needed to check for intruders

Post by <Jouni... » Tue, 20 Oct 1998 04:00:00





> >I just happened to
> >do a ps axu and a bunch of odd processes showed up.  I cold booted the
> >computer and then found a .bash_history in the / directory.

> But your hypothesis that this represents the extent of your intruder's actions
> is unsupported as far as you've stated.  They may have done all sorts of
> things, and you've just seen a few of them.  Maybe.

> >You might want to look for something like that.

> Absolutely.  But you should take it with a grain of salt, and you should take
> it as a lower bound of their activities, not as a complete list.
> (And it could even be fabricated entirely.)

I also found an intruder last week in our RedHat 5.0.  The traces were
in /var/log/secure and /var/log/messages, which record connections to
telnet and also other services.  I also found .bash_history in /root
and also from /tmp, where the intruder had set up the home directory
for a new account 'bomb'.  I think the history-logs and the other logs
shared a very common view of what really had happened.  It seemed very
obvious that the guy had used a documented security hole in imapd
(www.redhat.com somewhere).  And I was a little surprised that the
traces hadn't been touched.  Not all intruders know they should try to
remove their traces, it seems...

I think secure-log is made by tcp_wrappers, which seems to be installed
on my RH.  This is a very useful package, after you make a
'grep'-script which filters out all connections from known hosts. One
could perhaps watch the 'secure-log' automatically to give an alarm
each time a suspicious connection is made.

> As far as possible, computer security should be based on guarantees rather
> than guesswork.  Deciding that an intruder did or did not do a particular
> thing or replace a particular program is rarely safe once they've obtained
> root access.  The guarantee can only be based on reinstalling from scratch.
> Win95 users have to reinstall the OS every few days; we only do after a
> thorough penetration; it could be worse.

One could of course use find to look for files that have been changed
during the suspicious logins...

BTW: Is it wise to discuss the details here, I suppose many hackers
read this newsgroup as well?
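A version of the 'grep'-script the post imagines, added here and not part of the thread: it takes tcp_wrappers "connect from" lines in the /var/log/secure syslog format, drops connections from a list of known hosts, and counts the distinct unknown hosts that remain, which is the number an alarm would key on. The log lines and the known-host list are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: filter tcp_wrappers "connect from"
# lines out of /var/log/secure, drop known hosts, report the rest.

# Constructed sample in syslog/tcp_wrappers format:
#   <date> <host> <daemon>[<pid>]: connect from <source>
SAMPLE_SECURE='Oct 14 02:11:03 office in.telnetd[812]: connect from 192.168.1.20
Oct 14 02:15:47 office in.ftpd[815]: connect from 192.168.1.20
Oct 14 03:02:19 office in.telnetd[901]: connect from 10.9.8.7
Oct 14 03:02:40 office in.telnetd[901]: refused connect from 10.9.8.7
Oct 14 03:05:01 office imapd[933]: connect from 10.9.8.7
Oct 14 04:00:00 office CROND[950]: (root) CMD (run-parts /etc/cron.hourly)'

# Hosts you expect to connect (your own workstations, the office, the ISP).
KNOWN_HOSTS='192.168.1.20 192.168.1.21'

# Print "service source" for every connect line whose source is not known.
# Arguments: log text, space-separated list of known hosts.
suspicious_connections() {
    _known=" $2 "
    printf '%s\n' "$1" | awk '/connect from/ {
        svc = $5; sub(/\[.*/, "", svc)   # field 5 is "daemon[pid]:"
        print svc, $NF                   # the source host is the last field
    }' | while read -r svc host; do
        case "$_known" in
            *" $host "*) ;;                        # known host, ignore
            *) printf '%s %s\n' "$svc" "$host" ;;  # unknown: worth a look
        esac
    done
}

# Number of distinct unknown hosts; non-zero is what would raise the alarm.
alarm_count() {
    suspicious_connections "$1" "$2" | awk '{print $2}' | sort -u | wc -l | tr -d ' '
}

suspicious_connections "$SAMPLE_SECURE" "$KNOWN_HOSTS"
```

Run against a rotating log from cron (or fed by "tail -f"), this gives the automatic watch the post asks for; as the later replies note, the log itself has to be somewhere the intruder cannot edit for the result to mean much.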


Help needed to check for intruders

Post by Stefan David » Tue, 20 Oct 1998 04:00:00



>I also found an intruder last week in our RedHat 5.0.  The traces were
>in /var/log/secure and /var/log/messages, which record connections to
>telnet and also other services.  I also found .bash_history in /root
>and also from /tmp, where the intruder had set up the home directory
>for a new account 'bomb'.  I think the history-logs and the other logs
>shared a very common view of what really had happened.  It seemed very
>obvious that the guy had used a documented security hole in imapd
>(www.redhat.com somewhere).  And I was a little surprised that the
>traces hadn't been touched.  Not all intruders know they should try to
>remove their traces, it seems...

You were lucky. If you value this sort of logging I'd _strongly_ advise
doing remote syslogging to a protected safe computer, or straight to a
line printer.

>One could of course use find to look for files that have been changed
>during the suspicious logins...

Not reliably.

You're far better off using tripwire and putting the database somewhere
safe (like a remote safe computer, or floppy/zip with write protect). That
way you _know_ what's been changed.

regards

Stefan

--
perl -we 'map { eval q( sub ).$_.q( { $_ = shift; $_ .= "). $_ .q("; print
qq($_\n); return($_); }) }((A..Z),(q(a)..q(z))); sub _ {return $_[0]." ";}
r(E(k(C(a(H(_(l(R(e(P(_(R(e(H(t(O(n(A(_(t(S(u(J())))))))))))))))))))))));'
             http://www.maths.nott.ac.uk/personal/smd/
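A stripped-down version of the baseline check the post recommends, added here and not part of the thread or of tripwire itself: a checksum list is recorded once (that list is what you would keep on a remote machine or write-protected media) and compared against the live tree later. It assumes GNU coreutils sha256sum and a POSIX shell. The demo function also shows the point made further down the thread, that "find -newer" misses an edit whose mtime was put back, while the checksum comparison does not; every file it uses is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the thread or from tripwire: a minimal
# tripwire-style baseline. Assumes GNU coreutils (sha256sum) and POSIX sh.

# Write "checksum  path" for every regular file under directory $1 into
# file $2. Keep that file off the machine (remote host, write-protected media).
make_baseline() {
    find "$1" -type f | LC_ALL=C sort | while read -r f; do
        sha256sum "$f"
    done > "$2"
}

# Compare tree $1 against baseline file $2. Prints each path whose checksum
# differs or that was added or removed; returns 0 only when nothing differs.
check_baseline() {
    _now=$(mktemp)
    make_baseline "$1" "$_now"
    # A line present in only one of the two lists is a changed, new or
    # deleted file; a changed file contributes two such lines (old and new).
    _changed=$(LC_ALL=C sort "$2" "$_now" | uniq -u | awk '{print $2}' | sort -u)
    rm -f "$_now"
    [ -z "$_changed" ] && return 0
    printf '%s\n' "$_changed"
    return 1
}

# Demonstration: an edit whose mtime is put back to its old value is invisible
# to "find -newer <time of the login>", but the checksum comparison reports it.
demo() {
    _d=$(mktemp -d)
    printf 'root:x:0:0::/root:/bin/sh\n' > "$_d/passwd"
    printf 'ftp:x:14:50::/usr/local/ftp:\n' > "$_d/ftpuser"
    touch -t 199810010000 "$_d/passwd" "$_d/ftpuser"   # old mtimes
    touch "$_d.login"                                   # time of the suspicious login
    make_baseline "$_d" "$_d.base"
    printf 'bomb:x:501:501::/tmp:/bin/sh\n' >> "$_d/passwd"  # constructed change
    touch -t 199810010000 "$_d/passwd"                  # mtime reset to the old value
    _by_mtime=$(find "$_d" -type f -newer "$_d.login" | wc -l | tr -d ' ')
    _by_hash=$(check_baseline "$_d" "$_d.base" | sed 's|.*/||')
    rm -rf "$_d" "$_d.login" "$_d.base"
    printf '%s %s\n' "$_by_mtime" "${_by_hash:-none}"   # prints "0 passwd"
}

demo
```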


Help needed to check for intruders

Post by Bennett To » Wed, 21 Oct 1998 04:00:00


>>I also found an intruder last week in our RedHat 5.0. [...] One could
>>of course use find to look for files that have been changed during the
>>suspicious logins...

>Not reliably.

Right --- it's easy for an intruder to reset mod times back to their values
from before they changed the contents.

>You're far better off using tripwire and putting the database somewhere
>safe (like a remote safe computer, or floppy/zip with write protect). That
>way you _know_ what's been changed.

Tripwire is certainly a fine tool, and has its place. But since they are
using Red Hat, they have another option. Score a copy of the CD for your
release if you don't have one already. Make a nice shiny new boot floppy
using your known-good copy of the release, boot from that floppy, and mount up
your known-good copy of the release. Then run the known-good rpm(1) executable
from that release, to check your installed system against the packages in the
release, reporting any files that have changed.

The end result is much like tripwire, only you don't need to have planned in
advance and made the needed database; the packages from which you install the
software can work as the database for a tripwire-like check.

-Bennett
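To show what the known-good rpm check above reports, and what to look for in rpm -V output (the original poster's second question), here is an added triage script that is not from the thread; the rpm -Va lines are constructed. The "5" column is rpm's MD5 digest comparison, which is also the answer to the later question in the thread about sum(1).

```shell
#!/bin/sh
# Added example, not from the thread: triage rpm -V / rpm -Va output.
# Each line is eight flag columns, an optional "c" (config file) and a path:
#   S size  M mode  5 MD5 digest  D device  L symlink  U user  G group  T mtime
# "." means that attribute matched the package; "missing" means the file is gone.

# Constructed sample of rpm -Va output (not from a real system).
SAMPLE_RPMV='S.5....T   /bin/ls
S.5....T   /bin/netstat
.......T c /etc/inetd.conf
S.5....T c /etc/passwd
.M......   /usr/bin/passwd
missing    /usr/sbin/in.telnetd
.......T   /usr/share/doc/README'

# Print "LEVEL reason path" for every line worth a look:
#   HIGH  non-config file whose contents (S or 5), mode/owner (M U G) or
#         link/device (L D) differ, or which is missing
#   CHECK config file whose contents differ: normal for local edits, but a
#         new uid-0 line in /etc/passwd looks exactly like this too
# Lines where only T (mtime) differs are dropped; touch(1) causes those.
triage_rpmv() {
    printf '%s\n' "$1" | awk '
    $1 == "missing" { print "HIGH missing", $NF; next }
    {
        flags = $1; cfg = ($2 == "c"); path = $NF
        content = (flags ~ /[S5]/); attr = (flags ~ /[MDLUG]/)
        if (!content && !attr) next
        if (cfg)          print "CHECK", (content ? "config-changed" : "config-attr"), path
        else if (content) print "HIGH content-changed", path
        else              print "HIGH attr-changed", path
    }'
}

# Number of HIGH findings. Anything above zero on a system binary is the cue
# to stop trusting that system and move to the reinstall the thread advises.
high_count() {
    triage_rpmv "$1" | grep '^HIGH' | wc -l | tr -d ' '
}

triage_rpmv "$SAMPLE_RPMV"
```

The reading only holds when both the rpm binary and the package data it compares against are known good, which is why the post runs rpm from the release media rather than the copy on the suspect disk.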


Help needed to check for intruders

Post by unsCAre » Thu, 22 Oct 1998 04:00:00



  >You were lucky. If you value this sort of logging I'd _strongly_ advise
  >doing remote syslogging to a protected safe computer, or straight to a
  >line printer.
        An old PC connected to the serial line is better than a line printer;
it allows you to post-process the logs. A 386 running Linux is (IMHO) the
best choice.

  >>One could of course use find to look for files that have been changed
  >>during the suspicious logins...

  >Not reliably.

  >You're far better off using tripwire and putting the database somewhere
  >safe (like a remote safe computer, or floppy/zip with write protect). That
  >way you _know_ what's been changed.
        Put the database on a CD, it's more secure than floppies/zips.
--
Un Saludo:
-------------------------------------------------------------------------------
E-mail: alvarovp!mad.servicom.es      + PGP id:7B87DC61 (at public servers)
        alvarovp!diskobolo.mat.ucm.es + unsCAred at #linux [irc-hispano]


Help needed to check for intruders

Post by Terry Port » Wed, 28 Oct 1998 04:00:00



<snip regarding security breach>

>I think secure-log is made by tcp_wrappers, which seems to be installed
>on my RH.  This is a very useful package, after you make a
>'grep'-script which filters out all connections from known hosts. One
>could perhaps watch the 'secure-log' automatically to give an alarm
>each time a suspicious connection is made.

You could install Xlogmaster, this is a GTK app that has all the
filters, alarms etc.
I have been using it for 3-4 months and it works really well.

The url is:
http://www.gnu.org/software/xlogmaster/xlogmaster.html

Good on you Georg!!

terry

--

   My Computer is powered by GNU-LINUX, and has been
 up 1 week 2 days 22 hours 8 minutes
..........NOTE Spam protection in use...................


Help needed to check for intruders

Post by oak » Wed, 28 Oct 1998 04:00:00


What's the difference between this and "tripwire"?

Thanks

-Tony



> <snip regarding security breach>

> >I think secure-log is made by tcp_wrappers, which seems to be installed
> >on my RH.  This is a very useful package, after you make a
> >'grep'-script which filters out all connections from known hosts. One
> >could perhaps watch the 'secure-log' automatically to give an alarm
> >each time a suspicious connection is made.
> You could install Xlogmaster, this is a GTK app that has all the
> filters, alarms etc.
> I have been using it for 3-4 months and it works really well.
> The url is:
> http://www.gnu.org/software/xlogmaster/xlogmaster.html
> Good on you Georg!!
> terry
> --

>    My Computer is powered by GNU-LINUX, and has been
>  up 1 week 2 days 22 hours 8 minutes
> ..........NOTE Spam protection in use...................

--

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
MartNet InterNet Services             99.9% pure       http://www.martnet.com


Help needed to check for intruders

Post by Bruce Barnet » Wed, 28 Oct 1998 04:00:00



> The end result is much like tripwire, only you don't need to have planned in
> advance and made the needed database; the packages from which you install the
> software can work as the database for a tripwire-like check.

How does rpm verify packages? If it just uses sum(1), then may I
suggest this is not secure? I've seen rootkits that can defeat
verification done by using sum(1). Hopefully rpm uses md5.

--
Bruce  <barnett at crd. ge. com> (speaking as myself, and not a GE employee)


Help: Need to foil intruder on my (AIX) system using ftp

Dear Mr. Thomas,

  If you want to fix the security problems without stirring
the pot, I suggest you use an anonymous remailer to let your
bosses and the sysadmin know that your system is being compromised.

  Someone else suggested that you run TCP wrappers to log and
deny access.  I use this approach myself, but it can be gotten
around also.

  It's important that you clean these people off your system,
because not only are your own machines at risk, but you may
be held liable for the damage these guys do FROM your systems
to other sites on the internet.

Regards,  

PeterM
