security gurus:please help analyze

Post by joeh » Sat, 28 Aug 1999 04:00:00



I had a telnet session in server.domain.com
Next AM I saw a broadcast message that the system was shutting
down.  However, the system referred to was not my server.domain.com,
since my telnet session was alive and well the next morning.  The

There is no host on this network by that name
The host had no FQDN (like dylan.domain.com)
The syslogs showed nothing
/var/adm/messages showed nothing
Absolutely no one was on the console at that time
What are the possibilities?  
Any help appreciated

--

access to a news server; thanks!
Disclaimer: opinions expressed my own and not representative of my employers


Post by Barry Margoli » Sat, 28 Aug 1999 04:00:00



>I had a telnet session in server.domain.com
>Next AM I saw a broadcast message that the system was shutting
>down.  However, the system referred to was not my server.domain.com,
>since my telnet session was alive and well the next morning.  The

>There is no host on this network by that name
>The host had no FQDN (like dylan.domain.com)
>The syslogs showed nothing
>/var/adm/messages showed nothing
>Absolutely no one was on the console at that time
>What are the possibilities?  
>Any help appreciated

NFS servers typically broadcast shutdown notices to all the machines that
have mounted filesystems from them.  Someone on your system may have mounted
a filesystem from a remote host named Dylan, and never performed a clean
unmount, so Dylan still thought you had the filesystem mounted and notified
you that it was shutting down.

--

GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.


Post by Henry R. Linnewe » Sat, 28 Aug 1999 04:00:00


hmm looks like a rootkit to me, prolly been hacked into

Henry



> >I had a telnet session in server.domain.com
> >Next AM I saw a broadcast message that the system was shutting
> >down.  However, the system referred to was not my server.domain.com,
> >since my telnet session was alive and well the next morning.  The

> >There is no host on this network by that name
> >The host had no FQDN (like dylan.domain.com)
> >The syslogs showed nothing
> >/var/adm/messages showed nothing
> >Absolutely no one was on the console at that time
> >What are the possibilities?
> >Any help appreciated

> NFS servers typically broadcast shutdown notices to all the machines that
> have mounted filesystem from them.  Someone on your system may have mounted
> a filesystem from a remote host named Dylan, and never performed a clean
> unmount, so Dylan still thought you had the filesystem mounted and notified
> you that it was shutting down.

> --

> GTE Internetworking, Powered by BBN, Burlington, MA
> *** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
> Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.


Post by joeh » Sat, 28 Aug 1999 04:00:00


I am ignorant; please define "rootkit"
TIA


> hmm looks like a rootkit to me, prolly been hacked into

> Henry



> > >I had a telnet session in server.domain.com
> > >Next AM I saw a broadcast message that the system was shutting
> > >down.  However, the system referred to was not my server.domain.com,
> > >since my telnet session was alive and well the next morning.  The

> > >There is no host on this network by that name
> > >The host had no FQDN (like dylan.domain.com)
> > >The syslogs showed nothing
> > >/var/adm/messages showed nothing
> > >Absolutely no one was on the console at that time
> > >What are the possibilities?
> > >Any help appreciated

> > NFS servers typically broadcast shutdown notices to all the machines that
> > have mounted filesystem from them.  Someone on your system may have mounted
> > a filesystem from a remote host named Dylan, and never performed a clean
> > unmount, so Dylan still thought you had the filesystem mounted and notified
> > you that it was shutting down.

> > --

> > GTE Internetworking, Powered by BBN, Burlington, MA
> > *** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
> > Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.

--

access to a news server; thanks!
Disclaimer: opinions expressed my own and not representative of my employers

Post by Jose Nazari » Sat, 28 Aug 1999 04:00:00



> I am ignorant; please define "rootkit"

a rootkit is just that, a kit of precompiled or prewritten exploits for a given
architecture that, when run, gives the kiddiez root, or privileged superuser access.
an example of a rootkit is one i found on an SGI that had been rooted; it contained
precompiled buffer overflow exploits for Xterm, cdplayer, xlock etc... 12 in total.
they're available all over the net, if you know where to look (or beg).

it saves the user (usually a script kiddie) a lot of thought and work. rootkits usually
have a predefined signature, i.e. a root-equivalent account username (sometimes r00t or
moot or rewt), a temp file or location of a backdoor (i.e. /tmp/.x which is really a
shell that, when run, turns you into root; another one is a login replacement that has
a username that doesn't require a password and drops you to root; any trojan to leave
access), various other trojans to hide activity, or the like. it's how you can help
identify that you've been rootkitted.

what i want to know is the signature of the attack (presumably this dylan thing) and
what the attack is... it's not one i've seen.



Post by Henry R. Linnewe » Wed, 01 Sep 1999 04:00:00


A suite of programs like ps, ls, & du which have been modified to
prevent display of certain files & processes in order to hide an intruder.

> I am ignorant; please define "rootkit"
> TIA


> > hmm looks like a rootkit to me, prolly been hacked into

> > Henry



> > > >I had a telnet session in server.domain.com
> > > >Next AM I saw a broadcast message that the system was shutting
> > > >down.  However, the system referred to was not my server.domain.com,
> > > >since my telnet session was alive and well the next morning.  The

> > > >There is no host on this network by that name
> > > >The host had no FQDN (like dylan.domain.com)
> > > >The syslogs showed nothing
> > > >/var/adm/messages showed nothing
> > > >Absolutely no one was on the console at that time
> > > >What are the possibilities?
> > > >Any help appreciated

> > > NFS servers typically broadcast shutdown notices to all the machines that
> > > have mounted filesystem from them.  Someone on your system may have mounted
> > > a filesystem from a remote host named Dylan, and never performed a clean
> > > unmount, so Dylan still thought you had the filesystem mounted and notified
> > > you that it was shutting down.

> > > --

> > > GTE Internetworking, Powered by BBN, Burlington, MA
> > > *** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
> > > Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.

> --

> access to a news server; thanks!
> Disclaimer: opinions expressed my own and not representative of my employers

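Henry's definition (a rootkit replaces ps, ls and du so they stop showing the intruder's files and processes) suggests a defender's cross-view check: ask the kernel directly via /proc and compare with what the ps binary reports. This is an added example, not code from the thread; it assumes a Linux host with /proc and a ps that accepts `-e -o pid=`.

```python
"""Cross-view check for a trojaned ps: PIDs the kernel lists under /proc
but ps does not report are candidates for rootkit process hiding."""
import os
import subprocess
from typing import Iterable, Set

# Constructed sample of `ps -e -o pid=` output, used by the self-test below;
# it is not real output from any host.
SAMPLE_PS_OUTPUT = "    1\n    2\n  540\n 1234\n"


def pids_from_proc(proc_root: str = "/proc") -> Set[int]:
    """Every all-digit directory under /proc is a process the kernel knows."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pids_from_ps(ps_output: str) -> Set[int]:
    """Parse `ps -e -o pid=` output: one PID per line, whitespace padded."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def hidden_pids(kernel_view: Iterable[int], ps_view: Iterable[int],
                ignore: Iterable[int] = ()) -> Set[int]:
    """PIDs present in the kernel view but absent from the ps view.

    Processes that start between the two snapshots also land here, so a
    hit should be re-sampled (and its /proc/<pid>/exe inspected) before
    it is treated as a hidden process.
    """
    return set(kernel_view) - set(ps_view) - set(ignore)


def check_live() -> Set[int]:
    """Run ps, then snapshot /proc, and report PIDs that ps did not show."""
    ps_out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                            text=True, check=True).stdout
    ps_pids = pids_from_ps(ps_out)
    # Snapshot /proc after ps has exited so ps's own transient PID is gone.
    return hidden_pids(pids_from_proc(), ps_pids, ignore={os.getpid()})


if __name__ == "__main__":
    suspects = check_live()
    print("hidden from ps:" if suspects else "ps and /proc agree",
          sorted(suspects) if suspects else "")
```

An empty result only says the ps binary agrees with /proc; a kernel-level rootkit can lie to both, so pair this with hashing ps, ls and du against known-good copies taken offline.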
