Very Computer

The reason that I started using linux was to avoid MS NT's cost
and still have multi cpu access for rendering but someone has been
banging
on my box pretty hard and done some damage (or so it seems). I have done
what all I understand to do to keep them out and it has not helped. I've
run cops and satin and pourd over /etc and dissabled sendmail. It's
not helped and that is all I know how to do. I've contacted my ISP (who
handed me off to /dev/null) and AOL (who has not responded, !surpise!).

There is nothing on this machine that could be worth anything to anyone
and it does not have secure links to any other boxes. I don't mind the
target practice, but it has gone a little beyond that now (/bin and
/sbin
have been thrashed).

So what I am asking is can any of you help me plug these holes (or where
to start looking, or what do I need to wrap how to get a fix on the
source).
I've included the only traces I have been able to capture -- maybe
they mean something to you. All it tells me is that they don't know
this site is running Linux and they are trumping netcom's smtp and
at least using AOL as an ID.

!**What ever advice you may have will be welcomed. I just do pictures**!

####################################################################
From /var/adm/messages:

Oct  7 07:51:22 localhost pppd[2979]: remote IP address 163.179.240.2
Oct  7 07:52:28 localhost sendmail[2986]: HAA02986:


relay=emout15.mx.aol.com [198.81.11.41]
Oct  7 07:54:01 localhost sendmail[2986]: HAA02986:

mailer=smtp, relay=orioles.dyn.ml.org. [205.186.165.43], stat=Deferred:
Connection refused by orioles.dyn.ml.org.
Oct  7 07:56:15 localhost sendmail[2989]: HAA02986:

mailer=smtp, relay=orioles.dyn.ml.org. [205.186.165.43], stat=Deferred:
Connection refused by orioles.dyn.ml.org.
Oct  7 08:11:19 localhost sendmail[2996]: HAA02986:

mailer=smtp, relay=orioles.dyn.ml.org. [205.186.165.40], stat=Local
configuration error
Oct  7 08:11:19 localhost sendmail[2996]: HAA02986: IAA02996: postmaster
notify: Local configuration error
Oct  7 08:11:33 localhost sendmail[2996]: IAA02996:

relay=c.mx.aol.com. [198.81.19.179], stat=Sent (IAA28144 Message
accepted for delivery)
Oct  7 08:11:33 localhost sendmail[2996]: IAA02996: to=postmaster,
delay=00:00:14, xdelay=00:00:00, mailer=local, stat=Sent

#########################################################
Also from /var/adm/messages but with the disabled local sendmail:

Oct 14 08:55:07 localhost sendmail[1310]: IAA01310: from=root, size=131,


Oct 14 08:55:07 localhost sendmail[1310]: IAA01310: to=root,
ctladdr=root (0/0), delay=00:00:01, xdelay=00:00:00, mailer=local,
stat=unknown mailer error 1
Oct 14 08:55:07 localhost sendmail[1310]: IAA01310: IAB01310: postmaster
notify: unknown mailer error 1
Oct 14 08:55:07 localhost sendmail[1310]: IAB01310: to=root,
delay=00:00:00, xdelay=00:00:00, mailer=local, stat=unknown mailer error
1
Oct 14 08:55:07 localhost sendmail[1310]: IAB01310: IAC01310: return to
sender: unknown mailer error 1
Oct 14 08:55:07 localhost sendmail[1310]: IAC01310: to=postmaster,
delay=00:00:00, xdelay=00:00:00, mailer=local, stat=Sent
Oct 14 09:00:06 localhost sendmail[1320]: JAA01320: from=root, size=131,


Oct 14 09:00:06 localhost sendmail[1320]: JAA01320: to=root,
ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local,
stat=unknown mailer error 1
Oct 14 09:00:06 localhost sendmail[1320]: JAA01320: JAB01320: postmaster
notify: unknown mailer error 1
Oct 14 09:00:06 localhost sendmail[1320]: JAB01320: to=root,
delay=00:00:00, xdelay=00:00:00, mailer=local, stat=unknown mailer error
1
Oct 14 09:00:06 localhost sendmail[1320]: JAB01320: JAC01320: return to
sender: unknown mailer error 1
Oct 14 09:00:06 localhost sendmail[1320]: JAC01320: to=postmaster,
delay=00:00:00, xdelay=00:00:00, mailer=local, stat=Sent
Oct 14 09:05:06 localhost sendmail[1332]: JAA01332: from=root, size=131,


Oct 14 09:05:06 localhost sendmail[1332]: JAA01332: to=root,
ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local,
stat=unknown mailer error 1
Oct 14 09:05:06 localhost sendmail[1332]: JAA01332: JAB01332: postmaster
notify: unknown mailer error 1
Oct 14 09:05:06 localhost sendmail[1332]: JAB01332: to=root,
delay=00:00:00, xdelay=00:00:00, mailer=local, stat=unknown mailer error
1
Oct 14 09:05:06 localhost sendmail[1332]: JAB01332: JAC01332: return to
sender: unknown mailer error 1
Oct 14 09:05:06 localhost sendmail[1332]: JAC01332: to=postmaster,
delay=00:00:00, xdelay=00:00:00, mailer=local, stat=Sent
Oct 14 09:10:06 localhost sendmail[1352]: JAA01352: from=root, size=131,


Oct 14 09:10:06 localhost sendmail[1352]: JAA01352: to=root,
ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local,
stat=unknown mailer error 1
Oct 14 09:10:06 localhost sendmail[1352]: JAA01352: JAB01352: postmaster
notify: unknown mailer error 1
Oct 14 09:10:06 localhost sendmail[1352]: JAB01352: to=root,
delay=00:00:00, xdelay=00:00:00, mailer=local, stat=unknown mailer error
1
Oct 14 09:10:06 localhost sendmail[1352]: JAB01352: JAC01352: return to
sender: unknown mailer error 1
Oct 14 09:10:06 localhost sendmail[1352]: JAC01352: to=postmaster,
delay=00:00:00, xdelay=00:00:00, mailer=local, stat=Sent
Oct 14 09:15:06 localhost sendmail[1371]: JAA01371: from=root, size=131,


Oct 14 09:15:06 localhost sendmail[1371]: JAA01371: to=root,
ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local,
stat=unknown mailer error 1
Oct 14 09:15:06 localhost sendmail[1371]: JAA01371: JAB01371: postmaster
notify: unknown mailer error 1
Oct 14 09:15:06 localhost sendmail[1371]: JAB01371: to=root,
delay=00:00:00, xdelay=00:00:00, mailer=local, stat=unknown mailer error
1
Oct 14 09:15:06 localhost sendmail[1371]: JAB01371: JAC01371: return to
sender: unknown mailer error 1
Oct 14 09:15:06 localhost sendmail[1371]: JAC01371: to=postmaster,
delay=00:00:00, xdelay=00:00:00, mailer=local, stat=Sent
Oct 14 09:20:06 localhost sendmail[1395]: JAA01395: from=root, size=131,


Oct 14 09:20:06 localhost sendmail[1395]: JAA01395: to=root,
ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local,
stat=unknown mailer error 1
Oct 14 09:20:06 localhost sendmail[1395]: JAA01395: JAB01395: postmaster
notify: unknown mailer error 1
Oct 14 09:20:06 localhost sendmail[1395]: JAB01395: to=root,
delay=00:00:00, xdelay=00:00:00, mailer=local, stat=unknown mailer error
1
Oct 14 09:20:06 localhost sendmail[1395]: JAB01395: JAC01395: return to
sender: unknown mailer error 1
Oct 14 09:20:06 localhost sendmail[1395]: JAC01395: to=postmaster,
delay=00:00:00, xdelay=00:00:00, mailer=local, stat=Sent
Oct 14 09:25:06 localhost sendmail[1418]: JAA01418: from=root, size=131,


Oct 14 09:25:06 localhost sendmail[1418]: JAA01418: to=root,
ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local,
stat=unknown mailer error 1
Oct 14 09:25:06 localhost sendmail[1418]: JAA01418: JAB01418: postmaster
notify: unknown mailer error 1
Oct 14 09:25:06 localhost sendmail[1418]: JAB01418: to=root,
delay=00:00:00, xdelay=00:00:00, mailer=local, stat=unknown mailer error
1
Oct 14 09:25:06 localhost sendmail[1418]: JAB01418: JAC01418: return to
sender: unknown mailer error 1
Oct 14 09:25:06 localhost sendmail[1418]: JAC01418: to=postmaster,
delay=00:00:00, xdelay=00:00:00, mailer=local, stat=Sent

#########################################################
from /tmp/cron.root.13925

To: root
Subject: cron: /usr/lib/atrun 1> /dev/null 2> /dev/null

On Tue, 14 Oct 1997 19:54:38 -0400, Morgan Larch

I'm sorry I don't have a straigh answer other than:
firewalls and internet security. $ 29
        by William R. Cheswick and Steven M. Bellovin
        Addision Welsley ISBN 0-201-63357-4
Very good UNIX firewall, bastion host configuration, read it all book.

and especially:
Maximum Security : A Hacker's  Guide to Protecting Your Internet  Site
and Network
book &Cd-Rom Edition
Paperback
Published by Sams
Publication date: July 1, 1997
ISBN: 1575212684

good luck !

put

ALL: ALL in /etc/hosts.deny

then put something like

ALL: LOCAL

in /etc/hosts.allow

This should keep the intruders off the regular services such as telnet,
while alowing access to your computer from your local net.

If you're running a recent distribution like RedHat, simply remove the
anon-ftp (wu.ftpd) and sendmail packages from the system with the package
maintenace tool for your system (glint for redhat). If you need these
packages, fetch the latest versions and just do an update on them.
(www.redhat.com or www.debian.org, don't know for slackware)

Also, qmail (www.qmail.org) might be a better replacement for sendmail.

If that doesn't plug enough holes, take a look at a page like
http://world.std.com/~loki/security/ for lots and lots of information..

Hope this helps!

Erik

--

My email is at c2i.net, not c3i.net, so please change it if you want to
reply directly.

Quote:>The reason that I started using linux was to avoid MS NT's cost
>and still have multi cpu access for rendering but someone has been
>banging
>on my box pretty hard and done some damage (or so it seems). I have done
>what all I understand to do to keep them out and it has not helped. I've
>run cops and satin and pourd over /etc and dissabled sendmail. It's
>not helped and that is all I know how to do. I've contacted my ISP (who
>handed me off to /dev/null) and AOL (who has not responded, !surpise!).

>There is nothing on this machine that could be worth anything to anyone
>and it does not have secure links to any other boxes. I don't mind the
>target practice, but it has gone a little beyond that now (/bin and
>/sbin have been thrashed).

In that case, you can secure it simply by disabling all remote services:
don't run inetd, or turn off (by commenting the lines out) every single
thing you don't need in /etc/inetd.conf (such as telnetd, rlogind, ftpd,
and so on).  Also, and unless you actually need them, don't run any RPC
services (i.e don't start the portmapper nor the RPC daemons
themselves), and unless you plan to get mail directly to your machine
(as opposed to fetching it via POP), don't run sendmail.  If you don't
actually need it, don't put an ftp daemon (let alone an anonymous ftp
account) on your box.  If you don't really need it, don't put a web
server either, and if you do need it, remove all the default CGI scripts
and just put those of your own that you need if you do need any.

The daemons that are started up at boot time (or at going-multiuser
time) are usually configured somewhere in /etc/rc* .

--
Roger Espel Llima

http://www.eleves.ens.fr:8080/home/espel/index.html

: In that case, you can secure it simply by disabling all remote services:

Do realize this may not stop your attacker.  The only way to ensure
that is to reload the OS and then disable the remote services.  Before
I catch flak, remember the covert ICMP channel that appeared in, I
believe, 2600.  You can turn everything off, the kernel will still
deal with ICMP.

Roger
----------------------------------------------------------------------
The reply-to: address in the headers is a valid address, if you want
to send me e-mail just hit reply and it should work fine.  If your
newsreader is broken and can't deal with that then send your e-mail

----------------------------------------------------------------------

-Patrick

http://home.kudonet.com/~jvc411/welcome.html

Quote:>> There is nothing on this machine that could be worth anything to anyone
>> and it does not have secure links to any other boxes. I don't mind the
>> target practice, but it has gone a little beyond that now (/bin and
>> /sbin
>> have been thrashed).

Quote:>> So what I am asking is can any of you help me plug these holes (or where
>> to start looking, or what do I need to wrap how to get a fix on the
>> source).

Quote:>> I've included the only traces I have been able to capture -- maybe
>> they mean something to you. All it tells me is that they don't know
>> this site is running Linux and they are trumping netcom's smtp and
>> at least using AOL as an ID.

>> !**What ever advice you may have will be welcomed. I just do pictures**!

>> ####################################################################
>> From /var/adm/messages:

>> Oct  7 07:51:22 localhost pppd[2979]: remote IP address 163.179.240.2

Note that the YOU were connected to a box at 163.179.240.2, which is
frd-md-pm1.netcom.net... and that 205.186.165.43 is not just
orioles.dyn.ml.org (or was, for that few minutes), but also
frd-md1-11.ix.netcom.com.

Looks to me like John Luber has a dynamic address with ML, and was just
on frd-md1-11.ix.netcom.com, and then lost carrier for some reason...
so mail he was sending to himself from AOL went to your machine, thinking
it was his.

That is a drawback of ML.ORG's service: it gets weird when you lose link
unexpectedly.

It's no more cracking than dialing a wrong number is stalking.

Quote:>> #########################################################
>> Also from /var/adm/messages but with the disabled local sendmail:

Quote:>> from /tmp/cron.root.13925

>> To: root
>> Subject: cron: /usr/lib/atrun 1> /dev/null 2> /dev/null

--
Brian Moore                      The opinions expressed above are my own, not
Sysadmin, C/Perl Hacker          necessarily my employers'.