Tried attack or successful attack on mountd?

Tried attack or successful attack on mountd?

Post by Joerg Hobirk » Thu, 06 May 1999 04:00:00



Hi,
someone has tried to attack my computer but I'm unsure if he has succeeded.
I got the following messages:

Apr 30 23:58:14 xxxxxx mountd[94]: [truncated] NFS mount of ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
[...]
Apr 30 23:58:15 xxxxxx mountd[94]: Unauthorized access by NFS client 210.96.159.2.
Apr 30 23:58:15 xxxxxx mountd[94]: [truncated] Blocked attempt of 210.96.159.2 to mount ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
[...]
[...]

In my opinion, the attempt was blocked and not successful.
Do you agree with that?

Best regards,
Joerg

--

Jörg Hobirk
Institut für Plasmaphysik
Forschungszentrum Jülich

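The log lines above, as an added example that is not part of the thread: a small shell triage that picks out rpc.mountd requests whose "path" is a long run of one control character (rendered in caret notation, ^P, as in the post) and lists the client addresses mountd names in its refusals. Note the order visible in the post itself: the oversized path was logged at :14 and the "Blocked attempt" came at :15, so "Blocked" describes the export check that ran afterwards, not what the bytes did on the way in; the script therefore reports the shape of the request and who sent it, and leaves the question of compromise to the replies below. The sample lines are constructed to match the post's (rejoined onto single lines, with one benign request added for contrast); the host name xxxxxx and the address 210.96.159.2 are the post's own, and the message wording is assumed to be what mountd writes.

```shell
# Added example, not code from the thread: triage rpc.mountd syslog lines.
# A genuine export path is never dozens of copies of one control character;
# syslog (and this archive) render such bytes in caret notation, e.g. ^P, so
# a mount request that looks like that is the shape of an overflow payload
# no matter what the refusal text after it says.

# 1. Lines whose mount path is a run of 16 or more caret-notation control
#    characters (^@, ^A .. ^Z, ^_, ^?).
mountd_payload_lines() {
    grep -E 'mountd\[[0-9]+\]: .*mount (of )?(\^[@A-Z_?]){16,}' "$1"
}

# 2. Client addresses that mountd names in its refusal messages, one per line.
mountd_client_ips() {
    sed -nE \
        -e 's/.*Unauthorized access by NFS client ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\.?$/\1/p' \
        -e 's/.*attempt of ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) to mount .*/\1/p' \
        "$1" | sort -u
}

# 3. Operator summary: how many payload-shaped requests, and from whom.
mountd_verdict() {
    n=$(mountd_payload_lines "$1" | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
        printf 'SUSPECT: %s overflow-shaped mount request(s); clients: %s\n' \
            "$n" "$(mountd_client_ips "$1" | tr '\n' ' ')"
    else
        printf 'clean: no overflow-shaped mount requests\n'
    fi
}

# Constructed sample log: the post's three lines rejoined onto single lines
# (the archive wrapped them) plus one benign request for contrast.
SAMPLE_LOG=$(mktemp)
PAD=$(awk 'BEGIN { for (i = 0; i < 40; i++) printf "^P" }')
cat > "$SAMPLE_LOG" <<EOF
Apr 30 23:58:14 xxxxxx mountd[94]: NFS mount of $PAD
Apr 30 23:58:15 xxxxxx mountd[94]: Unauthorized access by NFS client 210.96.159.2.
Apr 30 23:58:15 xxxxxx mountd[94]: Blocked attempt of 210.96.159.2 to mount $PAD
May  1 08:12:03 xxxxxx mountd[94]: NFS mount of /home by 10.0.0.7
EOF

mountd_verdict "$SAMPLE_LOG"
# Note the order in the sample: the oversized path was logged at :14 and
# refused at :15, so "Blocked" describes the export check, not what the
# bytes did on the way in.
```

Run it against the real file with `mountd_verdict /var/log/messages`; anything it flags deserves the host-level checks the later replies describe, because the log alone cannot say whether the overflow worked.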
 
 
 

Tried attack or successful attack on mountd?

Post by David Stanaway » Thu, 06 May 1999 04:00:00



>Hi,
>someone has tried to attack my computer but I'm unsure if he has succeeded.

>In my opinion, the attempt was blocked and not successful.
>Do you agree with that?

There was a buffer overflow in mountd on Linux published a few months ago
and it was patched.  If your mountd was installed before January then I think
that it almost certainly was breached; if later, well, it depends on your
distribution set.

Check a Usenet search on groups with the keyword 'security' for posts that
contain the keyword 'mountd' in the last 6 months.

David Stanaway.

 
 
 

Tried attack or successful attack on mountd?

Post by Lance Spitzner » Thu, 06 May 1999 04:00:00



> someone has tried to attack my computer but I'm unsure if he has succeeded.
> I got the following messages:
> Apr 30 23:58:15 xxxxxx mountd[94]: Unauthorized access by NFS client 210.96.159.2.
> Apr 30 23:58:15 xxxxxx mountd[94]: [truncated] Blocked attempt of 210.96.159.2 to mount ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P

They were most likely successful. For more info, check
http://www.enteract.com/~lspitz/enemy2.html

Check to see if the users "w0rm" or "moof" were added to /etc/passwd
Check to see if you can login as "rewt" with "satori" as your password.

If you find either, you have DEFINITELY been compromised.

Lance Spitzner
http://www.enteract.com/~lspitz
Internetworking & Security Engineer
Dimension Enterprises Inc

 
 
 

Tried attack or successful attack on mountd?

Post by Alex Meise » Fri, 07 May 1999 04:00:00



> Check to see if the users "w0rm" or "moof" were added to /etc/passwd
> Check to see if you can login as "rewt" with "satori" as your password.

> If you find either, you have DEFINITELY been compromised.

Hi Lance!

A few weeks ago I found the user wOrm in the passwd of a gateway router
.. I deleted it ...
Now my question is: the wOrm user did not have uid 0 .... so what can
happen to the system? It is only a normal user ... the intruder has no
chance to modify the system. Or is the user wOrm only a side effect
of a bigger attack?

Bye!

        AleX

 
 
 

Tried attack or successful attack on mountd?

Post by Matthew Whela » Fri, 07 May 1999 04:00:00




> > Check to see if the users "w0rm" or "moof" were added to /etc/passwd
> > Check to see if you can login as "rewt" with "satori" as your password.

> > If you find either, you have DEFINITELY been compromised.
> Hi Lance!

> A few weeks ago I found the user wOrm in the passwd of a gateway router
> .. I deleted it ...
> Now my question is: the wOrm user did not have uid 0 .... so what can
> happen to the system? It is only a normal user ... the intruder has no
> chance to modify the system. Or is the user wOrm only a side effect
> of a bigger attack?

> Bye!

>         AleX

w0rm is usually inserted by a rootkit after whichever script the kiddie
happened to be using has insinuated its way into your machine; there are
most likely enormous numbers of backdoors lying around your system, so
don't trust _any_ of it. In order to insert the entry into passwd, the
attacker must already have root-compromised the machine, and once that
happens all bets are off: you don't know what they might have done. In
particular, there's a strong chance that the login binary has been
altered to allow root logins to users not marked as having uid.gid 0.0
in the passwd file. In addition, system binaries such as ls, find, cat,
sum etc. could well have been altered to conceal the hacks.
   If you have a tripwire executable and database on immutable media
(e.g. a read-only NFS mount from a more secure machine, or a CD-R
sitting in a CDROM drive, or no drive at all), check everything against
that (having rebooted off trusted media). Otherwise back up the user
space, reformat everything and either restore from a known-good backup
(i.e. one from at least before the user appeared in passwd) or, if such a
thing doesn't exist (but you _do_ keep backups, right?), from known-good
installation media.
    Sorry to be the bearer of bad news
        ~ Matthew ~
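The minimal form of what Matthew describes, as an added example that is not part of the thread and not the tripwire format: a checksum manifest of the binaries a rootkit replaces (ls, find, cat, sum, login ...) taken while the system is known good and kept on read-only media, then compared against the live tree later. The demo runs on a constructed directory of stand-in files; the directory layout, the manifest format and the use of sha256sum are assumptions. The comparison only means something when it is run after booting from trusted media, with a manifest and a sha256sum/find that the suspect system could not have touched, since a trojaned find or checksum tool will simply report what the attacker wants.

```shell
# Added example, not code from the thread: a tripwire-style manifest check.
# Baseline: record a hash of every file under a tree while it is trusted.
# Later: hash the live tree again and report what changed, vanished or
# appeared. Keep the manifest and the tools on read-only media and run
# this from a trusted boot, or the tools doing the checking may be the
# ones that were replaced.

# SHA-256 of one file (GNU coreutils sha256sum, or shasum where absent).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi |
        cut -d' ' -f1
}

# Write "hash  path" for every regular file under tree $1 into manifest $2.
# (Paths are relative to the tree so the manifest is portable; paths
# containing spaces are not handled by this simple format.)
make_manifest() {
    tree="$1"; out="$2"
    ( cd "$tree" && find . -type f | sort | while IFS= read -r f; do
          printf '%s  %s\n' "$(hash_file "$f")" "$f"
      done ) > "$out"
}

# Compare live tree $1 with manifest $2; prints CHANGED/MISSING/ADDED lines,
# nothing at all when the tree still matches.
verify_manifest() {
    tree="$1"; manifest="$2"
    current=$(mktemp)
    make_manifest "$tree" "$current"
    awk 'NR == FNR { base[$2] = $1; next }      # first file: the trusted manifest
         { live[$2] = $1 }                       # second file: the live tree
         END {
             for (f in base) if (!(f in live)) print "MISSING " f
                             else if (base[f] != live[f]) print "CHANGED " f
             for (f in live) if (!(f in base)) print "ADDED " f
         }' "$manifest" "$current" | sort
    rm -f "$current"
}

# Constructed demo: a stand-in /bin with four "binaries", baseline taken,
# then ls replaced and a stray file dropped in, the way a rootkit would.
DEMO=$(mktemp -d)
mkdir "$DEMO/bin"
for b in ls find cat login; do printf 'original %s binary\n' "$b" > "$DEMO/bin/$b"; done
make_manifest "$DEMO/bin" "$DEMO/manifest"        # this copy belongs on read-only media

printf 'original ls binary\nplus code that hides nfs.o\n' > "$DEMO/bin/ls"
printf 'x\n' > "$DEMO/bin/.rhosts"
verify_manifest "$DEMO/bin" "$DEMO/manifest"
# ADDED ./.rhosts
# CHANGED ./ls
```

On a real system the baseline is taken over /bin, /sbin, /usr/bin, /lib/modules and the like immediately after a clean install, before the machine is put on the network; a manifest taken after the w0rm entry appeared only tells you what changed since the break-in, not what the break-in changed.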
 
 
 

Tried attack or successful attack on mountd?

Post by Arno Hollos » Fri, 07 May 1999 04:00:00



> A few weeks ago I found the user wOrm in the passwd of a gateway router
> .. I deleted it ...
> Now my question is: the wOrm user did not have uid 0 .... so what can
> happen to the system? It is only a normal user ... the intruder has no

Just ask yourself what privileges you need to modify /etc/passwd or shadow?
Usually, root.

So if someone is able to modify these files he knows how to get root access.
And any simple user account != uid 0 is enough (maybe he wouldn't even
need an account, but it's more convenient).

The reason to use a user != uid 0 is that many systems have a passwd check
in their cron entry, which reports any user with uid 0 who is not root.

I suggest that you check for the usual rootkit that comes with such
break-ins. If you don't have tripwire or something similar, the only
sensible thing to do is to reinstall the whole system from scratch.

/Arno
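A first-pass audit of /etc/passwd for the two signs named in Lance's and Arno's posts, as an added example that is not part of the thread: the account names reported from this break-in (w0rm, moof, rewt) and any uid 0 entry besides root, which is the check Arno's cron job performs and the reason the attacker's own account is deliberately given an ordinary uid. The sample passwd file is constructed; the name list and report wording are assumptions. The script only reads the file, so a login binary patched to hand root to an ordinary uid, as Matthew describes, is invisible to it.

```shell
# Added example, not code from the thread: audit a passwd file for backdoor
# accounts. Two independent signals: names known from this rootkit, and
# uid 0 entries that are not root (the attacker avoids the second, which
# is exactly why the first is still worth checking).

BACKDOOR_NAMES="w0rm moof rewt"   # names reported in the thread; extend locally

# Account names from BACKDOOR_NAMES that exist in passwd file $1.
passwd_named_backdoors() {
    for name in $BACKDOOR_NAMES; do
        awk -F: -v n="$name" '$1 == n { print $1 }' "$1"
    done
}

# Accounts in $1 with uid 0 whose name is not root (what the cron check reports).
passwd_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Uids shared by more than one account, as "uid: name name"; a second uid 0
# entry is the classic case, but any duplicate deserves a look.
passwd_shared_uids() {
    awk -F: '{ n[$3]++; names[$3] = names[$3] " " $1 }
             END { for (u in n) if (n[u] > 1) print u ":" names[u] }' "$1" | sort
}

# Human-readable report; always exits 0 so it can sit in a cron job whose
# mail you actually read.
passwd_audit() {
    f="$1"; found=0
    for u in $(passwd_named_backdoors "$f"); do echo "backdoor account name: $u"; found=1; done
    for u in $(passwd_extra_uid0 "$f");    do echo "uid 0 besides root: $u";    found=1; done
    if [ "$found" -eq 0 ]; then
        echo "passwd: nothing obvious (a patched login binary would not show here)"
    fi
}

# Constructed sample: a normal user, the w0rm account on a plain uid, and a
# second uid 0 entry of the kind the cron check would catch.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
alex:x:1000:1000:Alex:/home/alex:/bin/sh
w0rm:x:1001:1001::/tmp:/bin/sh
toor:x:0:0::/:/bin/sh
EOF

passwd_audit "$SAMPLE_PASSWD"
passwd_shared_uids "$SAMPLE_PASSWD"
```

Point it at the real file with `passwd_audit /etc/passwd`, and at /etc/shadow as well if your system splits them; a clean result from both is necessary but, as the thread keeps saying, nowhere near sufficient.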

 
 
 

Tried attack or successful attack on mountd?

Post by Alex Meise » Fri, 07 May 1999 04:00:00




> > A few weeks ago I found the user wOrm in the passwd of a gateway router
> > .. I deleted it ...
> > Now my question is: the wOrm user did not have uid 0 .... so what can
> > happen to the system? It is only a normal user ... the intruder has no

> Just ask yourself what privileges you need to modify /etc/passwd or shadow?
> Usually, root.

I know that, but did the script add the user to the passwd (as a result of
the mountd buffer overflow) or was it another script?
The script kiddie just used the script to get the wOrm entry into passwd
through the mountd bug .... so everyone can add users, not only root!

Without tripwire or something else I had to reinstall my system ...
there was no chance to be sure that my system is secure!

My question was, what does that script do? ... does it only add a user?
Or does it do something else, like replacing the login? Or are there
different versions of that script out there, with different capabilities?

Script kiddies usually don't know how the scripts they use work ... so I
think they don't have the knowledge to modify them in order to add more
features.

Bye!

        AleX

 
 
 

Tried attack or successful attack on mountd?

Post by Paul D. Boy » Sun, 09 May 1999 04:00:00


: Script kiddies usually don't know how the scripts they use work ... so I
: think they don't have the knowledge to modify them in order to add more
: features.

That's a pretty dangerous assumption.  If someone got root on your
box, they can do *anything*, even make themselves look like a clueless
script kiddie.  Unless you meet the person face to face you really know
*nothing* about them, and even then looks can be deceiving.  The only
thing to do if you want to bring your box back into a known state is
to reformat the drive and reinstall.  Don't make an assumption about
someone else's competence that may come back to haunt you.

I once did a post-mortem on a hacked Linux box where someone installed a
modified 'ls' command that would not display an nfs.o file installed
under /lib/modules/2.0.xx/fs/.  Fortunately, I could find it with find.
Who knows what custom-written hack loadable kernel modules exist
out there.  As an example, check out the reference to *.c on
www.rootshell.com.  Scary stuff.

Later,

Paul

--

Director, X-ray Structural Facility |   phone: (919) 515-7362
Department of Chemistry - Box 8204  |   FAX:   (919) 515-5079
North Carolina State University     |
Raleigh, NC, 27695-8204

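The cross-check Paul's post implies, as an added example that is not part of the thread: a replaced ls that drops one name from its output still lives in a directory the kernel reads honestly, so listing the same directory two independent ways (the shell's own globbing, which calls no external binary, against whatever ls is installed) exposes any name the trojaned tool swallows. The "trojaned ls" here is a constructed shell function that filters one name, and the directory of stand-in module files is constructed too. A rootkit that patches the kernel, the loadable-module case Paul mentions, would lie to both views, which is why Matthew's advice to check from trusted media still stands.

```shell
# Added example, not code from the thread: catch a trojaned ls by comparing
# its output with an independent view of the same directory. The shell's
# builtin globbing asks the kernel directly and runs no external program,
# so a doctored /bin/ls cannot influence it.

# Entry names in directory $1 as the shell's builtin globbing sees them
# (dotfiles included, . and .. excluded).
entries_via_glob() {
    for f in "$1"/* "$1"/.[!.]* "$1"/..?*; do
        [ -e "$f" ] || [ -L "$f" ] || continue    # pattern that matched nothing
        printf '%s\n' "${f##*/}"
    done | sort
}

# Entry names in $1 as reported by lister $2 (a command or function;
# defaults to the system ls).
entries_via_lister() {
    "${2:-ls}" -A "$1" | sort
}

# Names present in the directory that the lister did not report.
hidden_from_lister() {
    a=$(mktemp); b=$(mktemp)
    entries_via_lister "$1" "$2" > "$a"
    entries_via_glob "$1" > "$b"
    comm -13 "$a" "$b"          # lines only in the glob view
    rm -f "$a" "$b"
}

# Constructed stand-in for a rootkit's ls: the real ls with one name removed,
# modelled on the post's nfs.o that ls would not show.
trojan_ls() { ls "$@" | grep -v '^nfs\.o$'; }

DEMO=$(mktemp -d)
mkdir -p "$DEMO/fs"
for f in ext2.o nfs.o vfat.o; do : > "$DEMO/fs/$f"; done
hidden_from_lister "$DEMO/fs"            # honest ls: prints nothing
hidden_from_lister "$DEMO/fs" trojan_ls  # prints nfs.o
```

The same idea extends to any pair of tools that should agree: ls against find, ps against /proc, netstat against /proc/net; a disagreement proves tampering, but agreement proves nothing once the kernel itself is suspect.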
 
 
 

Tried attack or successful attack on mountd?

Post by Alex Meise » Tue, 11 May 1999 04:00:00



> That's a pretty dangerous assumption.  If someone got root on your
> box, they can do *anything* even make themselves look like a clueless
> scriptkiddie.  Unless you meet the person face to face you really know
> *nothing* about them, and even then looks can be deceiving.  The only
> thing to do if you want to bring your box back into a known state is
> to reformat the drive and reinstall.  Don't make an assumption about
> someone else's competence that may come back to haunt you.

I know that ... I installed my box from scratch after I found this friend
on my system ....

> I once did a post-mortem on a hacked Linux box where someone installed a
> modified 'ls' command that would not display an nfs.o file installed
> under /lib/modules/2.0.xx/fs/.  Fortunately, I could find it with find.
> Who knows what custom-written hack loadable kernel modules exist
> out there.  As an example, check out the reference to *.c on
> www.rootshell.com.  Scary stuff.

It was a little bit difficult to update the very old * source,
but it works ;)

Soooo long!
                AleX

 
 
 
