I am getting hacked like its going out of style.


Post by Justin Kell » Wed, 28 Mar 2001 05:57:20



Background on questions:
I am ending my third month using Linux. When I had gotten back from
spring break my computer was going haywire; when I shut down and
restarted I realized that my root password had changed, and so started a
week of getting things back in line (hardware trouble complicated my
efforts at restoring root access). Upon inspection, I've realized my
system has been inundated with intruders for at least a month, with what
appears to me to be two completely different hacking incidents (one
around the 27th of February, where some suspect files appear in the '/'
directory; the intruder erased log files from this time as well; and one
around the tenth to 17th of March, in which they took over my system
over spring break for who knows what reason).

Question one:
Right now I have started going through some security books my brother
had, I have found "Practical Unix Security" by Garfinkel and Spafford,
but it is copyrighted for 1991, is it still worth going through or has
too much changed?

Question two:
I need a quick security fix until I learn something about security,
will shutting down Telnet do it? How do I shut it down? And does the
default Linux FTP program pose a security risk to me as well? (I haven't
been able to log onto my computer via FTP so right now I am assuming it
is safe)

A good security book recommendation would help me out as well.

As always, thank you in advance for any information.
Regards,
-Justin Kelly


Post by john anselm » Wed, 28 Mar 2001 06:09:13


Justin, you can shut down telnet by commenting telnet out of /etc/inetd.conf,

then kill -HUP <pid of inetd>.

If you want to use telnet, install TCP wrappers; if you have 7.0 it's already
preinstalled. You can just edit /etc/hosts.deny and put
ALL:ALL
to deny everybody from your network.

Then in /etc/hosts.allow
you can put
in.telnetd: ip address
so you can allow certain people from your network.

That's it. It's probably a good idea if you install OpenSSH, because this also
includes scp (secure copy), so you can block your FTP port as well. If you have
Red Hat 7.0, OpenSSH is already preinstalled, but you might want to go to Red Hat
and download the latest patches.



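The reply above names the two files but not the order in which tcpd consults them, which is what makes "ALL:ALL in hosts.deny" the important half. The following is an added example, not code from this thread or from the tcp_wrappers package: a Python model of the documented decision rule (hosts.allow first, then hosts.deny, then allow by default) for a subset of the pattern syntax. The addresses 192.0.2.10 and 198.51.100.7 are placeholders for "my own machine" and "anyone else"; the configurations are constructed from the reply's recommendation.

```python
"""Model of the tcp_wrappers access decision for /etc/hosts.allow and
/etc/hosts.deny.

Added illustration, not code from this thread or from tcp_wrappers itself.
It implements the documented evaluation order for a subset of the pattern
syntax: ALL, daemon names, exact client IPs and dotted network prefixes
such as "192.0.2.". EXCEPT clauses, hostnames, netmask forms and shell
commands are deliberately left out.
"""


def parse_rules(text):
    """Parse hosts.allow/hosts.deny text into (daemon_patterns, client_patterns)
    pairs. Comments and blank lines are skipped; each field is a list
    separated by commas or whitespace."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line; real tcpd logs a syntax error
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def _client_matches(pattern, client_ip):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):  # "192.0.2." matches every host in 192.0.2.0/24
        return client_ip.startswith(pattern)
    return pattern == client_ip  # exact address


def _daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def _matches(rules, daemon, client_ip):
    return any(
        any(_daemon_matches(d, daemon) for d in daemons)
        and any(_client_matches(c, client_ip) for c in clients)
        for daemons, clients in rules
    )


def access_allowed(hosts_allow, hosts_deny, daemon, client_ip):
    """tcpd's rule: a match in hosts.allow grants, otherwise a match in
    hosts.deny refuses, otherwise access is granted. That final default is
    why an empty hosts.deny leaves every wrapped service open."""
    if _matches(parse_rules(hosts_allow), daemon, client_ip):
        return True
    if _matches(parse_rules(hosts_deny), daemon, client_ip):
        return False
    return True


# Constructed configurations. 192.0.2.10 stands for "my other machine",
# 198.51.100.7 for anyone else on the Internet (both are documentation ranges).
WEAK_DENY = ""                       # stock install: nothing denied
POSTED_DENY = "ALL: ALL\n"           # the reply's recommendation
POSTED_ALLOW = "in.telnetd: 192.0.2.10\n"

if __name__ == "__main__":
    checks = [("in.telnetd", "192.0.2.10"),
              ("in.telnetd", "198.51.100.7"),
              ("in.ftpd", "192.0.2.10")]
    for daemon, ip in checks:
        weak = access_allowed(POSTED_ALLOW, WEAK_DENY, daemon, ip)
        hardened = access_allowed(POSTED_ALLOW, POSTED_DENY, daemon, ip)
        print("%-10s from %-13s  empty hosts.deny: %-5s  ALL:ALL: %s"
              % (daemon, ip, weak, hardened))
```

Two caveats the model makes visible: with an empty hosts.deny the allow file changes nothing, because the default at the end of the procedure is "grant"; and wrappers only ever see connections to services started through tcpd or linked against libwrap, so a daemon listening on its own is not covered. As the later replies say, none of this helps on a box that is already compromised.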


Post by SeattleNe » Wed, 28 Mar 2001 06:51:41


Hi Justin!
Yes, that book is too old; one of the best places for up-to-date info is
right here on this newsgroup! Now you need to do a complete fresh install. I
do not know what version you have, and it matters because different distros
have different ways of removing services like telnet. (telnet = bad) When
you are doing the install do not add FTP if you are not going to use it, do
not install sendmail if you are not going to use it, etc. etc. You can always
add services later once you know how to secure them. For a very fast
firewall fix go to SourceForge and look up Seattle Firewall. It is a program
that will set up your ipchains for you; it is very easy to use if you read
the docs. You will not learn how to write the chains yourself, as it does it
for you, but you can learn them later once you have a secure box on the net.
Also, many of the posts here have links to many web pages with more up-to-date
info than any book that takes months to publish. But remember, don't try
to fix your box with the current version, as you will never be sure it's
actually your box! Thanks



Post by Manfred Bart » Wed, 28 Mar 2001 07:24:20



> Background on questions:
> I am ending my third month using Linux. When I had gotten back from
> spring break my computer was going haywire; when I shut down and
> restarted I realized that my root password had changed, and so
> started a week of getting things back in line (hardware trouble
> complicated my efforts at restoring root access). Upon inspection,
> I've realized my system has been inundated with intruders for at
> least a month, with what appears to me to be two completely different
> hacking incidents (one around the 27th of February, where some
> suspect files appear in the '/' directory; the intruder erased log
> files from this time as well; and one around the tenth to 17th of
> March, in which they took over my system over spring break for who
> knows what reason).

> Question one:
> Right now I have started going through some security books my
> brother had, I have found "Practical Unix Security" by Garfinkel and
> Spafford, but it is copyrighted for 1991, is it still worth going
> through or has too much changed?

That book is still relevant because the basic principles have not
changed.  Some of the newer countermeasures, in particular against
DoS attacks, are not covered (e.g. SYN cookies), but that is of no
consequence to a client-only system.

> Question two:
> I need a quick security fix until I learn something about security,
> will shutting down Telnet do it?

No.  Your system is thoroughly infested with probably dozens of
backdoors, trojans, sniffers etc...  Most of the important system
utilities will now lie to you (ps, netstat, syslog, etc...).

The only solution is to wipe the disk (mke2fs) and install from
scratch.  Then implement a firewall before coming back on-line.

> A good security book recommendation would help me out as well.

I am not sure that I would spend money on a book now.  There are a
lot of sites with more up-to-date information.  E.g.:

        <http://www.enteract.com/~lspitz/linux.html>
        <http://www.bastille-linux.org/>

There are links to many other sites.
My own mini firewall is here:

        <http://logi.cc/linux/minimalIPChainsRules.txt>

For the moment I also suggest to stay with ipchains, move to
netfilter (iptables) when that is more mature.

--
Manfred
---------------------------------------------------------------
ipchainsLogAnalyzer, NetCalc, whois at: <http://logi.cc/linux/>


Post by Dimitri Mazi » Wed, 28 Mar 2001 07:39:05


...

>Question one:
>Right now I have started going through some security books my brother
>had, I have found "Practical Unix Security" by Garfinkel and Spafford,
>but it is copyrighted for 1991, is it still worth going through or has
>too much changed?

Yes, it is worth going through and whoever tells you otherwise hasn't
a clue. Also Security-HOWTO and Securing and Optimizing Linux: RedHat
Edition - A Hands On Guide (http://www.linuxdoc.org, howto and guides
resp.) Then proceed to ipchains howto (or packet filtering howto at
http://netfilter.kernelnotes.org if you're running 2.4 kernel).

>Question two:
>I need a quick security fix until I learn something about security,
>will shutting down Telnet do it? How do I shut it down? And does the
>default Linux FTP program pose a security risk to me as well? (I haven't
>been able to log onto my computer via FTP so right now I am assuming it
>is safe)

Download the docs listed above and unplug your modem. Once you finished
reading, you'll know what to do next.

Dima
--

http://www.bmrb.wisc.edu/descript/gpgkey.dmaziuk.ascii -- GnuPG 1.0.4 public key
I'm going to exit now since you don't want me to replace the printcap. If you
change your mind later, run                      -- magicfilter config script


Post by DVHando » Wed, 28 Mar 2001 07:40:51


Format ALL partitions RIGHT NOW.  The reason: you don't know what has been
changed.  The attacker(s) might have left behind files that allow them to get
back in.  If you need to backup any files, unplug the network/modem cables.  DO
NOT back up ANY executables, or the system databases such as /etc/passwd and
/etc/shadow...  Reinstall the operating system, and obtain the latest security
fixes.  Then restore your files.
After you finish reading this, the computer should begin shutting down.

Post by Luke Voge » Wed, 28 Mar 2001 08:34:43



> Justin, you can shut down telnet by commenting telnet out of /etc/inetd.conf,

> then kill -HUP <pid of inetd>.

> If you want to use telnet, install TCP wrappers; if you have 7.0 it's already
> preinstalled. You can just edit /etc/hosts.deny and put
> ALL:ALL
> to deny everybody from your network.

> Then in /etc/hosts.allow
> you can put
> in.telnetd: ip address
> so you can allow certain people from your network.

> That's it. It's probably a good idea if you install OpenSSH, because this also
> includes scp (secure copy), so you can block your FTP port as well. If you have
> Red Hat 7.0, OpenSSH is already preinstalled, but you might want to go to Red Hat
> and download the latest patches.

... and all of the above is a total waste of time because you can bet
that the cracker(s) have installed backdoors and trojans that will allow
them to gain root any time THEY want!

Make a backup of your data, format the disk, re-install from secure
media, disable all unknown/unwanted services, install a firewall, then
_maybe_ connect to the net again if you feel confident that the box is
tight.

Please don't waste your time and ours by trying to "fix" it up.  You can
never be sure you have removed all backdoors and trojans.

--
Regards
Luke
------
On the requirements it said: Windows 98 or better - so I installed Linux
------
http://www.bell-bird.com.au
PLEASE NOTE: Spamgard (tm) installed.

------


Post by john anselm » Wed, 28 Mar 2001 09:12:15




I agree with Luke

Post by Justin Kell » Wed, 28 Mar 2001 09:20:51


Thank you all. I have, since my being hacked, installed Red Hat on a newer
and bigger hard drive, but am currently using this one since there was an
issue with internet access and IP masking a Windows box I have (but this
is a different story for a different group). . .

I will reinstall on this new fresh drive in a way that corrects the network
situation. I had mounted my current hacked drive onto the new fresh
one when I zeroed out my root password. Should I worry about the new
drive being compromised just because I mounted my old one onto it?

I just can't understand why someone would do this.

if no one minds could you clue me in as to what is going on in these log
files? (note: flea is no user of mine) I would try to post the contents
of a file I am sure is a file placed on my system by a hacker, but it
would not be prudent at this time.

===================================== cron log file ======================

Mar 10 07:50:00 UpsilonAndromeda CROND[8541]: (root) CMD (   /sbin/rmmod -as)
Mar 10 08:00:00 UpsilonAndromeda CROND[8568]: (root) CMD (/usr/lib/sa/sa1 600 6 &)
Mar 10 08:00:00 UpsilonAndromeda CROND[8570]: (root) CMD (   /sbin/rmmod -as)
Mar 10 08:01:00 UpsilonAndromeda CROND[8578]: (root) CMD (run-parts /etc/cron.hourly)
Mar 10 08:10:00 UpsilonAndromeda CROND[10063]: (root) CMD (   /sbin/rmmod -as)
Mar 10 08:19:21 UpsilonAndromeda crontab[10068]: (flea) REPLACE (flea)
Mar 10 08:20:00 UpsilonAndromeda CROND[10073]: (root) CMD (   /sbin/rmmod -as)
Mar 10 08:25:00 UpsilonAndromeda CROND[10089]: (flea) CMD ("/tmp/.c/bchk" >/dev/null 2>&1)
Mar 10 08:30:00 UpsilonAndromeda CROND[11584]: (root) CMD (   /sbin/rmmod -as)
Mar 10 08:35:00 UpsilonAndromeda CROND[11591]: (flea) CMD ("/tmp/.c/bchk" >/dev/null 2>&1)
Mar 10 08:40:00 UpsilonAndromeda CROND[11602]: (root) CMD (   /sbin/rmmod -as)
Mar 10 08:45:00 UpsilonAndromeda CROND[11609]: (flea) CMD ("/tmp/.c/bchk" >/dev/null 2>&1)
Mar 10 08:50:00 UpsilonAndromeda CROND[11613]: (root) CMD (   /sbin/rmmod -as)
Mar 10 08:55:00 UpsilonAndromeda CROND[11615]: (flea) CMD ("/tmp/.c/bchk" >/dev/null 2>&1)

=================================== messages log file ========================

Mar 10 07:03:26 UpsilonAndromeda rhnsd[888]: command returned: ERROR: unable to read system id.
Mar 10 07:10:00 UpsilonAndromeda CROND[8526]: (root) CMD (   /sbin/rmmod -as)
Mar 10 07:20:00 UpsilonAndromeda CROND[8529]: (root) CMD (   /sbin/rmmod -as)
Mar 10 07:30:00 UpsilonAndromeda CROND[8535]: (root) CMD (   /sbin/rmmod -as)
Mar 10 07:33:26 UpsilonAndromeda rhnsd[8536]: running program /usr/sbin/rhn_check
Mar 10 07:33:28 UpsilonAndromeda rhnsd[888]: command returned: ERROR: unable to read system id.
Mar 10 07:40:00 UpsilonAndromeda CROND[8538]: (root) CMD (   /sbin/rmmod -as)
Mar 10 07:50:00 UpsilonAndromeda CROND[8541]: (root) CMD (   /sbin/rmmod -as)
Mar 10 07:59:13 UpsilonAndromeda kernel: Packet log: inp DENY eth0 PROTO=6 64.229.31.120:2129 24.6.242.15:24452 L=48 S=0x00 I=32780 F=0x4000 T=115 SYN (#2)
Mar 10 07:59:16 UpsilonAndromeda kernel: Packet log: inp DENY eth0 PROTO=6 64.229.31.120:2129 24.6.242.15:24452 L=48 S=0x00 I=33292 F=0x4000 T=115 SYN (#2)
Mar 10 07:59:22 UpsilonAndromeda kernel: Packet log: inp DENY eth0 PROTO=6 64.229.31.120:2129 24.6.242.15:24452 L=48 S=0x00 I=36876 F=0x4000 T=115 SYN (#2)
Mar 10 07:59:34 UpsilonAndromeda kernel: Packet log: inp DENY eth0 PROTO=6 64.229.31.120:2129 24.6.242.15:24452 L=48 S=0x00 I=44812 F=0x4000 T=115 SYN (#2)
Mar 10 07:59:35 UpsilonAndromeda PAM_unix[8544]: (system-auth) session opened for user flea by (uid=0)
Mar 10 07:59:35 UpsilonAndromeda  -- flea[8544]: LOGIN ON pts/2 BY flea FROM 213.4.16.199
Mar 10 08:00:00 UpsilonAndromeda CROND[8568]: (root) CMD (/usr/lib/sa/sa1 600 6 &)
Mar 10 08:00:00 UpsilonAndromeda CROND[8570]: (root) CMD (   /sbin/rmmod -as)
Mar 10 08:01:00 UpsilonAndromeda CROND[8578]: (root) CMD (run-parts /etc/cron.hourly)
Mar 10 08:03:28 UpsilonAndromeda rhnsd[10061]: running program /usr/sbin/rhn_check
Mar 10 08:03:33 UpsilonAndromeda rhnsd[888]: command returned: ERROR: unable to read system id.
Mar 10 08:10:00 UpsilonAndromeda CROND[10063]: (root) CMD (   /sbin/rmmod -as)
Mar 10 08:19:21 UpsilonAndromeda crontab[10068]: (flea) REPLACE (flea)
Mar 10 08:19:37 UpsilonAndromeda PAM_unix[10069]: (system-auth) session opened for user x by flea(uid=550)
Mar 10 08:20:00 UpsilonAndromeda CROND[10073]: (root) CMD (   /sbin/rmmod -as)
Mar 10 08:20:00 UpsilonAndromeda PAM_unix[10069]: (system-auth) session closed for user x
Mar 10 08:25:00 UpsilonAndromeda CROND[10089]: (flea) CMD ("/tmp/.c/bchk" >/dev/null 2>&1)
Mar 10 08:30:00 UpsilonAndromeda CROND[11584]: (root) CMD (   /sbin/rmmod -as)
Mar 10 08:33:33 UpsilonAndromeda rhnsd[11588]: running program /usr/sbin/rhn_check
Mar 10 08:33:37 UpsilonAndromeda rhnsd[888]: command returned: ERROR: unable to read system id.
Mar 10 08:35:00 UpsilonAndromeda CROND[11591]: (flea) CMD ("/tmp/.c/bchk" >/dev/null 2>&1)
Mar 10 08:39:56 UpsilonAndromeda PAM_unix[11599]: (system-auth) session opened for user x by flea(uid=550)
Mar 10 08:40:00 UpsilonAndromeda CROND[11602]: (root) CMD (   /sbin/rmmod -as)
Mar 10 08:41:27 UpsilonAndromeda PAM_unix[11599]: (system-auth) session closed for user x
Mar 10 08:43:01 UpsilonAndromeda PAM_unix[8544]: (system-auth) session closed for user flea
Mar 10 08:45:00 UpsilonAndromeda CROND[11609]: (flea) CMD ("/tmp/.c/bchk" >/dev/null 2>&1)
Mar 10 08:50:00 UpsilonAndromeda CROND[11613]: (root) CMD (   /sbin/rmmod -as)
Mar 10 08:55:00 UpsilonAndromeda CROND[11615]: (flea) CMD ("/tmp/.c/bchk" >/dev/null 2>&1)
Mar 10 09:00:00 UpsilonAndromeda CROND[11619]: (root) CMD (/usr/lib/sa/sa1 600 6 &)
Mar 10 09:00:00 UpsilonAndromeda CROND[11620]: (root) CMD (   /sbin/rmmod -as)
Mar 10 09:01:00 UpsilonAndromeda CROND[11625]: (root) CMD (run-parts /etc/cron.hourly)
Mar 10 09:03:37 UpsilonAndromeda rhnsd[11627]: running program /usr/sbin/rhn_check
Mar 10 09:03:39 UpsilonAndromeda rhnsd[888]: command returned: ERROR: unable to read system id.
Mar 10 09:05:00 UpsilonAndromeda CROND[11629]: (flea) CMD ("/tmp/.c/bchk" >/dev/null 2>&1)
Mar 10 09:10:00 UpsilonAndromeda CROND[11639]: (root) CMD (   /sbin/rmmod -as)
Mar 10 14:10:22 UpsilonAndromeda rpc.statd[443]: gethostbyname error for
^X??^X??^Y??^Y??^Z??^Z??^[??^[??%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????1?|Y?A^P?A^Ht?A^D??t?^Af?3^B?Y^L?A^N??A^H^P?I^D?A^D^L^^Af?3^Df?3^E0^A^Df???^?1?
Mar 10 09:15:01 UpsilonAndromeda CROND[11646]: (flea) CMD ("/tmp/.c/bchk" >/dev/null 2>&1)
Mar 10 09:20:00 UpsilonAndromeda CROND[11656]: (root) CMD (   /sbin/rmmod -as)
Mar 10 09:25:00 UpsilonAndromeda CROND[11696]: (flea) CMD ("/tmp/.c/bchk" >/dev/null 2>&1)
Mar 10 09:30:00 UpsilonAndromeda CROND[11727]: (root) CMD (   /sbin/rmmod -as)
Mar 10 09:33:39 UpsilonAndromeda rhnsd[11742]: running program /usr/sbin/rhn_check
Mar 10 09:33:43 UpsilonAndromeda rhnsd[888]: command returned: ERROR: unable to read system id.
Mar 10 09:35:00 UpsilonAndromeda CROND[11749]: (flea) CMD ("/tmp/.c/bchk" >/dev/null 2>&1)
Mar 10 09:40:00 UpsilonAndromeda CROND[11756]: (root) CMD (   /sbin/rmmod -as)
Mar 10 14:40:30 UpsilonAndromeda rpc.statd[443]: gethostbyname error for
^X??^X??^Y??^Y??^Z??^Z??^[??^[??%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????1?|Y?A^P?A^Ht?A^D??t?^Af?3^B?Y^L?A^N??A^H^P?I^D?A^D^L^^Af?3^Df?3^E0^A^Df???^?1?
Mar 10 09:45:00 UpsilonAndromeda CROND[11758]: (flea) CMD ("/tmp/.c/bchk" >/dev/null 2>&1)
Mar 10 09:50:00 UpsilonAndromeda CROND[11762]: (root) CMD (   /sbin/rmmod -as)
Mar 10 09:55:00 UpsilonAndromeda CROND[11764]: (flea) CMD ("/tmp/.c/bchk" >/dev/null 2>&1)
Mar 10 10:00:00 UpsilonAndromeda CROND[11768]: (root) CMD (/usr/lib/sa/sa1 600 6 &)
Mar 10 10:00:00 UpsilonAndromeda CROND[11769]: (root) CMD (   /sbin/rmmod -as)
Mar 10 10:01:00 UpsilonAndromeda CROND[11774]: (root) CMD (run-parts /etc/cron.hourly)
Mar 10 10:03:43 UpsilonAndromeda rhnsd[11776]: running program /usr/sbin/rhn_check
Mar 10 10:03:45 UpsilonAndromeda rhnsd[888]: command returned: ERROR: unable to read system id.
Mar 10 10:05:00 UpsilonAndromeda CROND[11778]: (flea) CMD ("/tmp/.c/bchk" >/dev/null 2>&1)
Mar 10 10:10:00 UpsilonAndromeda CROND[11788]: (root) CMD (   /sbin/rmmod -as)
Mar 10 10:15:00 UpsilonAndromeda CROND[11810]: ...


Post by Luke Voge » Wed, 28 Mar 2001 09:17:30



> I agree with Luke

:)

--
Regards
Luke
------
On the requirements it said: Windows 98 or better - so I installed Linux
------
http://www.bell-bird.com.au
PLEASE NOTE: Spamgard (tm) installed.

------


Post by Justin Kell » Wed, 28 Mar 2001 09:37:52



> Thank you all. I have, since my being hacked, installed Red Hat on a newer
> and bigger hard drive, but am currently using this one since there was an
> issue with internet access and IP masking a Windows box I have (but this
> is a different story for a different group). . .

Yikes, let me clear this up. I am currently running on the hacked drive,
since I have no network problems with it. (Also, my new drive won't load
LILO.) Anyway. . .

Post by Luke Voge » Wed, 28 Mar 2001 10:01:09



> I just can't understand why someone would do this.

Fun.

> If no one minds could you clue me in as to what is going on in these log
> files? (note: flea is no user of mine) I would try to post the contents
> of a file I am sure is a file placed on my system by a hacker, but it
> would not be prudent at this time.

> ===================================== cron log file
> ======================
> Mar 10 08:19:21 UpsilonAndromeda crontab[10068]: (flea) REPLACE (flea)

Updated his cron file ...

> Mar 10 08:20:00 UpsilonAndromeda CROND[10073]: (root) CMD (   /sbin/rmmod -as)

This is probably normal

> Mar 10 08:25:00 UpsilonAndromeda CROND[10089]: (flea) CMD ("/tmp/.c/bchk" >/dev/null 2>&1)

He's running a program in /tmp/.c called bchk ... Better check this out!

> Mar 10 08:30:00 UpsilonAndromeda CROND[11584]: (root) CMD (   /sbin/rmmod -as)
> Mar 10 08:35:00 UpsilonAndromeda CROND[11591]: (flea) CMD ("/tmp/.c/bchk" >/dev/null 2>&1)

... every 10 minutes ...

> =================================== messages log file ========================
<snip>
> Mar 10 07:59:35 UpsilonAndromeda  -- flea[8544]: LOGIN ON pts/2 BY flea
> FROM 213.4.16.199

He may not be one of your users, but he sure has access to your system!
...

> Mar 10 08:19:21 UpsilonAndromeda crontab[10068]: (flea) REPLACE (flea)

... updated his crontab file again.

> Mar 10 08:19:37 UpsilonAndromeda PAM_unix[10069]: (system-auth) session opened for user x by flea(uid=550)

He has opened another user account "x" .... (God knows how many others?)
... what's the bet that "x" has root privileges? ...

> Mar 10 08:20:00 UpsilonAndromeda CROND[10073]: (root) CMD (   /sbin/rmmod -as)
> Mar 10 08:20:00 UpsilonAndromeda PAM_unix[10069]: (system-auth) session closed for user x

... (only on for 23 secs) ... updating something perhaps? ...

> Mar 10 08:39:56 UpsilonAndromeda PAM_unix[11599]: (system-auth) session opened for user x by flea(uid=550)
> Mar 10 08:40:00 UpsilonAndromeda CROND[11602]: (root) CMD (   /sbin/rmmod -as)
> Mar 10 08:41:27 UpsilonAndromeda PAM_unix[11599]: (system-auth) session closed for user x
> Mar 10 08:43:01 UpsilonAndromeda PAM_unix[8544]: (system-auth) session closed for user flea

hmmm ... in and out of "x" in 37 secs ... and now he logs off too.

> Mar 10 08:45:00 UpsilonAndromeda CROND[11609]: (flea) CMD ("/tmp/.c/bchk" >/dev/null 2>&1)
> Mar 10 08:50:00 UpsilonAndromeda CROND[11613]: (root) CMD (   /sbin/rmmod -as)
> Mar 10 08:55:00 UpsilonAndromeda CROND[11615]: (flea) CMD ("/tmp/.c/bchk" >/dev/null 2>&1)
> Mar 10 09:00:00 UpsilonAndromeda CROND[11619]: (root) CMD (/usr/lib/sa/sa1 600 6 &)

What's this I wonder?

> Mar 10 14:10:22 UpsilonAndromeda rpc.statd[443]: gethostbyname error for
> ^X??^X??^Y??^Y??^Z??^Z??^[??^[??%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????1?|Y?A^P?A^Ht?A^D??t?^Af?3^B?Y^L?A^N??A^H^P?I^D?A^D^L^^Af?3^Df?3^E0^A^Df???^?1?

... 5 hours later and someone just tried an rpc.statd buffer overflow
...

> Mar 10 14:40:30 UpsilonAndromeda rpc.statd[443]: gethostbyname error for
> ^X??^X??^Y??^Y??^Z??^Z??^[??^[??%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????1?|Y?A^P?A^Ht?A^D??t?^Af?3^B?Y^L?A^N??A^H^P?I^D?A^D^L^^Af?3^Df?3^E0^A^Df???^?1?

and again ...

--
Regards
Luke
------
On the requirements it said: Windows 98 or better - so I installed Linux
------
http://www.bell-bird.com.au
PLEASE NOTE: Spamgard (tm) installed.

------

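Luke's walk-through above is exactly the kind of reading a responder does by hand. The following is an added example, not code from this thread: the same observations written as detection rules and run over the posted log lines (wrapped lines rejoined, the rpc.statd payload abridged). The known-account list is an assumption; on the posted box only root was legitimate, which is why every `flea` event lights up. Note that `%x...%n` in a hostname argument is the fingerprint of a format-string attack, whichever label the thread gives it, and that the `session opened for user x by flea(uid=550)` line is what PAM records when one account switches to another with su.

```python
"""Triage rules for the cron and messages excerpts posted in this thread.

Added illustration, not code from the thread. Each rule encodes one of the
observations made in the replies:
  * cron jobs, crontab edits and remote logins for an account the owner
    never created;
  * a cron job executing something under /tmp (here a hidden directory);
  * PAM recording one user opening a session as another (a su-style switch);
  * rpc.statd gethostbyname errors carrying %n, the mark of a format-string
    attack on the daemon.
Only root is assumed legitimate; pass known_users to change that.
"""
import re

SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
CRON_CMD = re.compile(r"CROND\[\d+\]: \((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)$")
CRON_EDIT = re.compile(r"crontab\[\d+\]: \((?P<user>[^)]+)\) REPLACE")
LOGIN = re.compile(r"LOGIN ON (?P<tty>\S+) BY (?P<user>\S+) FROM (?P<src>\S+)")
PAM_OPEN = re.compile(r"session opened for user (?P<target>\S+) by (?P<by>\S*)\(uid=(?P<uid>\d+)\)")
STATD_FMT = re.compile(r"rpc\.statd\[\d+\]: gethostbyname error for .*%\d*n")
TMP_PATH = re.compile(r"""(^|["'\s])/tmp/""")

# Lines taken from the logs posted above (wrapped lines rejoined, the
# rpc.statd payload abridged). The packet-log line is included to show a
# benign line passing through untouched.
SAMPLE = """\
Mar 10 07:50:00 UpsilonAndromeda CROND[8541]: (root) CMD (   /sbin/rmmod -as)
Mar 10 07:59:13 UpsilonAndromeda kernel: Packet log: inp DENY eth0 PROTO=6 64.229.31.120:2129 24.6.242.15:24452 L=48 S=0x00 I=32780 F=0x4000 T=115 SYN (#2)
Mar 10 07:59:35 UpsilonAndromeda PAM_unix[8544]: (system-auth) session opened for user flea by (uid=0)
Mar 10 07:59:35 UpsilonAndromeda  -- flea[8544]: LOGIN ON pts/2 BY flea FROM 213.4.16.199
Mar 10 08:00:00 UpsilonAndromeda CROND[8568]: (root) CMD (/usr/lib/sa/sa1 600 6 &)
Mar 10 08:19:21 UpsilonAndromeda crontab[10068]: (flea) REPLACE (flea)
Mar 10 08:19:37 UpsilonAndromeda PAM_unix[10069]: (system-auth) session opened for user x by flea(uid=550)
Mar 10 08:20:00 UpsilonAndromeda PAM_unix[10069]: (system-auth) session closed for user x
Mar 10 08:25:00 UpsilonAndromeda CROND[10089]: (flea) CMD ("/tmp/.c/bchk" >/dev/null 2>&1)
Mar 10 14:10:22 UpsilonAndromeda rpc.statd[443]: gethostbyname error for ^X??^X??^Y??^Y??%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n???? [payload abridged]
"""


def triage(lines, known_users=("root",)):
    """Return (tag, detail, line) for every line a responder should look at."""
    findings = []
    for line in lines:
        m = SYSLOG.match(line)
        if not m:
            continue
        msg = m.group("msg")

        c = CRON_CMD.search(msg)
        if c:
            if c.group("user") not in known_users:
                findings.append(("cron-unknown-user", c.group("user"), line))
            if TMP_PATH.search(c.group("cmd")):
                findings.append(("cron-tmp", c.group("cmd").strip(), line))
            continue

        e = CRON_EDIT.search(msg)
        if e:
            if e.group("user") not in known_users:
                findings.append(("crontab-unknown-user", e.group("user"), line))
            continue

        l = LOGIN.search(msg)
        if l:
            if l.group("user") not in known_users:
                findings.append(("login-unknown-user",
                                 "%s from %s" % (l.group("user"), l.group("src")), line))
            continue

        p = PAM_OPEN.search(msg)
        if p:
            target, by = p.group("target"), p.group("by")
            if by and by != target:          # "by flea(uid=550)": flea became x
                findings.append(("pam-switch",
                                 "%s(uid=%s) -> %s" % (by, p.group("uid"), target), line))
            elif target not in known_users:  # "by (uid=0)": login(1) started a session
                findings.append(("pam-unknown-user", target, line))
            continue

        if STATD_FMT.search(msg):
            findings.append(("statd-format-string", "%n in hostname argument", line))
    return findings


def count_by_tag(findings):
    counts = {}
    for tag, _, _ in findings:
        counts[tag] = counts.get(tag, 0) + 1
    return counts


if __name__ == "__main__":
    for tag, detail, line in triage(SAMPLE.splitlines()):
        print("%-22s %-30s %s" % (tag, detail, line[:60]))
```

Two things the output makes plain that the thread only states: the intruder's activity is visible in logs the intruder did not bother to wipe, and the rpc.statd attempts come from the network regardless of what the box owner does. Neither changes Manfred's point: these logs and the binaries that wrote them live on the compromised host, so they are evidence for a timeline, not a basis for cleaning it.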

Post by Justin Kell » Wed, 28 Mar 2001 10:01:42



> Hi Justin!
> Yes that book is too old, one of the best places for up to date info is
> right here on this newsgroup! Now you need to do a complete fresh install. I
> do not know what version you have and it matters because different distros
> have different ways of removing services like telnet.

RH 7.0

> (telnet = bad)  When
> you are doing the install do not add FTP if you are not going to use it, do
> not install sendmail if you are not going to use it etc. etc. You can always
> add services later once you know how to secure them. For a very fast
> firewall fix go to sourceforge and look up Seattle Firewall. It is a program
> that will set up your ipchains for you, it is very easy to use if you read
> the docs. You will not learn how to write the chains yourself as it does it
> for you but you can learn them later once you have a secure box on the net.

This does sound interesting, what are the implications for Gnutella
(decentralized Napster) and Apache? I have a static IP and 'was' running
a little webserver. . . I also networked in a windows machine. What are
the implications for these?

> Also many of the posts here have links to many web pages with more up to
> date info than any book that takes months to publish. But remember don't try
> to fix your box with the current version as you will never be sure it's
> actually your box!

I've been known as Mister "I don't need no stinking firewall". I guess I
should get one.

Thank you.
-Justin Kelly


Post by Ian Jone » Wed, 28 Mar 2001 10:10:49


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Quote:> > Thank you all, I have since my being hacked installed redhat on a
> > newer and bigger  hardrive, but am currently using this since
> > there wasan issue with internet access and IPmasking a windows
> > box I have (but this isa different story for a different group).
> > . .

> Yikes let me clear this up. I am currently running on the hacked
> drive, since i have no network problems with it. (also my new drive
> won't load lilo) anyway. . .

Yikes, indeed. Forgive me if I misunderstand you, but are you saying
that despite the fine advice you have received in this forum the
compromised box is still up and available to attack me?? Please
unplug it if this is the case.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
Comment: Making the world safe for geeks.

iQA/AwUBOr/ol8AVSpfzXItKEQL7lQCg7cr774/512oFqf3FG2zBVH6zLUgAn2OZ
3RnA03hpGaLb6KnkaPGvrRsD
=KXlc
-----END PGP SIGNATURE-----


Post by Luke Voge » Wed, 28 Mar 2001 10:20:16



> Yikes, indeed. Forgive me if I misunderstand you, but are you saying
> that despite the fine advice you have recieved in this forum the
> compromised box is still up and available to attack me?? Please
> unplug it if this is the case.

... seconded ... alternatively Justin, why don't you post your passwords
to the net so we can play too?

--
Regards
Luke
------
On the requirements it said: Windows 98 or better - so I installed Linux
------
http://www.bell-bird.com.au
PLEASE NOTE: Spamgard (tm) installed.

------