Been hacked and need advice

Been hacked and need advice

Post by Steve Ledford » Tue, 29 Feb 2000 04:00:00



The title says it all for my problem and I need some advice. I have a
RedHat 6.1 box that I use for my business and that is configured as a
firewall, router, web server and email server. The box was hijacked this
past week and I was informed of it by some other businesses that were
being hacked from my box. I'm not a happy camper right now since I had
to completely rebuild my box (ain't paranoia great?!?!) and I'm still
trying to figure out how they did it.

The person was smart enough to gain access but not smart enough to cover
their tracks. I have the logs in the secure log as well as the syslogs
that show me what they did but I don't know how and that's where I need
some help. The first entry from my syslog shows a change of the password
for account adm through the PAM module. From that point the person
creates some other accounts and groups and all hell breaks loose.

My secure log shows several telnet connection attempts from the same IP
and ultimately a successful login with account adm, all within a span of
a couple of minutes. My box had the hosts.deny firewall rule of ALL:ALL
and my hosts.allow file had in.httpd:ALL and in.telnetd opened for some
IPs that I use for remote access for maintenance. In going through the
"crime scene" I found my hosts.deny file had been completely deleted (how
and when I don't know), but if it had existed it should have prevented
that IP address from even being given a prompt.

Anyway, first question, is the adm account a default account created on
a RH6.1 install? And if so, does it also come with a default password?
Second, with the firewall rules that I had are there some other back
doors to PAM or other services that let them change the password file?
Any other advice?

Also, before anyone gets on a soapbox, yes, I understand that I need to
add something like tripwire and logwatch, etc. The new install has that
now....

Thanks
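
Two checks that follow directly from this post, as an added example in Python (not code from the original thread): a small model of the hosts_access(5) evaluation order, which shows why a deleted hosts.deny lets in.telnetd answer anyone not covered by hosts.allow, and a pass over /var/log/secure and /var/log/messages that flags a burst of telnetd connects from one address followed by a successful login, plus PAM password changes for system accounts (UID below 500). The hosts.allow/hosts.deny contents, the addresses and the log lines are constructed to match what the post describes; the log line formats only approximate RH 6.x and the regexes may need adjusting to real logs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed tcp_wrappers files modelled on the post: 192.0.2.10 and .11 stand
# in for the maintenance addresses, 203.0.113.45 for the attacker.
HOSTS_ALLOW = "in.httpd: ALL\nin.telnetd: 192.0.2.10, 192.0.2.11\n"
HOSTS_DENY = "ALL: ALL\n"


def _client_match(pattern, client):
    """Subset of hosts_access(5) client patterns: ALL, exact address, 'a.b.c.' prefix.
    EXCEPT lists and net/mask forms are not modelled here."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return client.startswith(pattern)
    return pattern == client


def _file_matches(text, daemon, client):
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = [re.split(r"[,\s]+", p.strip()) for p in line.split(":")[:2]]
        if ("ALL" in daemons or daemon in daemons) and any(
            _client_match(c, client) for c in clients if c
        ):
            return True
    return False


def wrappers_decision(daemon, client, allow_text, deny_text):
    """hosts_access(5) order: a match in hosts.allow grants, then a match in
    hosts.deny refuses, otherwise access is granted. A file that does not exist
    behaves like an empty one, so pass "" for a deleted hosts.deny."""
    if _file_matches(allow_text, daemon, client):
        return "allow"
    if _file_matches(deny_text, daemon, client):
        return "deny"
    return "allow"


# Constructed log lines approximating the RH 6.x /var/log/secure (telnetd via
# tcp_wrappers, login) and /var/log/messages (PAM_pwdb) formats.
SECURE_LOG = """\
Feb 22 02:41:03 gw in.telnetd[2211]: connect from 203.0.113.45
Feb 22 02:41:20 gw in.telnetd[2213]: connect from 203.0.113.45
Feb 22 02:41:51 gw in.telnetd[2215]: connect from 203.0.113.45
Feb 22 02:42:17 gw in.telnetd[2218]: connect from 203.0.113.45
Feb 22 02:42:40 gw login: LOGIN ON ttyp1 BY adm FROM 203.0.113.45
Feb 22 09:15:02 gw in.telnetd[2530]: connect from 192.0.2.10
Feb 22 09:15:09 gw login: LOGIN ON ttyp0 BY steve FROM 192.0.2.10
"""
MESSAGES_LOG = "Feb 22 02:40:58 gw PAM_pwdb[2209]: password for (adm/3) changed by ((null)/0)\n"

LOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (.*)$")
CONNECT_RE = re.compile(r"in\.telnetd\[\d+\]: connect from (\S+)")
LOGIN_RE = re.compile(r"login: LOGIN ON \S+ BY (\S+) FROM (\S+)")
PWCHANGE_RE = re.compile(r"password for \((\w+)/(\d+)\) changed by")


def suspicious_logins(secure_text, window=300, min_connects=3):
    """Map client IP -> users who logged in after >= min_connects telnetd
    connects from that IP within `window` seconds (a brute force that worked)."""
    connects, hits = defaultdict(list), defaultdict(list)
    for line in secure_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # syslog has no year
        rest = m.group(2)
        c = CONNECT_RE.search(rest)
        if c:
            connects[c.group(1)].append(when)
            continue
        lg = LOGIN_RE.search(rest)
        if lg:
            user, ip = lg.groups()
            recent = [t for t in connects[ip] if 0 <= (when - t).total_seconds() <= window]
            if len(recent) >= min_connects:
                hits[ip].append(user)
    return dict(hits)


def system_password_changes(messages_text, system_uid_max=500):
    """Accounts below the Red Hat system-UID cutoff whose password was changed."""
    return [m.group(1) for m in map(PWCHANGE_RE.search, messages_text.splitlines())
            if m and int(m.group(2)) < system_uid_max]
```

With the ALL:ALL hosts.deny in place the model refuses the attacker's address at connect time; with the file passed as "" (deleted) the same request is granted, because tcp_wrappers treats a missing file as empty and grants by default. Ordering in the logs matters as much as the wrappers rule: if the PAM password change for adm precedes the first telnet connect, the password was set through some channel other than telnet, and that channel, not telnet, is the entry point to look for.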

 
 
 

Been hacked and need advice

Post by ViperGt » Tue, 29 Feb 2000 04:00:00


You can try to read this document... I think you will be able to fix your
problem afterwards.
Good luck, dude :)))

Steve Ledford wrote in the message:

>The title says it all for my problem and I need some advice. I have a
>RedHat 6.1 box that I use for my business and is configured as a
>firewall, router, web server and email server. The box was hijacked this
>past week and I was informed of it by some other businesses that were
>being hacked from my box. I'm not a happy camper right now since I had
>to completely rebuild my box (ain't paranoia great?!?!) and I'm still
>trying to figure out how they did it.

>The person was smart enough to gain access but not smart enough to cover
>their tracks. I have the logs in the secure log as well as the syslogs
>that show me what they did but I don't know how and that's where I need
>some help. The first entry from my syslog shows a change of the password
>for account adm through the PAM module. From that point the person
>creates some other accounts and groups and all hell breaks loose.

>My secure log shows several telnet connection attempts from the same IP
>and ultimately a successful login with account adm all within a span of
>a couple of minutes. My box had the hosts.deny firewall rule of ALL:ALL
>and my hosts.allow file had in.httpd:ALL and in.telnetd opened for some
>IPs that I use for remote access for maintenance. In going through the
>"crime scene" my hosts.deny file was completely deleted, how and when I
>don't know, but it should have prevented the IP address being even given
>a prompt if it had existed.

>Anyway, first question, is the adm account a default account created on
>a RH6.1 install? And if so, does it also come with a default password?
>Second, with the firewall rules that I had are there some other back
>doors to PAM or other services that let them change the password file?
>Any other advice?

>Also, before anyone gets on a soapbox, yes, I understand that I need to
>add something like tripwire and logwatch, etc. The new install has that
>now....

>Thanks


 
 
 

Been hacked and need advice

Post by ViperGt » Tue, 29 Feb 2000 04:00:00


Damn... I forgot the link ;)

http://rootshell.com/archive-j457nxiqi3gq59dv/200001/userhelper.txt.html

Cya :)

Steve Ledford wrote in the message:

>The title says it all for my problem and I need some advice. I have a
>RedHat 6.1 box that I use for my business and is configured as a
>firewall, router, web server and email server. The box was hijacked this
>past week and I was informed of it by some other businesses that were
>being hacked from my box. I'm not a happy camper right now since I had
>to completely rebuild my box (ain't paranoia great?!?!) and I'm still
>trying to figure out how they did it.

>The person was smart enough to gain access but not smart enough to cover
>their tracks. I have the logs in the secure log as well as the syslogs
>that show me what they did but I don't know how and that's where I need
>some help. The first entry from my syslog shows a change of the password
>for account adm through the PAM module. From that point the person
>creates some other accounts and groups and all hell breaks loose.

>My secure log shows several telnet connection attempts from the same IP
>and ultimately a successful login with account adm all within a span of
>a couple of minutes. My box had the hosts.deny firewall rule of ALL:ALL
>and my hosts.allow file had in.httpd:ALL and in.telnetd opened for some
>IPs that I use for remote access for maintenance. In going through the
>"crime scene" my hosts.deny file was completely deleted, how and when I
>don't know, but it should have prevented the IP address being even given
>a prompt if it had existed.

>Anyway, first question, is the adm account a default account created on
>a RH6.1 install? And if so, does it also come with a default password?
>Second, with the firewall rules that I had are there some other back
>doors to PAM or other services that let them change the password file?
>Any other advice?

>Also, before anyone gets on a soapbox, yes, I understand that I need to
>add something like tripwire and logwatch, etc. The new install has that
>now....

>Thanks

 
 
 

Been hacked and need advice

Post by Bill Unr » Wed, 01 Mar 2000 04:00:00



>>Anyway, first question, is the adm account a default account created on
>>a RH6.1 install? And if so, does it also come with a default password?

Yes, it is a default account, with a UID of 3. No, it has a * password. He
has to have done some hack to get in.

>>Second, with the firewall rules that I had are there some other back
>>doors to PAM or other services that let them change the password file?
>>Any other advice?

>>Also, before anyone gets on a soapbox, yes, I understand that I need to
>>add something like tripwire and logwatch, etc. The new install has that

Actually, you can use rpm to do something similar.
You do not have quite the same control, but it at least "knows" what
should have been on your system.
rpm -Va|grep '^..5'
will give all the files which have changed. Of course it does not tell
you about new rogue files which have been added. I find tripwire a bit
of a pain. Every time you make some system alterations you need to rerun
it, or you will get a huge bunch of "changes" listed, hiding any real
changes you should beware of.
>>now....

>>Thanks
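
An added example in Python (not from the thread) of doing what the rpm -Va|grep '^..5' one-liner does, with the noise split out: config files with a changed MD5 are usually legitimate edits (useradd rewrites /etc/passwd), while a non-config binary such as /bin/login or /bin/ps with a changed MD5 is the classic rootkit signature, and a "missing" line is how a deleted packaged file like /etc/hosts.deny shows up. The second part covers the gap Bill points out: rpm only knows packaged files, so new files have to be found by diffing the package manifests against a filesystem walk. The verify output and both file listings are constructed; the column layout approximates the rpm of that era and the parser also accepts the nine-column layout of newer rpm.

```python
import re

# Constructed `rpm -Va` output in the 8-column layout of the rpm that RH 6.1
# shipped (S M 5 D L U G T, then an optional file-type letter such as "c" for
# config files, then the path). Newer rpm prints nine columns; both are accepted.
SAMPLE_VERIFY = """\
S.5....T c /etc/passwd
S.5....T c /etc/group
.......T c /etc/hosts.allow
missing    /etc/hosts.deny
S.5....T   /bin/login
S.5....T   /bin/ps
.M......   /usr/bin/passwd
"""

VERIFY_RE = re.compile(r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<type>[cdglr])\s+)?(?P<path>/.*)$")
MISSING_RE = re.compile(r"^missing\s+(?:(?P<type>[cdglr])\s+)?(?P<path>/.*)$")


def parse_rpm_verify(text):
    """Return (path, set_of_flags, is_config, is_missing) per rpm -Va line."""
    rows = []
    for line in text.splitlines():
        m = MISSING_RE.match(line)
        if m:
            rows.append((m.group("path"), set(), m.group("type") == "c", True))
            continue
        m = VERIFY_RE.match(line)
        if m:
            rows.append((m.group("path"), set(m.group("flags")) - {"."},
                         m.group("type") == "c", False))
    return rows


def triage_verify(text):
    """Sort rpm -Va findings the way a responder needs them:
    binaries  - non-config files whose MD5 changed (what grep '^..5' finds, minus
                the config noise); a changed /bin/login or /bin/ps is rootkit territory
    config    - config files with a changed MD5 (often legitimate edits)
    missing   - packaged files that are gone
    mode_only - mode/owner/group changed without the content changing"""
    out = {"binaries": [], "config": [], "missing": [], "mode_only": []}
    for path, flags, is_config, is_missing in parse_rpm_verify(text):
        if is_missing:
            out["missing"].append(path)
        elif "5" in flags:
            out["config" if is_config else "binaries"].append(path)
        elif flags & {"M", "U", "G"}:
            out["mode_only"].append(path)
    return out


# rpm -Va only knows packaged files. To find what an intruder added, diff the
# package manifests (`rpm -qal`) against a filesystem walk (`find / -type f`).
# Both listings are constructed here; /usr/lib/.hidden/sniff is a made-up rogue file.
PACKAGED_FILES = {
    "/bin/login", "/bin/ps", "/etc/passwd", "/etc/group",
    "/etc/hosts.allow", "/etc/hosts.deny", "/usr/bin/passwd",
}
ON_DISK = {
    "/bin/login", "/bin/ps", "/etc/passwd", "/etc/group", "/etc/hosts.allow",
    "/usr/bin/passwd", "/home/steve/.bashrc", "/tmp/x.c", "/usr/lib/.hidden/sniff",
}


def unowned_files(packaged, on_disk, ignore_prefixes=("/home/", "/tmp/", "/var/log/")):
    """Files on disk that no package claims, minus locations expected to hold
    local data. Everything that comes back deserves a look."""
    return sorted(p for p in on_disk - packaged if not p.startswith(ignore_prefixes))
```

Run the verify and the find from a rescue boot or with a known-good rpm binary where you can: an intruder who replaced /bin/ps can just as easily have replaced rpm or edited its database, and `rpm -Vp` against the pristine package files from the install media avoids trusting the local database at all.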

 
 
 

Been hacked and need advice

Post by Edd Flamme » Fri, 03 Mar 2000 04:00:00


I recently had a very similar break-in on a RH 6.1 box. The one who got me
was able to cover their tracks pretty well (blanked all the log files). The
only evidence left was a poorly done 'root' kit, and a directory
/var/named/ADMROCKS. I checked this on bugtraq and the CERT website and
found it to be a mark of an exploit that targets the name server (bind). If
you are running that service that could be a possibility. It's a buffer
overflow that results in the attacker being able to run code as root. RH has
a patch for it and I would recommend getting it from their website and
installing it (and the others that are there). I know I have learned first
hand to double check the list of patches constantly..


> The title says it all for my problem and I need some advice. I have a
> RedHat 6.1 box that I use for my business and is configured as a
> firewall, router, web server and email server. The box was hijacked this
> past week and I was informed of it by some other businesses that were
> being hacked from my box. I'm not a happy camper right now since I had
> to completely rebuild my box (ain't paranoia great?!?!) and I'm still
> trying to figure out how they did it.

> The person was smart enough to gain access but not smart enough to cover
> their tracks. I have the logs in the secure log as well as the syslogs
> that show me what they did but I don't know how and that's where I need
> some help. The first entry from my syslog shows a change of the password
> for account adm through the PAM module. From that point the person
> creates some other accounts and groups and all hell breaks loose.

> My secure log shows several telnet connection attempts from the same IP
> and ultimately a successful login with account adm all within a span of
> a couple of minutes. My box had the hosts.deny firewall rule of ALL:ALL
> and my hosts.allow file had in.httpd:ALL and in.telnetd opened for some
> IPs that I use for remote access for maintenance. In going through the
> "crime scene" my hosts.deny file was completely deleted, how and when I
> don't know, but it should have prevented the IP address being even given
> a prompt if it had existed.

> Anyway, first question, is the adm account a default account created on
> a RH6.1 install? And if so, does it also come with a default password?
> Second, with the firewall rules that I had are there some other back
> doors to PAM or other services that let them change the password file?
> Any other advice?

> Also, before anyone gets on a soapbox, yes, I understand that I need to
> add something like tripwire and logwatch, etc. The new install has that
> now....

> Thanks

 
 
 

Been hacked and need advice

Post by Filip M. Gieszczykiewi » Sat, 04 Mar 2000 04:00:00



>I recently had a very similar break-in on a RH 6.1 box. The one who got me
>was able to cover their tracks pretty well (blanked all the log files). The
>only evidence left was a poorly done 'root' kit, and a directory
>/var/named/ADMROCKS. I checked this on bugtraq and the CERT website and
>found it to be a mark of an exploit that targets the name server (bind). If
>you are running that service that could be a possibility. It's a buffer
>overflow that results in the attacker being able to run code as root. RH has

[snip]

AND, while you're still paranoid, go and patch your kernel to make
buffer overflows a heck of a lot harder to exploit:

       http://www.openwall.com/linux/

Nifty.

Cheers,
Filip G.

 
 
 

Been hacked and need advice

Post by Michael Erskin » Mon, 06 Mar 2000 04:00:00


Provide the log extracts to the FBI crime center because it is raw
information they may find useful.

Save copies of the logs because it is evidence you may find useful.

Complain to the ISP from whence the attack came because he can either track
down the culprit OR discover that he in turn has been cracked.

Look at the .bash_history files on ALL user accounts.

-m-


> The title says it all for my problem and I need some advice. I have a
> RedHat 6.1 box that I use for my business and is configured as a
> firewall, router, web server and email server. The box was hijacked this
> past week and I was informed of it by some other businesses that were
> being hacked from my box. I'm not a happy camper right now since I had
> to completely rebuild my box (ain't paranoia great?!?!) and I'm still
> trying to figure out how they did it.

> The person was smart enough to gain access but not smart enough to cover
> their tracks. I have the logs in the secure log as well as the syslogs
> that show me what they did but I don't know how and that's where I need
> some help. The first entry from my syslog shows a change of the password
> for account adm through the PAM module. From that point the person
> creates some other accounts and groups and all hell breaks loose.

> My secure log shows several telnet connection attempts from the same IP
> and ultimately a successful login with account adm all within a span of
> a couple of minutes. My box had the hosts.deny firewall rule of ALL:ALL
> and my hosts.allow file had in.httpd:ALL and in.telnetd opened for some
> IPs that I use for remote access for maintenance. In going through the
> "crime scene" my hosts.deny file was completely deleted, how and when I
> don't know, but it should have prevented the IP address being even given
> a prompt if it had existed.

> Anyway, first question, is the adm account a default account created on
> a RH6.1 install? And if so, does it also come with a default password?
> Second, with the firewall rules that I had are there some other back
> doors to PAM or other services that let them change the password file?
> Any other advice?

> Also, before anyone gets on a soapbox, yes, I understand that I need to
> add something like tripwire and logwatch, etc. The new install has that
> now....

> Thanks

 
 
 

Been hacked and need advice

Post by Michael Pao » Mon, 06 Mar 2000 04:00:00


Start here:
http://www.cert.org/tech_tips/root_compromise.html
And since you're running RedHat be sure to also check out:
http://www.redhat.com/support/errata/
and for 6.1:
http://www.redhat.com/support/errata/rh61-errata-security.html

Also, if you want a very secure firewall, it should have absolute
minimal stuff on it - i.e. just what's necessary to run the firewall -
it should be exceedingly stripped down (one learns this in firewall
101).

This also illustrates yet again why one should never counter-attack an
attacking site.  Besides legalities and such, most attacking sites are
in fact compromised victim sites.  (Yes, sites most commonly learn
they've been compromised when someone else contacts them about attacks
coming from the compromised site.)



> The title says it all for my problem and I need some advice. I have a
> RedHat 6.1 box that I use for my business and is configured as a
> firewall, router, web server and email server. The box was hijacked this
> past week and I was informed of it by some other businesses that were
> being hacked from my box. I'm not a happy camper right now since I had


 
 
 

1. I am being HACKED!! I need security info.

I was just surfin' the web last night when I noticed a lot of
disk activity. Upon doing "top" there was a "find" command
running. I did a "netstat" and found a foreign host that was NOT
my ISP. When I did a "tail -f /var/log/messages" I found that user
"nobody" had logged in. I immediately killed the PPP connection. I
fired up the PPP connection again, and it wasn't long before there
appeared to be more activity. I found "gawk" running via "top".
I'm not that familiar with some of these processes, and not sure
what they may be doing.

When I started my machine today, I noticed in /var/log/messages
something about a query, and to send the results to a certain IP
(I have more details not to be given out here). Is this a sniffer
of some kind, how do I get rid of it?

When I installed RedHat 5.0, I set up a couple of accounts for
myself, but I did not touch the other accounts. Do I need to
change the passwords on each account, or are some of the accounts
not even needed?

If someone will take the time to respond to me privately, via
e-mail, I will provide more details. I know Linux is a very secure
OS, I'm just wondering if maybe I need to do some configuration to
assure myself of this.

--
TB

      Speed Costs...Unless, of course, you're using Linux
             >/<The Choice of a GNU Generation>/<
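
Several questions in this thread come down to which accounts on a stock install can actually log in, so here is an added example in Python (not from the thread) that audits /etc/passwd against /etc/shadow the way a responder would after a compromise: it flags system accounts (UID below 500 on Red Hat) whose password field is not locked with * or !, extra UID 0 accounts, empty passwords, and accounts with no shadow entry. Note the empty shell field on the stock system entries: per passwd(5) an empty shell means /bin/sh, so a system account is fully loginable the moment someone gives it a password, which is what the first post describes happening to adm. Both files are constructed; "toor" plays an intruder-added account and the hashes are placeholders.

```python
# Constructed /etc/passwd and /etc/shadow excerpts in the Red Hat 6.x layout.
# "toor" plays the account an intruder added; the hashes are placeholders.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
nobody:x:99:99:Nobody:/:
steve:x:500:500:Steve:/home/steve:/bin/bash
toor:x:0:0::/tmp:/bin/sh
"""
SHADOW = """\
root:$1$saltsalt$placeholderhash0000000000:10950:0:99999:7:::
bin:*:10950:0:99999:7:::
daemon:*:10950:0:99999:7:::
adm:$1$saltsalt$placeholderhash1111111111:10950:0:99999:7:::
lp:*:10950:0:99999:7:::
nobody:*:10950:0:99999:7:::
steve:$1$saltsalt$placeholderhash2222222222:10950:0:99999:7:::
toor:$1$saltsalt$placeholderhash3333333333:10950:0:99999:7:::
"""


def _rows(text):
    """Split a colon-separated account file into field lists, skipping blanks and comments."""
    return [line.split(":") for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def audit_accounts(passwd_text, shadow_text, system_uid_max=500):
    """Return (user, finding, effective_shell) triples a responder should act on."""
    shadow = {row[0]: row[1] for row in _rows(shadow_text)}
    findings = []
    for row in _rows(passwd_text):
        user, uid, shell = row[0], int(row[2]), row[6]
        shell = shell or "/bin/sh"  # passwd(5): an empty shell field means /bin/sh
        interactive = not shell.endswith(("/nologin", "/false"))
        pw = shadow.get(user)
        if pw is None:
            findings.append((user, "no shadow entry", shell))
        elif pw == "":
            findings.append((user, "empty password", shell))
        elif uid == 0 and user != "root":
            findings.append((user, "extra UID 0 account", shell))
        elif (uid < system_uid_max and user != "root" and interactive
              and not pw.startswith(("*", "!"))):
            findings.append((user, "system account with usable password", shell))
    return findings


def locked_system_accounts(passwd_text, shadow_text, system_uid_max=500):
    """The stock state Bill describes: system accounts whose hash field is '*' (or '!')."""
    shadow = {row[0]: row[1] for row in _rows(shadow_text)}
    return sorted(row[0] for row in _rows(passwd_text)
                  if int(row[2]) < system_uid_max
                  and shadow.get(row[0], "").startswith(("*", "!")))
```

On a current system `passwd -l user` locks an account by prefixing its hash with "!" and `usermod -s /sbin/nologin user` takes away the shell; both are reversible by anyone with root, which is why a box with a root compromise still gets rebuilt rather than cleaned up account by account.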
