[techtalk] bizarre....

Cynthia Dale silly at redhat.com
Sun Dec 12 23:57:26 EST 1999

I'm kind of new to the list, and have been lurking, but it's time to get
out and say hi!  Security is one of the most intriguing aspects of the
internet to me, but I like to keep it to the hobby level so I can still
enjoy it (read that: I haven't learned much about encryption. heh.)
Anyhow, I suggest the following:

1. Unplug your modem or ethernet card or both

2. If you are running Red Hat Linux, run rpm -Va >rpmlist and check that
out for a few things:
MD5 sums
missing files
added files
version numbers of files that are on www.redhat.com/errata for your

If you have Red Hat Linux, and you've updated everything from the errata
and you still got hacked, you got hit by something that's not known about
by the general public.  If that's the case, I would suspect the following

service daemons that run as root
setuid root files if you have users on your server
a silly teenager who might remove your log files from an open rxvt while 
you're not looking just to freak you out (it's happened to me! (:  )

If you're not running Red Hat, it will be a little more difficult.  Check
for suid root files that may have been installed.  Run netstat to see what
kind of connections are outbound.  Check /etc/inetd.conf to see what
services are running, and find out what version they are and check bugtraq
to make sure they're not listed.  Do ps aux |grep root to see what's

It's good to know what got ya so you can plug the hole.  Take a look at
the Firewall HOWTO: http://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html for
preventative measures. Try your best to find out how it happened, but in
any case, I suggest you 
3. re-install.  Even with RPM and other tools, it's not hard to hide a
daemon or two, or maybe something lurking in your crontab, or something in
a config file that will be accessed by a service running as root, or or
or...  (:

Always paranoid,

Cynthia J. Dale
Technical Engineer/FAQ maintainer
Red Hat, Inc.


On Mon, 13 Apr 1998 wizard111 at netzero.net wrote:

> Date: Mon, 13 Apr 1998 01:14:14 -0400
> From: wizard111 at netzero.net
> Reply-To: techtalk at linuxchix.org
> To: techtalk at linuxchix.org
> Subject: Re: [techtalk] bizarre....
> Sounds like SOMEONE got into your system. FIRST check your 
> daemons, make sure something isn't running that SHOULDN'T be. 
> THEN check to make sure that what IS running is the proper file 
> (replacement of a valid program with a trojan). THEN check your 
> outbound mail for something that shouldn't be going out (not sent 
> by you or your users (/var/spool/mail from memory, varies from OS 
> to OS though).
> FIRST, change your root password AFTER disconnecting from the 
> net, then make sure nothing goes out after that timestamp (don't 
> need to send a hacker your new password).
> Good luck,
> Steve
> > Okay, so today I was using my ppp connection for several hours, then we
> > went to watch Sunday night Fox and came back.  I have the command to dial
> > aliased to include tail -f /var/log/messages.  I told it to dial, and it
> > said "tail: no such file /var/log/messages."  I said "Uhhhhh...." and
> > tried again, a few times.  I got the same result.  I cd'd to /var/log, and
> > there were a total of 3 files there.  And I believe they were all
> > directories.  It got too weird, so I rebooted.  I did it twice, because
> > sendmail was taking ages to start and giving bizarre errors.  So I told it
> > to stop running sendmail and httpd on startup, since I don't even use them
> > anyway.  After the reboot, /var/log/messages reappeared and was fine and
> > ppp worked fine.  So then the problem was that my tty (mingetty) was set
> > to 'dumb' instead of vt100.  I can't figure that one out.  I also
> > periodically get messages (write style) from syslogd in assorted garbage.
> > It is weird high ascii stuff, I think.  There is something about 'not able
> > to piece together parts of message.'  This all started sometime between 8
> > and 10 pm tonight.  I am running ip masquerading and ipchains over a ppp
> > dialup.  Talking to a group of friends who use linux wasn't helpful,
> > except in stopping sendmail and httpd on boot.
> > I'm getting close to going "gyaaaaarrrrrrrrrrrrgh" and hitting it.  Help?
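The rpm -Va and setuid-root checks from the reply above, as an added shell example that is not part of the original thread. The sample rpm -Va lines are constructed, and the parser assumes rpm's verify format (flag string, optional "c" config marker, path) with no spaces in paths.

```shell
#!/bin/sh
# Added example, not from the original message.  Sorts `rpm -Va` output
# (as saved with `rpm -Va > rpmlist`) into the classes the reply asks
# about: changed MD5 sums, missing files, changed permissions/ownership.
# Config files (the "c" marker) are reported separately, since edits to
# them are usually legitimate.  rpm verify flags: S size, M mode,
# 5 MD5/digest, D device, L symlink, U user, G group, T mtime ("." = ok).
triage_rpm_verify() {
    awk '
    NF == 0 { next }
    $1 == "missing" { print "MISSING\t" $NF; next }
    {
        flags  = $1
        marker = (NF >= 3) ? $2 : ""
        path   = $NF
        if (index(flags, "5") > 0) {
            cls = (marker == "c") ? "CONFIG-CHANGED" : "MD5-CHANGED"
            print cls "\t" path
        } else if (index(flags, "M") > 0 || index(flags, "U") > 0 || index(flags, "G") > 0) {
            print "PERMS-CHANGED\t" path
        } else {
            print "OTHER\t" path
        }
    }'
}

# The "setuid root files" check: regular files with the setuid bit that are
# owned by root, staying on one filesystem.  Usage: list_setuid_root /
list_setuid_root() {
    find "${1:-/}" -xdev -type f -perm -4000 -user root 2>/dev/null
}

# Constructed sample of rpm -Va output; not taken from any real system.
SAMPLE_RPM_VA='S.5....T.    /bin/login
.M.......    /usr/bin/passwd
missing      /var/log/messages
S.5....T.  c /etc/inetd.conf
.......T.    /usr/share/doc/README'

printf '%s\n' "$SAMPLE_RPM_VA" | triage_rpm_verify
```

A changed MD5 on a non-config binary such as /bin/login is the finding to chase first; an mtime-only change is usually noise from an errata update.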
