[lug] Fun with being hacked

Keith.Herold herold at cslr.Colorado.EDU
Tue Aug 14 11:38:55 MDT 2001


Well, yeah, I sort of assumed that gdm was a little diversion.  I'm not
using bind, but rpc is running (for nfs, right).  This machine isn't serving
a printer, so it seems unlikely that the printer port was an issue.  We (the
lab) don't have a firewall up, because no one wants to spend the week to a
month necessary to get the thing going, but, since we get hacked every
month, I think I might get a little more insistent.  Unfortunately, I don't
have the previous configuration.  This is a research box, but all of the code
I write and the data are on at least three other machines so I typically
don't worry about backing configurations up.  Next time I think I will run
tripwire and put a firewall up on this machine alone.

As for the IP, I don't believe it is the originator, just because the same
hole is being used from many different addresses.  When I came in to check
it out, I found 8 copies of autotelnet running; the source code for the
exploit says that the attack may take more than an hour, so I gather the
punk ran a bunch of copies and thinks he/she will get on later to check it
out.

My version of openssh is only a month or so old; in any case, it will be
time to generate all new keys again.

--Keith
> -----Original Message-----
> From: lug-admin at lug.boulder.co.us [mailto:lug-admin at lug.boulder.co.us] On
> Behalf Of D. Stimits
> Sent: Tuesday, August 14, 2001 11:05 AM
> To: lug at lug.boulder.co.us
> Subject: Re: [lug] Fun with being hacked
>
>
> Knowing that the cracker was using gdm to hide doesn't say the attack
> was actually through gdm originally. Making a system account the login
> would tend to be less suspicious (in theory, not reality for gdm) than
> some brand new account. Knowing how they got in would require knowing
> exactly what ports were open and to whom. In this case, the original
> crack might not even be from 161.184.79.143, though this is where it is
> now being used from. Older versions of sshd had one weakness or another.
> Opening bind, rpc, or the printer ports would also be a route in. Do you
> have ipchains or other firewall running? Do you have the configuration
> now, and better yet, also from before the crack?
>
> D. Stimits, stimits at idcomm.com
>
>
> HEROLD wrote:
> >
> > So, I noticed an interesting message in my messages file this morning:
> >
> > Aug 12 04:43:14 pharynx sshd2[812]: connection from "161.184.79.143"
> > Aug 12 04:43:20 pharynx sshd2[11628]: User gdm's local password accepted.
> > Aug 12 04:43:20 pharynx sshd2[11628]: Password authentication for user gdm accepted.
> > Aug 12 04:43:20 pharynx sshd2[11628]: User gdm, coming from
> > s161-184-79-143.ab.hsia.telus.net, authenticated.
> >
> > Apparently this has been happening since around the 28th of July.
> >
> > I also found a package called "autotelnet" installed in
> > /tmp/.../autotelnet, which is a hack designed to break into telnetd using
> > a buffer overflow (gives root shell of course).
> >
> > Of course, my next actions will be to reformat and reinstall RH7.1, and,
> > once again, apply every RPM in existence.  The problem is that I am not
> > running telnetd, and in fact turned off all the services except sshd
> > (openssh). I did a check on the telnet port and had the connection refused.
> > It seems to me that the autotelnet was installed afterwards, to probe and
> > attack other machines.  I do not, however, have any idea of how they got in
> > in the first place.
> >
> > Does gdm normally have a passwd?  There is a gdm listed in the user
> > accounts, but I thought that was just so gnome could do its thing?
> > Should I password it next time?
> >
> > In general, since RH7.1 does not install the xwindows linuxconf, what's
> > a quick way to find out what services are running on a machine?
> >
> > Thanks,
> > Keith
> >
> > _______________________________________________
> > Web Page:  http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
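The two questions in the quoted original post, whether a service account like gdm should have a password at all and how to see what is listening on a box, are ones a defender can answer with a few lines of shell. The script below is an added example and is not code from this thread or from any of its participants. It audits a shadow-format file for accounts that still carry a usable password hash, narrows that list to service accounts (UID below 500, assumed here as the Red Hat convention of the time), and searches an sshd log for password logins by those accounts using the sshd2 wording in the quoted log. The function names, the sample input and the UID cut-off are all assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Small audit helpers for the
# questions in the quoted post. The UID cut-off of 500 for "system account"
# is an assumption based on Red Hat conventions of that era.

# Accounts whose shadow entry carries a real hash. Locked or never-set
# entries start with '!' (e.g. '!!') or are '*'. An empty field is also
# reported, since it would permit a passwordless login.
usable_password_accounts() {
    # $1 = shadow-format file (reading the real /etc/shadow needs root)
    awk -F: '$2 !~ /^[!*]/ { print $1 }' "$1"
}

# Of those, the service accounts: UID below 500, root itself excluded.
# A gdm entry here means the account can be logged into, as in the
# quoted sshd log.
service_accounts_with_password() {
    # $1 = shadow-format file, $2 = passwd-format file
    usable_password_accounts "$1" | while read -r user; do
        awk -F: -v u="$user" '$1 == u && $3 > 0 && $3 < 500 { print $1 }' "$2"
    done
}

# sshd log lines that mention the given account names. The pattern covers
# the sshd2 wording in the quoted log: "User gdm's ...", "for user gdm",
# and "User gdm, coming from ...".
service_account_logins() {
    # $1 = log file, remaining arguments = account names to look for
    log=$1; shift
    for u in "$@"; do
        grep -E "[Uu]ser $u([^A-Za-z0-9_-]|\$)" "$log" || true
    done
    return 0
}

# The "what services are running" question: netstat on a 2001-era
# system, ss on a current one. Needs root to show the owning process.
listening_services() {
    netstat -tulpn 2>/dev/null || ss -tulpn
}

# Typical use on a live system (commented out so the file sources cleanly):
#   service_accounts_with_password /etc/shadow /etc/passwd
#   service_account_logins /var/log/messages gdm lp nobody
#   listening_services
```

Run `service_accounts_with_password /etc/shadow /etc/passwd` as root; on a default install the output should be empty, so any name it prints is worth explaining. Feeding that list to `service_account_logins` against `/var/log/messages` turns the manual scan of the messages file into a repeatable check.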