[lug] Fun with being hacked

Keith.Herold herold at cslr.Colorado.EDU
Tue Aug 14 12:14:03 MDT 2001


My general sense has been that you probably want to reformat.  The problem
is that you can't always tell if other hacked stuff has been installed.
RH's upgrade/reinstall process only installs packages that are newer than
the ones which exist on the machine; if one of the packages already
installed is bad, 7.1 won't do anything about it.  And of course, that
probably means that the machine is not secure.

--Keith

> -----Original Message-----
> From: lug-admin at lug.boulder.co.us [mailto:lug-admin at lug.boulder.co.us] On Behalf Of Holshouser, David
> Sent: Tuesday, August 14, 2001 12:02 PM
> To: 'lug at lug.boulder.co.us'
> Subject: RE: [lug] Fun with being hacked
>
>
> In a case like this (or any other case of hacking for that matter), is it
> sufficient to boot to the CD for the latest version of your distribution
> and do an upgrade, or is a format required?
>
> > -----Original Message-----
> > From: Keith.Herold [mailto:herold at cslr.Colorado.EDU]
> > Sent: Tuesday, August 14, 2001 11:39 AM
> > To: lug at lug.boulder.co.us
> > Subject: RE: [lug] Fun with being hacked
> >
> >
> > Well, yeah, I sort of assumed that gdm was a little diversion.  I'm not
> > using bind, but rpc is running (for nfs, right).  This machine isn't
> > serving a printer, so it seems unlikely that the printer port was an
> > issue.  We (the lab) don't have a firewall up, because no one wants to
> > spend the week to a month necessary to get the thing going, but, since
> > we get hacked every month, I think I might get a little more insistent.
> > Unfortunately, I don't have the previous configuration.  This is a
> > research box, but all of the code I write and the data are in at least
> > three other machines so I typically don't worry about backing
> > configurations up.  Next time I think I will run tripwire and put a
> > firewall up on this machine alone.
> >
> > As for the IP, I don't believe it is the originator, just because the
> > same hole is being used from many different addresses.  When I came in
> > to check it out, I found 8 copies of autotelnet running; the source code
> > for the exploit says that the attack may take more than an hour, so I
> > gather the punk ran a bunch of copies and thinks he/she will get on
> > later to check it out.
> >
> > My version of openssh is only a month or so old; in any case, it will be
> > time to generate all new keys again.
> >
> > --Keith
> > > -----Original Message-----
> > > From: lug-admin at lug.boulder.co.us [mailto:lug-admin at lug.boulder.co.us] On Behalf Of D. Stimits
> > > Sent: Tuesday, August 14, 2001 11:05 AM
> > > To: lug at lug.boulder.co.us
> > > Subject: Re: [lug] Fun with being hacked
> > >
> > >
> > > Knowing that the cracker was using gdm to hide doesn't say the attack
> > > was actually through gdm originally. Making a system account the login
> > > would tend to be less suspicious (in theory, not reality for gdm) than
> > > some brand new account. Knowing how they got in would require knowing
> > > exactly what ports were open and to whom. In this case, the original
> > > crack might not even be from 161.184.79.143, though this is where it is
> > > now being used from. Older versions of sshd had one weakness or another.
> > > Opening bind, rpc, or the printer ports would also be a route in. Do you
> > > have ipchains or other firewall running? Do you have the configuration
> > > now, and better yet, also from before the crack?
> > >
> > > D. Stimits, stimits at idcomm.com
> > >
> > >
> > > HEROLD wrote:
> > > >
> > > > So, I noticed an interesting message in my messages file this morning:
> > > >
> > > > Aug 12 04:43:14 pharynx sshd2[812]: connection from "161.184.79.143"
> > > > Aug 12 04:43:20 pharynx sshd2[11628]: User gdm's local password accepted.
> > > > Aug 12 04:43:20 pharynx sshd2[11628]: Password authentication for user gdm accepted.
> > > > Aug 12 04:43:20 pharynx sshd2[11628]: User gdm, coming from s161-184-79-143.ab.hsia.telus.net, authenticated.
> > > >
> > > > Apparently this has been happening since around the 28th of July.
> > > >
> > > > I also found a package called "autotelnet" installed in
> > > > /tmp/.../autotelnet, which is a hack designed to break into telnetd
> > > > using a buffer overflow (gives root shell of course).
> > > >
> > > > Of course, my next actions will be to reformat and reinstall RH7.1,
> > > > and, once again, apply every RPM in existence.  The problem is that I
> > > > am not running telnetd, and in fact turned off all the services except
> > > > sshd (openssh).  I did a check on the telnet port and had the
> > > > connection refused.  It seems to me that the autotelnet was installed
> > > > afterwards, to probe and attack other machines.  I do not, however,
> > > > have any idea of how they got in in the first place.
> > > >
> > > > Does gdm normally have a passwd?  There is a gdm listed in the user
> > > > accounts, but I thought that was just so gnome could do its thing?
> > > > Should I password it next time?
> > > >
> > > > In general, since RH7.1 does not install the xwindows linuxconf, what's
> > > > a quick way to find out what services are running on a machine?
> > > >
> > > > Thanks,
> > > > Keith
> > > >
> > > > _______________________________________________
> > > > Web Page:  http://lug.boulder.co.us
> > > > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
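Two of the questions raised in this thread lend themselves to a small triage script: D. Stimits' point that a login through a system account such as gdm is exactly what to look for in the logs, and Keith's question about a quick way to see what services a machine is actually running. The following Python is an added example written for this archive page; it is not code from any list member. It flags successful sshd password logins to service accounts in syslog-style lines (the sample lines are constructed, modelled on the sshd2 entries quoted above, with one legitimate login added for contrast), and it lists LISTEN sockets by parsing the kernel's /proc/net/tcp format from a constructed excerpt. The SYSTEM_ACCOUNTS set is an illustrative assumption, not a list taken from the thread.

```python
import re

# Constructed sample log lines, modelled on the sshd2 entries quoted in the thread
# (plus one ordinary user login so the filter has something to ignore).
SAMPLE_LOG = """\
Aug 12 04:43:14 pharynx sshd2[812]: connection from "161.184.79.143"
Aug 12 04:43:20 pharynx sshd2[11628]: User gdm's local password accepted.
Aug 12 04:43:20 pharynx sshd2[11628]: Password authentication for user gdm accepted.
Aug 12 04:43:20 pharynx sshd2[11628]: User gdm, coming from s161-184-79-143.ab.hsia.telus.net, authenticated.
Aug 12 09:12:01 pharynx sshd2[11702]: Password authentication for user keith accepted.
Aug 12 09:12:01 pharynx sshd2[11702]: User keith, coming from 10.0.0.5, authenticated.
"""

# Accounts a distribution creates for daemons; none of them should ever log in
# interactively. Assumed list for illustration only.
SYSTEM_ACCOUNTS = {"gdm", "nobody", "daemon", "lp", "mail", "news", "uucp",
                   "xfs", "rpc", "rpcuser"}

# Matches the "User X, coming from Y, authenticated." line that sshd2 writes on success.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\d*\[(?P<pid>\d+)\]: "
    r"User (?P<user>[^,]+), coming from (?P<src>[^,]+), authenticated\.$"
)


def system_account_logins(log_text, system_accounts=SYSTEM_ACCOUNTS):
    """Return (timestamp, user, source) for each successful login to a service account."""
    hits = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m and m.group("user") in system_accounts:
            hits.append((m.group("ts"), m.group("user"), m.group("src")))
    return hits


# Constructed /proc/net/tcp excerpt in the kernel's format: local_address is
# little-endian hex IPv4 plus hex port, st 0A is LISTEN, 01 is ESTABLISHED.
# Rows: sshd on 22 as root, portmap (rpc) on 111 as uid 32, one established session.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 00000000 100 0 0 10 0
   1: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000    32        0 1250 1 00000000 100 0 0 10 0
   2: 0100007F:0016 0100007F:C34A 01 00000000:00000000 00:00000000 00000000     0        0 1300 1 00000000 20 4 30 10 -1
"""


def listening_ports(proc_net_tcp_text):
    """Parse /proc/net/tcp text; return sorted (ip, port, uid) for sockets in LISTEN state."""
    result = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 8:
            continue
        local, state, uid = fields[1], fields[3], fields[7]
        if state != "0A":
            continue
        hex_ip, hex_port = local.split(":")
        # The kernel stores the IPv4 address little-endian, so read the bytes in reverse.
        octets = [str(int(hex_ip[i:i + 2], 16)) for i in (6, 4, 2, 0)]
        result.append((".".join(octets), int(hex_port, 16), int(uid)))
    return sorted(result, key=lambda t: t[1])


if __name__ == "__main__":
    for ts, user, src in system_account_logins(SAMPLE_LOG):
        print("service-account login:", ts, user, "from", src)
    for ip, port, uid in listening_ports(SAMPLE_PROC_NET_TCP):
        print("listening: %s:%d (uid %d)" % (ip, port, uid))
```

On a live box the second function would be fed the contents of /proc/net/tcp (and /proc/net/tcp6); the interactive equivalents on a Red Hat system of that era are `netstat -tlnp` for listening sockets with owning processes and `chkconfig --list` for services enabled at boot. For Keith's reinstall concern, `rpm -Va` reports files whose size, checksum or permissions no longer match the package database, which catches tampered packages that an upgrade would leave in place; the caveat is that a rootkit can alter the rpm binary and database too, which is why the thread's advice to reformat stands.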