[lug] Interesting Crash Report

D. Stimits stimits at idcomm.com
Wed Mar 21 13:39:47 MST 2001


rm at mamma.varadinet.de wrote:
> 
> On Wed, Mar 21, 2001 at 12:57:02PM -0700, D. Stimits wrote:
> [...]
> > lsof on my machine is in /usr/sbin, it might be in /sbin on some
> > machines. It is a target for crackers, since it can expose them. lsof
> > looks at an open file, and tells about the process that is opening it.
> 
> Yes, once the machine is 'tainted' you can't trust anything.
> I've a set of binaries of some of the most useful 'forensic'
> programs that I copy to a suspicious machine (into some private
> directory that I put first (!) in my path). Also it's a wise idea
> to use a clean version of libc (some stripped down version will
> do). Some candidates are: a good shell (statically linked one
> preferred), lsof, sshd (start it on a non-privileged port with your
> own config file and the login program that you brought with you),
> /usr/bin/passwd, lsmod etc. Some of these programs need to be built
> for the target machine, so it's a good idea to save them right after
> you first installed the system.
> 
> Still then, most of these programs depend on kernel functions and
> those can be 'patched' unless you disabled loadable module support
> in your kernel configuration (not a bad idea for an exposed server).
> Once an intruder is root he/she/it(?) can insert modules that will
> hide certain files/directories/processes and even hide some kernel
> modules themselves. I spent most of last weekend analyzing code from
> a root kit that does exactly that (poor scriptkiddy: he had three
> months of free access to the server and wasn't able to become root ;-)
> He/she brought in all sorts of cracking software not being aware
> that all of it was written for the 2.2.x kernel and the server was
> running 2.0.38. Now I have a nice fresh collection of code and
> a long traceback of netlogs ...)

I'd turn over information to the police or FBI. Even if they can't prove
where they were from, the code collection would be interesting. Or if
not to the police, there are several security organizations that collect
info such as that, e.g., www.securityportal.com.

FYI, while I was working on emails here, I had one attempted stealth
scan from:
Name:    171cm187.hkcable.com.hk
Address:  61.10.171.187


> 
>  Ralf
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
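The staging procedure Ralf describes above (a set of binaries saved right after install, copied into a private directory that goes first in PATH) as a small shell script. This is an added example, not code from the original thread; the manifest name SHA256SUMS, the idea of hashing the kit with its own sha256sum copy, and the sample file names are assumptions.

```shell
#!/bin/sh
# Stage a known-good forensic toolkit on a suspect host.
# Assumed layout (not from the original post): the toolkit directory holds
# statically linked binaries plus a manifest "SHA256SUMS" that was generated
# right after the system was installed, e.g.:
#     (cd /mnt/tools && sha256sum * > SHA256SUMS)
# Run the checks with the sha256sum copy shipped in the toolkit, not the host's.

# hash_file FILE: print the SHA-256 of FILE (falls back to shasum if needed).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_toolkit DIR MANIFEST
# Returns 0 only if every file listed in MANIFEST is present in DIR and
# hashes to the recorded value; reports each missing or modified file.
verify_toolkit() {
    dir=$1; manifest=$2; status=0
    while read -r sum name; do
        if [ -z "$name" ]; then continue; fi
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING:  $name" >&2; status=1; continue
        fi
        actual=$(hash_file "$dir/$name")
        if [ "$actual" != "$sum" ]; then
            echo "MODIFIED: $name" >&2; status=1
        fi
    done < "$manifest"
    return $status
}

# use_toolkit DIR: put DIR first in PATH and drop the shell's command cache,
# so commands already hashed to the suspect host's copies are not reused.
use_toolkit() {
    PATH="$1:$PATH"; export PATH
    hash -r
}

# Typical use (only after verify_toolkit succeeded):
#     verify_toolkit /mnt/tools /mnt/tools/SHA256SUMS && use_toolkit /mnt/tools
```

Verification is only meaningful if the manifest travels with the kit on read-only media; a manifest left on the compromised host can be rewritten along with the binaries.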
