Security Incidents: Re: RH6 boxes cracked

Re: RH6 boxes cracked

From: Osvaldo J. Filho <ojaneri_at_UOL.COM.BR>
Date: Thu, 4 Jan 2001 18:07:51 -0500

On Wed, 3 Jan 2001, D. Scott Barninger wrote:

> Hello,
>
> I am still trying to determine all that has been done but here is what I
> know at the moment. If anyone has seen similar attacks please let me
> know what to look for. For starters there appears to be a trojanized su
> binary installed. When calling su there is a delay of approximately 6-8
> seconds after entering the root password before a shell prompt is
> returned. A log message indicates that "call_pam_xauth" successfully
> forked a child (returned 1). At that point a check on the /dev directory
> shows most everything has altered user/group and/or permissions. The tty
> from which the su command was issued is now owned by my user rather than
> root as well as /dev/hdb. /dev/tty* is now writeable by group etc.
> Reinstalling the dev and sh-utils packages corrects things until the
> next time su is run. The same is true on 2 other boxes from which I
> typically rlogin over the internal network (primary box is a MASQ
> gateway). About 2 days prior to discovering this I got port-scanned and
> logged rejected packets on a netbios port (I did have netbios service
> exposed for remote connections).
>
> Any insights would be greatly appreciated.
>
> Scott
>
This kind of attack is basically a common one. Looks like the attacker
scanned a large block of IPs looking for something vulnerable, and then
some hours later (or days) exploited the machines that had a flaw
(unfortunately yours were among these) and installed a rootkit to keep
access for him.

Try a
# rpm --verify -a

to check, against your RPM database, all files that were changed. You will get a
good look at what's missing/changed. Check the RPM manual to see what the
output means (SUM/Date/Size/etc. altered, missing, etc.).

Try installing lsof (if already installed, install it from a secure source) and
checking all bound ports; there may be a DDoS agent running or a bind shell.
# lsof -i tcp
# lsof -i udp

For any further help, please contact me by email.

---
Osvaldo J. Filho
Unix Security Specialist
ojaneri_at_proteus.com.br
Proteus Security Systems
http://www.proteus.com.br / http://www.proteus-sec.com
---
Received on Jan 03 2001
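The reply above suggests `rpm --verify -a` but leaves reading its output to the RPM manual. The following is an added example, not part of Osvaldo's message or of the rpm project: a small Python triage script that parses the `rpm -V` attribute column (S size, M mode, 5 checksum, D device, L symlink, U owner, G group, T mtime, plus P in newer rpm, and `missing` lines) and separates the findings that match the thread's symptoms (a replaced `su`, re-permissioned `/dev` nodes, a missing `lsof`) from routine config and documentation drift. The sample output, the severity rules, the high-value path prefixes and all function names are constructed assumptions for the illustration.

```python
"""Triage `rpm --verify -a` output (added example; not from the thread or rpm)."""
import re
from dataclasses import dataclass

# Attribute letters rpm -V prints (RPM 3/4: SM5DLUGT; newer rpm adds P).
# "." means the attribute is unchanged, "?" means rpm could not test it.
ATTRIBUTES = {
    "S": "size", "M": "mode", "5": "checksum", "D": "device", "L": "symlink",
    "U": "owner", "G": "group", "T": "mtime", "P": "capabilities",
}
# Attributes that mean a file was replaced or re-permissioned, not merely touched.
STRONG = {"size", "mode", "checksum", "device", "symlink", "owner", "group"}
# Assumed high-value locations: where the thread's symptoms (su, /dev nodes) live.
HIGH_VALUE_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib/", "/dev/")

# One rpm -V line: attribute column (or "missing"), optional file-type letter, path.
LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S.*?)\s*$"
)


@dataclass
class Finding:
    path: str
    flags: str       # raw attribute column, or "missing"
    ftype: str       # "c" config, "d" documentation, ... or "" for ordinary files
    changed: list    # decoded attribute names
    severity: str    # "high" or "low"


def decode_flags(flags):
    """Turn 'S.5....T' into ['size', 'checksum', 'mtime']; 'missing' stays as is."""
    if flags == "missing":
        return ["missing"]
    return [ATTRIBUTES[c] for c in flags if c in ATTRIBUTES]


def classify(path, ftype, changed):
    """Assumed rules: config/doc files are low; a binary, library or device node
    under a high-value prefix that is missing or changed in a STRONG attribute is
    high; anything else (e.g. mtime-only drift) is low."""
    in_high_value = path.startswith(HIGH_VALUE_PREFIXES)
    if ftype in ("c", "d"):
        return "low"
    if in_high_value and ("missing" in changed or STRONG.intersection(changed)):
        return "high"
    return "low"


def parse_rpm_verify(text):
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue  # blank lines and rpm's own warnings carry no attribute column
        flags, ftype, path = m.group("flags"), m.group("ftype") or "", m.group("path")
        changed = decode_flags(flags)
        findings.append(Finding(path, flags, ftype, changed, classify(path, ftype, changed)))
    return findings


def triage(text):
    """Return {"high": [paths], "low": [paths]} in the order rpm printed them."""
    result = {"high": [], "low": []}
    for f in parse_rpm_verify(text):
        result[f.severity].append(f.path)
    return result


# Constructed sample output (not a real rpm run), shaped like the thread's symptoms.
SAMPLE = """\
S.5....T    /bin/su
.M...UG.    /dev/tty1
.M......    /dev/hdb
S.5....T  c /etc/inetd.conf
.......T  d /usr/share/doc/bash-1.14/README
missing     /usr/bin/lsof
"""

if __name__ == "__main__":
    for f in parse_rpm_verify(SAMPLE):
        print(f"{f.severity:4}  {f.path:40}  {', '.join(f.changed)}")
```

Run it against real output with `rpm --verify -a | python3 triage.py` after replacing `SAMPLE` with `sys.stdin.read()`. The point of the split is the one the reply makes implicitly: on a box that has been up for a while, changed config files and timestamps are noise, while a changed checksum on `/bin/su` or altered ownership on `/dev/tty*` is the signal, and rpm itself is only trustworthy if the `rpm` binary and its database were not among the things replaced.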