Security Incidents
mailing list archives
Re: Guess this is a hack attemp
From: Alvin Oga <alvin.sec () Maggie Linux-Consulting com>
Date: Sun, 22 Jul 2001 17:39:46 -0700 (PDT)
hi ya gareth
run the rootkit detectors... and see if it finds anything...
- audit your box... ( tons of free auditing tools )
http://www.linux-sec.net
Audit & tracking/forensics sections
( search for rootkit ... easier ?? )
if they were successful...you'd see many symptoms:
- altered log files
- altered binaries
- altered config files
- extra directories
- extra files
- extra processes running that you cannot explain
- slower response than before
- bounced emails to root/postmaster
- blah...blah...
all of those are easy to identify before it becomes a problem
with a good IDS... but a properly hardened box will be even better...
- they were "Testing" your rpc stuff... for old bugs...
if you do NOT mount this server from other boxes...
turn nfs off along with hundreds of other unused services/daemons
== since you have to ask ... how can you tell...
- the simple answer is install tripwire or aide or other ids
and it will tell you they got in... ( which is TOOO late )
- trick: only install tripwire/aide/ids on a VIRGIN&Patched
box... don't bother wasting time after it's been online/[h/cr]hacked
have fun
alvin
On Sun, 22 Jul 2001, Gareth Hastings wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Jul 17 07:47:45 somebox rpc.statd[609]: gethostbyname error for
^X?y?^X?y?^Z?y?^Z?y?%8x%8x%8
x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn\220\220\220\220\220\220\220\22
0\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\
220\220\220\220\220\220
\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\
220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\
220\220\220\220\220\220
\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\
220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
\220\220\220\220\220\22
0\220\220
How do I know if the attempt succeeded or not ? This entry is repeated
about 50 times. I checked the obvious things like hosts.allow/deny
being changed. I checked for suid root files and entries in the
inetd.conf file. Is there anything else I should look for ?
k
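The quoted rpc.statd entry is the classic shape of a format-string attempt: the "hostname" that gethostbyname() failed to resolve is full of %8x padding directives, %hn write directives and a long run of \220 (octal for 0x90, the x86 NOP byte, as syslog escapes it). The scanner below, added here as an example and not code from either poster, pulls such entries out of syslog and counts them per host. The log lines are constructed for the demo; only the first is modelled on the entry Gareth quoted, with the \220 run shortened.

```python
"""Flag rpc.statd gethostbyname errors whose argument is not a hostname.

Added example for this thread (not from the list or either poster).
SAMPLE_LOG is constructed; the first line is modelled on the quoted entry.
"""
import re
from collections import Counter

# Shape of the line the old Linux rpc.statd logged when gethostbyname() failed.
STATD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"rpc\.statd\[(?P<pid>\d+)\]: gethostbyname error for (?P<arg>.*)$"
)

# Indicators a legitimate hostname never contains:
FMT_WRITE_RE = re.compile(r"%\d*h?n")       # %n / %hn: write directives
FMT_PAD_RE = re.compile(r"%\d+x")           # %8x, %62716x: padding directives
NOP_RUN_RE = re.compile(r"(?:\\220){8,}")   # 8+ octal 0x90 bytes as syslog escapes them


def classify(arg: str) -> dict:
    """Return which indicators the gethostbyname argument contains."""
    return {
        "format_write": bool(FMT_WRITE_RE.search(arg)),
        "format_pad_count": len(FMT_PAD_RE.findall(arg)),
        "nop_sled": bool(NOP_RUN_RE.search(arg)),
    }


def is_exploit_attempt(arg: str) -> bool:
    """A write directive, a NOP run, or heavy padding means this was not a lookup."""
    c = classify(arg)
    return c["format_write"] or c["nop_sled"] or c["format_pad_count"] >= 4


def scan(lines):
    """Return (hits, per_host) for all rpc.statd lines that look like attempts.

    hits: list of dicts with the parsed fields plus the classify() indicators.
    per_host: Counter of hits per logging host, to spot the "repeated 50 times" case.
    """
    hits, per_host = [], Counter()
    for line in lines:
        m = STATD_RE.match(line)
        if not m:
            continue
        arg = m.group("arg")
        if is_exploit_attempt(arg):
            rec = m.groupdict()
            rec.update(classify(arg))
            hits.append(rec)
            per_host[rec["host"]] += 1
    return hits, per_host


SAMPLE_LOG = [
    # Constructed, modelled on the quoted entry; \220 run shortened to 12 bytes.
    "Jul 17 07:47:45 somebox rpc.statd[609]: gethostbyname error for "
    "^X?y?^X?y?^Z?y?^Z?y?%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn" + "\\220" * 12,
    # Constructed: a genuine resolver failure, argument is just a hostname.
    "Jul 17 08:02:10 somebox rpc.statd[609]: gethostbyname error for nosuchhost.example.invalid",
    # Constructed: unrelated noise the scanner must ignore.
    "Jul 17 08:02:11 somebox sshd[712]: Accepted publickey for gareth from 192.0.2.10 port 40222",
]

if __name__ == "__main__":
    hits, per_host = scan(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['host']} pid={h['pid']} pads={h['format_pad_count']} "
              f"write={h['format_write']} nop_sled={h['nop_sled']}")
    for host, n in per_host.items():
        print(f"{host}: {n} attempt(s) logged")
```

Run it against the real file (for example `scan(open("/var/log/messages"))`) to get every attempt and how often each host logged it. What the scan cannot tell you is whether any attempt worked: a successful overwrite does not log a failure line, and an unsuccessful one often logs exactly what Gareth saw. That is why the rest of the thread points at integrity checking rather than the log.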
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com