You dumbass. Everybody knows you don't try to fix a compromised machine. You take it in stride, wipe the drives and start all over from a clean install.
j. -- Jeremy L. Gaddis <[EMAIL PROTECTED]> -----Original Message----- From: Ted Knab [mailto:[EMAIL PROTECTED] Behalf Of Thedore Knab Sent: Saturday, January 05, 2002 1:43 AM To: debian-isp@lists.debian.org Subject: Re: BIND exploited ? -UPDATE Thanks for your help. This was not a debian box. Maybe the next one will be. I think it was updated from an earilier version that was hacked. I am under the assumption that this server was this way for over 1 year. [EMAIL PROTECTED] chkrootkit-0.34]$ cat /etc/redhat-release Red Hat Linux release 6.2 (Zoot) I just started this .edu sys admin job last week. It is fun. I am finding all types of crazy stuff that would send most normal people to the nut house. It is an adventure. I don't think I will be able to rebuild this DNS for a few days. I have some other projects that need to be rolled out for .edu political reasons. It has been rooted for sometime, so I have a lot of fixing to do. I told everyone that needs to be informed, but they just don't get the gravity of the situation. Since I won't be able to build another, I tried isolating the services. It also seems more fun to try and fix the broken box. I think I have most of the cracked services isolated. Behind door number 1 - less services A nmap scan from my laptop reveals: Starting nmap V. 2.54BETA25 ( www.insecure.org/nmap/ ) Interesting ports on dns1.mywork.edu : (The 1540 ports scanned but not shown below are in state: closed) Port State Service 21/tcp open ftp 23/tcp open telnet 53/tcp open domain 113/tcp open auth This is an improvement over what it looked like this morning: See your advice helped... :-) Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds Starting nmap V. 2.54BETA25 ( www.insecure.org/nmap/ ) Interesting ports on dns1.mywork.edu : (The 1533 ports scanned but not shown below are in state: closed) Port State Service 21/tcp open ftp 23/tcp open telnet 53/tcp open domain 79/tcp open finger 98/tcp open linuxconf 111/tcp open sunrpc 113/tcp open auth 513/tcp open login 514/tcp open shell 943/tcp open unknown 1024/tcp open kdm I found the startup location for the scripts. The scripts were starting every reboot. I guess the last time it started was: [EMAIL PROTECTED] chkrootkit-0.34]$ uptime 1:40am up 154 days, 9:15, 1 user, load average: 0.00, 0.00, 0.00 [EMAIL PROTECTED] /etc]# cat rc.d/rc.local #!/bin/sh # This script will be executed *after* all the other init scripts. # You can put your own initialization stuff in here if you don't # want to do the full Sys V style init stuff. if [ -f /etc/redhat-release ]; then R=$(cat /etc/redhat-release) ... cut fi ### #The Little Bastards Startup scripts #not very complicated #/etc/.../bindshell & #/etc/.../bnc & #/etc/.../snif & #/etc/.../lsh 31333 v0idzz checkroot kit did not seem to find anything except a snifer. This maybe because I did a chmod 0 on a bunch of the binaries I didn't want starting ever again. [EMAIL PROTECTED] chkrootkit-0.34]# ./chkrootkit ROOTDIR is `/' Checking `amd'... not found Checking `basename'... not infected Checking `biff'... not found Checking `chfn'... not infected Checking `chsh'... not infected Checking `cron'... not infected Checking `date'... not infected Checking `du'... not infected Checking `dirname'... not infected Checking `echo'... not infected Checking `egrep'... not infected Checking `env'... not infected Checking `find'... not infected Checking `fingerd'... not infected Checking `gpm'... not infected Checking `grep'... not infected Checking `hdparm'... not infected Checking `su'... not infected Checking `ifconfig'... not infected Checking `inetd'... not infected Checking `inetdconf'... not infected Checking `identd'... not infected Checking `killall'... not infected Checking `login'... not infected Checking `ls'... not infected Checking `mail'... not infected Checking `mingetty'... not infected Checking `netstat'... not infected Checking `named'... not infected Checking `passwd'... not infected Checking `pidof'... not infected Checking `pop2'... not found Checking `pop3'... not found Checking `ps'... not infected Checking `pstree'... not infected Checking `rpcinfo'... not infected Checking `rlogind'... not infected Checking `rshd'... not infected Checking `slogin'... not found Checking `sendmail'... not infected Checking `sshd'... not infected Checking `syslogd'... not infected Checking `tar'... not infected Checking `tcpd'... not infected Checking `top'... not infected Checking `telnetd'... not infected Checking `timed'... not infected Checking `traceroute'... not infected Checking `write'... not infected Checking `aliens'... /dev/.v0id/ptyq /dev/ptyp /dev/ptypr Searching for sniffer's logs, it may take a while... nothing found Searching for t0rn's default files and dirs... nothing found Searching for t0rn's v8 defaults... nothing found Searching for Lion Worm default files and dirs... nothing found Searching for RSHA's default files and dir... nothing found Searching for RH-Sharpe's default files... nothing found Searching for Ambient's rootkit (ark) default files and dirs... nothing found Searching for suspicious files and dirs, it may take a while... /usr/lib/linuxconf/install/gnome/.directory /usr/lib/linuxconf/install/gnome/.order /usr/lib/perl5/5.00503/i386-linux/.packlist /usr/lib/perl5/site_perl/5.005/i386-linux/auto/MD5/.packlist /usr/lib/gopher-data/.Xdefaults /usr/lib/gopher-data/.bash_logout /usr/lib/gopher-data/.bash_profile /usr/lib/gopher-data/.bashrc /usr/lib/gopher-data/.kde /usr/lib/gopher-data/.kderc /usr/lib/gopher-data/Desktop/.directory /usr/lib/gopher-data/.screenrc /lib/modules/2.2.14-5.0/.rhkmvtag /usr/lib/gopher-data/.kde Searching for LPD Worm files and dirs... nothing found Searching for Ramen Worm files and dirs... nothing found Searching for Maniac files and dirs... nothing found Searching for RK17 files and dirs... nothing found Searching for Ducoci rootkit... nothing found Searching for Adore Worm... nothing found Searching for ShitC Worm... nothing found Searching for Omega Worm... nothing found Searching for anomalies in shell history files... nothing found Checking `asp'... not infected Checking `bindshell'... not infected Checking `lkm'... nothing detected Checking `rexedcs'... not found Checking `sniffer'... eth0 is PROMISC Checking `wted'... nothing deleted Checking `z2'... nothing deleted I will keep you all up to date if I find any more new hacked machines. -Ted On Fri, Jan 04, 2002 at 01:43:16PM -0500, Andy Bastien wrote: > On Fri Jan 04, a day that will live in infamy, Russell Coker wrote: > > On Fri, 4 Jan 2002 17:54, Andy Bastien wrote: > > > On Fri Jan 04, a day that will live in infamy, Russell Coker wrote: > > > > On Fri, 4 Jan 2002 03:16, Thedore Knab wrote: > > > > > ?Where do I go from here ? > > > > > > > > Buy new hard drives, install them and install the latest version of your > > > > favourite distribution and configure it in a secure fashion. Make sure > > > > that all passwords are different. > > > > > > Is it really necessary to buy new hard drives? Is there a reason why > > > he can't just reformat his current drives before reinstalling? > > > > Sure he can, if he wants to lose the evidence of what happened and lose the > > possibility to hand the drives over to law enforcement officials (which may > > be demanded of him even if he doesn't want it in the case that his machine > > was used to attack others). > > Good point! Having never dealt with the fuzz after being compromised, > I have to ask what you would do if your server is a file server with > lots of big, expensive drives where a company might not be able to > afford replacing them all? Would they be happy with backups (keeping > in mind that any tools used to backup the server might no longer be > trustworthy)? How about disk images (made with dd, or something > similar) of the drives that contain the system stuff? > > > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] > -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
