Kjetil Kjernsmo <[EMAIL PROTECTED]> writes:

> To address this first: It is the gnutella server that causes alarm, so is
> there anything I could have done that would install gnutella but escape
> my attention? I certainly never did apt-get install gnutella (I tried
> apt-get remove gnutella yesterday, with no effect). Is it likely that if
> I don't know how it got there, it has been installed by a cracker? I've
> tried to telnet 217.77.32.186 6346 but get no connection.

Well, if something's got on there that you don't remember installing, can I
have some of what you're taking? ;)

It's at this point that you should start debugging what's really listening
on your box versus what a scanner says you are. I suggest you nmap yourself
to see what ports you really have open, and compare against

    netstat -plant | grep LIST

(here's your first potential clue: if netstat complains about `-p', it's
been trojanned). Next, if you've got a socket listener on 6346 (IIRC, the
most frequently used gnutella port), try telnetting into it and see what
banner, if any, it presents. At some stage you should probably run
_chkrootkit_ on the blighter, too. Do you have an original AIDE database
from immediately after it was installed?

> I tried to set the suggested PermitRootLogin for ssh to no,
> but ssh gave me some message that I thought meant it didn't recognize it.

That's weird. Try running an sshd from a terminal, to read /etc/ssh/*, and
see if you get any syntax errors there. Here's another idea:

| zsh/scr, potato 5:03PM piglet % md5sum /var/cache/apt/archives/*ssh* /usr/sbin/sshd
| 0c1ef2fb11aa02a3b6af95157038e71b  ssh_1%3a3.0.2p1-9_i386.deb
| a68ece0b46d2f42b655d0bf6434c317a  /usr/sbin/sshd

> I compiled in iptables in the kernel, but I haven't read up
> on how to use it. I have also installed some of the harden packages.
> Last night, I thought my system was running quite well, though I had
> noticed gnutella running. I figured it was time to run nessus, so I did.
> It seems to report many holes, some holes that I guess would be
> exploitable. I put the report on <URL:
> http://www.astro.uio.no/~kjetikj/tmp/pooh-nessus-2002-22-05.html >

Bear in mind two things:

a) Debian applies patches in stable as/when required; we don't follow
   upstream version numbers regardless.

b) testing is a strange halfway-house between stable and unstable; you can
   expect a security fix to make it into Unstable pretty soon (as it tracks
   upstream versions), but it'll be at least a fortnight after that before
   it hits Testing.

That said, you probably want to check the Changelog(.Debian.gz) for ssh -
I'd be surprised if the patches required hadn't made it down into Testing.

> If it has been cracked, what should I do? I could run up to my hosts and
> have them turn it off, I guess. But then what? I have really no clue what
> happened, and while I could turn off some more services, it seems like
> the biggest security problems are with ssh and smtp, that is, OpenSSH and
> Exim, so would a clean reinstall help a lot?

<http://www.cert.org/tech_tips/win-UNIX-system_compromise.html>.

First assess whether you really have been breached; if you have, you *must*
reformat, reinstall, update all packages, firewall, install an IDS (aide)
and nIDS (snort) - but take a forensic last-minute backup before you do.

~Tim
-- 
<http://spodzone.org.uk/>
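The nmap-versus-netstat comparison the reply recommends, written out as an added example that is not part of the original thread or of any Debian tool: a POSIX shell script that parses an nmap report and a `netstat -plant` listing and prints every port the scanner sees open that the host's own netstat does not admit to listening on. Both inputs below are constructed sample outputs (host name, addresses, PIDs and the stray 6346 listener are all made up), so it runs offline; on a real box you would feed it the saved output of `nmap -p- <host>` taken from another machine and `netstat -plant` taken on the suspect host.

```shell
#!/bin/sh
# Added example, not from the original thread: compare what a remote nmap
# scan sees open against what the host's own "netstat -plant" admits to.
# A port the scanner sees but netstat does not is the classic sign of a
# hidden listener (trojanned netstat or an LKM rootkit), which is why the
# reply says to nmap yourself and compare the two lists.

# Constructed sample nmap output (host, address and ports are made up).
NMAP_OUT='Interesting ports on pooh (192.0.2.10):
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
6346/tcp   open        gnutella-svc
'

# Constructed sample "netstat -plant" output from the same host. Nothing
# here owns port 6346, which is exactly the discrepancy we want to catch.
NETSTAT_OUT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      412/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      530/exim
tcp        0      0 192.0.2.10:22           198.51.100.7:40122      ESTABLISHED 977/sshd
'

# Print, one per line and numerically sorted, every TCP port nmap reports
# as open. Only lines shaped like "NNN/tcp open ..." are considered.
nmap_open_ports() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" { split($1, p, "/"); print p[1] }' |
        sort -n
}

# Print every local port in LISTEN state from "netstat -plant" output. The
# port is whatever follows the last ':' of the local address, which also
# copes with IPv6 forms such as ":::22".
netstat_listen_ports() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^tcp6?$/ && $6 == "LISTEN" { n = split($4, a, ":"); print a[n] }' |
        sort -n | uniq
}

# Ports open to the network that the host does not admit to listening on.
hidden_ports() {
    tmp=$(mktemp) || return 1
    netstat_listen_ports "$2" > "$tmp"
    # -x whole-line match, -F fixed strings, -v keep only the unmatched.
    # grep exits 1 when nothing is left, which here means "all accounted for".
    nmap_open_ports "$1" | grep -vxF -f "$tmp" || true
    rm -f "$tmp"
}

# Human-readable verdict. Returns 0 when the lists agree, 2 when the
# scanner sees something netstat hides.
check_host() {
    hidden=$(hidden_ports "$1" "$2")
    if [ -z "$hidden" ]; then
        echo "OK: every port nmap sees open is accounted for by netstat"
        return 0
    fi
    echo "ALARM: open to the network but absent from netstat's LISTEN list:"
    printf '  %s/tcp\n' $hidden   # unquoted on purpose: one line per port
    echo "Suspect a trojanned netstat or a kernel rootkit: run chkrootkit and"
    echo "compare the binaries against the md5sums of the cached .deb files."
    return 2
}

# Demo run on the constructed samples. The non-zero status is the alarm
# signal for scripting; "|| true" just keeps the demo from aborting on it.
check_host "$NMAP_OUT" "$NETSTAT_OUT" || true
```

The script deliberately trusts neither side: a port that netstat shows but nmap does not is merely firewalled or bound to loopback, whereas a port nmap shows that netstat does not is the case worth losing sleep over. Run netstat on the suspect box and nmap from a machine you trust, since a compromised host can lie about both.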