There is a good chance if you have been rooted, that the attacker installed a rootkit to cover his tracks. I saw a good rootkit detector on http://freshmeat.net/ . Just do a search for it on there.
>From: Tim Haynes <[EMAIL PROTECTED]>
>To: Kjetil Kjernsmo <[EMAIL PROTECTED]>
>CC: [EMAIL PROTECTED]
>Subject: Re: Uh-oh. Cracked allready. I think...
>Date: 23 May 2002 17:11:26 +0100
>
>Kjetil Kjernsmo <[EMAIL PROTECTED]> writes:
>
> > To address this first: It is the gnutella server that causes alarm, so is
> > there anything I could have done that would install gnutella but escape
> > my attention?
> > I certainly never did apt-get install gnutella (I tried
> > apt-get remove gnutella yesterday, with no effect). Is it likely that if
> > I don't know how it got there, it has been installed by a cracker? I've
> > tried to telnet 217.77.32.186 6346 but get no connection.
>
>Well if something's got on there that you don't remember installing, can I
>have some of what you're taking? ;)
>
>It's at this point that you should start debugging what's really listening
>on your box from what a scanner says you are. I suggest you nmap yourself
>to see what ports you really have open, and compare against
> netstat -plant | grep LIST
>(here's your first potential clue: if netstat complains about `-p', it's
>been trojanned.)
>
>Next, if you've got a socket listener on 6346 (IIRC, the most frequently
>used gnutella port), try telnetting into it and see what banner, if any, it
>presents.
>
>At some stage you should probably run _chkrootkit_ on the blighter, too.
>
>Do you have an original AIDE database from immediately after it was
>installed?
>
> > I tried to set the suggested PermitRootLogin for ssh to no,
> > but ssh gave me some message that I thought meant it didn't recognize it.
>
>That's weird. Try running an sshd from a terminal, to read /etc/ssh/*, and
>see if you get any syntax errors there.
>
>Here's another idea:
>
> | zsh/scr, potato 5:03PM piglet % md5sum /var/cache/apt/archives/*ssh*
> | /usr/sbin/sshd
> | 0c1ef2fb11aa02a3b6af95157038e71b ssh_1%3a3.0.2p1-9_i386.deb
> | a68ece0b46d2f42b655d0bf6434c317a /usr/sbin/sshd
>
> > I compiled in IPtables in the kernel, but I haven't read up
> > on how to use it. I have also installed some of the harden packages.
> >
> > Last night, I thought my system was running quite well, though I had
> > noticed gnutella running. I figured it was time to run nessus, so I did.
> > It seems to report many holes, some holes that I guess would be
> > exploitable.
> > I put the report on <URL:
> > http://www.astro.uio.no/~kjetikj/tmp/pooh-nessus-2002-22-05.html >
>
>Bear in mind two things:
>
>a) Debian apply patches in stable as/when required, we don't follow
> upstream version#s regardlessly
>
>b) testing is a strange halfway-house between stable and unstable; you can
> expect a security fix to make it into Unstable pretty soon (as it tracks
> upstream versions) but it'll be at least a fortnight after that it hits
> Testing.
>
>That said, you probably want to check the Changelog(.Debian.gz) for ssh -
>I'd be surprised if the patches required hadn't made it down into Testing.
>
> > If it has been cracked, what should I do? I could run up to my hosts and
> > have them turn it off, I guess. But then what? I have really no clue what
> > happened, and while I could turn off some more services, it seems like
> > the biggest security problems are with ssh and smtp, that is, OpenSSH and
> > Exim, so would a clean reinstall help a lot?
>
><http://www.cert.org/tech_tips/win-UNIX-system_compromise.html>.
>
>First assess whether you really have been breached; if you have, you *must*
>reformat, reinstall, update all packages, firewall, install an IDS (aide)
>and nIDS (snort) - but take a forensic last-minute backup before you do.
>
>~Tim
>--
><http://spodzone.org.uk/>
>
>--
>To UNSUBSCRIBE, email to [EMAIL PROTECTED]
>with a subject of "unsubscribe". Trouble? Contact
>[EMAIL PROTECTED]
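The check Tim describes above (scan yourself with nmap, then compare against `netstat -plant | grep LIST`) boils down to finding ports a scanner sees open that netstat does not admit to. Below is an added example that automates that comparison; it is not code from the thread, and the nmap and netstat outputs it parses are constructed samples in the shape of those tools' output, with the hidden gnutella port 6346 planted to show what a trojanned netstat would look like.

```python
"""Compare a port scanner's view of a host with what netstat admits is listening."""
import re

# Constructed sample in the shape of `nmap localhost` output (not a real scan).
NMAP_OUTPUT = """\
PORT     STATE  SERVICE
22/tcp   open   ssh
25/tcp   open   smtp
111/tcp  closed sunrpc
6346/tcp open   gnutella
"""

# Constructed sample in the shape of `netstat -plant | grep LIST` output.
# Port 6346 is deliberately missing, as a trojanned netstat would hide it.
NETSTAT_OUTPUT = """\
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      411/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      532/exim
"""


def scanner_open_ports(nmap_text):
    """Return {port: service} for every TCP port nmap reports as open."""
    ports = {}
    for line in nmap_text.splitlines():
        m = re.match(r"(\d+)/tcp\s+open\s+(\S+)", line)
        if m:
            ports[int(m.group(1))] = m.group(2)
    return ports


def netstat_listeners(netstat_text):
    """Return {port: 'pid/program'} for every TCP LISTEN socket netstat shows."""
    listeners = {}
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 7 and f[0].startswith("tcp") and f[5] == "LISTEN":
            port = int(f[3].rsplit(":", 1)[1])  # works for 0.0.0.0:22 and :::22
            listeners[port] = f[6]
    return listeners


def unexplained_ports(nmap_text, netstat_text):
    """Ports open to the scanner but absent from netstat: the cue to reach
    for chkrootkit and the original AIDE database, since netstat itself may lie."""
    seen = scanner_open_ports(nmap_text)
    admitted = netstat_listeners(netstat_text)
    return {port: svc for port, svc in seen.items() if port not in admitted}


if __name__ == "__main__":
    for port, svc in sorted(unexplained_ports(NMAP_OUTPUT, NETSTAT_OUTPUT).items()):
        print(f"{port}/tcp ({svc}) is open to the scanner but not listed by netstat")
```

Run the scan from a second machine where possible; a kernel-level rootkit can hide a socket from every userland tool on the host itself, which is why the external view is the reference.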