-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear Tim, dear all,

Thanks for all the responses. I realize it's pretty bold trying to put a box on the net without having extensive admin experience beforehand. But I think I'm learning fast, and I hope I'll be able to do it without placing any burden on the rest of the net. That is, except for you guys... :-) Your help is greatly appreciated!

On 23 May 2002, Tim Haynes wrote:

>Kjetil Kjernsmo <[EMAIL PROTECTED]> writes:
>
>> To address this first: It is the gnutella server that causes alarm, so is
>> there anything I could have done that would install gnutella but escape
>> my attention? I certainly never did apt-get install gnutella (I tried
>> apt-get remove gnutella yesterday, with no effect). Is it likely that, if
>> I don't know how it got there, it has been installed by a cracker? I've
>> tried to telnet 217.77.32.186 6346 but get no connection.
>
>Well if something's got on there that you don't remember installing, can I
>have some of what you're taking? ;)

Hehe... I was sooooo sure it would be at least one copy of Star Wars II, but no... ;-) There's nothing here... I've walked through the whole disk, and I can't find anything of any size that I don't know what is. Whatever it is, it has to be rather small...

>It's at this point that you should start debugging what's really listening
>on your box from what a scanner says you are. I suggest you nmap yourself
>to see what ports you really have open, and compare against
>  netstat -plant | grep LIST
>(here's your first potential clue: if netstat complains about `-p', it's
>been trojanned.)

It complained about -p when I wasn't root... OK.

This is what nmap says, launched from my workstation:

Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
53/tcp     open        domain
80/tcp     open        http
110/tcp    open        pop-3
111/tcp    open        sunrpc
137/tcp    filtered    netbios-ns
138/tcp    filtered    netbios-dgm
139/tcp    filtered    netbios-ssn
1024/tcp   open        kdm
1025/tcp   open        listen
6346/tcp   filtered    gnutella

Whereas this is nmap from the machine itself:

kjetil@pooh:~$ nmap pooh

Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Warning: You are not root -- using TCP pingscan rather than ICMP
Interesting ports on pooh.kjernsmo.net (217.77.32.186):
(The 1545 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
53/tcp     open        domain
80/tcp     open        http
110/tcp    open        pop-3
111/tcp    open        sunrpc
139/tcp    open        netbios-ssn
1024/tcp   open        kdm
1025/tcp   open        listen

So, the suspicious gnutella port isn't in the latter. I don't know what kdm is doing there, BTW. I unselected X and desktop in the initial tasksel. Some X stuff seems to have been installed nevertheless, but neither KDE nor kdm has ever been installed on this box.

So for netstat:

pooh:~# netstat -plant | grep LIST
tcp  0  0 0.0.0.0:1024        0.0.0.0:*  LISTEN  209/rpc.statd
tcp  0  0 0.0.0.0:1025        0.0.0.0:*  LISTEN  236/rpc.mountd
tcp  0  0 0.0.0.0:139         0.0.0.0:*  LISTEN  218/inetd
tcp  0  0 0.0.0.0:110         0.0.0.0:*  LISTEN  218/inetd
tcp  0  0 0.0.0.0:111         0.0.0.0:*  LISTEN  123/portmap
tcp  0  0 0.0.0.0:80          0.0.0.0:*  LISTEN  6586/apache
tcp  0  0 217.77.32.186:53    0.0.0.0:*  LISTEN  194/named
tcp  0  0 127.0.0.1:53        0.0.0.0:*  LISTEN  194/named
tcp  0  0 0.0.0.0:22          0.0.0.0:*  LISTEN  285/sshd
tcp  0  0 127.0.0.1:953       0.0.0.0:*  LISTEN  201/lwresd
tcp  0  0 0.0.0.0:25          0.0.0.0:*  LISTEN  218/inetd

(slightly reformatted to fit better)

>Next, if you've got a socket listener on 6346 (IIRC, the most frequently
>used gnutella port), try telnetting into it and see what banner, if any, it
>presents.

Nope, nothing...

pooh:~# telnet 217.77.32.186 6346
Trying 217.77.32.186...
telnet: Unable to connect to remote host: Connection refused

to be sure.

>At some stage you should probably run _chkrootkit_ on the blighter, too.

Yeah, I've done that several times. chkrootkit was described in "Securing Debian", so I installed it before moving it, but only ran it just after I saw the gnutella port. Nothing detected.

>Do you have an original AIDE database from immediately after it was
>installed?

Uh, don't think so. I installed snort, but didn't take the time to play with it. I thought that would do the job too... Can I get the required information from the snort install...?

>> I tried to set the suggested PermitRootLogin for ssh to no,
>> but ssh gave me some message that I thought meant it didn't recognize it.
>
>That's weird. Try running an sshd from a terminal, to read /etc/ssh/*, and
>see if you get any syntax errors there.

Yeah, I got something weirder now...:

pooh:/etc/ssh# /usr/sbin/sshd -f /etc/ssh/ssh_config
/etc/ssh/ssh_config: line 19: Bad configuration option: ForwardX11
/etc/ssh/ssh_config: line 24: Bad configuration option: FallBackToRsh
/etc/ssh/ssh_config: line 31: Bad configuration option: IdentityFile
/etc/ssh/ssh_config: line 36: Bad configuration option: PreferredAuthentications
/etc/ssh/ssh_config: terminating, 4 bad configuration options

What could be wrong about e.g.:

ForwardX11 yes

>Here's another idea:
>
> | zsh/scr, potato 5:03PM piglet % md5sum /var/cache/apt/archives/*ssh* /usr/sbin/sshd
> | 0c1ef2fb11aa02a3b6af95157038e71b  ssh_1%3a3.0.2p1-9_i386.deb
> | a68ece0b46d2f42b655d0bf6434c317a  /usr/sbin/sshd

They are OK.

>> exploitable. I put the report on <URL:
>> http://www.astro.uio.no/~kjetikj/tmp/pooh-nessus-2002-22-05.html
>
>That said, you probably want to check the Changelog(.Debian.gz) for ssh -
>I'd be surprised if the patches required hadn't made it down into Testing.

The marked hole was indeed patched, but I couldn't find anything about the warning (OpenSSH < 3.2.1).

>> If it has been cracked, what should I do? I could run up to my hosts and
>> have them turn it off, I guess. But then what? I have really no clue what
>> happened, and while I could turn off some more services, it seems like
>> the biggest security problems are with ssh and smtp, that is, OpenSSH and
>> Exim, so would a clean reinstall help a lot?
>
><http://www.cert.org/tech_tips/win-UNIX-system_compromise.html>.
>
>First assess whether you really have been breached; if you have, you *must*
>reformat, reinstall, update all packages, firewall, install an IDS (aide)
>and nIDS (snort) - but take a forensic last-minute backup before you do.

Well, yeah, I still don't know if I've been breached; after all, it is only the gnutella entry in the nmap I do from my workstation, but then, better safe than sorry...

Best,

Kjetil

- -- 
Kjetil Kjernsmo, Recent astrophysics graduate
University of Oslo, Norway
E-mail: [EMAIL PROTECTED]
Homepage <URL:http://folk.uio.no/kjetikj/>
[EMAIL PROTECTED]
OpenPGP KeyID: 6A6A0BBC

    Problems worthy of attack
    Prove their worth by hitting back
                        - Piet Hein

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (OSF1)
Comment: For info see http://www.gnupg.org

iD8DBQE87jDrlE/Gp2pqC7wRAkV2AJ0b+VHstC/rayVRb6i4gzp3Fd5siACfSBBR
LleteNVSzvw60ojr3BIF6RA=
=p4tv
-----END PGP SIGNATURE-----

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
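The check Tim suggests in the message above (compare what a scanner sees from outside with what `netstat -plant` shows on the host) done mechanically, as an added example by the editor of this page; it is not part of the thread or of nmap, netstat or any other tool named in it. The two listings embedded below are typed in from the post as constructed sample input, not a live capture, and the verdict names (HIDDEN, FILTERED, OK, LOOPBACK, UNSEEN) are this example's own. The distinction the code encodes is a fact about nmap: a port is reported "filtered" when the scanner gets no answer at all, which is what a packet filter somewhere on the path produces; it is a different state from "open". So a filtered 6346 with no matching netstat entry is not by itself evidence of a listener, whereas an "open" port from outside with no local LISTEN socket is the result that should set off alarms, because it means netstat is lying or a process is hiding its socket.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the two listings from the post, typed in by hand
# (not a live capture). The external scan is the one run from the workstation.
EXTERNAL_NMAP = """\
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
53/tcp     open        domain
80/tcp     open        http
110/tcp    open        pop-3
111/tcp    open        sunrpc
137/tcp    filtered    netbios-ns
138/tcp    filtered    netbios-dgm
139/tcp    filtered    netbios-ssn
1024/tcp   open        kdm
1025/tcp   open        listen
6346/tcp   filtered    gnutella
"""

# `netstat -plant | grep LIST` as run on the host itself (constructed, from the post).
LOCAL_NETSTAT = """\
tcp  0  0 0.0.0.0:1024        0.0.0.0:*  LISTEN  209/rpc.statd
tcp  0  0 0.0.0.0:1025        0.0.0.0:*  LISTEN  236/rpc.mountd
tcp  0  0 0.0.0.0:139         0.0.0.0:*  LISTEN  218/inetd
tcp  0  0 0.0.0.0:110         0.0.0.0:*  LISTEN  218/inetd
tcp  0  0 0.0.0.0:111         0.0.0.0:*  LISTEN  123/portmap
tcp  0  0 0.0.0.0:80          0.0.0.0:*  LISTEN  6586/apache
tcp  0  0 217.77.32.186:53    0.0.0.0:*  LISTEN  194/named
tcp  0  0 127.0.0.1:53        0.0.0.0:*  LISTEN  194/named
tcp  0  0 0.0.0.0:22          0.0.0.0:*  LISTEN  285/sshd
tcp  0  0 127.0.0.1:953       0.0.0.0:*  LISTEN  201/lwresd
tcp  0  0 0.0.0.0:25          0.0.0.0:*  LISTEN  218/inetd
"""

NMAP_ROW = re.compile(r"^\s*(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")
NETSTAT_ROW = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(\S+)")


def parse_nmap(text: str) -> Dict[int, Tuple[str, str]]:
    """TCP port -> (state, service) from nmap's human-readable port table."""
    ports: Dict[int, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = NMAP_ROW.match(line)
        if m and m.group(2) == "tcp":
            ports[int(m.group(1))] = (m.group(3), m.group(4))
    return ports


def parse_netstat(text: str) -> Dict[int, List[Tuple[str, str]]]:
    """TCP port -> [(bind address, pid/program)] from `netstat -plant` LISTEN rows.
    One port may carry several sockets (53 is bound on the public address and on loopback)."""
    listeners: Dict[int, List[Tuple[str, str]]] = {}
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if m:
            listeners.setdefault(int(m.group(2)), []).append((m.group(1), m.group(3)))
    return listeners


def reconcile(external: Dict[int, Tuple[str, str]],
              local: Dict[int, List[Tuple[str, str]]]) -> List[Tuple[int, str, str]]:
    """Cross-check the outside view against the inside view; returns (port, verdict, detail).
    HIDDEN: open from outside, no LISTEN socket locally (trojaned netstat or hidden socket).
    FILTERED: scanner got no answer; a packet filter on the path, not a listener.
    OK: open from outside and accounted for by a local process.
    LOOPBACK: bound to 127.x / ::1 only, so rightly invisible from outside.
    UNSEEN: wildcard or public bind that the external scan did not report as open."""
    findings: List[Tuple[int, str, str]] = []
    for port, (state, service) in sorted(external.items()):
        if port not in local:
            verdict = "HIDDEN" if state == "open" else "FILTERED"
            findings.append((port, verdict, f"{service}: {state} externally, no local listener"))
        elif state == "open":
            progs = ",".join(p for _, p in local[port])
            findings.append((port, "OK", f"{service}: served by {progs}"))
        else:
            findings.append((port, "FILTERED", f"{service}: listener present, scanner got no answer"))
    for port, binds in sorted(local.items()):
        if port in external:
            continue
        loopback_only = all(addr.startswith("127.") or addr == "::1" for addr, _ in binds)
        progs = ",".join(p for _, p in binds)
        findings.append((port, "LOOPBACK" if loopback_only else "UNSEEN", f"bound by {progs}"))
    return findings


def verdicts(external_text: str = EXTERNAL_NMAP, local_text: str = LOCAL_NETSTAT) -> Dict[int, str]:
    """port -> verdict for two raw text listings."""
    return {p: v for p, v, _ in reconcile(parse_nmap(external_text), parse_netstat(local_text))}


if __name__ == "__main__":
    for port, verdict, detail in reconcile(parse_nmap(EXTERNAL_NMAP), parse_netstat(LOCAL_NETSTAT)):
        print(f"{port:>6}/tcp  {verdict:<9} {detail}")
```

Run against the post's data the script reports 6346, 137 and 138 as FILTERED with no local listener, 139 as FILTERED with inetd behind it, 953 as LOOPBACK (lwresd on 127.0.0.1), and nothing HIDDEN; that is consistent with a filter between the workstation and the host rather than with a hidden gnutella daemon. Whenever a HIDDEN verdict does appear, trust neither binary on the suspect host and confirm from a second machine and with an independent tool such as lsof -i before drawing conclusions.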