From: Tim Haynes <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: Kjetil Kjernsmo <[EMAIL PROTECTED]>
CC: debian-security@lists.debian.org
Subject: Re: Uh-oh. Cracked allready. I think...
Date: 23 May 2002 17:11:26 +0100
MIME-Version: 1.0
Received: from murphy.debian.org ([65.125.64.134]) by hotmail.com with
Microsoft SMTPSVC(5.0.2195.4905); Thu, 23 May 2002 09:58:49 -0700
Received: (qmail 17912 invoked by uid 38); 23 May 2002 16:11:56 -0000
Received: (qmail 17654 invoked from network); 23 May 2002 16:11:41 -0000
Received: from potato.vegetable.org.uk (195.149.39.120) by
murphy.debian.org with SMTP; 23 May 2002 16:11:41 -0000
Received: from piglet by potato.vegetable.org.uk with local (Exim 3.35 #1
(Debian))id 17AvBW-0000oa-00; Thu, 23 May 2002 17:11:26 +0100
X-Envelope-Sender: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]
References: <[EMAIL PROTECTED]>
In-Reply-To: <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>
Lines: 78
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.2
X-Spam-Status: No, hits=-2.0 required=4.7 tests=IN_REP_TO version=2.01
Resent-Message-ID: <[EMAIL PROTECTED]>
Resent-From: debian-security@lists.debian.org
X-Mailing-List: <debian-security@lists.debian.org> archive/latest/7361
X-Loop: debian-security@lists.debian.org
List-Post: <mailto:debian-security@lists.debian.org>
List-Help: <mailto:[EMAIL PROTECTED]>
List-Subscribe:
<mailto:[EMAIL PROTECTED]>
List-Unsubscribe:
<mailto:[EMAIL PROTECTED]>
Precedence: list
Resent-Sender: [EMAIL PROTECTED]
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 23 May 2002 16:58:49.0697 (UTC)
FILETIME=[1C308510:01C2027B]
Kjetil Kjernsmo <[EMAIL PROTECTED]> writes:
> To address this first: It is the gnutella server that causes alarm, so
is
> there anything I could have done that would install gnutella but escape
> my attention? I certainly never did apt-get install gnutella (I tried
> apt-get remove gnutella yesterday, with no effect). Is it likely that if
> I don't know how it got there, has been installed by a cracker? I've
> tried to telnet 217.77.32.186 6346 but get no connection.
Well if something's got on there that you don't remember installing, can I
have some of what you're taking? ;)
It's at this point that you should start debugging what's really listening
on your box from what a scanner says you are. I suggest you nmap yourself
to see what ports you really have open, and compare against
netstat -plant | grep LIST
(here's your first potential clue: if netstat complains about `-p', it's
been trojanned.)
Next, if you've got a socket listener or 6346 (IIRC, the most frequently
used gnutella port), try telnetting into it and see what banner, if any, it
presents.
At some stage you should probably run _chkrootkit_ on the blighter, too.
Do you have an original AIDE database from immediately after it was
installed?
> I tried to set the suggested PermitRootLogin for ssh to no,
> but ssh gave me some messsage that I thought meant it did't recognize
it.
That's weird. Try running an sshd from a terminal, to read /etc/ssh/*, and
see if you get any syntax errors there.
Here's another idea:
| zsh/scr, potato 5:03PM piglet % md5sum /var/cache/apt/archives/*ssh*
| /usr/sbin/sshd
| 0c1ef2fb11aa02a3b6af95157038e71b ssh_1%3a3.0.2p1-9_i386.deb
| a68ece0b46d2f42b655d0bf6434c317a /usr/sbin/sshd
> I complied in IPtables in the kernel, but I haven't read up
> on how to use it. I have also installed some of the harden packages.
> Last night, I thought my system was running quite well, though I had
> noticed gnutella running. I figured it was time to run nessus, so I did.
> It seems to report many holes, some holes that I guess would be
> exploitable. I put the report on <URL:
> http://www.astro.uio.no/~kjetikj/tmp/pooh-nessus-2002-22-05.html >
Bear in mind two things:
a) Debian apply patches in stable as/when required, we don't follow
upstream version#s regardlessly
b) testing is a strange halfway-house between stable and unstable; you can
expect a security fix to make it into Unstable pretty soon (as it
tracks
upstream versions) but it'll be at least a fortnight after that it hits
Testing.
That said, you probably want to check the Changelog(.Debian.gz) for ssh -
I'd be surprised if the patches required hadn't made it down into Testing.
> If it has been cracked, what should I do? I could run up to my hosts and
> have them turn it off, I guess. But then what? I have really no clue
what
> happened, and while I could turn off some more services, it seems like
> the biggest security problems are with ssh and smtp, that is, OpenSSH
and
> Exim, so would a clean reinstall help a lot?
<http://www.cert.org/tech_tips/win-UNIX-system_compromise.html>.
First assess whether you really have been breached; if you have, you *must*
reformat, reinstall, update all packages, firewall, install an IDS (aide)
and nIDS (snort) - but take a forensic last-minute backup before you do.
~Tim
--
<http://spodzone.org.uk/>
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact
[EMAIL PROTECTED]
