[SunHELP] Tracking Hacker ?
Jeff Feller
sunhelp at sunhelp.org
Tue Apr 24 22:59:25 CDT 2001
Well, uhhh, no .. unfortunately I have no firewall protecting this
machine. It is a machine I have colocated at my place of work. It is
used as a webserver and mail server - nothing more. I generally shut off
all ports like telnet, ftp, etc but for some reason when I set this one up
I didn't - I think it's because the other guy who has root said I was too
paranoid and told me to keep telnet open ?
Nothing was out of the usual for /etc/passwd. In fact, after this had
happened, I also locked accounts that aren't ever used temporarily because
if they aren't used - do they need to be active? :)
I'll check with our system administrator on the log thing, but I'm willing
to bet we keep no logs on our router.
I'll keep lookin' around perhaps looking for all / any files modified on
"Apr 24" at 18:52 or so.. Otherwise, from the looks of it, the ONLY files I
see that were touched so far are /etc/motd, /var/adm/messages and the
wtmp or utmp files, I assume, since there is nothing in "last" ...
Thank you! I know, I know.. I need to get tighter security on EVERY
machine on the net. The only "SECURE SERVER" is one that is not plugged
in :)
Jeff Feller
Director of Network Operations
BitZ Communications
P.O. Box 157
Surrey, ND 58785
On Tue, 24 Apr 2001, Kurt Huhn wrote:
> > Hello Sun Admins,
> >
> > I logged into my SPARCstation 5 tonight (which runs Solaris 8) and a
> > message of "you been hacked" was on my screen. Someone somehow gained
> > ANY IDEAS that can help me are **GREATLY** appreciated. After this had
> > happened, I also checked my inetd.conf and probably should have shut down
> > basically ALL ports before hand because the only access anyone needs to
> > this is RARELY ftp and mostly ssh. Thank you!
>
> I'm going to assume that you have a firewall of some kind, and haven't just
> put a naked box on the internet - the technological equivalent of wearing
> nothing but socks to a swordfight...
>
> At any rate, check your firewall logs for accesses to that computer.
> Failing that, you *might* be able to check the access logs of your router -
> but some routers don't log.
>
> You can also check /etc/passwd - see if there's something in there that
> looks odd - a user that didn't exist before...
>
> My suspicion is that someone managed to brute force the box by guessing that
> your root user was "root" and just pointing a brute-forcer (like brutus) at
> your box via FTP. From that point, it's easy to open an SSH session with
> the newly found root password and cause all types of ruckus. They may have
> poked around a little, found out that the Linux root-kit that they tried to
> install didn't work, and decided to clean up and leave you a nice message -
> just for shits and giggles...
>
> Kurt
>
>
> _______________________________________________
> SunHELP maillist - SunHELP at sunhelp.org
> http://www.sunhelp.org/mailman/listinfo/sunhelp
>
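The triage Jeff describes above (hunting for files touched around 18:52 on Apr 24, looking for an odd account in /etc/passwd, and an emptied wtmp so that "last" shows nothing), as an added example that is not part of the original thread. It uses only POSIX touch -t reference files and find -newer / ! -newer, because Solaris 8's /usr/bin/find has no -mmin or -newermt. The fixture directory, the "toor" account, the log line with 192.0.2.10 and the --demo flag are constructed for this example and are not taken from the post; mktemp is assumed available (on Solaris 8 use a fixed scratch directory). Run it from a trusted shell or boot media, since a working rootkit would replace find and ls.

```shell
#!/bin/sh
# Added example, not from the SunHELP thread: post-intrusion triage checks
# for a Solaris 8 box with no firewall or router logs. Paths are parameters
# so the same functions run against the constructed fixture below and, on
# the real machine, against / and /etc/passwd.

# List regular files under ROOT whose mtime falls in (START, END]. Both
# stamps use the touch -t form [[CC]YY]MMDDhhmm[.SS], e.g. 200104241845.
files_modified_between() {
    root=$1
    start=$2
    end=$3
    ref_start=${TMPDIR:-/tmp}/ref_start.$$
    ref_end=${TMPDIR:-/tmp}/ref_end.$$
    touch -t "$start" "$ref_start"
    touch -t "$end" "$ref_end"
    # -newer means "mtime strictly greater", so the window is (start, end].
    # The end reference itself would match when scanning /, hence ! -name.
    find "$root" -type f -newer "$ref_start" ! -newer "$ref_end" \
        ! -name "ref_end.$$" -print
    rm -f "$ref_start" "$ref_end"
}

# Print every UID 0 account other than root: a second superuser is the
# classic thing to look for when checking /etc/passwd after a break-in.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Succeed (exit 0) only if the log exists and is empty. An empty
# /var/adm/wtmp on a box that has been up for weeks is why "last" prints
# nothing: the intruder truncated it instead of editing out single entries.
log_is_empty() {
    [ -f "$1" ] && [ ! -s "$1" ]
}

# Constructed fixture mimicking the state described in the thread: motd and
# messages touched at 18:52/18:53 on Apr 24 2001, an older untouched file,
# a passwd with a rogue "toor" UID 0 entry, and a zero-length wtmp.
# Prints the fixture directory.
build_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/etc" "$fx/var/adm"
    printf 'you been hacked\n' > "$fx/etc/motd"
    # Constructed log line; 192.0.2.10 is a documentation address.
    printf 'Apr 24 18:53:01 box inetd[123]: telnet[456] from 192.0.2.10\n' \
        > "$fx/var/adm/messages"
    printf '127.0.0.1 localhost\n' > "$fx/etc/hosts"
    touch -t 200104241852 "$fx/etc/motd"
    touch -t 200104241853 "$fx/var/adm/messages"
    touch -t 200104231200 "$fx/etc/hosts"
    printf 'root:x:0:1:Super-User:/:/sbin/sh\ndaemon:x:1:1::/:\n' \
        > "$fx/etc/passwd"
    printf 'toor:x:0:1::/:/bin/sh\njeff:x:100:1::/home/jeff:/bin/ksh\n' \
        >> "$fx/etc/passwd"
    : > "$fx/var/adm/wtmp"
    echo "$fx"
}

# Stand-alone demo against the fixture: sh triage.sh --demo
if [ "${1:-}" = "--demo" ]; then
    fx=$(build_fixture)
    echo "== files modified between 18:45 and 19:00 on Apr 24 2001 =="
    files_modified_between "$fx" 200104241845 200104241900
    echo "== UID 0 accounts other than root =="
    extra_uid0_accounts "$fx/etc/passwd"
    log_is_empty "$fx/var/adm/wtmp" && echo "wtmp is empty: last shows nothing"
    rm -rf "$fx"
fi
```

On the real machine the calls would be `files_modified_between / 200104241845 200104241900`, `extra_uid0_accounts /etc/passwd` and `log_is_empty /var/adm/wtmp`; widen the window if the clock on the box was not trusted, and remember that mtimes are easy to reset with the same touch -t, so an empty result proves nothing on its own.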