[SunHELP] Tracking Hacker ( THE "SECURITY HOLE")

Ben Ricker sunhelp at sunhelp.org
Wed May 2 15:03:34 CDT 2001 

Ummm....why did you have snmpXdmid running on a box open to the 
Internet!? I would suggest you do a security audit ASAP and find out 
what you need and get rid of the rest or you will be hacked again. If 
you would like, I can help you by scanning the host and telling you what 
you have that is dangerous.

Ben Ricker
System Administrator
US-Rx, inc.

Jeff Feller wrote:

> Well,
> 
> I know who did the "hackin'" .. They used the snmpXdmid weakness.
> 
> http://securityportal.com/list-archive/bugtraq/2001/Mar/0199.html
> 
> Just thought I'd let you all know though I'm sure most of you have already
> heard of this vulnerability... If not, check out the URL.  
> 
> Thanks for the help again guys! :)
> 
> 
> Jeff Feller
> Director of Network Operations
> BitZ Communications
> P.O. Box 157
> Surrey, ND  58785
> 
> On 26 Apr 2001, Ben Ricker wrote:
> 
>> I am surprised no one has mentioned step one: get that machine off the
>> network. As someone pointed out, the hacker may be hacking other
>> machines onyour network like crazy. Keeping the machine on the network
>> is just plain crazy talk. What if they get other machines from the
>> company you are piggy backing on and they boot you? What if the hacker
>> commits a more serious crime using your machine as a staging machine?
>> Get it off the network and wipe that puppy. 
>> 
>> Ben Ricker
>> System Administrator
>> US-Rx, Inc.
>> 
>> On 26 Apr 2001 08:01:36 -0700, Justin Brodeur wrote:
>> 
>>> I know this is a little late coming to the discussion and it probably
>>> doesn't matter anyway, but before you reboot the machine or do anything to
>>> it (which i'm sure you've already done something to it), you might want to
>>> grab lsof from sunsite and run that and see if there is anything strange
>>> running. I remember one job I was doing the perp used a trojan but hid it
>>> with a hacked version of ps and other system utilities, but when I ran
>>> lsof low and behold there was his sniffer, plugging away in the
>>> background. Just another thing to think about.
>>> 
>>> Justin
>>> 
>>> 
>>> On Wed, 25 Apr 2001, James Fogg wrote:
>>> 
>>>> I finally had time to read your message more thoroughly.
>>>> 
>>>> It does appear as if the perp could have some sophistication. You need to
>>>> consider some painfull possibilities.
>>>> 
>>>> 1) binaries on your SS5 may have been replaced with trojans that will allow the
>>>> intruder to access your system for all sorts of reasons. Some trojans can
>>>> instantly re-enable the intruders access no matter how you dissallow it. The
>>>> only solution is to wipe the drive and re-install. Don't trust anything on the
>>>> machine (other than a pure text file).
>>>> 
>>>> 2) The SS5 may have been/is being used as a jumping-off point to access
>>>> machines within your company. This could be especially true if your SS5 is
>>>> trusted by machines within the company or by a firewall (at first I assumed from
>>>> your post you have no firewall, but maybe the SS5 is in a DMZ). If you run or
>>>> use NFS, run as fast as you can and shoot the machine (weapon of choice, a
>>>> smooth-bore cannon).
>>>> 
>>>> 3) Since the intruder has dropped a clue, any malicious activitiy has probably
>>>> already been completed.
>>>> 
>>>> 4) Check and see if any unexplained processes are running. The intruder may be
>>>> using you as a platform to attack another site, or run a bot in IRC. If you run
>>>> sendmail, the intruder may have used you to send tons of spam.
>>>> 
>>>> 5) If you have the skills, run a packet analyzer. Ethereal is an excellent
>>>> choice :=). If you can, run snoop (Solaris) or tcpdump (Linux) on a different
>>>> machine inside the company network (to look for other activity). The logs from
>>>> these programs can be interpreted by Ethereal (COOL, a remote control
>>>> sniffer!). Even if you cannot decipher the output completely, Ethereal will
>>>> annotate the info in a way most people can read. Examine anything you don't
>>>> recognize. The analysis will help you know if the intruder is still active.
>>>> 
>>>> Good luck, a post-mortem is never fun.
>>>> btw... does the boss know yet?
>>>> 
>>>> On Tue, 24 Apr 2001, THOU SPAKE:
>>>> 
>>>>> Hello Sun Admin's,
>>>>> 
>>>>> I logged into my SPARCstation 5 tonight (which runs Solaris 8) and a
>>>>> message of "you been hacked" was on my screen.  Someone some how gained
>>>>> root access and put that in my /etc/motd file.  I noticed it was last
>>>>> modified APRIL 24 at "18:52" so I did a last -10 to see who had been on.
>>>>> Apparently they covered up their tracks because it only showed MY logins
>>>>> and NO logins around the time this happened.  The only other guy who has
>>>>> root access to this system is on his way home from Denver, CO and has NO
>>>>> ACCESS to the net right now.
>>>>> 
>>>>> Which steps can be taken to find out who had done this or at least how
>>>>> they got in?  
>>>>> 
>>>>> None of my log files in /var/log have any clue.. /var/adm/messages would
>>>>> have had something but everything was removed from the time it happend and
>>>>> before.  
>>>>> 
>>>>> ANY IDEA's that can help me are **GREATLY** appreciated.  After this had
>>>>> happened, I also checked my inetd.conf and probably should have shut down
>>>>> basically ALL ports before hand because the only access anyone needs to
>>>>> this is RARELY ftp and mostly ssh.  Thank you!
>>>>> 
>>>>> 
>>>>> 
>>>>> Jeff Feller
>>>>> 
>>>>> _______________________________________________
>>>>> SunHELP maillist  -  SunHELP at sunhelp.org
>>>>> http://www.sunhelp.org/mailman/listinfo/sunhelp
>>>> 
>>>> -- 
>>>> =======================================================
>>>>      James D. Fogg, Network Engineer
>>>>     Vicinity Corporation - Lebanon, NH
>>>> 
>>>>      DESK (603) 442-1751 - CELL (603) 252-1864
>>>>      PAGER (802) 742-0280 - HOME (603) 526-7729
>>>>             EMAIL jfogg at vicinity.com
>>>> =======================================================
>>>> _______________________________________________
>>>> SunHELP maillist  -  SunHELP at sunhelp.org
>>>> http://www.sunhelp.org/mailman/listinfo/sunhelp
>>>> 
>>>> 
>>> _______________________________________________
>>> SunHELP maillist  -  SunHELP at sunhelp.org
>>> http://www.sunhelp.org/mailman/listinfo/sunhelp
>> 
>> _______________________________________________
>> SunHELP maillist  -  SunHELP at sunhelp.org
>> http://www.sunhelp.org/mailman/listinfo/sunhelp
>> 
> 
> _______________________________________________
> SunHELP maillist  -  SunHELP at sunhelp.org
> http://www.sunhelp.org/mailman/listinfo/sunhelp
> 
>

More information about the SunHELP mailing list