[SunHELP] Tracking Hacker ( THE "SECURITY HOLE")
Ben Ricker
sunhelp at sunhelp.org
Wed May 2 15:03:34 CDT 2001
Ummm....why did you have snmpXdmid running on a box open to the
Internet!? I would suggest you do a security audit ASAP and find out
what you need and get rid of the rest or you will be hacked again. If
you would like, I can help you by scanning the host and telling you what
you have that is dangerous.
Ben Ricker
System Administrator
US-Rx, inc.
Jeff Feller wrote:
> Well,
>
> I know who did the "hackin'" .. They used the snmpXdmid weakness.
>
> http://securityportal.com/list-archive/bugtraq/2001/Mar/0199.html
>
> Just thought I'd let you all know though I'm sure most of you have already
> heard of this vulnerability... If not, check out the URL.
>
> Thanks for the help again guys! :)
>
>
> Jeff Feller
> Director of Network Operations
> BitZ Communications
> P.O. Box 157
> Surrey, ND 58785
>
> On 26 Apr 2001, Ben Ricker wrote:
>
>> I am surprised no one has mentioned step one: get that machine off the
>> network. As someone pointed out, the hacker may be hacking other
>> machines on your network like crazy. Keeping the machine on the network
>> is just plain crazy talk. What if they get other machines from the
>> company you are piggybacking on and they boot you? What if the hacker
>> commits a more serious crime using your machine as a staging machine?
>> Get it off the network and wipe that puppy.
>>
>> Ben Ricker
>> System Administrator
>> US-Rx, Inc.
>>
>> On 26 Apr 2001 08:01:36 -0700, Justin Brodeur wrote:
>>
>>> I know this is a little late coming to the discussion and it probably
>>> doesn't matter anyway, but before you reboot the machine or do anything to
>>> it (which I'm sure you've already done something to it), you might want to
>>> grab lsof from sunsite and run that and see if there is anything strange
>>> running. I remember one job I was doing the perp used a trojan but hid it
>>> with a hacked version of ps and other system utilities, but when I ran
>>> lsof, lo and behold, there was his sniffer, plugging away in the
>>> background. Just another thing to think about.
>>>
>>> Justin
>>>
>>>
>>> On Wed, 25 Apr 2001, James Fogg wrote:
>>>
>>>> I finally had time to read your message more thoroughly.
>>>>
>>>> It does appear as if the perp could have some sophistication. You need to
>>>> consider some painful possibilities.
>>>>
>>>> 1) Binaries on your SS5 may have been replaced with trojans that will allow the
>>>> intruder to access your system for all sorts of reasons. Some trojans can
>>>> instantly re-enable the intruder's access no matter how you disallow it. The
>>>> only solution is to wipe the drive and re-install. Don't trust anything on the
>>>> machine (other than a pure text file).
>>>>
>>>> 2) The SS5 may have been/is being used as a jumping-off point to access
>>>> machines within your company. This could be especially true if your SS5 is
>>>> trusted by machines within the company or by a firewall (at first I assumed from
>>>> your post you have no firewall, but maybe the SS5 is in a DMZ). If you run or
>>>> use NFS, run as fast as you can and shoot the machine (weapon of choice, a
>>>> smooth-bore cannon).
>>>>
>>>> 3) Since the intruder has dropped a clue, any malicious activity has probably
>>>> already been completed.
>>>>
>>>> 4) Check and see if any unexplained processes are running. The intruder may be
>>>> using you as a platform to attack another site, or run a bot in IRC. If you run
>>>> sendmail, the intruder may have used you to send tons of spam.
>>>>
>>>> 5) If you have the skills, run a packet analyzer. Ethereal is an excellent
>>>> choice :=). If you can, run snoop (Solaris) or tcpdump (Linux) on a different
>>>> machine inside the company network (to look for other activity). The logs from
>>>> these programs can be interpreted by Ethereal (COOL, a remote control
>>>> sniffer!). Even if you cannot decipher the output completely, Ethereal will
>>>> annotate the info in a way most people can read. Examine anything you don't
>>>> recognize. The analysis will help you know if the intruder is still active.
>>>>
>>>> Good luck, a post-mortem is never fun.
>>>> btw... does the boss know yet?
>>>>
>>>> On Tue, 24 Apr 2001, THOU SPAKE:
>>>>
>>>>> Hello Sun Admins,
>>>>>
>>>>> I logged into my SPARCstation 5 tonight (which runs Solaris 8) and a
>>>>> message of "you been hacked" was on my screen. Someone somehow gained
>>>>> root access and put that in my /etc/motd file. I noticed it was last
>>>>> modified APRIL 24 at "18:52" so I did a last -10 to see who had been on.
>>>>> Apparently they covered up their tracks because it only showed MY logins
>>>>> and NO logins around the time this happened. The only other guy who has
>>>>> root access to this system is on his way home from Denver, CO and has NO
>>>>> ACCESS to the net right now.
>>>>>
>>>>> Which steps can be taken to find out who had done this or at least how
>>>>> they got in?
>>>>>
>>>>> None of my log files in /var/log have any clue.. /var/adm/messages would
>>>>> have had something but everything was removed from the time it happened and
>>>>> before.
>>>>>
>>>>> ANY IDEAS that can help me are **GREATLY** appreciated. After this had
>>>>> happened, I also checked my inetd.conf and probably should have shut down
>>>>> basically ALL ports beforehand because the only access anyone needs to
>>>>> this is RARELY ftp and mostly ssh. Thank you!
>>>>>
>>>>>
>>>>>
>>>>> Jeff Feller
>>>>>
>>>>> _______________________________________________
>>>>> SunHELP maillist - SunHELP at sunhelp.org
>>>>> http://www.sunhelp.org/mailman/listinfo/sunhelp
>>>>
>>>> --
>>>> =======================================================
>>>> James D. Fogg, Network Engineer
>>>> Vicinity Corporation - Lebanon, NH
>>>>
>>>> DESK (603) 442-1751 - CELL (603) 252-1864
>>>> PAGER (802) 742-0280 - HOME (603) 526-7729
>>>> EMAIL jfogg at vicinity.com
>>>> =======================================================
>>
>>
>
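The check Justin describes (a trojaned ps versus what the system is really running), as an added example that is not part of this thread: it compares the kernel's own process table in /proc against the PIDs the ps binary reports. Assumes a /proc with one directory per PID (Solaris, Linux); the PID lists in demo_hidden are constructed, and the file names and function names are my own.

```shell
# Cross-check /proc against ps. A PID that exists in /proc but never appears
# in ps output deserves a close look. Caveats: a kernel-level rootkit can hide
# from /proc as well, and on a compromised host even these tools should come
# from known-good media rather than the box itself.

# hidden_pids KERNEL_LIST PS_LIST: print PIDs listed in KERNEL_LIST (one per
# line) that are absent from PS_LIST. Empty output means the two views agree.
hidden_pids() {
    if [ ! -s "$2" ]; then
        cat "$1"                  # ps reported nothing at all: everything is "hidden"
        return 0
    fi
    # grep exits 1 when no line is selected; here that just means nothing is hidden
    grep -v -x -F -f "$2" "$1" || :
}

# live_check: gather both views from the running system and compare them.
# Short-lived processes can show up in one snapshot and not the other, so
# rerun this a few times before treating a PID as suspicious.
live_check() {
    kernel=/tmp/kview.$$ ; psview=/tmp/psview.$$
    ls /proc | grep '^[0-9][0-9]*$' | sort > "$kernel"
    ps -e -o pid= | tr -d ' ' | sort > "$psview"
    hidden_pids "$kernel" "$psview"
    rm -f "$kernel" "$psview"
}

# demo_hidden: constructed sample data (not real captures). The kernel view
# lists PID 4242, the (trojaned) ps view omits it, so 4242 is reported.
demo_hidden() {
    kernel=/tmp/kdemo.$$ ; psview=/tmp/psdemo.$$
    printf '1\n142\n2\n4242\n9001\n' > "$kernel"
    printf '1\n142\n2\n9001\n'       > "$psview"
    hidden_pids "$kernel" "$psview"
    rm -f "$kernel" "$psview"
}
```

Run live_check as root from a shell started with known-good binaries; any PID it prints should be inspected in /proc before deciding what it is.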