[SunHELP] Tracking Hacker ?

Jeff Feller sunhelp at sunhelp.org
Tue Apr 24 22:59:25 CDT 2001


Well, uhhh, no .. unfortunately I have no firewall protecting this
machine.  It is a machine I have colocated at my place of work.  It is
used as a webserver and mail server - nothing more.  I generally shut off
all ports like telnet, ftp, etc. but for some reason when I set this one up
I didn't - I think it's because the other guy who has root said I was too
paranoid and told me to keep telnet open?

Nothing was out of the usual for /etc/passwd.  In fact, after this had
happened, I also locked accounts that aren't ever used temporarily because
if they aren't used - do they need to be active? :)  

I'll check with our system administrator on the log thing, but I'm willing
to bet we keep no logs on our router.

I'll keep lookin' around, perhaps looking for all / any files modified on
"Apr 24" at 18:52 or so. Otherwise, from the looks of it, the ONLY files I
see that were touched so far were /etc/motd, /var/adm/messages and the
wtmp or utmp files, I assume, since there is nothing in "last" ...

Thank you!  I know, I know.. I need to get tighter security on EVERY
machine on the net.  The only "SECURE SERVER" is one that is not plugged
in :)


Jeff Feller
Director of Network Operations
BitZ Communications
P.O. Box 157
Surrey, ND  58785

On Tue, 24 Apr 2001, Kurt Huhn wrote:

> > Hello Sun Admins,
> >
> > I logged into my SPARCstation 5 tonight (which runs Solaris 8) and a
> > message of "you been hacked" was on my screen.  Someone somehow gained
> > ANY IDEAS that can help me are **GREATLY** appreciated.  After this had
> > happened, I also checked my inetd.conf and probably should have shut down
> > basically ALL ports beforehand because the only access anyone needs to
> > this is RARELY ftp and mostly ssh.  Thank you!
> 
> I'm going to assume that you have a firewall of some kind, and haven't just
> put a naked box on the internet - the technological equivalent of wearing
> nothing but socks to a swordfight...
> 
> At any rate, check your firewall logs for accesses to that computer.
> Failing that, you *might* be able to check the access logs of your router -
> but some routers don't log.
> 
> You can also check /etc/passwd - see if there's something in there that
> looks odd - a user that didn't exist before...
> 
> My suspicion is that someone managed to brute force the box by guessing that
> your root user was "root" and just pointing a brute-forcer (like brutus) at
> your box via FTP.  From that point, it's easy to open an SSH session with
> the newly found root password and cause all types of ruckus.  They may have
> poked around a little, found out that the Linux root-kit that they tried to
> install didn't work, and decided to clean up and leave you a nice message -
> just for shits and giggles...
> 
> Kurt
> 
> 
> _______________________________________________
> SunHELP maillist  -  SunHELP at sunhelp.org
> http://www.sunhelp.org/mailman/listinfo/sunhelp
> 
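The triage Jeff describes above (find what changed around 18:52 on Apr 24, look for a planted account in /etc/passwd, and treat an empty "last" as a truncated wtmp) is easy to do inconsistently by hand, so here is the same three checks as a small shell script. This is an added example, not code from the thread or from Sun: the function names are mine, the directory tree, passwd file and wtmpx it builds are constructed for the demonstration (including a fake second uid-0 account "toor"), and it assumes touch(1) -t, find -newer and mktemp; the first two exist on Solaris 8 as well as Linux/BSD, mktemp may have to be replaced by a fixed scratch path on an older Solaris.

```shell
#!/bin/sh
# Added example, not from the original thread or from Sun: three triage
# checks of the kind Jeff describes. Paths are arguments; nothing here
# touches the real /etc or /var/adm unless you pass them in.

# find_modified_between ROOT LO HI
# Prints regular files under ROOT whose mtime is after LO and not after HI.
# LO/HI are touch(1) -t stamps (CCYYMMDDhhmm). The window is built from two
# reference files and -newer, which Solaris find supports (it has no -newermt).
find_modified_between() {
    fm_root=$1; fm_lo=$2; fm_hi=$3
    fm_lo_ref=$(mktemp) || return 1
    fm_hi_ref=$(mktemp) || return 1
    touch -t "$fm_lo" "$fm_lo_ref" && touch -t "$fm_hi" "$fm_hi_ref" || return 1
    # -newer LO: strictly newer than LO; ! -newer HI: not newer than HI
    find "$fm_root" -type f -newer "$fm_lo_ref" ! -newer "$fm_hi_ref" -print | sort
    rm -f "$fm_lo_ref" "$fm_hi_ref"
}

# extra_uid0 PASSWD_FILE
# Prints every account other than root whose uid is 0; a second uid-0 user
# is the classic thing to look for in a tampered /etc/passwd.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# wtmp_looks_wiped WTMP_FILE
# Succeeds when the file exists but is empty: on a box that has been up for
# a while, an empty wtmp/wtmpx (hence an empty "last") means it was truncated.
wtmp_looks_wiped() {
    [ -f "$1" ] && [ ! -s "$1" ]
}

# make_sandbox
# Builds a constructed tree to demonstrate the checks and prints its path.
make_sandbox() {
    ms_d=$(mktemp -d) || return 1
    mkdir -p "$ms_d/fs/etc" "$ms_d/fs/var/adm"
    echo "you been hacked" > "$ms_d/fs/etc/motd"
    touch -t 200104241852 "$ms_d/fs/etc/motd"
    : > "$ms_d/fs/var/adm/messages"
    touch -t 200104241853 "$ms_d/fs/var/adm/messages"
    echo "ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd" > "$ms_d/fs/etc/inetd.conf"
    touch -t 200103011200 "$ms_d/fs/etc/inetd.conf"
    # constructed passwd: "toor" is the planted second uid-0 account
    printf 'root:x:0:1:Super-User:/:/sbin/sh\ndaemon:x:1:1::/:\ntoor:x:0:0::/:/bin/sh\n' > "$ms_d/passwd"
    : > "$ms_d/wtmpx"
    echo "$ms_d"
}

sandbox=$(make_sandbox)
echo "== files changed between Apr 24 18:30 and 19:15 =="
find_modified_between "$sandbox/fs" 200104241830 200104241915
echo "== uid-0 accounts other than root =="
extra_uid0 "$sandbox/passwd"
if wtmp_looks_wiped "$sandbox/wtmpx"; then
    echo "== wtmpx is empty: login history was probably truncated =="
fi
rm -rf "$sandbox"
```

On a real box you would run find_modified_between / 200104241830 200104241915 and extra_uid0 /etc/passwd, and remember that mtime is as easy for an intruder to reset as motd was to edit: a clean find is weak evidence, a hit is strong evidence.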
