[SunHELP] Tracking Hacker ?

James Fogg sunhelp at sunhelp.org
Wed Apr 25 10:38:21 CDT 2001


I finally had time to read your message more thoroughly.

It does appear as if the perp could have some sophistication. You need to
consider some painful possibilities.

1) binaries on your SS5 may have been replaced with trojans that will allow the
intruder to access your system for all sorts of reasons. Some trojans can
instantly re-enable the intruder's access no matter how you disallow it. The
only solution is to wipe the drive and re-install. Don't trust anything on the
machine (other than a pure text file).

2) The SS5 may have been/is being used as a jumping-off point to access
machines within your company. This could be especially true if your SS5 is
trusted by machines within the company or by a firewall (at first I assumed from
your post you have no firewall, but maybe the SS5 is in a DMZ). If you run or
use NFS, run as fast as you can and shoot the machine (weapon of choice, a
smooth-bore cannon).

3) Since the intruder has dropped a clue, any malicious activity has probably
already been completed.

4) Check and see if any unexplained processes are running. The intruder may be
using you as a platform to attack another site, or run a bot in IRC. If you run
sendmail, the intruder may have used you to send tons of spam.

5) If you have the skills, run a packet analyzer. Ethereal is an excellent
choice :=). If you can, run snoop (Solaris) or tcpdump (Linux) on a different
machine inside the company network (to look for other activity). The logs from
these programs can be interpreted by Ethereal (COOL, a remote control
sniffer!). Even if you cannot decipher the output completely, Ethereal will
annotate the info in a way most people can read. Examine anything you don't
recognize. The analysis will help you know if the intruder is still active.

Good luck, a post-mortem is never fun.
btw... does the boss know yet?

On Tue, 24 Apr 2001, THOU SPAKE:
> Hello Sun Admins,
> 
> I logged into my SPARCstation 5 tonight (which runs Solaris 8) and a
> message of "you been hacked" was on my screen.  Someone somehow gained
> root access and put that in my /etc/motd file.  I noticed it was last
> modified APRIL 24 at "18:52" so I did a last -10 to see who had been on.
> Apparently they covered up their tracks because it only showed MY logins
> and NO logins around the time this happened.  The only other guy who has
> root access to this system is on his way home from Denver, CO and has NO
> ACCESS to the net right now.
> 
> Which steps can be taken to find out who had done this or at least how
> they got in?  
> 
> None of my log files in /var/log have any clue.. /var/adm/messages would
> have had something but everything was removed from the time it happened and
> before.  
> 
> ANY IDEAS that can help me are **GREATLY** appreciated.  After this had
> happened, I also checked my inetd.conf and probably should have shut down
> basically ALL ports beforehand because the only access anyone needs to
> this is RARELY ftp and mostly ssh.  Thank you!
> 
> 
> 
> Jeff Feller
> 
> _______________________________________________
> SunHELP maillist  -  SunHELP at sunhelp.org
> http://www.sunhelp.org/mailman/listinfo/sunhelp
-- 
=======================================================
	 James D. Fogg, Network Engineer
	Vicinity Corporation - Lebanon, NH

     DESK (603) 442-1751 - CELL (603) 252-1864
     PAGER (802) 742-0280 - HOME (603) 526-7729
            EMAIL jfogg at vicinity.com
=======================================================
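The signs of log tampering discussed in this thread (entries missing around the incident, a messages file that was edited and written back, syslogd being stopped) can be checked mechanically once the logs are copied off the suspect box to a trusted machine. The script below is an added example, not code from the thread; it runs over a constructed /var/adm/messages excerpt and assumes the 18:52 mtime of /etc/motd as the incident time.

```python
import re
from datetime import timedelta
from datetime import datetime

# Constructed sample in Solaris /var/adm/messages (syslog) format; not real data.
SAMPLE_LOG = """\
Apr 24 17:58:02 ss5 sshd[211]: Accepted publickey for jeff from 10.0.0.5
Apr 24 18:02:15 ss5 inetd[142]: ftpd[301]: connection from 192.0.2.10
Apr 24 18:47:30 ss5 syslogd: going down on signal 15
Apr 24 18:53:10 ss5 syslogd: restart
Apr 24 19:05:41 ss5 sshd[230]: Accepted publickey for jeff from 10.0.0.5
Apr 24 18:10:00 ss5 sshd[215]: Accepted publickey for jeff from 10.0.0.5
"""

_LINE = re.compile(r"^([A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")

def parse_ts(stamp, year):
    """syslog stamps carry no year, so the caller supplies it (2001 here)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def parse(lines, year):
    """Yield (timestamp, host, message) for each parsable syslog line."""
    for line in lines:
        m = _LINE.match(line)
        if m:
            yield parse_ts(m.group(1), year), m.group(2), m.group(3)

def find_anomalies(lines, year=2001, max_gap=timedelta(minutes=30)):
    """Return (kind, when, detail) for signs of deleted or rewritten log data:
    silent stretches longer than max_gap, timestamps that run backwards (a
    file edited and written back), and syslogd itself being shut down."""
    found, prev = [], None
    for ts, _host, msg in parse(lines, year):
        if prev is not None and ts < prev:
            found.append(("out_of_order", ts, f"follows {prev:%H:%M:%S}"))
        elif prev is not None and ts - prev > max_gap:
            found.append(("gap", prev, f"silent for {ts - prev} until {ts:%H:%M:%S}"))
        if msg.startswith("syslogd: going down"):
            found.append(("syslogd_stopped", ts, msg))
        prev = ts
    return found

def entries_near(lines, stamp, window=timedelta(minutes=5), year=2001):
    """Count entries within +/- window of an event time (e.g. the motd mtime)."""
    when = parse_ts(stamp, year)
    return sum(1 for ts, _h, _m in parse(lines, year) if abs(ts - when) <= window)

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for kind, when, detail in find_anomalies(lines):
        print(f"{when:%b %d %H:%M:%S} {kind}: {detail}")
    print("entries within 5 min of the motd change:", entries_near(lines, "Apr 24 18:52:00"))
```

Run it against the real file with `find_anomalies(open("messages").read().splitlines())`; a gap that ends exactly at a syslogd restart is the pattern to look at first.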


