RE: need further help with break in

From: Ingram (Vailat_private)
Date: Thu Aug 01 2002 - 07:42:38 PDT


    Greetings community,
    
    First, thanks for all comments on my topic!
    
    As most people suggested, I installed a clean OpenBSD 3.1 with the same
    modifications as the hacked box. After that I did an md5/diff
    on /bin, /sbin, /usr/bin, /usr/sbin and /etc.
    
    See the results:
    laboratory# diff org.bin.md5 hacked.bin.md5
    Nothing changed.
    
    laboratory# diff org.sbin.md5 hacked.sbin.md5
    Nothing changed.
    
    laboratory# diff hacked.usr_sbin.md5 org.usr_sbin.md5
    52c52
    < MD5 (sendmail) = 14003b72c1930d27d3dc2140abee57c1
    ---
    > MD5 (sendmail) = c860ba9f317adedc6b5a31f416cc0253
    
    That doesn't look normal...
    
    
    laboratory# diff hacked.usr_bin.md5 org.usr_bin.md5
    121c122
    < MD5 (hoststat) = 14003b72c1930d27d3dc2140abee57c1
    ---
    > MD5 (hoststat) = c860ba9f317adedc6b5a31f416cc0253
    123,124c124,125
    < MD5 (htdigest) = e1fb58fbd203761e24218c6859ab720b
    < MD5 (htpasswd) = e5d13570cf10a82a17829fa026f572b1
    ---
    > MD5 (htdigest) = 05dc3c9981cafbeaae629cd951771fa0
    > MD5 (htpasswd) = e9e1295b5fb7e811273e6b483cfa653a
    173c174
    < MD5 (mailq) = 14003b72c1930d27d3dc2140abee57c1
    ---
    > MD5 (mailq) = c860ba9f317adedc6b5a31f416cc0253
    194c195
    < MD5 (newaliases) = 14003b72c1930d27d3dc2140abee57c1
    ---
    > MD5 (newaliases) = c860ba9f317adedc6b5a31f416cc0253
    237c238
    < MD5 (purgestat) = 14003b72c1930d27d3dc2140abee57c1
    ---
    > MD5 (purgestat) = c860ba9f317adedc6b5a31f416cc0253
    280c281
    < MD5 (slogin) = f8309f1329802e30c7e6badf3896cfa4
    ---
    > MD5 (slogin) = 9862a890469ac61404368f546514f8bd
    
    I think 'slogin' is the most interesting, isn't it? And what sense does it
    make to modify 'newaliases'?
    
    laboratory# diff hacked.etc.md5 org.etc.md5
    3,4c3,4
    < MD5 (afs) = fa7c92fa2f02235c0817abbfeb234d5e
    < MD5 (amd) = 6fb94cf970b930ebc631a066443a3611
    ---
    > MD5 (afs) = d41d8cd98f00b204e9800998ecf8427e
    > MD5 (amd) = d41d8cd98f00b204e9800998ecf8427e
    15c15
    < MD5 (disklabels) = a0d014dedbbd3577582f274773e50e13
    ---
    > MD5 (disklabels) = d41d8cd98f00b204e9800998ecf8427e
    32c33
    < MD5 (isakmpd) = 5a2f38c156ce43a609559267188ade4e
    ---
    > MD5 (isakmpd) = d41d8cd98f00b204e9800998ecf8427e
    34,35c35,36
    < MD5 (kerberosIV) = 068823fab8be82aa4a1e7481b1509539
    < MD5 (kerberosV) = 126d5c3e93230fba29019c41d507ad12
    ---
    > MD5 (kerberosIV) = d41d8cd98f00b204e9800998ecf8427e
    > MD5 (kerberosV) = d41d8cd98f00b204e9800998ecf8427e
    43c43
    < MD5 (mail) = 9af3877d5d53ca7818cd7ba3d2acb3ba
    ---
    > MD5 (mail) = d41d8cd98f00b204e9800998ecf8427e
    50c50
    < MD5 (motd) = 17a018fa675e25ce1feaa36709013387
    ---
    > MD5 (motd) = 815e405c511be5a2251ed78250ff95c1
    62c62
    < MD5 (photuris) = 645773a40af157d3617197278b1e1c0b
    ---
    > MD5 (photuris) = d41d8cd98f00b204e9800998ecf8427e
    64c64
    < MD5 (ppp) = 4a033b4279c0a4fe94c6de549f947d53
    ---
    > MD5 (ppp) = d41d8cd98f00b204e9800998ecf8427e
    75,76c75,76
    < MD5 (resolv.conf) = 5b65a710a3851fe4fd7b4b7dc1f1350f
    < MD5 (rmt) = f5188d3308f7472e732c1284611a0a7a
    ---
    > MD5 (resolv.conf) = 3f74584cfb9e655d661bb21828402533
    > MD5 (rmt) = 85b608982cf9daf7943849a06ca426cd
    81c81
    < MD5 (skel) = e7fafa172cbe2e1a8a5e48a799e33595
    ---
    > MD5 (skel) = d41d8cd98f00b204e9800998ecf8427e
    83,86c83,86
    < MD5 (sliphome) = 57a9b9e33c04356cac2dca1d67b12714
    ---
    > MD5 (sliphome) = d41d8cd98f00b204e9800998ecf8427e
    88,91c88,91
    < MD5 (tcfs) = 9a42fbe8555a8778bf17d0c00688e1e4
    < MD5 (termcap) = 7d61a145c235dcfba8168631c0d3a2bb
    ---
    > MD5 (tcfs) = d41d8cd98f00b204e9800998ecf8427e
    > MD5 (termcap) = ce2da96ded3fa67d5c6d3a3b8b7ef8eb
    
    I cut some entries (master.passwd, resolv.conf, mygate, ...) which I know
    cannot be the same (they contain other configs).
    
    I expected to find trojaned ps, netstat, etc., but nothing. Hmm, maybe the
    attacker did _not_ use a rootkit (strange?) or he used some exotic
    one.
    
    Is there anything else I could do to get more information?
    
    Thanks for any help!
    
    BTW, some people asked me via email if I plan to track this guy:
    no, I will not track this guy down, I just want to learn as much as
    possible about this hack. It was my own fault, I did not patch it quickly
    enough.
    
    regards
    Ingram
    
    
    
    -- 
    GMX - The communications platform on the Internet.
    http://www.gmx.net
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
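The md5/diff comparison described in the post, reduced to a small tool as an added example (this is not code from the original post or from OpenBSD): it parses the `MD5 (name) = digest` lines that md5(1) prints, compares the clean reference against the suspect box by name instead of by line position, groups names that share one digest (in the post, sendmail, hoststat, mailq, newaliases and purgestat carry the same digest on both sides, so they are one file and one modification, not five), and flags entries whose digest is the MD5 of zero bytes (d41d8cd98f00b204e9800998ecf8427e), which is what the clean box reports for several /etc entries. The two manifests are constructed from the digests quoted in the post, with an extra unchanged placeholder line for /bin/ls; all function names are mine.

```python
"""Compare two md5(1)-style manifests and summarise what differs.

Added example written for this thread, not code from the original post.
The manifest format is the one md5(1) prints: "MD5 (name) = hexdigest".
Sample data below is constructed from the digests quoted in the post.
"""
import hashlib
import re
from collections import defaultdict

MD5_LINE = re.compile(r"^MD5 \((?P<name>.+)\) = (?P<digest>[0-9a-fA-F]{32})$")

# MD5 of zero bytes: an entry with this digest hashed no data at all.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # d41d8cd98f00b204e9800998ecf8427e

# Constructed manifests: full paths added for clarity, digests taken from the
# post, plus one deliberately identical placeholder line for /bin/ls.
REFERENCE = """\
MD5 (/bin/ls) = 00000000000000000000000000000000
MD5 (/etc/afs) = d41d8cd98f00b204e9800998ecf8427e
MD5 (/etc/amd) = d41d8cd98f00b204e9800998ecf8427e
MD5 (/etc/motd) = 815e405c511be5a2251ed78250ff95c1
MD5 (/usr/bin/hoststat) = c860ba9f317adedc6b5a31f416cc0253
MD5 (/usr/bin/htdigest) = 05dc3c9981cafbeaae629cd951771fa0
MD5 (/usr/bin/htpasswd) = e9e1295b5fb7e811273e6b483cfa653a
MD5 (/usr/bin/mailq) = c860ba9f317adedc6b5a31f416cc0253
MD5 (/usr/bin/newaliases) = c860ba9f317adedc6b5a31f416cc0253
MD5 (/usr/bin/purgestat) = c860ba9f317adedc6b5a31f416cc0253
MD5 (/usr/bin/slogin) = 9862a890469ac61404368f546514f8bd
MD5 (/usr/sbin/sendmail) = c860ba9f317adedc6b5a31f416cc0253
"""

SUSPECT = """\
MD5 (/bin/ls) = 00000000000000000000000000000000
MD5 (/etc/afs) = fa7c92fa2f02235c0817abbfeb234d5e
MD5 (/etc/amd) = 6fb94cf970b930ebc631a066443a3611
MD5 (/etc/motd) = 17a018fa675e25ce1feaa36709013387
MD5 (/usr/bin/hoststat) = 14003b72c1930d27d3dc2140abee57c1
MD5 (/usr/bin/htdigest) = e1fb58fbd203761e24218c6859ab720b
MD5 (/usr/bin/htpasswd) = e5d13570cf10a82a17829fa026f572b1
MD5 (/usr/bin/mailq) = 14003b72c1930d27d3dc2140abee57c1
MD5 (/usr/bin/newaliases) = 14003b72c1930d27d3dc2140abee57c1
MD5 (/usr/bin/purgestat) = 14003b72c1930d27d3dc2140abee57c1
MD5 (/usr/bin/slogin) = f8309f1329802e30c7e6badf3896cfa4
MD5 (/usr/sbin/sendmail) = 14003b72c1930d27d3dc2140abee57c1
"""


def parse_manifest(text):
    """Return {name: digest}; lines that are not md5(1) output are ignored."""
    entries = {}
    for line in text.splitlines():
        match = MD5_LINE.match(line.strip())
        if match:
            entries[match.group("name")] = match.group("digest").lower()
    return entries


def compare_manifests(reference, suspect):
    """Diff two parsed manifests by name rather than by line position, so an
    inserted or removed entry does not shift every later line of the diff."""
    changed = {name: (reference[name], suspect[name])
               for name in reference
               if name in suspect and reference[name] != suspect[name]}
    missing = sorted(name for name in reference if name not in suspect)
    added = sorted(name for name in suspect if name not in reference)
    return {"changed": changed, "missing": missing, "added": added}


def group_by_digest(manifest):
    """Names that share a digest hold identical content (hard links or copies
    of one file); returns {digest: [names]} for every digest used more than once."""
    groups = defaultdict(list)
    for name, digest in manifest.items():
        groups[digest].append(name)
    return {d: sorted(names) for d, names in groups.items() if len(names) > 1}


def empty_entries(manifest):
    """Names whose digest is the MD5 of zero bytes."""
    return sorted(name for name, digest in manifest.items() if digest == EMPTY_MD5)


def report(reference_text, suspect_text):
    """Human-readable summary, returned as a list of lines."""
    ref = parse_manifest(reference_text)
    sus = parse_manifest(suspect_text)
    diff = compare_manifests(ref, sus)
    lines = []
    for name, (old, new) in sorted(diff["changed"].items()):
        lines.append(f"CHANGED {name}: {old} -> {new}")
    for name in diff["missing"]:
        lines.append(f"MISSING {name} (reference only)")
    for name in diff["added"]:
        lines.append(f"ADDED   {name} (suspect only)")
    for digest, names in sorted(group_by_digest(sus).items()):
        lines.append(f"SAME    {digest}: {', '.join(names)}")
    for name in empty_entries(ref):
        lines.append(f"EMPTY   {name} hashed as zero bytes on the reference box")
    return lines


if __name__ == "__main__":
    print("\n".join(report(REFERENCE, SUSPECT)))
```

Run as-is it prints the summary for the constructed manifests; to use it on real output, feed the text of the two md5 listings to `report()` instead of the embedded strings. The SAME lines are the point the plain diff hides: every name in a group changed because one underlying file changed.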