Re: Guess this is a hack attempt

From: Alvin Oga (alvin.secat_private-Consulting.com)
Date: Sun Jul 22 2001 - 17:39:46 PDT


    hi ya gareth
    
    run the rootkit detectors... and see if it finds anything...
    	- audit your box... ( tons of free auditing tools )
    
    	http://www.linux-sec.net
    		Audit & tracking/forensics sections
    
    		( search for rootkit ... easier ?? )
    
    if they were successful...you'd see many symptoms:
    	- altered log files
    	- altered binaries
    	- altered config files
    	- extra directories
    	- extra files
    	- extra processes running that you cannot explain
    	- slower response than before
    	- bounced emails to root/postmaster
    	- blah...blah...
    
    all of those are easy to identify before it becomes a problem
    with a good IDS... but a properly hardened box will be even better...
    
    	- they were "Testing" your rpc stuff... for old bugs...
    
    	if you do NOT mount this server from other boxes...
    	turn nfs off along with hundreds of other unused services/daemons 
    
    == since you have to ask ... how can you tell...
    	- the simple answer is install tripwire or aide or other ids
    	and it will tell you they got in... ( which is TOOO late )
    
    	- trick:  only install tripwire/aide/ids on a VIRGIN&Patched
    	box... don't bother wasting time after its been online/[h/cr]hacked
    
    have fun
    alvin
    
    On Sun, 22 Jul 2001, Gareth Hastings wrote:
    
    >  
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    > 
    > Jul 17 07:47:45 somebox rpc.statd[609]: gethostbyname error for
    > ^X?y?^X?y?^Z?y?^Z?y?%8x%8x%8
    > x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn\220\220\220\220\220\220\220\22
    > 0\220\220\220\220\220\2
    > 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
    > \220\220\220\220\220\22
    > 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\
    > 220\220\220\220\220\220
    > \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
    > 20\220\220\220\220\220\
    > 220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
    > 0\220\220\220\220\220\2
    > 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
    > \220\220\220\220\220\22
    > 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\
    > 220\220\220\220\220\220
    > \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
    > 20\220\220\220\220\220\
    > 220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
    > 0\220\220\220\220\220\2
    > 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
    > \220\220\220\220\220\22
    > 0\220\220
    > 
    > How do I know if the attempt succeeded or not ? This entry is repeated
    > about 50 times. I checked the obvious things like hosts.allow/deny
    > being changed. I checked for suid root files and entries in the
    > inetd.conf file. Is there anything else I should look for ?
    > 
    k
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
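As an added example (not code from the thread or either poster), the following Python scanner turns the "entry repeated about 50 times" observation into a check a syslog-watching IDS could run: it flags rpc.statd gethostbyname errors whose "hostname" contains format-string write directives (%hn), long runs of %<width>x padding, or a \220 run, which is how syslog renders the 0x90 NOP byte in the quoted entry. The sample log lines are constructed, and the regexes are this example's own assumptions about the log format, not part of any tool.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample syslog lines (not the thread's own log): two shortened copies of
# the kind of rpc.statd entry quoted above, a benign lookup failure, and an unrelated line.
SAMPLE_LOG = r"""
Jul 17 07:47:45 somebox rpc.statd[609]: gethostbyname error for ^X?y?^X?y?%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn\220\220\220\220\220\220\220\220\220\220\220\220
Jul 17 07:47:46 somebox rpc.statd[609]: gethostbyname error for ^X?y?^X?y?%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn\220\220\220\220\220\220\220\220\220\220\220\220
Jul 17 07:48:01 somebox rpc.statd[609]: gethostbyname error for nas.internal
Jul 17 07:48:12 somebox sshd[712]: Accepted publickey for gareth from 10.0.0.5
""".strip().splitlines()

# Indicators that the string handed to gethostbyname() was crafted rather than a name:
# %n / %hn directives write to memory, runs of %<width>x pad the output to reach a
# target value, and \220 is syslog's octal rendering of 0x90 (the x86 NOP) in a sled.
WRITE_DIRECTIVE = re.compile(r"%\d*(?:h|hh|l)?n")
PAD_DIRECTIVE = re.compile(r"%\d*x")
NOP_SLED = re.compile(r"(?:\\220){8,}")
STATD_LINE = re.compile(r"rpc\.statd\[\d+\]: gethostbyname error for (.*)$")


def score_line(line: str) -> Dict[str, int]:
    """Indicator counts for one syslog line; {} when the line is not an rpc.statd
    gethostbyname error or shows no format-string indicators (a plain DNS failure)."""
    m = STATD_LINE.search(line)
    if not m:
        return {}
    name = m.group(1)
    counts = {
        "write_directives": len(WRITE_DIRECTIVE.findall(name)),
        "pad_directives": len(PAD_DIRECTIVE.findall(name)),
        # each \220 is four characters in the log, so len(run) // 4 is the byte count
        "nop_sled_bytes": sum(len(run) // 4 for run in NOP_SLED.findall(name)),
    }
    return counts if any(counts.values()) else {}


def scan(lines: List[str]) -> List[Tuple[int, Dict[str, int]]]:
    """(line number, indicator counts) for every line that looks like a format-string
    attempt against rpc.statd; repeated hits from one host are what the IDS should alert on."""
    return [(n, c) for n, line in enumerate(lines, 1) if (c := score_line(line))]


if __name__ == "__main__":
    for lineno, counts in scan(SAMPLE_LOG):
        print(f"line {lineno}: {counts}")
```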
    This archive was generated by hypermail 2b30 : Sun Jul 22 2001 - 17:47:37 PDT