Re: Guess this is a hack attemp

From: Alvin Oga (alvin.secat_private-Consulting.com)
Date: Sun Jul 22 2001 - 17:39:46 PDT

Next message: Daniel Martin: "Re: "datapool is a DoS attacks kit" message"

Previous message: Jon O .: "Wide-scale Code Red Damage Assessment and Report"
In reply to: Gareth Hastings: "Guess this is a hack attemp"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

hi ya gareth

run the rootkit detectors... and see if it finds anything...
	- audit your box... ( tons of free auditing tools )

	http://www.linux-sec.net
		Audit & tracking/forensics sections

		( search for rootkit ... easier ?? )

if they were successful...you'd see many symptoms:
	- alterred log files
	- alterred binaries
	- alterred config files
	- extra directories
	- extra files
	- extra processes running that you cannot explain
	- slow response than before
	- bounced emails to root/postmaster
	- blah...blah...

all of those are easy to identify before its becomes a problem
with a good IDS... but a properly hardened box will be even better...

	- they were "Testing" your rpc stuff... for old bugs...

	if you do NOT mount this server from other boxes...
	turn nfs off along with hundreds of other unused services/daemons 

== since you have to ask ... how can you telll...
	- the simple answer is install tripwire or aide or other ids
	and it will tell you they got in... ( which is TOOO late )

	- trick:  only install tripwire/aide/ids on a VIRGIN&Patched
	box... dont bother wasting time after its been online/[h/cr]hacked

have fun
alvin

On Sun, 22 Jul 2001, Gareth Hastings wrote:

>  
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Jul 17 07:47:45 somebox rpc.statd[609]: gethostbyname error for
> ^X?y?^X?y?^Z?y?^Z?y?%8x%8x%8
> x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> \220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\
> 220\220\220\220\220\220
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\
> 220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> \220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\
> 220\220\220\220\220\220
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\
> 220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> \220\220\220\220\220\22
> 0\220\220
> 
> How do I know if the attempt succeded or not ? This entry is repeated
> about 50 times. I checked the obvious things like hosts.allow/deny
> being changed. I checked for suid root files and entries in the
> inetd.conf file. Is there anything else I should look for ?
> 
k


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Daniel Martin: "Re: "datapool is a DoS attacks kit" message"
Previous message: Jon O .: "Wide-scale Code Red Damage Assessment and Report"
In reply to: Gareth Hastings: "Guess this is a hack attemp"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sun Jul 22 2001 - 17:47:37 PDT