Re: nasty tripwire report

From: Gideon Lenkey (glenkey@infotech-nj.com)
Date: Mon Jan 14 2002 - 08:56:22 PST


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Hi Chester,
    
    On Sun, 13 Jan 2002, Chester Jankowski wrote:
    
    /* It looks like someone wasn't watching their Saturday morning cartoons
    /* yesterday and decided to crack my home Linux box instead. I have included
    /* the juicy bits from the tripwire report below. Now I have several questions
    /* for the security experts here. Is this attack a recognized one?
    
    This really isn't an 'attack' per se, but it looks like a root kit. It
    would appear to be a combination of a library and trojan kit. I don't
    immediately recognize it, but hopefully someone else on the list will.
    
    /* Any suggestions for log analysis to track down the intruder?
    
    If you have any network traces you could probably see where he came from
    and the type of exploit he used to get into your system.  It will most
    likely just be another compromised host, the owner of which you could
    contact as a good neighbor.  You can also grep through your messages log
    file as well as your sendmail log file.  Often times you can see the
    connection from the exploit he used and sometimes an automated exploit
    tool sends an email out after it gains control of your system.
    
    Another option is to set up a sniffer between it and the Internet on
    your network and wait for him to return (DANGER! DANGER! DANGER! Will
    Robinson). As he changed your sshd though, I suspect he'll come in via
    that route so you won't see the commands he types, but you'll see where
    he connects from.  If you do this, be VERY careful to watch outgoing traffic,
    or he may attack someone else from your machine. Be prepared to cut him
    off immediately. If he sees you watching, he may try to damage your
    system to make forensic analysis more difficult.
    
    For a great treatment on how to automate this traffic 'cut-off' on a
    Linux box using IPTables, see:
    
    	http://project.honeynet.org/papers/honeynet/rc.firewall
    
    /* Is the only recovery here a complete re-install?
    
    It's definitely the safest! However, your tripwire looks like it's set up
    pretty good, so you could just restore the files that have changed and
    remove the directories and files that have been added.  You'll want to
    check their checksums again.  I would also move a trusted, statically
    linked copy of lsof onto the system afterwards and carefully examine all
    processes and listening ports.
    
    /* And lastly, is there any place I should report the incident?
    
    If you feel inclined, you should report this to CERT.
    
    	http://www.cert.org/reporting/incident_form.txt
    
    
    - --Gideon
    
    
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.5 (GNU/Linux)
    Comment: For info see http://www.gnupg.org
    
    iD8DBQE8Qw27H1ef35JVa+wRArOYAJ9ZyyWCVtLivY5L9Ce6J+CiluimSgCgqb4b
    UldbbX7f3uHaQicZ9Ltn3bM=
    =pX7v
    -----END PGP SIGNATURE-----
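The log triage the reply suggests (grep the messages log for the connection that brought the intruder in, and the sendmail log for the mail an automated tool sends out once it has root), as an added example that is not part of the original post or thread. The log lines are constructed (192.0.2.0/24 is a documentation range) in the syslog and sendmail layout of a 2002-era Linux host, the year is assumed because syslog omits it, and the recipient and host names are placeholders.

```python
"""Log triage: who connected to the box, and what mail left it afterwards.
Added example, not part of the original post; sample lines are constructed."""
import re
from collections import Counter
from datetime import datetime

LOG_YEAR = 2002  # syslog lines carry no year; assumed for the constructed sample

SAMPLE_MESSAGES = """\
Jan 12 09:58:41 box in.ftpd[2119]: connect from 192.0.2.45
Jan 12 09:58:43 box ftpd[2119]: FTP LOGIN FROM 192.0.2.45 [192.0.2.45], anonymous
Jan 12 10:14:02 box sshd[2131]: Accepted password for root from 192.0.2.45 port 4311 ssh2
Jan 12 10:20:17 box sshd[2160]: Accepted password for root from 192.0.2.77 port 1033 ssh2
Jan 13 08:02:10 box sshd[2410]: Accepted publickey for chester from 192.0.2.9 port 2200 ssh2
""".splitlines()

SAMPLE_MAILLOG = """\
Jan 12 09:10:00 box sendmail[1990]: g0CEA0a01990: from=chester, size=400, class=0, nrcpts=1, relay=chester@localhost
Jan 12 09:10:01 box sendmail[1991]: g0CEA0a01990: to=friend@example.org, ctladdr=chester (500/500), delay=00:00:01, mailer=esmtp, relay=mx.example.org. [192.0.2.10], stat=Sent
Jan 12 10:15:30 box sendmail[2150]: g0CFFUa02150: from=root, size=812, class=0, nrcpts=1, relay=root@localhost
Jan 12 10:15:31 box sendmail[2151]: g0CFFUa02150: to=dropbox@example.net, ctladdr=root (0/0), delay=00:00:01, mailer=esmtp, relay=mail.example.net. [192.0.2.20], stat=Sent
""".splitlines()

# "Mon DD HH:MM:SS host prog[pid]: message" (classic syslog layout)
SYSLOG_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# "connect from X", "LOGIN FROM X", "Accepted ... from X" all carry "from <ip>"
REMOTE_RE = re.compile(r"\bfrom (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b", re.IGNORECASE)
MAIL_FROM_RE = re.compile(r"\bfrom=(?P<sender>[^,]+),")
MAIL_TO_RE = re.compile(r"\bto=(?P<rcpt>[^,]+),.*\bstat=(?P<stat>\w+)")


def parse_ts(stamp, year=LOG_YEAR):
    """'Jan 12 10:14:02' -> datetime, with the year supplied by the caller."""
    return datetime.strptime(f"{year} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")


def parse_line(line):
    """Split one syslog line into its fields; None for lines that do not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"ts": parse_ts(m["stamp"]), "host": m["host"], "prog": m["prog"],
            "pid": m["pid"], "msg": m["msg"]}


def remote_hosts(lines, since=None):
    """Count source addresses in connect/login lines, optionally only from `since` on."""
    cutoff = parse_ts(since) if since is not None else None
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or (cutoff is not None and rec["ts"] < cutoff):
            continue
        m = REMOTE_RE.search(rec["msg"])
        if m:
            counts[m["ip"]] += 1
    return counts


def outbound_mail(maillog, since):
    """Join sendmail from=/to= records by queue id; return deliveries at or after `since`.
    Mail sent by root right after an unexpected login is the automated
    'phone home' the reply mentions."""
    cutoff = parse_ts(since)
    senders = {}
    deliveries = []
    for line in maillog:
        rec = parse_line(line)
        if rec is None or not rec["prog"].startswith("sendmail"):
            continue
        qid, _, rest = rec["msg"].partition(": ")
        f = MAIL_FROM_RE.search(rest)
        if f:
            senders[qid] = f["sender"]   # envelope sender, keyed by queue id
            continue
        t = MAIL_TO_RE.search(rest)
        if t and rec["ts"] >= cutoff:
            deliveries.append({"ts": rec["ts"], "from": senders.get(qid, "?"),
                               "to": t["rcpt"], "stat": t["stat"]})
    return deliveries


def triage(messages, maillog, since):
    """One-shot summary: hosts seen since `since`, and mail that left after it."""
    return {"hosts": remote_hosts(messages, since), "mail": outbound_mail(maillog, since)}


if __name__ == "__main__":
    report = triage(SAMPLE_MESSAGES, SAMPLE_MAILLOG, "Jan 12 09:30:00")
    for ip, n in report["hosts"].most_common():
        print(f"{ip:15} {n} connection/login line(s)")
    for d in report["mail"]:
        print(f"{d['ts']:%b %d %H:%M:%S} mail from {d['from']} to {d['to']} ({d['stat']})")
```

Copy the log files off the box before working on them (a kit that replaced sshd may also have trimmed syslog), and run the script from a clean machine; wtmp/lastlog are worth the same treatment, since the login times there bracket the window to search in the mail log.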
    
    
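The re-check of file checksums the reply recommends after restoring changed files and removing added ones, as an added example; it is not Tripwire's code or report format, and the directory tree it hashes is constructed in a temporary directory with placeholder file contents and paths.

```python
"""Minimal baseline/re-check of file digests. Added example, not part of the
original post and not Tripwire's own code; the tree in demo() is constructed."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries do not load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Relative path -> digest for every file under root; symlinks recorded by target."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                digests[rel] = "link:" + os.readlink(full)
            else:
                digests[rel] = sha256_file(full)
    return digests


def compare(baseline, current):
    """Added, removed and changed paths between two snapshots."""
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(p for p in both if baseline[p] != current[p]),
    }


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Build a constructed tree, baseline it, alter it, and return compare()."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "usr/sbin/sshd", b"original sshd bytes")
        _write(root, "bin/ls", b"original ls bytes")
        _write(root, "var/log/old.log", b"stale log")
        baseline = snapshot(root)
        # The three outcomes a tripwire-style run reports: a replaced binary,
        # a new file, a deleted one. Paths and contents are placeholders.
        _write(root, "usr/sbin/sshd", b"replaced sshd bytes")
        _write(root, "usr/local/lib/extra.so", b"new library")
        os.remove(os.path.join(root, "var/log/old.log"))
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:8} {paths}")
```

The comparison is only as good as the environment it runs in: after a kit has swapped sshd and libraries, hash the disk from known-good boot media (or with a trusted, statically linked binary, as the reply does for lsof) and compare against the last baseline taken before the compromise, not a fresh one taken on the running system.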
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Mon Jan 14 2002 - 09:34:38 PST