Re: Machine compromised

From: Jan van Rensburg (jan.van.rensburgat_private)
Date: Tue Jan 15 2002 - 03:24:22 PST


    > Hi again,
    > Thanks to everyone that replied. In fact so many replied with helpful
    > suggestions that I can't say thanks to everyone individually. 
    > 
    > To quickly respond to a few questions:
    > 
    > > So why do I get 'Operation not permitted' when I try to do anything
    > > to the files?
    > 
    > As the majority of you replied, this is due to ext2's extended
    > attributes. The fix was this:
    > # cd /usr/bin
    > 
    > # lsattr ssh2d
    > lsattr 1.12, 9-Jul-98 for EXT2 FS 0.5b, 95/08/09
    > s---ia-- ssh2d
    > 
    > # chattr -i ssh2d
    > chattr 1.12, 9-Jul-98 for EXT2 FS 0.5b, 95/08/09
    > 
    > # lsattr ssh2d
    > lsattr 1.12, 9-Jul-98 for EXT2 FS 0.5b, 95/08/09
    > s----a-- ssh2d
    > 
    > # mv ssh2d ssh2d_hack
    > mv: cannot move `ssh2d' to `ssh2d_hack': Operation not permitted
    > 
    > # chattr -a ssh2d
    > chattr 1.12, 9-Jul-98 for EXT2 FS 0.5b, 95/08/09
    > 
    > # mv ssh2d ssh2d_hack
    > 
    > # ls -la ssh2*
    > -rwxr-xr-x   1 root     root       205288 Jan  5 14:43 ssh2d_hack
    > 
    > > Considering that I couldn't find any info of how old UW-IMAP-1.5.1 is
    > > (e.g. http://freshmeat.net/branches/11037/ lists only some "2000x" and
    > > "2001y" versions)
    > 
    > Yes, sorry I realised my mistake afterwards. It was in fact 2000c. The
    > release 1.5.1 was RedHat's release (as per RPM info). 
    > 
    > > Secondly, if your machine is compromised you cannot trust the output of
    > > e.g. lsmod.
    > 
    > Yes, I realize this is a problem. Like I said, the server is about 7000
    > miles from us, so we can't immediately reinstall as we'd like to. However,
    > in the meantime people on that continent really depend on the server to be
    > able to continue doing business. So what I did in the meantime was upgrade
    > everything on the machine, and copied a trusted version of lsof to the
    > machine to try and verify that there are no backdoors. So far it looks ok,
    > but I realize one can't be 100% sure. In any case we're monitoring
    > everything very closely.
    > 
    > > (And you should not scorn the importance of
    > > security updates although you have services blocked by firewall!)
    > 
    > Very good point! At this stage I suspect either exim-2.x or ssh-1.2.26
    > (even though it was host based firewalled). I looked at the ssh situation
    > when all the advisories came out last year, but decided the firewall
    > should be enough. I didn't want to be in a position where I upgraded ssh
    > remotely and something goes wrong. But yesterday I decided to bite the
    > bullet and do it, and it worked fine.
    > 
    > Thanks again to everyone who responded. And also thanks to Security Focus
    > and The Honeynet Project, who are invaluable resources at times like this.
    > 
    > Regards,
    > Jan
    > 
    > 
    > > -----Original Message-----
    > > From: Jan van Rensburg [mailto:jan.van.rensburgat_private]
    > > Sent: 09 January 2002 07:03
    > > To: incidentsat_private
    > > Subject: Machine compromised
    > > 
    > > 
    > > Hi,
    > > One of our servers that's literally on the other side of the globe has
    > > been compromised on Saturday, 5 Jan. I'm not sure how the person got in,
    > > but it has to be either exim (early 2.x version), University of
    > > Washington IMAP/POP v 1.5.1 or Apache 1.3.9. It could also be that it
    > > was through ssh-1.2.26, although this is supposed to be firewall
    > > filtered, so I doubt it. The base machine is RedHat-5.2, but a lot has
    > > been changed since the original install about 3 years ago.
    > > ...
    > > 
    > 
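The immutable and append-only attributes in the lsattr/chattr session above are worth checking for across the whole system, not just on the one binary that was found. The helper below is an added example, not code from the thread or from e2fsprogs: it reads lsattr-style output and lists every entry carrying the `i` or `a` flag, and runs against a constructed sample that is not data from the compromised host.

```shell
#!/bin/sh
# Added example, not from the original thread: triage helper that reads
# lsattr-style output and reports files carrying the immutable (i) or
# append-only (a) attribute, the two flags that produced "Operation not
# permitted" for mv above. Attackers set them to protect replaced
# binaries; a stock install sets neither on files under /usr/bin or
# /usr/sbin, though append-only on log files may be deliberate, so the
# output is a list to review, not a verdict.

# Constructed sample of lsattr output (banner line included, as the old
# 1.12 version printed it); not data from the compromised host.
SAMPLE='lsattr 1.12, 9-Jul-98 for EXT2 FS 0.5b, 95/08/09
s---ia-- /usr/bin/ssh2d
-----a-- /var/log/messages
-------- /usr/bin/vi
----i--- /usr/sbin/in.telnetd'

# find_locked: filter stdin, print "<flags> <path>" for entries with i or a.
# The flag field is letters and dashes only, so the version banner and the
# "dir:" headers that lsattr -R prints are skipped automatically.
find_locked() {
    awk '$1 != "lsattr" && $1 ~ /^[A-Za-z-]+$/ && $1 ~ /[ia]/ {
            flags = $1
            sub(/^[^ ]+ +/, "")   # strip the flag field, keep the full path
            print flags, $0
        }'
}

# locked_in_sample: run the filter over the constructed sample.
locked_in_sample() {
    printf '%s\n' "$SAMPLE" | find_locked
}

# count_locked: number of flagged entries on stdin, for a quick summary.
count_locked() {
    find_locked | wc -l | tr -d ' '
}

# On a live host (needs root, and ideally a trusted copy of lsattr):
#   lsattr -R /bin /sbin /usr/bin /usr/sbin 2>/dev/null | find_locked
```

As the thread notes, on a compromised host the lsattr binary itself cannot be trusted, so feed the filter output from a known-good copy where possible.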
    



    This archive was generated by hypermail 2b30 : Tue Jan 15 2002 - 09:02:25 PST