> Hi again,
> Thanks to everyone that replied. In fact so many replied with helpful
> suggestions that I can't say thanks to everyone individually.
>
> To quickly respond to a few questions:
>
> > So why do I get 'Operation not permitted' when I try to do anything
> > to the files?
>
> As the majority of you replied this is due to ext2's extended
> attributes.
> The fix was this:
> # cd /usr/bin
>
> # lsattr ssh2d
> lsattr 1.12, 9-Jul-98 for EXT2 FS 0.5b, 95/08/09
> s---ia-- ssh2d
>
> # chattr -i ssh2d
> chattr 1.12, 9-Jul-98 for EXT2 FS 0.5b, 95/08/09
>
> # lsattr ssh2d
> lsattr 1.12, 9-Jul-98 for EXT2 FS 0.5b, 95/08/09
> s----a-- ssh2d
>
> # mv ssh2d ssh2d_hack
> mv: cannot move `ssh2d' to `ssh2d_hack': Operation not permitted
>
> # chattr -a ssh2d
> chattr 1.12, 9-Jul-98 for EXT2 FS 0.5b, 95/08/09
>
> # mv ssh2d ssh2d_hack
>
> # ls -la ssh2*
> -rwxr-xr-x 1 root root 205288 Jan 5 14:43 ssh2d_hack
>
> > Considering that I couldn't find any info of how old UW-IMAP-1.5.1 is
> > (e.g. http://freshmeat.net/branches/11037/ lists only some "2000x" and
> > "2001y" versions)
>
> Yes, sorry I realised my mistake afterwards. It was in fact 2000c. The
> release 1.5.1 was RedHat's release (as per RPM info).
>
> > Secondly, if your machine is compromised you cannot trust the output of
> > e.g. lsmod.
>
> Yes, I realize this is a problem. Like I said the server is about 7000 miles
> from us, so we can't immediately reinstall as we'd like to. However in the
> meantime people on that continent really depend on the server to be able to
> continue doing business. So what I did in the meantime was upgrade
> everything on the machine, and copied a trusted version of lsof to the
> machine to try and verify that there's no backdoors. So far it looks ok, but
> I realize one can't be 100% sure. In any case we're monitoring everything
> very closely.
>
> > (And you should not scorn the importance of security updates although
> > you have services blocked by firewall!)
>
> Very good point! At this stage I suspect either exim-2.x or ssh-1.2.26 (even
> though it was host based firewalled). I looked at the ssh situation when all
> the advisories came out last year, but decided the firewall should be
> enough. I didn't want to be in a position where I upgraded ssh remotely and
> something goes wrong. But yesterday I decided to bite the bullet and do it,
> and it worked fine.
>
> Thanks again to everyone who responded. And also thanks to Security Focus
> and The Honeynet Project who are invaluable resources at times like this.
>
> Regards,
> Jan
>
> > -----Original Message-----
> > From: Jan van Rensburg [mailto:jan.van.rensburgat_private]
> > Sent: 09 January 2002 07:03
> > To: incidentsat_private
> > Subject: Machine compromised
> >
> >
> > Hi,
> > One of our servers that's literally on the other side of the globe has been
> > compromised on Saturday, 5 Jan. I'm not sure how the person got in, but it
> > has to be either exim (early 2.x version), University of Washington IMAP/POP
> > v 1.5.1 or Apache 1.3.9. It could also be that it was through ssh-1.2.26,
> > although this is supposed to be firewall filtered, so I doubt it. The base
> > machine is RedHat-5.2, but a lot has been changed since the original install
> > about 3 years ago.
> > ...
>
>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
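A defender-side check that follows from the chattr exchange in the post, added here as an example and not part of the thread: it parses lsattr(1) output (constructed sample input, including the version banner the old lsattr printed) and reports files carrying the immutable or append-only attribute, which on system binary directories is an indicator worth comparing against a known-good install.

```shell
#!/bin/sh
# Added example (not from the thread): scan lsattr(1) output for files
# carrying the ext2 attributes the post ran into, i (immutable) and
# a (append-only). Neither belongs on an ordinary binary in /usr/bin, so
# hits there are worth checking against a known-good install.

# Constructed sample, in the format of the old lsattr 1.12 shown in the post,
# including its version banner line (which must not be mistaken for a file).
SAMPLE_LSATTR='lsattr 1.12, 9-Jul-98 for EXT2 FS 0.5b, 95/08/09
s---ia-- ssh2d
-------- ssh
s----a-- login
-------- ls'

# classify FLAGS: name the locking attributes present in one flag string.
# Matching is case-sensitive, so the unrelated upper-case A flag is ignored.
classify() {
    case "$1" in
        *i*a*|*a*i*) echo "immutable+append-only" ;;
        *i*)         echo "immutable" ;;
        *a*)         echo "append-only" ;;
        *)           echo "none" ;;
    esac
}

# find_locked: read lsattr output on stdin, print "<file> <classification>"
# for every entry whose flags include i or a. On a live system, run e.g.
#   lsattr /usr/bin /usr/sbin /bin /sbin | find_locked
find_locked() {
    while read -r flags file; do
        # skip blank lines and the "lsattr <version>, ..." banner line
        [ -n "$file" ] || continue
        case "$flags" in lsattr*) continue ;; esac
        kind=$(classify "$flags")
        [ "$kind" = "none" ] || printf '%s %s\n' "$file" "$kind"
    done
}

printf '%s\n' "$SAMPLE_LSATTR" | find_locked
```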
This archive was generated by hypermail 2b30 : Tue Jan 15 2002 - 09:02:25 PST