linux-kernel.vger.kernel.org archive mirror
* Re: Help with virus/hackers
  2003-04-17 14:15 Help with virus/hackers joe briggs
@ 2003-04-17 12:42 ` Alan Cox
  2003-04-17 13:55 ` Richard B. Johnson
  1 sibling, 0 replies; 14+ messages in thread
From: Alan Cox @ 2003-04-17 12:42 UTC (permalink / raw)
  To: joe briggs; +Cc: 'linux-kernel@vger.kernel.org'

> Can anyone offer any advice or insight?

Without knowing what services were publicly accessible, and internally
accessible (since you don't know if someone used something like a windows
worm to attack from the inside) no. 

CERT has good general FAQs on cleaning up after attackers and also
tracks attacks for patterns, so do notify them.




* Re: Help with virus/hackers
  2003-04-17 14:15 Help with virus/hackers joe briggs
  2003-04-17 12:42 ` Alan Cox
@ 2003-04-17 13:55 ` Richard B. Johnson
  2003-04-17 14:12   ` Alan Cox
  2003-04-17 14:12   ` Alan Cox
  1 sibling, 2 replies; 14+ messages in thread
From: Richard B. Johnson @ 2003-04-17 13:55 UTC (permalink / raw)
  To: joe briggs; +Cc: 'linux-kernel@vger.kernel.org'

On Thu, 17 Apr 2003, joe briggs wrote:

> Please redirect me if this is not the appropriate place for this post.
>
> I have several Debian/Woody/2.4.19 webserver/firewalls at various locations
> that seem to have been hacked or victim of a worm or virus.  It is hard to
> articulate exactly the symptoms since it quickly brings the system down, but
> here is what I know so far:
>
[SNIPPED...]

It is unlikely that one of those Windows worms or viruses affected
your system. It is more likely that you simply have a trashed
file-system. To check for an invasion, do the following.

(1) Disconnect the network wire.
(2) Boot with init=/bin/bash
(3) `fsck` each file-system slice by hand. Look in /etc/fstab
     to get them all.
(4)  Execute `mount -a` to mount all the slices in the correct
     order.
(5)  Examine /etc/inetd.conf (if one exists). If you see an
     unusual entry near the end, you have been 'rooted'. Newer
     systems use xinetd and won't get invaded this way.
(6)  Check /etc/passwd for a strange account.
(7)  Check /bin/login for a new file-date.
(8)  Check /usr/sbin/sendmail for a new file-date.
     Check /usr/sbin/inetd      ""
     Check /usr/sbin/xinetd     ""
     Check /usr/sbin/syslogd    ""
     Check /usr/sbin/klogd      ""
     Check /usr/sbin/in.*       ""

If any of these files have recent writes, tar off all user-data
and completely install Linux again (from a distribution) from scratch.
Do not use a recent backup. It could have already been invaded.

If none of these have recent writes, just change the password on
the root account and be happy. You just had some file-system
corruption and you can fix up /etc/DIR_COLORS (for your color-ls
problem) and fix /etc/profile or /root/.bashrc, /root/.profile
to fix the bad environment variables created by these scripts.

Cheers,
Dick Johnson
Penguin : Linux version 2.4.20 on an i686 machine (797.90 BogoMips).
Why is the government concerned about the lunatic fringe? Think about it.



* Re: Help with virus/hackers
  2003-04-17 13:55 ` Richard B. Johnson
@ 2003-04-17 14:12   ` Alan Cox
  2003-04-17 15:31     ` John Jasen
  2003-04-17 15:45     ` John Bradford
  2003-04-17 14:12   ` Alan Cox
  1 sibling, 2 replies; 14+ messages in thread
From: Alan Cox @ 2003-04-17 14:12 UTC (permalink / raw)
  To: root; +Cc: joe briggs, 'linux-kernel@vger.kernel.org'

On Iau, 2003-04-17 at 14:55, Richard B. Johnson wrote:
> (2) Boot with init=/bin/bash

Doesn't help you
> (5)  Examine /etc/inetd.conf (if one exists). If you see an
>      unusual entry near the end, you have been 'rooted'. Newer
>      systems use xinetd and won't get invaded this way.
Wrong. Old xinetd < 2.3.10 has remote root exploits and real
ones circulate
> (6)  Check /etc/passwd for a strange account.
Rootkits patch other stuff
> (7)  Check /bin/login for a new file-date.
> (8)  Check /usr/sbin/sendmail for a new file-date.
>      Check /usr/sbin/inetd      ""
>      Check /usr/sbin/xinetd     ""
>      Check /usr/sbin/syslogd    ""
>      Check /usr/sbin/klogd      ""
>      Check /usr/sbin/in.*       ""

Rootkits know about avoiding this

> If none of these have recent writes, just change the password on
> the root account and be happy. You just has some file-system
> corruption and you can fix up /etc/DIR_COLORS (for your color-ls
> problem) and fix /etc/profile or /root/.bashrc, /root/.profile
> to fix the bad environment variables created by these scripts.

Never do this. You don't know what else has changed on the system. You
should always (barring odd exceptions) do a full reinstall. Also clean
user executable files if necessary (root's .login is often archived and
people rerun exploits from it...)

See the cert documents on recovering from an attack


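Richard's steps 7 and 8 compare file dates, and Alan's objection is that rootkits avoid exactly that. The script below is an added example and not something posted in the thread: it replaces a /bin/login in a constructed directory tree, copies the mtime of an untouched neighbour onto it with touch -r (the trick a rootkit installer uses), and shows that a date comparison sees nothing while a checksum comparison against the per-package md5sums lists that dpkg keeps on a Woody system (var/lib/dpkg/info/*.md5sums, the same data the debsums package reads) still flags the file. The tree it builds under mktemp is constructed for the demonstration and the function and variable names are mine; on a real box you would point verify_dpkg_md5sums at the suspect disk mounted read-only from rescue media, as John Jasen suggests later in the thread, and remember that the md5sums lists live on the same disk and can have been edited too, so a comparison against checksums taken from pristine .deb files is the stronger check.

```shell
#!/bin/sh
# Added example: offline integrity triage of a suspect Debian root.
# verify_dpkg_md5sums ROOT walks ROOT/var/lib/dpkg/info/*.md5sums (lines of
# "md5  path-relative-to-root") and reports files that changed or vanished.
# Paths containing spaces are not handled; dpkg never ships such files.

verify_dpkg_md5sums() {
    root="${1%/}"
    for list in "$root"/var/lib/dpkg/info/*.md5sums; do
        [ -f "$list" ] || continue
        while read -r sum path; do
            [ -n "$path" ] || continue
            f="$root/$path"
            if [ ! -f "$f" ]; then
                echo "MISSING $path"
                continue
            fi
            actual=$(md5sum < "$f" | cut -d' ' -f1)
            [ "$actual" = "$sum" ] || echo "MODIFIED $path"
        done < "$list"
    done
}

# Demonstration on a constructed tree: a vendor checksum list for two
# binaries, then a trojaned login whose mtime is forged with touch -r.
# Prints "mtime_identical=1" (a file-date check is blind) followed by the
# verifier's findings, which still name bin/login.
demo_forged_mtime() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/var/lib/dpkg/info" "$tmp/bin"
    printf 'original login\n' > "$tmp/bin/login"
    printf 'original ls\n'    > "$tmp/bin/ls"
    # Record the checksums of the pristine files, as the package would.
    for f in login ls; do
        printf '%s  bin/%s\n' "$(md5sum < "$tmp/bin/$f" | cut -d' ' -f1)" "$f"
    done > "$tmp/var/lib/dpkg/info/login.md5sums"
    touch -d '2002-06-01 00:00:00' "$tmp/bin/login" "$tmp/bin/ls"

    # Attacker drops a replacement login and hides the write by copying the
    # timestamps of an untouched file onto it.
    printf 'backdoored login\n' > "$tmp/bin/login"
    touch -r "$tmp/bin/ls" "$tmp/bin/login"

    same_mtime=0
    if [ "$(stat -c %Y "$tmp/bin/login")" = "$(stat -c %Y "$tmp/bin/ls")" ]; then
        same_mtime=1
    fi
    result=$(verify_dpkg_md5sums "$tmp")
    rm -rf "$tmp"
    echo "mtime_identical=$same_mtime"
    echo "$result"
}

# Usage on a rescued system: sh verify.sh /mnt/suspect
if [ -n "${1:-}" ]; then
    verify_dpkg_md5sums "$1"
fi
```

The mtime forgery costs the attacker one command, which is why the comparison has to be against content, and against a reference that did not sit on the compromised disk.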

* Help with virus/hackers
@ 2003-04-17 14:15 joe briggs
  2003-04-17 12:42 ` Alan Cox
  2003-04-17 13:55 ` Richard B. Johnson
  0 siblings, 2 replies; 14+ messages in thread
From: joe briggs @ 2003-04-17 14:15 UTC (permalink / raw)
  To: 'linux-kernel@vger.kernel.org'

Please redirect me if this is not the appropriate place for this post.

I have several Debian/Woody/2.4.19 webserver/firewalls at various locations 
that seem to have been hacked or victim of a worm or virus.  It is hard to 
articulate exactly the symptoms since it quickly brings the system down, but 
here is what I know so far:

1) There is no more output to /var/log/syslog.  The contents of the file is 
'0'.
2) 'last' works, but with no unexpected ftp or telnet logins.
3) Windows systems on the inside seem to have been infected with the 
W23.HLLW.ULTIMAX worm that propagates through Windows networking.  Samba was 
indeed running on the servers.
4) If I telnet into the server and 'ls', I get:
ls: unrecognized prefix: do
ls: unparsable value for LS_COLORS environment variable

But I can su to root.

5) On some systems I rebooted and got the console errors "can't open 
/etc/console/boottime.kmap.gz", and it can't seem to mount the filesystem 
and complete the boot.

The first machine went down last Friday in San Antonio TX.  Then 
within a few hours two more went down that were on the same DSL provider's 
network.  Today I experienced the problem on a server in Manchester NH.

Can anyone offer any advice or insight?
-- 
Joe Briggs
Briggs Media Systems
105 Burnsen Ave.
Manchester NH 01304 USA
TEL/FAX 603-232-3115 MOBILE 603-493-2386
www.briggsmedia.com


* Re: Help with virus/hackers
  2003-04-17 14:12   ` Alan Cox
@ 2003-04-17 15:31     ` John Jasen
  2003-04-17 15:45     ` John Bradford
  1 sibling, 0 replies; 14+ messages in thread
From: John Jasen @ 2003-04-17 15:31 UTC (permalink / raw)
  To: Alan Cox; +Cc: root, joe briggs, 'linux-kernel@vger.kernel.org'


If you really want to examine the remains of a compromise, boot from a 
CD-based distro or something like that, and mount the partitions 
read-only.

If you don't want to, or have no idea what you're looking at, as Alan 
said, recover and verify user data, then reformat and reinstall.


On 17 Apr 2003, Alan Cox wrote:

> > (7)  Check /bin/login for a new file-date.
> > (8)  Check /usr/sbin/sendmail for a new file-date.
> >      Check /usr/sbin/inetd      ""
> >      Check /usr/sbin/xinetd     ""
> >      Check /usr/sbin/syslogd    ""
> >      Check /usr/sbin/klogd      ""
> >      Check /usr/sbin/in.*       ""
> 
> Rootkits know about avoiding this

Oh, yes. If you were running tripwire, and being good about keeping the 
database somewhere on read-only media, you might be able to detect file 
modifications. Place emphasis on might. 

> Never do this. You don't know what else has changed on the system. You
> should always (barring odd exceptions) do a full reinstall. Also clean
> user executable files if neccessary (roots .login is often archived and
> people rerun exploits from it...)

I'm trying to think up one of those odd situations ...

-- 
-- John E. Jasen (jjasen@realityfailure.org)
-- User Error #2361: Please insert coffee and try again.




* Re: Help with virus/hackers
  2003-04-17 14:12   ` Alan Cox
  2003-04-17 15:31     ` John Jasen
@ 2003-04-17 15:45     ` John Bradford
  2003-04-17 16:26       ` Alan Cox
  2003-04-17 17:17       ` Christopher Curtis
  1 sibling, 2 replies; 14+ messages in thread
From: John Bradford @ 2003-04-17 15:45 UTC (permalink / raw)
  To: Alan Cox; +Cc: root, joe briggs, 'linux-kernel@vger.kernel.org'

> 
> On Iau, 2003-04-17 at 14:55, Richard B. Johnson wrote:
> > (2) Boot with init=/bin/bash
> 
> Doesnt help you
> > (5)  Examine /etc/inetd.conf (if one exists). If you see an
> >      unusual entry near the end, you have been 'rooted'. Newer
> >      systems use xinetd and won't get invaded this way.
> Wrong. Old xinetd < 2.3.10 has remote root exploits and real
> ones circulate
> > (6)  Check /etc/passwd for a strange account.
> Rootkits patch other stuff
> > (7)  Check /bin/login for a new file-date.
> > (8)  Check /usr/sbin/sendmail for a new file-date.
> >      Check /usr/sbin/inetd      ""
> >      Check /usr/sbin/xinetd     ""
> >      Check /usr/sbin/syslogd    ""
> >      Check /usr/sbin/klogd      ""
> >      Check /usr/sbin/in.*       ""
> 
> Rootkits know about avoiding this
> 
> > If none of these have recent writes, just change the password on
> > the root account and be happy. You just has some file-system
> > corruption and you can fix up /etc/DIR_COLORS (for your color-ls
> > problem) and fix /etc/profile or /root/.bashrc, /root/.profile
> > to fix the bad environment variables created by these scripts.
> 
> Never do this. You don't know what else has changed on the system. You
> should always (barring odd exceptions) do a full reinstall. Also clean
> user executable files if neccessary (roots .login is often archived and
> people rerun exploits from it...)

Also, note that any data stored on that machine is potentially
compromised, such as passwords for other boxes, etc.  You should
really also change all of those.  If the box was a firewall, the
rulesets also become known, etc.

I've often wondered whether it would be worth connecting a very large
serial EEPROM to a serial port interface, and have it effectively
appear as a solid state printer, (so that you could cheaply log to an
unmodifiable device).  Has anybody ever tried this?

John.


* Re: Help with virus/hackers
  2003-04-17 15:45     ` John Bradford
@ 2003-04-17 16:26       ` Alan Cox
  2003-04-17 18:00         ` John Bradford
  2003-04-17 17:17       ` Christopher Curtis
  1 sibling, 1 reply; 14+ messages in thread
From: Alan Cox @ 2003-04-17 16:26 UTC (permalink / raw)
  To: John Bradford; +Cc: root, joe briggs, 'linux-kernel@vger.kernel.org'

On Iau, 2003-04-17 at 16:45, John Bradford wrote:
> I've often wondered whether it would be worth connecting a very large
> serial EEPROM to a serial port interface, and have it effectively
> appear as a solid state printer, (to that you could cheaply log to an
> unmodifyable device).  Has anybody ever tried this?

Linux supports console on printer. It's not totally foolproof (there is
a famous story of someone who simply reprinted the past two days of logs
edited so the admins wouldn't realise when they looked) but it works pretty
well. Just use a dot-matrix printer to save keeping HP, Lexmark or Xerox in
business 8)



* Re: Help with virus/hackers
  2003-04-17 15:45     ` John Bradford
  2003-04-17 16:26       ` Alan Cox
@ 2003-04-17 17:17       ` Christopher Curtis
  1 sibling, 0 replies; 14+ messages in thread
From: Christopher Curtis @ 2003-04-17 17:17 UTC (permalink / raw)
  To: John Bradford
  Cc: Alan Cox, root, joe briggs, 'linux-kernel@vger.kernel.org'

John Bradford wrote:

> I've often wondered whether it would be worth connecting a very large
> serial EEPROM to a serial port interface, and have it effectively
> appear as a solid state printer, (to that you could cheaply log to an
> unmodifyable device).  Has anybody ever tried this?

I suspect there are better solutions; namely another host running 
something like passlogd with the xmit wires cut and the hosts sending 
udp broadcast messages (or plug it into the monitor port of the switch). 
  Also, since the poster was running Woody, apt-cron'ing security might 
also lend itself to usefulness, along with apt-listchanges and maybe a 
little expect script.

rgds,
Chris


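Christopher's receive-only loghost, spelled out as configuration. This is an added example, not something from the thread or from any of the posters: the hostnames, addresses, MAC address and interface name are placeholders, and it assumes the sysklogd that ships with Woody on both ends. Alan's "console on printer" is the 2.4 kernel's lp console (console=lp0 with CONFIG_LP_CONSOLE); the network route below is the cheaper everyday alternative.

```conf
# Added example, not from the thread: one-way syslog forwarding from the
# Woody firewalls to a loghost that never needs to transmit.

# --- On each firewall: /etc/syslog.conf ---
# Keep the local files and copy everything to the loghost over UDP/514.
# syslog over UDP is fire-and-forget, so a loghost with its transmit pair
# cut can still receive every message.
*.*                     @loghost
*.*                     /var/log/syslog

# --- On each firewall: name and ARP entry for the loghost ---
# A host that cannot transmit cannot answer ARP, so give the sender the
# loghost's MAC address by hand (or send to the subnet broadcast address,
# as Curtis mentions, and let a sniffer such as passlogd collect it).
#   echo "192.0.2.250   loghost" >> /etc/hosts
#   arp -s loghost 00:11:22:33:44:55

# --- On the loghost: accept remote messages ---
# Debian's sysklogd only listens for remote syslog when started with -r.
# In Woody that is the SYSLOGD variable near the top of
# /etc/init.d/sysklogd; later releases moved it to /etc/default/syslogd.
#   SYSLOGD="-r"

# --- On the loghost: nothing else reachable ---
# Only UDP/514 from the firewall subnet; the box runs no other service,
# and ideally has no route back anyway.
#   iptables -P INPUT DROP
#   iptables -A INPUT -i lo -j ACCEPT
#   iptables -A INPUT -i eth0 -p udp --dport 514 -s 192.0.2.0/24 -j ACCEPT
```

The point of the layout is that the forwarded copy is written by a process the attacker cannot reach from the compromised box, which is exactly what Joe's zeroed /var/log/syslog lost. It does not stop an attacker from flooding the loghost with forged messages over the same UDP channel, so a sudden change in volume, the thing Kenny proposes watching for later in the thread, is itself a signal worth alerting on.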

* Re: Help with virus/hackers
  2003-04-17 16:26       ` Alan Cox
@ 2003-04-17 18:00         ` John Bradford
  0 siblings, 0 replies; 14+ messages in thread
From: John Bradford @ 2003-04-17 18:00 UTC (permalink / raw)
  To: Alan Cox
  Cc: John Bradford, root, joe briggs, 'linux-kernel@vger.kernel.org'

> > I've often wondered whether it would be worth connecting a very large
> > serial EEPROM to a serial port interface, and have it effectively
> > appear as a solid state printer, (to that you could cheaply log to an
> > unmodifyable device).  Has anybody ever tried this?
> 
> Linux supports console on printer. Its not totally foolproof (there is
> a famous story of someone who simply reprinted the past two days of logs
> edited so the admins wouldnt realise when they looked)

!!!  You can't be serious :-)

> but it works pretty well. Just use a dot-matrix printer save keeping
> HP, Lexmark or Xerox in business 8)

Aren't you concerned with all of the trees that will be cut down to
make that paper, though?

I think 1 tree = about 50 reams.  Let's say you get through a ream a
day, that's a tree every couple of months!

Maybe there is a way to encode the data in the rings of the tree while
it's still growing, that would be the ultimate WORM device :-) :-)
:-).

John.


* RE: Help with virus/hackers
@ 2003-04-17 20:56 Kenny Mann
  0 siblings, 0 replies; 14+ messages in thread
From: Kenny Mann @ 2003-04-17 20:56 UTC (permalink / raw)
  To: linux-kernel

http://www.openitx.com/g/networkadmin-select.asp

That mail list would probably be more appropriate.
Openitx also has a lot of mailing lists. Perhaps one of them may be even
more appropriate.

--KM

-----Original Message-----
From: Kenny Mann 
Sent: Thursday, April 17, 2003 1:13 PM
To: John Bradford; Alan Cox
Cc: root@chaos.analogic.com; joe briggs; linux-kernel@vger.kernel.org
Subject: RE: Help with virus/hackers


Perhaps this:
Using FTP to connect to another secured computer which has only that
service running. Write-only (no read, etc) is what is used to send to
it. This file will remain open until time X. Where X equals when that
file will close and another file will begin. Random names or perhaps
based on date/time. Every Y amount of time, it will burn to a CD
that directory or perhaps only new files added. (all but the last file
which is currently
open)
When that directory (minus the open file) size hits a certain size, it
will either ask for another CD or auto-create another CD and move
previous logs there. (or perhaps when that directory hits a certain size
it moves the old logs there and then burns them instead of every Y time)

Any suggestions/flames?

>> Linux supports console on printer. Its not totally foolproof (there
is 
>> a famous story of someone who simply reprinted the past two days of
>> logs edited so the admins wouldnt realise when they looked)
>!!!  You can't be serious :-)
Hmm, true or not... Better safe than sorry. :-) If that person knows
about it they are bound to try and figure something out.

Perhaps if you see a massive directory size difference (increased size)
That might be something to set it off... (assuming you follow the idea
above)

--KM

-----Original Message-----
From: John Bradford [mailto:john@grabjohn.com] 
Sent: Thursday, April 17, 2003 1:01 PM
To: Alan Cox
Cc: John Bradford; root@chaos.analogic.com; joe briggs;
'linux-kernel@vger.kernel.org'
Subject: Re: Help with virus/hackers


> > I've often wondered whether it would be worth connecting a very
> > large serial EEPROM to a serial port interface, and have it 
> > effectively appear as a solid state printer, (to that you could 
> > cheaply log to an unmodifyable device).  Has anybody ever tried 
> > this?
> 
> Linux supports console on printer. Its not totally foolproof (there is

> a famous story of someone who simply reprinted the past two days of
> logs edited so the admins wouldnt realise when they looked)

!!!  You can't be serious :-)

> but it works pretty well. Just use a dot-matrix printer save keeping
> HP, Lexmark or Xerox in business 8)

Aren't you concerned with all of the trees that will be cut down to make
that paper, though?

I think 1 tree = about 50 reams.  Let's say you get through a ream a
day, that's a tree every couple of months!

Maybe there is a way to encode the data in the rings of the tree while
it's still growing, that would be the ultimate WORM device :-) :-) :-).

John.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel"
in the body of a message to majordomo@vger.kernel.org More majordomo
info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/


* RE: Help with virus/hackers
@ 2003-04-17 18:12 Kenny Mann
  0 siblings, 0 replies; 14+ messages in thread
From: Kenny Mann @ 2003-04-17 18:12 UTC (permalink / raw)
  To: John Bradford, Alan Cox; +Cc: root, joe briggs, linux-kernel

Perhaps this:
Using FTP to connect to another secured computer which has only that
service running.
Write-only (no read, etc) is what is used to send to it. This file will
remain open until time X.
Where X equals when that file will close and another file will begin.
Random names or perhaps based on date/time.
Every Y amount of time, it will burn to a CD that directory or
perhaps only new files added. (all but the last file which is currently
open)
When that directory (minus the open file) size hits a certain size, it
will either ask for another CD or auto-create another CD and move
previous logs there. (or perhaps when that directory hits a certain size
it moves the old logs there and then burns them instead of every Y time)

Any suggestions/flames?

>> Linux supports console on printer. Its not totally foolproof (there
is 
>> a famous story of someone who simply reprinted the past two days of 
>> logs edited so the admins wouldnt realise when they looked)
>!!!  You can't be serious :-)
Hmm, true or not... Better safe than sorry. :-) If that person knows
about it they are bound to try and figure something out.

Perhaps if you see a massive directory size difference (increased size)
That might be something to set it off... (assuming you follow the idea
above)

--KM

-----Original Message-----
From: John Bradford [mailto:john@grabjohn.com] 
Sent: Thursday, April 17, 2003 1:01 PM
To: Alan Cox
Cc: John Bradford; root@chaos.analogic.com; joe briggs;
'linux-kernel@vger.kernel.org'
Subject: Re: Help with virus/hackers


> > I've often wondered whether it would be worth connecting a very 
> > large serial EEPROM to a serial port interface, and have it 
> > effectively appear as a solid state printer, (to that you could 
> > cheaply log to an unmodifyable device).  Has anybody ever tried 
> > this?
> 
> Linux supports console on printer. Its not totally foolproof (there is

> a famous story of someone who simply reprinted the past two days of 
> logs edited so the admins wouldnt realise when they looked)

!!!  You can't be serious :-)

> but it works pretty well. Just use a dot-matrix printer save keeping 
> HP, Lexmark or Xerox in business 8)

Aren't you concerned with all of the trees that will be cut down to make
that paper, though?

I think 1 tree = about 50 reams.  Let's say you get through a ream a
day, that's a tree every couple of months!

Maybe there is a way to encode the data in the rings of the tree while
it's still growing, that would be the ultimate WORM device :-) :-) :-).

John.


* Re: Help with virus/hackers
  2003-04-17 16:34 Kenny Mann
@ 2003-04-17 17:24 ` Leonard Milcin, Jr
  0 siblings, 0 replies; 14+ messages in thread
From: Leonard Milcin, Jr @ 2003-04-17 17:24 UTC (permalink / raw)
  To: Kenny Mann, linux-kernel

Kenny Mann wrote:

>Another method, that just popped to mind, is perhaps having
>Some form of a network share somewhere to which only write access
>Is granted. No on could list the files, no one could read the files
>(except for admin of course!). I'm unsure if it's possible to allow
>Only additions to files and no deletions... Just a thought.
>
>Samba Masters> Would this be possible via samba?
>

Yes, it is possible, at least using ftp. If you create an ftp, or ftp-like,
service that allows only storing data in one particular directory for each
user account (or server account, if we would like to name it this way) and
no listing of the directory or reading of files (just a matter of file/dir
permissions) then we have the solution. The server must ensure that no one
can read or delete a file.

It is even possible to create a service with anonymous login. It should serve
one directory, for writing only (no read or list operations) as in the
previous case. Users should store files with unique names, to prevent write
errors when a new file has the same name as a previously created one.

It meets all your requirements. And it is possible to configure almost all
common ftp daemons to do their work this way.

Leonard Milcin, Jr


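The write-only drop directory Kenny asks about and Leonard describes, done with vsftpd and plain Unix permissions. This is an added example rather than anything the posters configured: the paths and the logkeeper user are placeholders, and it assumes a vsftpd recent enough to know every option listed (check your version's man page). The idea is that the server policy and the filesystem each block reading and deleting on their own, so a bug or misconfiguration in one does not open the box.

```conf
# Added example, not from the thread: an anonymous, write-only FTP drop box
# for log files. Filesystem side first (run as root):
#
#   adduser --system --no-create-home logkeeper
#   mkdir -p /srv/ftp/incoming
#   chown root:root /srv/ftp   && chmod 755  /srv/ftp         # anon root stays unwritable
#   chown root:root /srv/ftp/incoming && chmod 1733 /srv/ftp/incoming
#
# Mode 1733 on incoming: the ftp user gets wx, so it can create files and
# traverse, but without r it cannot list; the sticky bit means only a
# file's owner (or root) can unlink it, and uploads are chowned to
# logkeeper below, so the ftp user can neither delete nor reopen them.

# /etc/vsftpd.conf
listen=YES
anonymous_enable=YES
local_enable=NO
anon_root=/srv/ftp

write_enable=YES
anon_upload_enable=YES            # STOR into writable directories only
anon_mkdir_write_enable=NO
anon_other_write_enable=NO        # no DELE, no RNFR/RNTO from the server side either

download_enable=NO                # RETR refused outright ...
anon_world_readable_only=YES      # ... and even if enabled, only world-readable files
dirlist_enable=NO                 # LIST/NLST refused

anon_umask=077                    # uploads land as 0600 ...
chown_uploads=YES
chown_username=logkeeper          # ... owned by a user the ftp process is not

xferlog_enable=YES                # the loghost keeps its own record of who sent what
```

Senders must pick names that do not collide, as Leonard says (hostname plus a timestamp is enough), because an existing file owned by logkeeper cannot be reopened for writing. Two things the scheme does not give you: confidentiality on the wire, since FTP is cleartext and these are firewall logs, and protection of a file that is still open, which is why Kenny's rotation-then-burn step matters.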

* RE: Help with virus/hackers
@ 2003-04-17 16:34 Kenny Mann
  2003-04-17 17:24 ` Leonard Milcin, Jr
  0 siblings, 1 reply; 14+ messages in thread
From: Kenny Mann @ 2003-04-17 16:34 UTC (permalink / raw)
  To: John Bradford, Alan Cox; +Cc: root, joe briggs, linux-kernel, samba

>I've often wondered whether it would be worth connecting a
>very large serial EEPROM to a serial port interface, and
>have it effectively appear as a solid state printer, (to
>that you could cheaply log to an unmodifyable device).
>Has anybody ever tried this?

>John.

Dot Matrix or an old printer would come in handy here with
a (near-)infinite number of paper feed. :-)
A friend of mine has done the same thing, except with web logs.
Mostly so he can watch where his children go, however the same
could be done about hackers. Only exception is if someone knows
about it. If they know about it, most likely they know someone
who has physical access. If it was a rootkit that got you, then
you are safe. I'm sure the rest should be obvious.

In a nutshell... Yes it can be done and is one of the safer
methods, but more paranoid (which can be a good thing :-)


If you desire to know the method to accomplish this, I would
be happy to give them to you.


Another method, that just popped to mind, is perhaps having
Some form of a network share somewhere to which only write access
Is granted. No one could list the files, no one could read the files
(except for admin of course!). I'm unsure if it's possible to allow
Only additions to files and no deletions... Just a thought.

Samba Masters> Would this be possible via samba?

--KM


Thread overview: 14+ messages
2003-04-17 14:15 Help with virus/hackers joe briggs
2003-04-17 12:42 ` Alan Cox
2003-04-17 13:55 ` Richard B. Johnson
2003-04-17 14:12   ` Alan Cox
2003-04-17 15:31     ` John Jasen
2003-04-17 15:45     ` John Bradford
2003-04-17 16:26       ` Alan Cox
2003-04-17 18:00         ` John Bradford
2003-04-17 17:17       ` Christopher Curtis
2003-04-17 14:12   ` Alan Cox
2003-04-17 16:34 Kenny Mann
2003-04-17 17:24 ` Leonard Milcin, Jr
2003-04-17 18:12 Kenny Mann
2003-04-17 20:56 Kenny Mann
