Re: was I cracked? (rpc.statd, new version)
Thank you all for the hints.
I think I will install tripwire for the future. I didn't have it up to now,
so for the moment it does not tell me much. The hacked machine is the only
one with 2.2 I control, so checking the binaries would involve unpacking debs
by hand, I guess. I have looked at creation times and setuid flags, and I
have run a portscan from outside and haven't found anything unusual.
So as Ethan said, I think I survived...
I have tried the exploit myself from outside on my machine. It produced a
similar entry in the logs, the script reported that it had 'failed', and my shy
test command (touch /blah) was not executed. This seems to me to be evidence that
it was actually the old rpc.statd hole he/she tried to crack, and I know my
version is safe (not because my own attack failed, but because Debian says
so).
I will
- install tripwire to observe more
- remove nfs-common (the machine is a fresh install, I couldn't go over all
the services yet)
Thank you for your help
Lukas
On Thursday, 12. July 2001 03.55, Alvin Oga wrote:
> i like a simple/stupid solution
> tar zcvf /safe_place_off_line/original_binaries.tgz \
> /bin /lib /sbin /usr/{bin,sbin,lib} /etc
>
> ( it's a quickie test... to compare the current binaries
> ( against what was the original
>
> if you're still not sure... that they ADDED some of their own
> apps .... then run tripwire.... and wait and wait..
> but then you'd have an answer if you have a good tripwire db going
>
> dozen different ways to identify if they got in and what they
> changed... choose your preferred way...
>
> c ua
> alvin
>
> On Wed, 11 Jul 2001, kath wrote:
> > You can check for modified binaries with tripwire.
> >
> > If this was a decent hacker or even a script kiddie using a good tool,
> > they probably would have purged your logs of all evidence.
> >
> > So either:
> >
> > a) They are second rate
> > or
> > b) They didn't get in
--
Tempobrain AG - Dufourstrasse 179 - 8008 Zürich
http://www.tempobrain.com | icq # 5856 2285
+44 20 7233 6206 | +44 79 8037 7312
+41 1 389 29 29 | +41 76 373 07 87
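The "tar the originals to a safe place and compare later" idea quoted above is easy to turn into something a bit more useful than a raw tarball diff. The script below is an added example for this page, not code posted by anyone in the thread: it records a manifest (SHA-256, octal mode, owner, group, path) for every regular file under the given directories, and later compares the live tree against that manifest, reporting files that were added, removed, or changed. Because the mode is part of the record, a binary that kept its bytes but gained a setuid bit (the kind of thing Lukas was checking by hand) shows up as CHANGED. The function names, the tab-separated manifest format, and the throwaway tree built by demo() are all my own choices; the script assumes GNU coreutils and findutils (sha256sum, stat --printf, mktemp) as shipped with Debian.

```shell
#!/bin/sh
# Added example, not code from the thread: snapshot-and-compare check for
# system binaries, in the spirit of the quoted "tar the originals" suggestion.
# Assumes GNU coreutils/findutils (sha256sum, stat --printf, mktemp, find).

# make_baseline MANIFEST DIR...
# Record sha256, mode, owner, group and path (tab-separated) for every
# regular file below DIR..., sorted so two manifests can be compared directly.
make_baseline() {
    out=$1; shift
    find "$@" -type f 2>/dev/null | LC_ALL=C sort | while IFS= read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        # %a is the octal mode, so a newly set setuid bit appears as 4xxx
        printf '%s\t%s\t%s\n' "$sum" "$(stat --printf '%a\t%U\t%G' "$f")" "$f"
    done > "$out"
}

# check_baseline MANIFEST DIR...
# Rebuild the manifest for the live tree and print one ADDED/REMOVED/CHANGED
# line per difference. Returns 0 when nothing differs, 1 otherwise.
check_baseline() {
    manifest=$1; shift
    current=$(mktemp)
    make_baseline "$current" "$@"
    report=$(awk -F'\t' '
        FILENAME == ARGV[1] { base[$5] = $0; next }   # first file: the baseline
        { cur[$5] = $0 }                               # second file: live tree
        END {
            for (p in base) if (!(p in cur))  print "REMOVED\t" p
            for (p in cur)  if (!(p in base)) print "ADDED\t" p
            for (p in cur)  if ((p in base) && cur[p] != base[p]) print "CHANGED\t" p
        }' "$manifest" "$current" | LC_ALL=C sort)
    rm -f "$current"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# demo: constructed sample tree standing in for /bin. Take a baseline, then
# simulate what an intruder might leave behind (a trojaned binary, a dropped
# tool, a setuid bit added to an untouched binary) and run the check.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/bin"
    printf 'original ls\n' > "$root/bin/ls"
    printf 'original ps\n' > "$root/bin/ps"
    chmod 755 "$root/bin/ls" "$root/bin/ps"
    make_baseline "$root/baseline.txt" "$root/bin"

    printf 'trojaned\n' >> "$root/bin/ls"      # contents altered: hash changes
    chmod 4755 "$root/bin/ps"                   # same bytes, new setuid bit
    printf 'rootkit\n' > "$root/bin/.hidden"    # file that was not there before

    check_baseline "$root/baseline.txt" "$root/bin"
    rc=$?
    rm -rf "$root"
    return $rc
}

# demo_clean: baseline and immediately re-check an untouched tree (expect 0).
demo_clean() {
    root=$(mktemp -d)
    mkdir -p "$root/bin"
    printf 'original ls\n' > "$root/bin/ls"
    make_baseline "$root/baseline.txt" "$root/bin"
    check_baseline "$root/baseline.txt" "$root/bin"
    rc=$?
    rm -rf "$root"
    return $rc
}

# Usage: sh this_script.sh demo   (prints ADDED/CHANGED lines, exits 1)
[ "${1:-}" = demo ] && demo
```

Two caveats that the thread touches on but does not spell out. First, the manifest is only as good as the system it was taken from, which is exactly Lukas's problem: with no baseline from before the incident, the only reference left is the package itself (on Debian, the debsums package compares installed files against the md5sums shipped in each .deb, which saves unpacking them by hand). Second, the check trusts sha256sum, find, stat and awk on the machine being examined; if root was really lost, those can be trojaned too, so the manifest belongs off-line (as the quoted tarball did) and the comparison is best run from known-good media or after mounting the disk elsewhere.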