
Re: Hacked - is it my turn?



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 03 Feb 2004 03:50:06 +0100,
 Alvin Oga <aoga@ns.Linux-Consulting.com> wrote:
>
> hi ya johannes
>
> On Mon, 2 Feb 2004, Johannes Graumann wrote:
>
>> > > Checking 'bindshell'... INFECTED [PORTS:  1524 31337]
>> At this point I believe to be able to attribute this to portsentry
>> running - '/etc/init.d/portsentry stop' makes it go away,
>> '/etc/init.d/portsentry start' makes it reappear and I can create the
>> message on a pristine system by installing portsentry (running in the
>> default configuration).
>
> odd that portsentry does that... oh well ...
>

portsentry opens and attaches to ports; it's "famous" for setting off
false alarms in security tests. IMHO it's a poor tool for securing a
system, but it's probably better than nothing, although you'd be far
better off with snort.

  
>> > 'tiger' also reports - while performing signature check of system
>> > binaries, that /bin/ping, /usr/bin/chage, /usr/bin/at, /usr/bin/write
>> > and /usr/bin/inetd do not match. This cannot be confirmed by aide
>> > (cd-burned database, unsafe binary) or debsums (unsafe binary).
>> Javier stated as well:
>> > Do _not_ rely on that if you are _not_ using a stable system.... (and
>> > really, even then, unless you've regenerated the database yourself).
>> This is a testing/unstable system.
>
> that doesn't explain why the semi-important binaries are not as
> you expected ... you still need to confirm the size/md5 of the binaries
> against a clean system and/or patched updated/upgraded box
>  
>> If you don't buy this: please let me know and why. Since we are talking
>> 20+ systems being dependent on one of the machines in question, I'm
>> considering myself biased due to installation anxiety.
>
> maybe its time to spend an extra $300 for a 2nd backup machine and
> keep it offline or more protected behind another secure firewall
>  	- and also time to put all your binaries compressed onto cdrom
> 	so that you can trivially compare binaries in a few seconds
> 	and know if its been hacked or not
>
> 	- you'd also need to know which binaries changed on which date
> 	from which package :-)

Aide does a nice job of this, if you maintain a copy of the aide.db
offsite and check that too. On my machines, I do a series of tests:

nightly aide, chkrootkit and tiger runs, verify that the local aide.db
md5sum matches the remote backup, and go through the logs.

I am setting up snort, for the purposes mostly of practice. These are
web/mail servers, so I have a limited number of ports I have to have
open, everything else is firewalled off. 


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAHx2Sd90bcYOAWPYRAqSwAJ0YPQCQZ5fvtsWMDRkRLTrKjcjdPQCdEtMe
ahSRcZMY49OsTRoWIaCtQac=
=XqM4
-----END PGP SIGNATURE-----

-- 
Jim Richardson     http://www.eskimo.com/~warlock
It is dark.  Your .sig has been eaten by a grue.
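The two checks the thread converges on, Jim's comparison of the local integrity database against an offsite copy of its checksum and Alvin's comparison of the installed binaries against a clean baseline, as an added shell example that is not part of the original posts and not code from the aide, tiger or portsentry projects. It uses sha256sum rather than the md5sum the thread mentions; the directory layout, the file names and the fake "binaries" are constructed for the demo and are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from the aide/tiger projects.
#   1. verify that the local integrity database matches a checksum kept
#      on an offline/remote copy, so a tampered database cannot hide changes;
#   2. compare the binaries on the box against a baseline manifest taken
#      from a clean system.
# sha256sum is used where the thread says md5sum. All paths and the sample
# "binaries" below are constructed for the demo (assumptions).

# verify_db_sum FILE SUMFILE: return 0 if FILE's SHA-256 equals the hash
# recorded as the first field of SUMFILE (sha256sum output format).
verify_db_sum() {
    local_sum=$(sha256sum "$1" | cut -d' ' -f1)
    trusted_sum=$(cut -d' ' -f1 "$2")
    [ -n "$trusted_sum" ] && [ "$local_sum" = "$trusted_sum" ]
}

# make_manifest ROOT OUT: record the SHA-256 of every regular file under
# ROOT (paths relative to ROOT) into OUT, in sha256sum -c format.
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k2 ) > "$2"
}

# check_manifest MANIFEST ROOT: verify the files under ROOT against
# MANIFEST. Changed or missing files are printed as "<path>: FAILED";
# returns 0 only if every entry still matches. MANIFEST must be an
# absolute path because the check runs from inside ROOT.
check_manifest() {
    ( cd "$2" && sha256sum --check --quiet "$1" 2>/dev/null )
}

# Demo on constructed data: a "clean" tree, its manifest, an offline copy of
# the manifest's checksum, then a simulated trojaned /bin/ping.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/clean/bin" "$work/offline"
    printf 'fake ELF: ping v1\n' > "$work/clean/bin/ping"
    printf 'fake ELF: at v1\n'   > "$work/clean/bin/at"

    make_manifest "$work/clean" "$work/baseline.sums"
    # The checksum of the manifest is what you keep on the CD / remote host.
    sha256sum "$work/baseline.sums" > "$work/offline/baseline.sums.sha256"

    verify_db_sum "$work/baseline.sums" "$work/offline/baseline.sums.sha256" \
        && echo "baseline manifest matches its offline checksum"
    check_manifest "$work/baseline.sums" "$work/clean" \
        && echo "all binaries match the baseline"

    # Simulate a replaced /bin/ping and re-check.
    printf 'fake ELF: ping with backdoor\n' > "$work/clean/bin/ping"
    if check_manifest "$work/baseline.sums" "$work/clean"; then
        echo "tampering NOT detected (should not happen)"
    else
        echo "changed binaries listed above; investigate before trusting the box"
    fi
    rm -rf "$work"
}

demo
```

The point of the offline checksum is the one Jim makes: if an intruder can rewrite aide.db as well as the binaries, a local-only check proves nothing, so the manifest's own hash has to live somewhere the box cannot write to. Run the comparison from a boot medium you trust rather than with the sha256sum on the suspect system, for the same reason the thread distrusts debsums on an "unsafe binary"; on a Debian system, `dpkg -S <path>` then tells you which package owns a file that failed.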


