
Re: I'm afraid I've been cracked.



hi ya steve

do the lsof and netstat thing
and am curious....

try:
egrep -i "failed|failure|refused|not allowed|illegal port|blocked|denied|passwd"\
  /var/log/messages*

try:   last, w, who, too

check the binaries too...
	top, ps, ls, last, w, who, netstat, passwd, login, etc...

have fun
alvin

am beginning to think this (untested) script might be useful..
especially if one hates getting daily tripwire reports that
are not necessarily true "warning/danger" emails...

> >         #!/bin/sh
> >         #
> >         # Example script to check binaries...( untested )
> >         #
> >         #
> >         LST1="/etc/passwd /etc/shadow /bin/login /usr/bin/passwd"
> >         LST2="/bin/ls /usr/bin/top /usr/bin/w /usr/bin/who /usr/bin/last"
> >         LST3="/bin/ps /bin/netstat /sbin/ifconfig /sbin/route"
> >         LIST="$LST1 $LST2 $LST3"
> >         #
> >         # Initialize: record the checksum of a known-good set of files.
> >         # ($1 is quoted and compared with "=" so the test does not
> >         #  blow up when the script is run with no argument.)
> >         #
> >         if [ "$1" = "-init" ] ; then
> >           sum=`tar -cf - $LIST | sum`
> >           echo "$sum" > /Some_Secure_place/check_sum.txt
> >         fi
> >         #
> >         # Read the stored checksum back (needs command substitution,
> >         # a bare res=cat ... would just assign the word "cat").
> >         res=`cat /Some_Secure_place/check_sum.txt`
> >         #
> >         # Recompute it now.  Note that tar also records mtime/owner,
> >         # so a legitimate package upgrade changes the sum too and
> >         # -init has to be re-run afterwards.
> >         check=`tar -cf - $LIST | sum`
> >         #
> >         if [ "$res" != "$check" ]; then
> >           mail -s "Binaries been Modified" secure_bin_chk@secure_site.com < /dev/null
> >                 #       or send a msg to a pager...etc..etc..
> >         fi
> >         #
> >         # end of file
> >
>
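As an added example (my own, not alvin's script or anything from the list), here is the same check done per file with sha256sum, so the report names which binary changed or went missing rather than only saying the tarball sum differs. It assumes GNU coreutils is installed; the /Some_Secure_place path is the placeholder from the post and should point at storage the host cannot quietly rewrite.

```shell
#!/bin/sh
# Added example, not the script from the post above: a per-file
# integrity baseline, so the alert names which binary changed
# instead of only saying the tarball checksum differs.
# Assumptions: GNU coreutils sha256sum is available, and the
# baseline file lives where the host cannot quietly rewrite it
# (read-only media or another machine), as the post's
# /Some_Secure_place placeholder intends.

# Userland tools the thread says to distrust after a suspected break-in.
WATCH_DEFAULT="/bin/ls /bin/ps /bin/netstat /bin/login /usr/bin/passwd \
/usr/bin/top /usr/bin/w /usr/bin/who /usr/bin/last"

# make_baseline BASELINE PATH...: write "digest  path" for each existing file.
make_baseline() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        if [ -f "$f" ]; then
            sha256sum "$f" >> "$out"
        fi
    done
}

# check_baseline BASELINE: recompute every digest; print one line per
# MISSING or MODIFIED file. Returns 0 when all match, 1 otherwise.
check_baseline() {
    rc=0
    while read -r want path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        have=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "MODIFIED $path"; rc=1
        fi
    done < "$1"
    return $rc
}

# Baseline location: placeholder path taken from the post, override via env.
BASELINE=${BASELINE:-/Some_Secure_place/sha256.txt}
case "$1" in
    -init)  make_baseline "$BASELINE" $WATCH_DEFAULT ;;   # once, from a known-good state
    -check) check_baseline "$BASELINE" ;;                 # from cron; mail any output
esac
```

Run it with -init once from a state you trust, then -check from cron and mail the output only when it is non-empty.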


On Wed, 27 Sep 2000, Steve Juranich wrote:

> Well, I wasn't paying a whole lot of attention and I had every unnecessary
> port closed... or so I thought.  I was still running the portmapper.  So
> when I ssh'd home today and nmapped myself, a couple of mysterious processes
> popped up.
> 
> To begin with: I nmapped my box and saw, much to my dismay:
> 
> Port    State       Protocol  Service
> 22      open        tcp        ssh             
> 111     open        tcp        sunrpc          
> 515     open        tcp        printer         
> 1527    open        tcp        tlisrv          
> 6000    open        tcp        X11             
> 
> As soon as I killed the portmapper, port 111 (the portmapper) and port 1527
> (the mystery process) both died.  Then later today, I ssh'd home again and
> saw:
> 
> Port    State       Protocol  Service
> 22      open        tcp        ssh             
> 515     open        tcp        printer         
> 2027    open        tcp        shadowserver    
> 6000    open        tcp        X11             
> 
> Then, by looking through /var/log/auth.log, I see that every morning at
> around 7:35, three sessions are being opened.  Two for user 'news' by
> (uid=0) and one for user 'nobody' also by (uid=0).
> 
> I plan on removing nntp from my box immediately, since I don't use my box as
> a server in any way.  Can anybody please explain to me what's going on?
> Has my box been compromised?  What do I do?
> 
> Copious thanks in advance for any help.
> 
> ----------------------------------------------------------------------
> Stephen W. Juranich                         sjuranic@ee.washington.edu
> Electrical Engineering         http://students.washington.edu/sjuranic
> University of Washington             http://rcs.ee.washington.edu/ssli
> 
> 


