On Thu, Mar 01, 2001 at 09:32:19AM +0100, Runar Bell wrote:
> 1) I noticed that somebody had logged in to my computer using my username.
> I can't see how they could have discovered my password (7 letters,
<snip>
>
> 2) When inspecting /var/log/messages I noticed quite a lot of attempts to
> send a buffer overflow (or something like that) on the port running
> rpc.statd. Is there some security hole there I am not aware of? I have
<snip>

OK, here's what I think happened here. They broke in to your system via a
vulnerable rpc.statd. They might have installed some non-obvious back door.
It is hard to guess this point.

However, that doesn't explain the unauthorized login to your account. I
suspect that what they did was either replace sshd with one that provides a
back door or installed an RSA key in your .ssh/authorized_keys file. The
latter action is particularly devious, as that file probably won't get
re-created when you re-install your system or upgrade ssh or something like
that. Most people keep their home directory intact. With the RSA key in
place, though, they can log in as you without needing your password. Once
they've got access to your system there's a whole new list of root exploits
available to them.

> 3) I couldn't find any "obvious" back-doors, but that doesn't necessarily
> mean that there were none, so be on the safe side, I re-installed linux,
> and am now using SSH2.4 from www.ssh.com. Hopefully I won't have to do
> this again. :-)

I would not bother with this. Provided you've got security.debian.org in
your apt.sources list and subscribe to debian-security-announce you'll have
an easier time reacting to any newly discovered ssh vulnerabilities. With an
unsupported version of SSH you'll have to monitor their site and watch for
security updates, then build them by hand.

> I am definitely going to install some sort of firewall, are there any
> recommendations? ipchaining is not supported in my kernel as of now, so I
> will compile a new kernel when I get the time. But, is there any
> documentation available discussing recommendations regarding security? (I
> am not paranoid, but would like it to be as hard as possible to get
> unauthorized access to my computer)

Ipchains works. Also, for services that you do want open, use tcp_wrappers
(man 5 hosts_access).

It also helps to have access to a portscanner on a non-local host. Run
something like nmap against your machine and see what shows up. This is
what a potential cracker will see when they are watching your machine.

noah

-- 
_______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
Attachment:
pgpElpZvTBBxl.pgp
Description: PGP signature
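One way to carry out the authorized_keys check noah recommends, as an added example that is not part of the original thread: a small Python script that parses each entry of a ~/.ssh/authorized_keys file (options, key type, blob, comment), computes the OpenSSH-style SHA256 fingerprint of the blob, and reports every key whose fingerprint is not on an allowlist recorded before the incident. The key blobs, the sample file and the allowlist are constructed for the example and are not real keys; the function names (`parse_line`, `audit`, `fake_blob`) are assumptions, not part of any tool. The point it illustrates is that a planted key can copy the comment of a legitimate one, so only the fingerprint is worth comparing.

```python
import base64
import hashlib
import re
import struct

# Matches the key-type token and the base64 blob of an authorized_keys entry;
# anything before the match is the options field, anything after it is the comment.
KEY_RE = re.compile(
    r"(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521))"
    r"\s+([A-Za-z0-9+/]+={0,2})"
)


def fingerprint(blob_b64):
    """OpenSSH-style fingerprint: SHA256 of the wire-format blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_line(line):
    """Split one authorized_keys line into its fields; None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = KEY_RE.search(line)
    if m is None:
        return None
    blob = m.group(2)
    return {
        "options": line[: m.start()].strip(),
        "type": m.group(1),
        "blob": blob,
        "comment": line[m.end():].strip(),
        "fingerprint": fingerprint(blob),
    }


def audit(text, known_fingerprints):
    """Return (line_no, entry) for every key whose fingerprint is not on the allowlist."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        entry = parse_line(line)
        if entry is not None and entry["fingerprint"] not in known_fingerprints:
            findings.append((n, entry))
    return findings


def fake_blob(key_type, key_bytes):
    """Build a wire-format public key blob (string type, string key) from arbitrary bytes.
    Constructed for the example only; the result is not a usable key."""
    body = struct.pack(">I", len(key_type)) + key_type.encode("ascii")
    body += struct.pack(">I", len(key_bytes)) + key_bytes
    return base64.b64encode(body).decode("ascii")


OWN_BLOB = fake_blob("ssh-ed25519", bytes(range(32)))          # the user's own key (constructed)
PLANTED_BLOB = fake_blob("ssh-ed25519", bytes(range(32, 64)))  # a key the user never added (constructed)

# Constructed authorized_keys contents. The second entry copies the comment
# of the first, so reading comments alone would not reveal it.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# keys I added myself",
    'from="192.0.2.10" ssh-ed25519 ' + OWN_BLOB + " runar@home",
    "",
    "ssh-ed25519 " + PLANTED_BLOB + " runar@home",
])

# Allowlist kept off the machine, e.g. `ssh-keygen -lf` output taken before the incident.
KNOWN_FINGERPRINTS = {fingerprint(OWN_BLOB)}


if __name__ == "__main__":
    for line_no, entry in audit(SAMPLE_AUTHORIZED_KEYS, KNOWN_FINGERPRINTS):
        print(f"line {line_no}: unknown {entry['type']} key {entry['fingerprint']}"
              f" comment={entry['comment']!r} options={entry['options']!r}")
```

Run against a real file with `audit(open(path).read(), known)`, where `known` holds the fingerprints you recorded from a trusted copy of the file; a rebuilt system with an untouched home directory is exactly the case where this comparison catches a key that survived the reinstall.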