[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Help: rpc.statd attack



On Fri, Jun 15, 2001 at 03:41:39PM -0400, Michael Stutz wrote:
> 
> what I'd like to know from you all is a) was this failed -- is there
> any way of knowing whether or not I've been cracked and b) what should
> I do next?
> 

Yes, it is a failed crack attempt.  You know it failed because if it
succeeded then rpc.statd would have crashed before writing the log to
syslog.

The best way to try and find out whether you've been cracked or not (in
future cases) is to install something like tripwire, which walks all
over your filesystems generating a database of attributes of all the
files and directories.  Then, to check for possible damage, you run an
integrity check in which tripwire walks all over the same files and
compares their attributes against those in its database.  It alerts you
of any differences.

Tripwire is not completely failsafe, though.  No security tool is.  It
is possible to mis-configure tripwire (at least in the new 2.xx version)
and have it fail to check some important files.  It is also possible for
the intruder to update tripwire's database once he's made the
modifications.  You can protect against that by putting the tripwire
database on a read only medium, like a floppy disk with the write tab
moved to the write protected position.  Even then, though, it's possible
that the intruder used a kernel module rootkit (knark, for example) to
*really* hide their changes.  If knark is used correctly, tripwire and
other related tools can't detect the changes.

What you should do now is make sure you're running an up to date
installation of Debian.  Ensure that you have a security source in
/etc/apt/sources.list.  For example:
deb http://security.debian.org/ stable/updates main
and run apt-get update && apt-get dist-upgrade.  Then install tripwire
and learn how to use it.  I suggest that you install the free (GPL free) 
2.x.x version, available at www.tripwire.org.  Then read the security
HOWTO at http://www.linuxdoc.org/HOWTO/Security-HOWTO.html

That should be enough to get you started, I think.  Remember that the
only secure computer is one that is locked in a safe and not plugged in.
You really need to keep security in mind all the time, since any
computer used by people (or even visible to people) can potentially be
abused.  You can never really say "This box is secure.  I am done."
You'll be proven wrong before you know it.

noah
-- 
 _______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 

Attachment: pgpWk13NE9eOv.pgp
Description: PGP signature


Reply to: