Re: Uh-oh. Cracked allready. I think...

[Tim Haynes <debian@stirfried.vegetable.org.uk>]

Kjetil Kjernsmo <kjetil.kjernsmo@astro.uio.no> writes:

> To address this first: It is the gnutella server that causes alarm, so is
> there anything I could have done that would install gnutella but escape
> my attention? I certainly never did apt-get install gnutella (I tried
> apt-get remove gnutella yesterday, with no effect). Is it likely that if
> I don't know how it got there, has been installed by a cracker? I've
> tried to telnet 217.77.32.186 6346 but get no connection.

Well if something's got on there that you don't remember installing, can I
have some of what you're taking? ;)

It's at this point that you should start debugging what's really listening
on your box from what a scanner says you are. I suggest you nmap yourself
to see what ports you really have open, and compare against
        netstat -plant | grep LIST
(here's your first potential clue: if netstat complains about `-p', it's
been trojanned.)

Next, if you've got a socket listener or 6346 (IIRC, the most frequently
used gnutella port), try telnetting into it and see what banner, if any, it
presents.

At some stage you should probably run _chkrootkit_ on the blighter, too.

Do you have an original AIDE database from immediately after it was
installed?

>             I tried to set the suggested PermitRootLogin for ssh to no,
> but ssh gave me some messsage that I thought meant it did't recognize it.

That's weird. Try running an sshd from a terminal, to read /etc/ssh/*, and
see if you get any syntax errors there.

Here's another idea:

 | zsh/scr, potato  5:03PM piglet % md5sum /var/cache/apt/archives/*ssh*
 | /usr/sbin/sshd
 | 0c1ef2fb11aa02a3b6af95157038e71b  ssh_1%3a3.0.2p1-9_i386.deb
 | a68ece0b46d2f42b655d0bf6434c317a  /usr/sbin/sshd

>             I complied in IPtables in the kernel, but I haven't read up
> on how to use it. I have also installed some of the harden packages.
 
> Last night, I thought my system was running quite well, though I had
> noticed gnutella running. I figured it was time to run nessus, so I did.
> It seems to report many holes, some holes that I guess would be
> exploitable. I put the report on <URL:
> http://www.astro.uio.no/~kjetikj/tmp/pooh-nessus-2002-22-05.html >

Bear in mind two things:

a) Debian apply patches in stable as/when required, we don't follow
   upstream version#s regardlessly

b) testing is a strange halfway-house between stable and unstable; you can
   expect a security fix to make it into Unstable pretty soon (as it tracks
   upstream versions) but it'll be at least a fortnight after that it hits
   Testing.

That said, you probably want to check the Changelog(.Debian.gz) for ssh -
I'd be surprised if the patches required hadn't made it down into Testing.

> If it has been cracked, what should I do? I could run up to my hosts and
> have them turn it off, I guess. But then what? I have really no clue what
> happened, and while I could turn off some more services, it seems like
> the biggest security problems are with ssh and smtp, that is, OpenSSH and
> Exim, so would a clean reinstall help a lot?

<http://www.cert.org/tech_tips/win-UNIX-system_compromise.html>.

First assess whether you really have been breached; if you have, you *must*
reformat, reinstall, update all packages, firewall, install an IDS (aide)
and nIDS (snort) - but take a forensic last-minute backup before you do.

~Tim
-- 
<http://spodzone.org.uk/>


-- 
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org