
Re: Uh-oh. Cracked allready. I think...

There is a good chance, if you have been rooted, that the attacker installed a rootkit to cover his tracks. I saw a good rootkit detector on http://freshmeat.net/ . Just do a search for it on there.

From: Tim Haynes <debian@stirfried.vegetable.org.uk>
Reply-To: debian-reply@stirfried.vegetable.org.uk
To: Kjetil Kjernsmo <kjetil.kjernsmo@astro.uio.no>
CC: debian-security@lists.debian.org
Subject: Re: Uh-oh. Cracked allready. I think...
Date: 23 May 2002 17:11:26 +0100
MIME-Version: 1.0
Received: from murphy.debian.org ([]) by hotmail.com with Microsoft SMTPSVC(5.0.2195.4905); Thu, 23 May 2002 09:58:49 -0700
Received: (qmail 17912 invoked by uid 38); 23 May 2002 16:11:56 -0000
Received: (qmail 17654 invoked from network); 23 May 2002 16:11:41 -0000
Received: from potato.vegetable.org.uk ( by murphy.debian.org with SMTP; 23 May 2002 16:11:41 -0000
Received: from piglet by potato.vegetable.org.uk with local (Exim 3.35 #1 (Debian)) id 17AvBW-0000oa-00; Thu, 23 May 2002 17:11:26 +0100
X-Envelope-Sender: piglet@stirfried.vegetable.org.uk
Sender: piglet@potato.vegetable.org.uk
References: <Pine.OSF.3.96.1020523151454.501518E-100000@alnair>
In-Reply-To: <Pine.OSF.3.96.1020523151454.501518E-100000@alnair>
Message-ID: <86off6x2s1.fsf@potato.vegetable.org.uk>
Lines: 78
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.2
X-Spam-Status: No, hits=-2.0 required=4.7 tests=IN_REP_TO version=2.01
Resent-Message-ID: <F_v_bC.A.qXE.LTR78@murphy>
Resent-From: debian-security@lists.debian.org
X-Mailing-List: <debian-security@lists.debian.org> archive/latest/7361
X-Loop: debian-security@lists.debian.org
List-Post: <mailto:debian-security@lists.debian.org>
List-Help: <mailto:debian-security-request@lists.debian.org?subject=help>
List-Subscribe: <mailto:debian-security-request@lists.debian.org?subject=subscribe>
List-Unsubscribe: <mailto:debian-security-request@lists.debian.org?subject=unsubscribe>
Precedence: list
Resent-Sender: debian-security-request@lists.debian.org
Return-Path: bounce-debian-security=steve11523=hotmail.com@lists.debian.org
X-OriginalArrivalTime: 23 May 2002 16:58:49.0697 (UTC) FILETIME=[1C308510:01C2027B]

Kjetil Kjernsmo <kjetil.kjernsmo@astro.uio.no> writes:

> To address this first: It is the gnutella server that causes alarm, so is
> there anything I could have done that would install gnutella but escape
> my attention? I certainly never did apt-get install gnutella (I tried
> apt-get remove gnutella yesterday, with no effect). Is it likely that if
> I don't know how it got there, it has been installed by a cracker? I've
> tried to telnet 6346 but get no connection.

Well if something's got on there that you don't remember installing, can I
have some of what you're taking? ;)

It's at this point that you should start debugging what's really listening
on your box from what a scanner says you are. I suggest you nmap yourself
to see what ports you really have open, and compare against
        netstat -plant | grep LIST
(here's your first potential clue: if netstat complains about `-p', it's
been trojanned.)

Next, if you've got a socket listener on 6346 (IIRC, the most frequently
used gnutella port), try telnetting into it and see what banner, if any, it

At some stage you should probably run _chkrootkit_ on the blighter, too.

Do you have an original AIDE database from immediately after it was

>             I tried to set the suggested PermitRootLogin for ssh to no,
> but ssh gave me some message that I thought meant it didn't recognize it.

That's weird. Try running an sshd from a terminal, to read /etc/ssh/*, and
see if you get any syntax errors there.

Here's another idea:

 | zsh/scr, potato  5:03PM piglet % md5sum /var/cache/apt/archives/*ssh*
 | /usr/sbin/sshd
 | 0c1ef2fb11aa02a3b6af95157038e71b  ssh_1%3a3.0.2p1-9_i386.deb
 | a68ece0b46d2f42b655d0bf6434c317a  /usr/sbin/sshd

>             I compiled in IPtables in the kernel, but I haven't read up
> on how to use it. I have also installed some of the harden packages.

> Last night, I thought my system was running quite well, though I had
> noticed gnutella running. I figured it was time to run nessus, so I did.
> It seems to report many holes, some holes that I guess would be
> exploitable. I put the report on <URL:
> http://www.astro.uio.no/~kjetikj/tmp/pooh-nessus-2002-22-05.html >

Bear in mind two things:

a) Debian apply patches in stable as/when required, we don't follow
   upstream version#s regardlessly

b) testing is a strange halfway-house between stable and unstable; you can
   expect a security fix to make it into Unstable pretty soon (as it tracks
   upstream versions) but it'll be at least a fortnight after that it hits

That said, you probably want to check the Changelog(.Debian.gz) for ssh -
I'd be surprised if the patches required hadn't made it down into Testing.

> If it has been cracked, what should I do? I could run up to my hosts and
> have them turn it off, I guess. But then what? I have really no clue what
> happened, and while I could turn off some more services, it seems like
> the biggest security problems are with ssh and smtp, that is, OpenSSH and
> Exim, so would a clean reinstall help a lot?


First assess whether you really have been breached; if you have, you *must*
reformat, reinstall, update all packages, firewall, install an IDS (aide)
and nIDS (snort) - but take a forensic last-minute backup before you do.


To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

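The triage Tim Haynes describes above (scan yourself, compare against `netstat -plant | grep LIST`, then checksum the binaries) can be scripted so the three views of "what is listening" are compared mechanically. The following is an added example written for this archive page; it is not code from the thread or from Debian. It works on constructed sample data embedded in the script: a `/proc/net/tcp` table, a `netstat -plant` listing, the set of ports an external scanner reported, and a dpkg-style `.md5sums` manifest (the `"<md5>  <path>"` format of `/var/lib/dpkg/info/<pkg>.md5sums`, which the example assumes as the reference instead of the `.deb` archive hash shown in the mail). The sample is built so that a gnutella listener on 6346 is visible to the kernel and the scanner but missing from `netstat`, and so that the installed `sshd` does not match its manifest.

```python
"""Post-compromise triage helpers (added example, not code from the thread).

Check 1: cross-check LISTEN sockets from /proc/net/tcp against what a possibly
         trojanned `netstat -plant` prints and what an external scan reported.
Check 2: verify installed files against the dpkg .md5sums manifest format.
All inputs below are constructed samples so the script runs offline.
"""
import hashlib
import re

LISTEN_STATE = "0A"  # TCP_LISTEN as it appears in the 'st' column of /proc/net/tcp

# Constructed /proc/net/tcp: sshd on 22 (0x0016), exim on 25 (0x0019),
# a gnutella daemon on 6346 (0x18CA) run as uid 1000, plus one ESTABLISHED row.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 00000000 100 0 0 10 0
   1: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 00000000 100 0 0 10 0
   2: 00000000:18CA 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 1236 1 00000000 100 0 0 10 0
   3: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 1237 1 00000000 100 0 0 10 0
"""

# Constructed `netstat -plant` output from a trojanned netstat: port 6346 is omitted.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      412/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      501/exim
tcp        0      0 127.0.0.1:22            127.0.0.1:50000         ESTABLISHED 777/sshd
"""

# Constructed result of an external port scan of the same host.
SCANNER_PORTS = {22, 25, 6346}


def kernel_listeners(proc_net_tcp: str) -> dict:
    """Return {port: uid} for LISTEN sockets parsed from /proc/net/tcp text."""
    listeners = {}
    for line in proc_net_tcp.splitlines()[1:]:  # skip the column header
        fields = line.split()
        if len(fields) < 8 or fields[3] != LISTEN_STATE:
            continue
        port = int(fields[1].rsplit(":", 1)[1], 16)  # local port is hex
        listeners[port] = int(fields[7])
    return listeners


NETSTAT_LISTEN = re.compile(r"^tcp6?\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN\s+(\S+)", re.M)


def netstat_listeners(netstat_output: str) -> dict:
    """Return {port: 'pid/program'} from `netstat -plant` output, LISTEN rows only."""
    return {int(port): prog for port, prog in NETSTAT_LISTEN.findall(netstat_output)}


def cross_check(kernel: dict, netstat: dict, scanner_ports: set) -> dict:
    """Name the discrepancies between kernel table, netstat and scanner."""
    k, n = set(kernel), set(netstat)
    return {
        # Kernel says LISTEN but netstat does not print it: netstat is the
        # prime suspect for tampering (or the process is hidden from it).
        "hidden_from_netstat": sorted(k - n),
        # Scanner reached a port the kernel table does not show: suspect a
        # kernel-level rootkit filtering /proc, or a scan of the wrong host.
        "scanner_only": sorted(scanner_ports - k),
        # Listening but unreachable from outside: usually firewall/loopback
        # binding, not by itself a sign of compromise.
        "local_only": sorted(k - scanner_ports),
        "consistent": sorted(k & n & scanner_ports),
    }


# Constructed stand-ins for installed files; the sshd copy has been tampered with.
PRISTINE_SSHD = b"\x7fELF pristine-sshd-sample"
INSTALLED_FILES = {
    "usr/sbin/sshd": PRISTINE_SSHD + b"\x00backdoor",
    "usr/share/man/man8/sshd.8.gz": b"\x1f\x8b sample-manpage",
}
# Constructed manifest in the dpkg .md5sums shape: "<md5>  <path relative to />".
MANIFEST = (
    f"{hashlib.md5(PRISTINE_SSHD).hexdigest()}  usr/sbin/sshd\n"
    f"{hashlib.md5(INSTALLED_FILES['usr/share/man/man8/sshd.8.gz']).hexdigest()}"
    "  usr/share/man/man8/sshd.8.gz\n"
)


def verify_manifest(manifest: str, files: dict) -> list:
    """Return [(path, expected_md5, actual_md5_or_None)] for mismatching or missing files."""
    bad = []
    for line in manifest.splitlines():
        expected, path = line.split(None, 1)
        data = files.get(path)
        actual = hashlib.md5(data).hexdigest() if data is not None else None
        if actual != expected:
            bad.append((path, expected, actual))
    return bad


def triage() -> dict:
    """Run both checks over the constructed samples and return one report."""
    report = cross_check(kernel_listeners(SAMPLE_PROC_NET_TCP),
                         netstat_listeners(SAMPLE_NETSTAT), SCANNER_PORTS)
    report["tampered_files"] = verify_manifest(MANIFEST, INSTALLED_FILES)
    return report


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

On a live box the same functions would be fed `open("/proc/net/tcp").read()`, the captured output of `netstat -plant`, the port list from your own nmap run and the real `.md5sums` file; the point of keeping the kernel table as a third view is that a user-space trojan can lie in `netstat` but not in `/proc`, while a kernel-level rootkit can lie in both, which is why the thread's advice ends at reinstalling from clean media after a forensic backup rather than at a clean-looking checksum run.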
