From: Tim Haynes <firstname.lastname@example.org>
To: Kjetil Kjernsmo <email@example.com>
Subject: Re: Uh-oh. Cracked allready. I think...
Date: 23 May 2002 17:11:26 +0100
Received: from murphy.debian.org ([188.8.131.52]) by hotmail.com with
Microsoft SMTPSVC(5.0.2195.4905); Thu, 23 May 2002 09:58:49 -0700
Received: (qmail 17912 invoked by uid 38); 23 May 2002 16:11:56 -0000
Received: (qmail 17654 invoked from network); 23 May 2002 16:11:41 -0000
Received: from potato.vegetable.org.uk (184.108.40.206) by
murphy.debian.org with SMTP; 23 May 2002 16:11:41 -0000
Received: from piglet by potato.vegetable.org.uk with local (Exim 3.35 #1
(Debian))id 17AvBW-0000oa-00; Thu, 23 May 2002 17:11:26 +0100
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.2
X-Spam-Status: No, hits=-2.0 required=4.7 tests=IN_REP_TO version=2.01
X-Mailing-List: <firstname.lastname@example.org> archive/latest/7361
X-OriginalArrivalTime: 23 May 2002 16:58:49.0697 (UTC)
Kjetil Kjernsmo <email@example.com> writes:
> To address this first: It is the gnutella server that causes alarm, so
> there anything I could have done that would install gnutella but escape
> my attention? I certainly never did apt-get install gnutella (I tried
> apt-get remove gnutella yesterday, with no effect). Is it likely that if
> I don't know how it got there, has been installed by a cracker? I've
> tried to telnet 220.127.116.11 6346 but get no connection.
Well if something's got on there that you don't remember installing, can I
have some of what you're taking? ;)
It's at this point that you should start debugging what's really listening
on your box from what a scanner says you are. I suggest you nmap yourself
to see what ports you really have open, and compare against
netstat -plant | grep LIST
(here's your first potential clue: if netstat complains about `-p', it's
Next, if you've got a socket listener or 6346 (IIRC, the most frequently
used gnutella port), try telnetting into it and see what banner, if any, it
At some stage you should probably run _chkrootkit_ on the blighter, too.
Do you have an original AIDE database from immediately after it was
> I tried to set the suggested PermitRootLogin for ssh to no,
> but ssh gave me some messsage that I thought meant it did't recognize
That's weird. Try running an sshd from a terminal, to read /etc/ssh/*, and
see if you get any syntax errors there.
Here's another idea:
| zsh/scr, potato 5:03PM piglet % md5sum /var/cache/apt/archives/*ssh*
| 0c1ef2fb11aa02a3b6af95157038e71b ssh_1%3a3.0.2p1-9_i386.deb
| a68ece0b46d2f42b655d0bf6434c317a /usr/sbin/sshd
> I complied in IPtables in the kernel, but I haven't read up
> on how to use it. I have also installed some of the harden packages.
> Last night, I thought my system was running quite well, though I had
> noticed gnutella running. I figured it was time to run nessus, so I did.
> It seems to report many holes, some holes that I guess would be
> exploitable. I put the report on <URL:
> http://www.astro.uio.no/~kjetikj/tmp/pooh-nessus-2002-22-05.html >
Bear in mind two things:
a) Debian apply patches in stable as/when required, we don't follow
upstream version#s regardlessly
b) testing is a strange halfway-house between stable and unstable; you can
expect a security fix to make it into Unstable pretty soon (as it
upstream versions) but it'll be at least a fortnight after that it hits
That said, you probably want to check the Changelog(.Debian.gz) for ssh -
I'd be surprised if the patches required hadn't made it down into Testing.
> If it has been cracked, what should I do? I could run up to my hosts and
> have them turn it off, I guess. But then what? I have really no clue
> happened, and while I could turn off some more services, it seems like
> the biggest security problems are with ssh and smtp, that is, OpenSSH
> Exim, so would a clean reinstall help a lot?
First assess whether you really have been breached; if you have, you *must*
reformat, reinstall, update all packages, firewall, install an IDS (aide)
and nIDS (snort) - but take a forensic last-minute backup before you do.
To UNSUBSCRIBE, email to firstname.lastname@example.org
with a subject of "unsubscribe". Trouble? Contact