[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Uh-oh. Cracked allready. I think...

Hash: SHA1

On 24 May 2002, Tim Haynes wrote:

>Unfortunately, the only way to examine all the files on the disk/s is to
>reboot the box off clean r/o media (read: rescue CD), mount them r/o, and
>examine them by hand.

Yeah, I guess so.

>You're highly unlikely to find something with trojanned binaries and/or a
>kernel module sitting there intercepting syscalls saying "we're not
>listening on port NNNN" and "oh look, an exec() call to ps, use ps.fake
>instead" - all 3 of which are possible these days.


>Nah, when you're root if the option completely isn't understood then you've
>got problems. (I mention this only because it was the first thing that gave
>a cracked box away to me.)

Good! :-)

>> OK. This is what nmap says, launched from my workstation:
>> Port       State       Service
>> 22/tcp     open        ssh
>> 25/tcp     open        smtp
>These are generally safe - especially in Testing.


>> 53/tcp     open        domain
>OK, what version of what are you running for this?

According to Nessus:
"The remote bind version is : 9.2.0"
But I guess this need not be accessible from the outside. I'm not running
a name server myself (though I plan to some time...)

>> 80/tcp     open        http
>> 110/tcp    open        pop-3
>> 111/tcp    open        sunrpc
>Portmapper (111) is an absolute liability - I flatly refuse to run it on
>any public-facing box, and it must *never* be externally visible.

*tears rolling* I would like to mount the three partitions where I keep my
web pages over NFS, but my server and I will be on different networks. But
OK.... I installed harden-servers.

>> 137/tcp    filtered    netbios-ns
>> 138/tcp    filtered    netbios-dgm
>> 139/tcp    filtered    netbios-ssn
>You're running samba then?

No, it was installed in tasksel IIRC, I thought I removed it, but
apparently not. I removed samba, but they didn't disappear, something more
I have to do?

>> 6346/tcp   filtered    gnutella
>Hang around, it's "filtered"? That means it never replied to nmap but there
>were other ports that did - the mixture of responses means nmap "knows"
>this port is dropping responses.

It does? 

>I think you have an anomaly, myself.


>> So, the suspicious gnutella port isn't in the latter. I don't know what
>> kdm is doing there, BTW. I unselected X and desktop in the initial
>> tasksel. There seems to have been installed some X stuff nevertheless,
>> but neither KDE nor kdm has ever been installed on this box.
>Ah, good you said that. It's not "kdm" necessarily, it's because it's the
>first port to which a non-privileged app may bind, >=1024. (See why the
>next one is 1025...)

I see. I also got a private response from Berend De Schouwer who explained

>I'd not worry about that lot myself. Unless I've missed something, it's not
>obviously different from the nmap results, is it?

Not that I can tell.

>> >Next, if you've got a socket listener or 6346 (IIRC, the most frequently
>> >used gnutella port), try telnetting into it and see what banner, if any,
>> >it presents.
>> Nope, nothing... 
>> pooh:~# telnet 6346
>> Trying
>> telnet: Unable to connect to remote host: Connection refused
>> to be sure. 
>That's promising. 


>And it didn't turn up in netstat, just when you used a
>particular box to do the nmap?


>Does the port come and go over time at all?

Doesn't seem like it.

>> Yeah, I've done that several times. chkrootkit was described in "Securing
>> Debian", so I installed it before moving it, but only ran it just after I
>> saw the gnutella port. Nothing detected.
>OK. It's not a complete guarantee as it uses potentially-tainted tools, but
>it pushes the odds more in your favour.


>> >Do you have an original AIDE database from immediately after it was
>> >installed?
>> Uh, don't think so. I installed snort, but didn't take the time to play
>> with it. I thought that would do the job too... Can I get the required
>> information from the snort install...?
>Nope, snort is for dynamic logs of dodgy packets going by. 

I see. 

>AIDE is like
>tripwire - stores a database of crypto hashes for files in the filesystem,
>so you compare the database nightly and see what's changed of interest.

Yep, I installed it just after your last e-mail. Also installed

>> What could be wrong about e.g.:
>>    ForwardX11 yes
>Erm, that's a little bit weird. 
> | StrictModes yes
> | X11Forwarding yes
> | X11DisplayOffset 10
> | AllowTcpForwarding yes
>I think you're somehow using an old sshd_config with a proto2-enabled sshd.
>Or a non-free ssh against openssh. Possibly.

Eh, Berend pointed out to me that I was making sshd read ssh_config...
That could be it, but I have been messing a bit with it, so there could be

>Good. OK, in that case, you might want to double-check a few others as
> | c29daf1d9fe836053e9f4f0a67a7a94e  /usr/sbin/chkrootkit
> | c0f2f541bcce2394cb026cfa4ccb5c38  /bin/ps
> | d017f214341677d56ec242a8916f8f45  /usr/bin/top
> | a5c720b6776331b9695d9a1f4f5c2194  /bin/ls
> | f998091a416e9dca4879218cae269bb8  /bin/fuser

All OK.

>You probably haven't been had just yet. 

Sounds good.

>You should keep an eye the
>incoming/outgoing traffic, though; I thought I saw a utility for analysing
>how many hosts/ports a box contacts over time recently, which will help.

OK, I'll search.

>Set up snort and AIDE as a matter of urgency too

They're up. AIDE looked easy to configure, apt seemed to do that. I'll
have a closer look at snort.

>  - I won't promise that
>this is not after the horse has bolted, but I think you're probably OK at
>the moment. But you won't be if you go on with portmap 

Now gone... 

>and dns dangling
>around all over the place, nor will you be aware what's going off if you
>don't start firewalling things properly and keep a close eye on your IDS.

I'll read up on IPtables.

BTW, I just off the phone with my host. They said that as long as I'm on
the case and take it seriously, they're cool. Besides, the Gnutella port
is somewhat limited, so it is limited what kind of damage intruders can do
through that port. 

- -- 
Kjetil Kjernsmo
Recent astrophysics graduate                  Problems worthy of attack
University of Oslo, Norway            Prove their worth by hitting back
E-mail: kjetikj@astro.uio.no                                - Piet Hein
Homepage <URL:http://folk.uio.no/kjetikj/>
Webmaster@skepsis.no                            OpenPGP KeyID: 6A6A0BBC

Version: GnuPG v1.0.6 (OSF1)
Comment: For info see http://www.gnupg.org


To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: