[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Uh-oh. Cracked allready. I think...

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear Tim, dear all,

Thanks for all the responses.

I realize it's pretty bold trying put a box on the net without having
extensive admin experience beforehand. But I think I'm learning fast, and
I hope I'll be able to do it without placing any burden on the rest of the
net. That is, except for you guys... :-) Your help is greatly appreciated!

On 23 May 2002, Tim Haynes wrote:

>Kjetil Kjernsmo <kjetil.kjernsmo@astro.uio.no> writes:
>
>> To address this first: It is the gnutella server that causes alarm, so is
>> there anything I could have done that would install gnutella but escape
>> my attention? I certainly never did apt-get install gnutella (I tried
>> apt-get remove gnutella yesterday, with no effect). Is it likely that if
>> I don't know how it got there, has been installed by a cracker? I've
>> tried to telnet 217.77.32.186 6346 but get no connection.
>
>Well if something's got on there that you don't remember installing, can I
>have some of what you're taking? ;)

Hehe... I was sooooo sure it would be at least one copy of Star Wars II,
but no... ;-) There's nothing here... I've walked through the whole disk,
and I can't find anything of any size that I don't know what is. Whatever
it is, it has to be rather small... 

>It's at this point that you should start debugging what's really listening
>on your box from what a scanner says you are. I suggest you nmap yourself
>to see what ports you really have open, and compare against
>        netstat -plant | grep LIST
>(here's your first potential clue: if netstat complains about `-p', it's
>been trojanned.)

It complained about -p when I wasn't root...

OK. This is what nmap says, launched from my workstation:
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
53/tcp     open        domain
80/tcp     open        http
110/tcp    open        pop-3
111/tcp    open        sunrpc
137/tcp    filtered    netbios-ns
138/tcp    filtered    netbios-dgm
139/tcp    filtered    netbios-ssn
1024/tcp   open        kdm
1025/tcp   open        listen
6346/tcp   filtered    gnutella

Whereas this is nmap from the machine itself:
kjetil@pooh:~$ nmap pooh

Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Warning:  You are not root -- using TCP pingscan rather than ICMP
Interesting ports on pooh.kjernsmo.net (217.77.32.186):
(The 1545 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
53/tcp     open        domain
80/tcp     open        http
110/tcp    open        pop-3
111/tcp    open        sunrpc
139/tcp    open        netbios-ssn
1024/tcp   open        kdm
1025/tcp   open        listen

So, the suspicious gnutella port isn't in the latter. I don't know what
kdm is doing there, BTW. I unselected X and desktop in the initial
tasksel. There seems to have been installed some X stuff nevertheless, but
neither KDE nor kdm has ever been installed on this box. 

So for netstat:
pooh:~# netstat -plant | grep LIST
tcp        0      0 0.0.0.0:1024            0.0.0.0:*         LISTEN 209/rpc.statd
tcp        0      0 0.0.0.0:1025            0.0.0.0:*         LISTEN 236/rpc.mountd
tcp        0      0 0.0.0.0:139             0.0.0.0:*         LISTEN 218/inetd
tcp        0      0 0.0.0.0:110             0.0.0.0:*         LISTEN 218/inetd
tcp        0      0 0.0.0.0:111             0.0.0.0:*         LISTEN 123/portmap
tcp        0      0 0.0.0.0:80              0.0.0.0:*         LISTEN 6586/apache
tcp        0      0 217.77.32.186:53        0.0.0.0:*         LISTEN 194/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*         LISTEN 194/named
tcp        0      0 0.0.0.0:22              0.0.0.0:*         LISTEN 285/sshd
tcp        0      0 127.0.0.1:953           0.0.0.0:*         LISTEN 201/lwresd
tcp        0      0 0.0.0.0:25              0.0.0.0:*         LISTEN 218/inetd

(slightly reformatted to fit better)

>Next, if you've got a socket listener or 6346 (IIRC, the most frequently
>used gnutella port), try telnetting into it and see what banner, if any, it
>presents.

Nope, nothing... 
pooh:~# telnet 217.77.32.186 6346
Trying 217.77.32.186...
telnet: Unable to connect to remote host: Connection refused
to be sure. 

>At some stage you should probably run _chkrootkit_ on the blighter, too.

Yeah, I've done that several times. chkrootkit was described in "Securing
Debian", so I installed it before moving it, but only ran it just after I
saw the gnutella port. Nothing detected. 

>Do you have an original AIDE database from immediately after it was
>installed?

Uh, don't think so. I installed snort, but didn't take the time to play
with it. I thought that would do the job too... Can I get the required
information from the snort install...? 

>>             I tried to set the suggested PermitRootLogin for ssh to no,
>> but ssh gave me some messsage that I thought meant it did't recognize it.
>
>That's weird. Try running an sshd from a terminal, to read /etc/ssh/*, and
>see if you get any syntax errors there.

Yeah, I got something weirder now...:
pooh:/etc/ssh# /usr/sbin/sshd -f /etc/ssh/ssh_config
/etc/ssh/ssh_config: line 19: Bad configuration option: ForwardX11
/etc/ssh/ssh_config: line 24: Bad configuration option: FallBackToRsh
/etc/ssh/ssh_config: line 31: Bad configuration option: IdentityFile
/etc/ssh/ssh_config: line 36: Bad configuration option: PreferredAuthentications
/etc/ssh/ssh_config: terminating, 4 bad configuration options

What could be wrong about e.g.:
   ForwardX11 yes

>Here's another idea:
>
> | zsh/scr, potato  5:03PM piglet % md5sum /var/cache/apt/archives/*ssh*
> | /usr/sbin/sshd
> | 0c1ef2fb11aa02a3b6af95157038e71b  ssh_1%3a3.0.2p1-9_i386.deb
> | a68ece0b46d2f42b655d0bf6434c317a  /usr/sbin/sshd

They are OK.

>> exploitable. I put the report on <URL:
>> http://www.astro.uio.no/~kjetikj/tmp/pooh-nessus-2002-22-05.html >
>
>That said, you probably want to check the Changelog(.Debian.gz) for ssh -
>I'd be surprised if the patches required hadn't made it down into Testing.

The marked hole was indeed patched, but I couldn't find anything about the
warning (OpenSSH < 3.2.1).


>> If it has been cracked, what should I do? I could run up to my hosts and
>> have them turn it off, I guess. But then what? I have really no clue what
>> happened, and while I could turn off some more services, it seems like
>> the biggest security problems are with ssh and smtp, that is, OpenSSH and
>> Exim, so would a clean reinstall help a lot?
>
><http://www.cert.org/tech_tips/win-UNIX-system_compromise.html>.
>
>First assess whether you really have been breached; if you have, you *must*
>reformat, reinstall, update all packages, firewall, install an IDS (aide)
>and nIDS (snort) - but take a forensic last-minute backup before you do.

Well, yeah, Istill don't know if I've been breached, after all, it is only
the gnutella entry in the nmap I do from my workstation, but then, better
safe than sorry...

Best,

Kjetil
- -- 
Kjetil Kjernsmo
Recent astrophysics graduate                  Problems worthy of attack
University of Oslo, Norway            Prove their worth by hitting back
E-mail: kjetikj@astro.uio.no                                - Piet Hein
Homepage <URL:http://folk.uio.no/kjetikj/>
Webmaster@skepsis.no                            OpenPGP KeyID: 6A6A0BBC

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (OSF1)
Comment: For info see http://www.gnupg.org

iD8DBQE87jDrlE/Gp2pqC7wRAkV2AJ0b+VHstC/rayVRb6i4gzp3Fd5siACfSBBR
LleteNVSzvw60ojr3BIF6RA=
=p4tv
-----END PGP SIGNATURE-----


-- 
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Reply to: