[CLUE-Tech] Cracked! Mailog entries; xinetd in RHV7.0

Jim Intriglia jimintriglia at hotmail.com
Mon Mar 26 02:03:34 MST 2001


>From: Kevin Cullis <kevincu at orci.com>
>Reply-To: clue-tech at clue.denver.co.us
>To: clue-tech at clue.denver.co.us
>Subject: Re: [CLUE-Tech] Cracked! Mailog entries that tipped me off FYI
>Date: Sat, 24 Mar 2001 21:24:44 -0700
>
>Jim,
>
>Interesting stuff.  Which mail log file?  Does Netscape have something
>like this?
>
>Kevin
>

/etc/log/maillog, which was written by sendmail, which the cracker was making 
use of... a function of Linux/sendmail. Between the domain being shut down 
and the mention of 'hack' in the subject line (plus ftp and root access 
evidence in security files), the cracker owns this system now (but not for 
long ;-) )

---
I discovered after installing RH V7.0 on a PC that had RH6.2, that V7.0 uses 
xinetd instead of inetd. Good god, talk about a difference between the two 
daemons!

As for the etc/services hack mentioned in a previous post re: disabling 
ftp/telnet with inetd, I'm still reading on how to go about manually 
disabling the ftp/telnet/finger services. (Hacking away, I seem to have disabled 
wu-ftp (moved the start script out of the xinetd config directory), but I'm not 
sure if that is the way to go.)

Anyhow, I still have to read the man pages, but also check out this for more info on 
xinetd:

http://synack.net/xinetd/

-Jim


>Jim Intriglia wrote:
> >
> > Greetings,
> >
> > For those of you that might be interested in logfile info that showed my PC
> > was compromised, the mailog file follows. Nothing showed up in messages
> > BTW...
> >
> > -Jim
> >
> > Mar 19 12:05:08 localhost sendmail[505]: alias database /etc/aliases rebuilt by root
> > Mar 19 12:05:08 localhost sendmail[505]: /etc/aliases: 14 aliases, longest 10 bytes, 152 bytes total
> > Mar 19 12:05:09 localhost sendmail[519]: starting daemon (8.9.3): SMTP+queueing at 01:00:00
> > Mar 20 05:08:26 localhost sendmail[2716]: FAA02716: from=root, size=284, class=0, pri=30284, nrcpts=1, msgid=<200103201308.FAA02716 at localhost.localdomain>, relay=root at localhost
> > Mar 20 05:08:27 localhost sendmail[2720]: FAA02716: to=becys at becys.org, ctladdr=root (0/0), delay=00:00:03, xdelay=00:00:00, mailer=esmtp, relay=mail.becys.org. [64.176.171.107], stat=Deferred: Network is unreachable
> > Mar 20 06:05:10 localhost sendmail[3000]: FAA02716: to=becys at becys.org, ctladdr=root (0/0), delay=00:56:46, xdelay=00:00:00, mailer=esmtp, relay=mail.becys.org. [64.176.171.107], stat=Deferred: Network is unreachable
> > Mar 20 07:05:11 localhost sendmail[3107]: FAA02716: to=becys at becys.org, ctladdr=root (0/0), delay=01:56:47, xdelay=00:00:01, mailer=esmtp, relay=mail.becys.org. [64.176.171.107], stat=Deferred: Network is unreachable
> > Mar 20 09:33:59 localhost sendmail[532]: alias database /etc/aliases rebuilt by root
> > Mar 20 09:33:59 localhost sendmail[532]: /etc/aliases: 14 aliases, longest 10 bytes, 152 bytes total
> > Mar 20 09:34:00 localhost sendmail[546]: starting daemon (8.9.3): SMTP+queueing at 01:00:00
> > Mar 20 09:34:00 localhost sendmail[549]: FAA02716: JAA00549: return to sender: Warning: could not send message for past 4 hours
> > Mar 20 09:34:00 localhost sendmail[549]: JAA00549: to=root, delay=00:00:00, xdelay=00:00:00, mailer=local, stat=Sent
> > Mar 20 10:34:25 localhost sendmail[1134]: FAA02716: to=becys at becys.org, ctladdr=root (0/0), delay=05:26:01, xdelay=00:00:24, mailer=esmtp, relay=mail.becys.org. [64.176.171.107], stat=Data format error
> > Mar 20 10:34:25 localhost sendmail[1134]: FAA02716: KAA01134: return to sender: Data format error
> > Mar 20 10:34:25 localhost sendmail[1134]: KAA01134: to=root, delay=00:00:00, xdelay=00:00:00, mailer=local, stat=Sent
> > Mar 20 13:21:48 localhost sendmail[511]: alias database /etc/aliases rebuilt by root
> > Mar 20 13:21:48 localhost sendmail[511]: /etc/aliases: 14 aliases, longest 10 bytes, 152 bytes total
> > Mar 20 13:21:48 localhost sendmail[525]: starting daemon (8.9.3): SMTP+queueing at 01:00:00
> > Mar 22 09:47:17 localhost sendmail[5344]: JAA05344: from=root, size=286, class=0, pri=30286, nrcpts=1, msgid=<200103221747.JAA05344 at localhost.localdomain>, relay=root at localhost
> > Mar 22 09:47:18 localhost sendmail[5348]: JAA05344: to=granstone at go.ro, ctladdr=root (0/0), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, relay=mail.rdslink.ro. [193.231.236.20], stat=Deferred: Network is unreachable
> > Mar 22 10:21:53 localhost sendmail[5405]: JAA05344: to=granstone at go.ro, ctladdr=root (0/0), delay=00:34:36, xdelay=00:00:01, mailer=esmtp, relay=mail.rdslink.ro. [193.231.236.20], stat=Deferred: Network is unreachable
> > Mar 22 11:21:53 localhost sendmail[5495]: JAA05344: to=granstone at go.ro, ctladdr=root (0/0), delay=01:34:36, xdelay=00:00:02, mailer=esmtp, relay=mail.rdslink.ro. [193.231.236.20], stat=Deferred: Network is unreachable
> > Mar 22 12:21:52 localhost sendmail[5521]: JAA05344: to=granstone at go.ro, ctladdr=root (0/0), delay=02:34:35, xdelay=00:00:01, mailer=esmtp, relay=mail.rdslink.ro. [193.231.236.20], stat=Deferred: Network is unreachable
> > Mar 22 13:21:52 localhost sendmail[5574]: JAA05344: to=granstone at go.ro, ctladdr=root (0/0), delay=03:34:35, xdelay=00:00:01, mailer=esmtp, relay=mail.rdslink.ro. [193.231.236.20], stat=Deferred: Network is unreachable
> > Mar 22 14:21:54 localhost sendmail[5721]: JAA05344: to=granstone at go.ro, ctladdr=root (0/0), delay=04:34:37, xdelay=00:00:02, mailer=esmtp, relay=mail.rdslink.ro. [193.231.236.20], stat=Deferred: Network is unreachable
> > Mar 22 14:21:54 localhost sendmail[5721]: JAA05344: OAA05721: return to sender: Warning: could not send message for past 4 hours
> > Mar 22 14:21:54 localhost sendmail[5721]: OAA05721: to=root, delay=00:00:00, xdelay=00:00:00, mailer=local, stat=Sent
> > Mar 22 14:38:42 localhost sendmail[518]: alias database /etc/aliases rebuilt by root
> > Mar 22 14:38:43 localhost sendmail[518]: /etc/aliases: 14 aliases, longest 10 bytes, 152 bytes total
> > Mar 22 14:38:43 localhost sendmail[532]: starting daemon (8.9.3): SMTP+queueing at 01:00:00
> > Mar 22 15:38:49 localhost sendmail[1292]: JAA05344: to=granstone at go.ro, ctladdr=root (0/0), delay=05:51:32, xdelay=00:00:04, mailer=esmtp, relay=relay1.go.ro. [193.231.236.42], stat=Data format error
> > Mar 22 15:38:50 localhost sendmail[1292]: JAA05344: PAA01292: return to sender: Data format error
> > Mar 22 15:38:50 localhost sendmail[1292]: PAA01292: to=root, delay=00:00:00, xdelay=00:00:00, mailer=local, stat=Sent
> > Mar 23 05:23:31 localhost sendmail[517]: alias database /etc/aliases rebuilt by root
> > Mar 23 05:23:31 localhost sendmail[517]: /etc/aliases: 14 aliases, longest 10 bytes, 152 bytes total
> > Mar 23 05:23:32 localhost sendmail[531]: starting daemon (8.9.3): SMTP+queueing at 01:00:00
> > Mar 23 07:27:32 localhost sendmail[516]: alias database /etc/aliases rebuilt by root
> > Mar 23 07:27:32 localhost sendmail[516]: /etc/aliases: 14 aliases, longest 10 bytes, 152 bytes total
> > Mar 23 07:27:32 localhost sendmail[530]: starting daemon (8.9.3): SMTP+queueing at 01:00:00
> >
> > _________________________________________________________________
> > Get your FREE download of MSN Explorer at http://explorer.msn.com
> >
> > _______________________________________________
> > CLUE-Tech mailing list
> > CLUE-Tech at clue.denver.co.us
> > http://clue.denver.co.us/mailman/listinfo/clue-tech
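On the xinetd question above (disabling wu-ftp by moving its file out of the config directory): the supported way is to leave the file in place and set `disable = yes` in it. Red Hat's /etc/xinetd.conf ends with `includedir /etc/xinetd.d`, so xinetd picks up every file there, and each service file carries its own `disable` attribute. The script below is an added example, not code from the list post or from the xinetd project; it works on constructed copies of a wu-ftpd and a finger service file in a temporary directory (`XINETD_DIR` is an assumed override so it never touches the live /etc/xinetd.d), and covers both the case where a `disable` line already exists and the case where the file has none.

```shell
#!/bin/sh
# Added example (not from the list post): disable an xinetd-managed service
# by setting "disable = yes" in its /etc/xinetd.d/<name> file, instead of
# moving the file out of the directory. XINETD_DIR is an assumed override so
# the demo runs against a constructed copy in a temp dir, not the live one.
set -e
XINETD_DIR="${XINETD_DIR:-$(mktemp -d)}"

# Constructed sample in the RH 7.0 layout, with an explicit "disable = no".
cat > "$XINETD_DIR/wu-ftpd" <<'EOF'
service ftp
{
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/in.ftpd
    server_args     = -l -a
    log_on_success  += DURATION USERID
    log_on_failure  += USERID
    nice            = 10
    disable         = no
}
EOF

# Constructed sample with no "disable" line at all (exercises the append path).
cat > "$XINETD_DIR/finger" <<'EOF'
service finger
{
    socket_type     = stream
    wait            = no
    user            = nobody
    server          = /usr/sbin/in.fingerd
}
EOF

# xinetd_is_disabled NAME: succeeds if NAME's file carries "disable = yes".
xinetd_is_disabled() {
    grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$XINETD_DIR/$1"
}

# xinetd_disable NAME: rewrite an existing "disable = ..." line to yes, or
# insert one before the closing brace when the file has none. Writes through
# a temp file so an interrupted edit cannot leave a half-written config.
# Running it twice is harmless: the second pass just rewrites the same line.
xinetd_disable() {
    f="$XINETD_DIR/$1"
    tmp="$f.tmp.$$"
    awk '
        /^[ \t]*disable[ \t]*=/     { print "    disable         = yes"; seen = 1; next }
        /^[ \t]*}[ \t]*$/ && !seen  { print "    disable         = yes"; seen = 1 }
        { print }
    ' "$f" > "$tmp" && mv "$tmp" "$f"
    # On a live box, make xinetd reread its configuration afterwards:
    #   service xinetd reload
}

xinetd_disable wu-ftpd
xinetd_disable finger
for s in wu-ftpd finger; do
    if xinetd_is_disabled "$s"; then echo "$s: disabled"; else echo "$s: STILL ENABLED"; fi
done
```

On Red Hat, `chkconfig wu-ftpd off` makes the same `disable = yes` edit for you; the point of the edit over moving the file is that the service stays visible in `chkconfig --list`, so a later audit can see what was turned off rather than wondering where the file went.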

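What tipped the poster off in the maillog above is a pattern worth checking for routinely: sendmail queueing mail on root's behalf (`ctladdr=root`) to outside hosts (`mailer=esmtp`), on a workstation whose root has no business mailing anyone. The script below is an added example, not from the list post; it runs against a constructed log in the same format as the posted entries (the recipients and relays are the ones quoted in the thread, with the archive's " at " munging restored to "@"), and prints one line per outbound attempt made as root so the distinct recipients can be handed to whoever investigates.

```shell
#!/bin/sh
# Added example (not from the list post): pull out of a sendmail maillog every
# delivery attempt made on root's behalf to a remote host. MAILLOG is an assumed
# override; by default a constructed log is written to a temp file.
set -e
MAILLOG="${MAILLOG:-$(mktemp)}"

# Constructed sample log, same layout as the sendmail 8.9.3 entries in the post.
cat > "$MAILLOG" <<'EOF'
Mar 19 12:05:09 localhost sendmail[519]: starting daemon (8.9.3): SMTP+queueing@01:00:00
Mar 20 05:08:26 localhost sendmail[2716]: FAA02716: from=root, size=284, class=0, pri=30284, nrcpts=1, msgid=<200103201308.FAA02716@localhost.localdomain>, relay=root@localhost
Mar 20 05:08:27 localhost sendmail[2720]: FAA02716: to=becys@becys.org, ctladdr=root (0/0), delay=00:00:03, xdelay=00:00:00, mailer=esmtp, relay=mail.becys.org. [64.176.171.107], stat=Deferred: Network is unreachable
Mar 20 09:34:00 localhost sendmail[549]: JAA00549: to=root, delay=00:00:00, xdelay=00:00:00, mailer=local, stat=Sent
Mar 20 10:34:25 localhost sendmail[1134]: FAA02716: to=becys@becys.org, ctladdr=root (0/0), delay=05:26:01, xdelay=00:00:24, mailer=esmtp, relay=mail.becys.org. [64.176.171.107], stat=Data format error
Mar 22 09:47:18 localhost sendmail[5348]: JAA05344: to=granstone@go.ro, ctladdr=root (0/0), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, relay=mail.rdslink.ro. [193.231.236.20], stat=Deferred: Network is unreachable
Mar 22 15:38:49 localhost sendmail[1292]: JAA05344: to=granstone@go.ro, ctladdr=root (0/0), delay=05:51:32, xdelay=00:00:04, mailer=esmtp, relay=relay1.go.ro. [193.231.236.42], stat=Data format error
EOF

# root_outbound LOGFILE: one line "queue-id recipient relay status" for each
# attempt sendmail made as root (ctladdr=root) over SMTP (mailer=esmtp).
# Local deliveries (mailer=local) and the envelope "from=root" lines are
# skipped; only the remote attempts are the suspicious part.
root_outbound() {
    awk '
        /sendmail\[/ && /ctladdr=root/ && /mailer=esmtp/ {
            qid = $6; sub(/:$/, "", qid)
            to = ""; relay = ""; stat = ""
            for (i = 7; i <= NF; i++) {
                if ($i ~ /^to=/)    { to = $i;    sub(/^to=/, "", to);       sub(/,$/, "", to) }
                if ($i ~ /^relay=/) { relay = $i; sub(/^relay=/, "", relay); sub(/\.$/, "", relay) }
                if ($i ~ /^stat=/)  { stat = substr($0, index($0, "stat=") + 5) }
            }
            print qid, to, relay, stat
        }
    ' "$1"
}

# root_outbound_recipients LOGFILE: the distinct outside addresses root mailed.
root_outbound_recipients() {
    root_outbound "$1" | awk '{ print $2 }' | sort -u
}

root_outbound "$MAILLOG"
```

Two things the output makes visible that a `grep root` does not: the same queue id retrying for hours and then bouncing with "Data format error" (one message the intruder's tool queued, not repeated activity), and the relay hosts, which are what the recipient's provider would need if you report it. Run it over the real file (/var/log/maillog on Red Hat) and anything it prints on a single-user box deserves a look.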