[CLUE-Tech] Hacker question

Crawford Rainwater crawford.rainwater at itec-co.com
Thu Jul 31 17:49:59 MDT 2003


A couple of wild guesses to look at here.

- What does "last" show you on the box (might want to
  cut and paste this to the list for more input)?  Might
  have an IP addy that is unusual for tracing purposes.

- Do you have ssh1 disabled and only ssh2?

- Is there a (from memory here) in /root/.ssh a "key_athorize2"
  (might have the spelling wrong on the file) that has a current
  date?  Could indicate that a new key is placed there by your visitor.

The latter two are an interesting access issue with ssh2 that I
know of (again, not in front of a Linux machine at the moment for
the correct file name there).  This allows a remote root user access
without root password, just via the ssh key.

Might want to look up a few tools on SourceForge for the hacking
end, then think about Bastille and/or SE Linux for hardening things.

HTH.

--- Crawford
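
As an added example, not part of this message or the thread: a POSIX shell script that performs the three checks suggested above against paths you supply (an sshd_config, a home-directory root, and `last` output saved to a file plus an allow list of expected source hosts are assumed as inputs; the sample data it builds is constructed).

```shell
#!/bin/sh
# Added example (not from the thread): the reply's three checks, with paths as parameters.
# ssh1_enabled CONFIG -> yes|no|unknown. sshd honours the first Protocol line;
# no Protocol line means the compiled-in default applies, so review by hand.
ssh1_enabled() {
    proto=$(sed 's/#.*//' "$1" | awk 'tolower($1)=="protocol" {print $2; exit}')
    case "$proto" in
        '')  echo unknown ;;
        *1*) echo yes ;;
        *)   echo no ;;
    esac
}

# recent_authorized_keys HOMEROOT DAYS -> authorized_keys/authorized_keys2 files
# modified within DAYS days (the "current date" the third bullet asks about).
recent_authorized_keys() {
    find "$1" -type f \( -name authorized_keys -o -name authorized_keys2 \) \
         -mtime -"$2" 2>/dev/null | sort
}

# unknown_login_sources LASTFILE ALLOWFILE -> "host count" for each remote (pts)
# login source in saved `last` output that is not listed in ALLOWFILE.
unknown_login_sources() {
    awk '$2 ~ /^pts/ {print $3}' "$1" | sort | uniq -c | sort -rn |
    while read -r n host; do grep -qxF "$host" "$2" || echo "$host $n"; done
}

# make_samples DIR: constructed sample data (documentation IPs) so it runs offline.
make_samples() {
    mkdir -p "$1/home/root/.ssh" "$1/home/mike/.ssh"
    printf 'Port 22\nProtocol 2,1\nPermitRootLogin yes\n' > "$1/sshd_config.weak"
    printf 'Port 22\nProtocol 2\nPermitRootLogin no\n' > "$1/sshd_config.fixed"
    echo 'ssh-dss AAAA...constructed' > "$1/home/root/.ssh/authorized_keys2"  # fresh file
    echo 'ssh-rsa AAAA...constructed' > "$1/home/mike/.ssh/authorized_keys"
    touch -t 200307010000 "$1/home/mike/.ssh/authorized_keys"                 # old file
    printf '%s\n' \
      'mike     pts/0        10.0.0.5         Thu Jul 31 09:12   still logged in' \
      'root     pts/1        203.0.113.77     Wed Jul 30 03:41 - 03:55  (00:14)' \
      'root     pts/2        203.0.113.77     Tue Jul 29 02:17 - 02:30  (00:13)' \
      'reboot   system boot  2.4.20-19.7smp   Mon Jul 28 14:51         (3+02:31)' \
      'wtmp begins Mon Jul 28 14:51:01 2003' > "$1/last.txt"
    echo 10.0.0.5 > "$1/allow.txt"
}

if [ "${1:-}" = demo ]; then   # sh check.sh demo; real use: /etc/ssh/sshd_config, /home, last > last.txt
    d=$(mktemp -d) && make_samples "$d"
    ssh1_enabled "$d/sshd_config.weak"; recent_authorized_keys "$d/home" 7
    unknown_login_sources "$d/last.txt" "$d/allow.txt"; rm -rf "$d"
fi
```

On the sample data the weak config reports `yes`, only root's freshly written authorized_keys2 is listed, and 203.0.113.77 shows up twice as an unlisted root login source.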

> -----Original Message-----
> From: clue-tech-admin at clue.denver.co.us
> [mailto:clue-tech-admin at clue.denver.co.us]On Behalf Of Mike Staver
> Sent: Thursday, July 31, 2003 5:28 PM
> To: CLUE LUG
> Subject: [CLUE-Tech] Hacker question
> 
> 
> I have had 3 RedHat 7.3 boxes apparently compromised on my network this 
> week alone.  I have no clue if I need to contact the FBI on this issue 
> (I just tried, and they said they didn't know if a crime had even been 
> committed), but I don't think they are going to worry about my piddly 
> little network here.  So, my company is on its own - and here are some 
> stats on my box:
> 
> RedHat 7.3
> Kernel 2.4.20-19.7smp
> openssh-3.1p1-6
> openssh-server-3.1p1-6
> openssh-clients-3.1p1-6
> samba-2.2.7-3.7.3
> apache-1.3.27-2
> openssl-devel-0.9.6b-32.7
> openssl-0.9.6b-32.7
> openssl-perl-0.9.6b-32.7
> mod_ssl-2.8.12-2
> 
> Now, if we scan the machines in question, this is what ports are open:
> 
> Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
> Host blah (xx.xx.xx.xx) appears to be up ... good.
> Initiating SYN Stealth Scan against www1.globaltaxnetwork.com 
> (xx.xx.xx.xx)
> Adding open port 80/tcp
> Adding open port 19/tcp
> Adding open port 22/tcp
> Adding open port 139/tcp
> Adding open port 443/tcp
> Adding open port 111/tcp
> The SYN Stealth Scan took 0 seconds to scan 1601 ports.
> For OSScan assuming that port 19 is open and port 1 is closed and 
> neither are firewalled
> Interesting ports on blah (xx.xx.xx.xx):
> (The 1595 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 19/tcp     open        chargen                
> 22/tcp     open        ssh                    
> 80/tcp     open        http                   
> 111/tcp    open        sunrpc                 
> 139/tcp    open        netbios-ssn            
> 443/tcp    open        https                  
> Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
> Uptime 3.032 days (since Mon Jul 28 14:51:01 2003)
> TCP Sequence Prediction: Class=random positive increments
>                          Difficulty=1104306 (Good luck!)
> IPID Sequence Generation: All zeros
> 
> Whoever compromised my machine, did it with only ports 443 and 80 open 
> to it through my firewall.  I have no idea how this happened.  I have 
> the latest apache from RedHat, is that version susceptible to a buffer 
> overflow of some kind that I'm unaware of?  My RedHat 9 boxes are fine - 
> only the 7.3 boxes have been affected, 3 of them so far this week.  And 
> what happens when these boxes get compromised is that my routers get 
> shut down because they are apparently ddos'n grc.com.  I see a lot of 
> ircd traffic on port 6667, and many other ports as well.  The machines 
> the ircd traffic is coming from are:
> 
> undernet.irc.rcn.net
> undernet.tiscali.be
> ircu.bredband.com
> minotor.spale.com
> proxyscan.undernet.org
> 
> Besides upgrading to RedHat 9 on these boxes (which isn't an option 
> yet), how can I protect myself, and who should I report this activity 
> to?? I now don't get to go home tonight to spend time with my family, I'm 
> forced to rebuild these damned boxes from scratch once again. 
> 
> -- 
> 
>                                 -Mike Staver
>                                  staver at fimble.com
>                                  mstaver at globaltaxnetwork.com