[CLUE-Tech] network issues

Adam Bultman adamb at glaven.org
Mon Oct 13 14:09:35 MDT 2003


Are you doing this tonight, or sometime in the future? 

I'd like to look around..  

It is odd however, that they are getting in. Did you watch traffic on the 
irc server before you took the box down?

-- 
adamb at glaven.org
[ www.glaven.org ]

On Mon, 13 Oct 2003, Mike Staver wrote:

> > The important ones are: 
> > 
> > S.5.....   /bin/netstat
> > S.5.....   /sbin/ifconfig
> > SM5.....   /bin/ps
> > S.5.....   /usr/bin/ssh
> > S.5.....   /sbin/iptables
> > S.5.....   /usr/sbin/sshd
> > 
> > Those are all critical system binaries that have a md5 checksum that
> > no longer matches whats in the rpm database (ie, they have been
> > replaced). 
> > 
> > So is your firewall on the local machine? If so, then with iptables
> > replaced it will only work as the intruder wants. 
> 
> No, it's not - I have a Cisco box with access list firewalls blocking 
> all ports to this box except 53 and 80.  So, I'm at a loss of how 
> someone could have used ssh to compromise this box. I'm also confused as 
> to why someone would install an IRC client on this box if they can't use 
> it, unless they are using it over 80 or 53.
> 
> > Did you use the same passwords when you re-installed? 
> > If the intruder sniffed your passwords when you logged in via ssh (see
> > the ssh and sshd above) they could be getting in via that. 
> 
> Yeah, I used all new passwords.
> 
> >>>Also, try www.chkrootikit.org - the application will check for the
> >>>presence of a root kit and let you know which one it has found.
> > 
> Here are my results from that:
> 
> Checking `lkm'... You have     1 process hidden for ps command
> Warning: Possible LKM Trojan installed
> Checking `rexedcs'... not found
> Checking `sniffer'... Checking `w55808'... not infected
> Checking `wted'... 1 deletion(s) between Wed Oct  1 17:09:54 2003 and 
> Fri Oct 10 15:31:36 2003
> nothing deleted
> Checking `scalper'... not infected
> Checking `slapper'... not infected
> Checking `z2'... user root deleted or never loged from lastlog!
> 
> So, once again, I'll be rebuilding this box.... and putting tripwire on 
> it immediately, and again, changing my administrator passwords on my 
> network.
> 
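The list Mike posted is `rpm -V` output: an eight-column attribute string per file, where `S` is size, `M` is mode, `5` is MD5 digest, `T` is mtime, and a `c` before the path marks a config file (which is expected to differ). The following is an added triage script, not code from the thread, that parses such output and reports only the watched binaries whose digest no longer matches the package database or that are missing. The sample output is constructed from the lines in the post plus a few extra lines; the watchlist extends the post's six binaries with other files rootkits commonly replace, which is my assumption, not something the mail states.

```python
"""Triage rpm -V output: report watched binaries whose MD5 digest no longer
matches the rpm database (the '5' column) or that are missing entirely."""
import re

# Meaning of each rpm -V attribute column (8-column form of that era;
# a 9th 'P' capabilities column exists in newer rpm and is accepted too).
FLAG_MEANING = {
    "S": "file size differs",
    "M": "mode (permissions/type) differs",
    "5": "MD5 digest differs",
    "D": "device major/minor differs",
    "L": "symlink target differs",
    "U": "owner differs",
    "G": "group differs",
    "T": "mtime differs",
    "P": "capabilities differ",
}

# Binaries a rootkit typically replaces to hide itself: the six from the
# post plus a few common extras (assumed, not taken from the mail).
CRITICAL_BINARIES = {
    "/bin/netstat", "/sbin/ifconfig", "/bin/ps", "/usr/bin/ssh",
    "/sbin/iptables", "/usr/sbin/sshd", "/bin/ls", "/bin/login",
    "/usr/bin/find", "/usr/bin/top",
}

# flags, optional single-letter file attribute (c=config, d=doc, ...), path
_LINE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.]{8,9}|missing)\s+"
    r"(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S+)\s*$"
)

# Constructed sample: the post's lines plus a config file, an mtime-only
# change, and a missing file, to show what the filter keeps and drops.
SAMPLE_RPM_V = """\
S.5.....   /bin/netstat
S.5.....   /sbin/ifconfig
SM5.....   /bin/ps
S.5.....   /usr/bin/ssh
S.5.....   /sbin/iptables
S.5.....   /usr/sbin/sshd
S.5....T c /etc/ssh/sshd_config
.......T   /bin/ls
missing    /usr/bin/top
"""


def parse_rpm_verify(text):
    """Yield (flags, attr, path) for each rpm -V line; ignore non-matching lines."""
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        yield m.group("flags"), m.group("attr") or "", m.group("path")


def describe(flags):
    """Expand an attribute string into human-readable differences."""
    if flags == "missing":
        return ["file missing"]
    return [FLAG_MEANING[c] for c in flags if c != "."]


def replaced_binaries(text, watchlist=CRITICAL_BINARIES):
    """Return (path, reasons) for watched files whose digest changed or that
    are missing. Config files ('c') legitimately differ and are skipped;
    an mtime-only change ('.......T') is not treated as a replacement."""
    hits = []
    for flags, attr, path in parse_rpm_verify(text):
        if attr == "c" or path not in watchlist:
            continue
        if flags == "missing" or "5" in flags:
            hits.append((path, describe(flags)))
    return hits


if __name__ == "__main__":
    # In practice feed it the real thing: rpm -Va 2>/dev/null | python3 triage.py
    for path, reasons in replaced_binaries(SAMPLE_RPM_V):
        print(f"{path}: {', '.join(reasons)}")
```

One caveat a responder should keep in mind: `rpm -V` runs the `rpm` binary on the suspect host and trusts the rpm database on its disk, both of which a rootkit can tamper with just as easily as `ps` or `netstat`. A clean verdict from this script means little; a dirty one (as in the thread) is reliable evidence. Run the verification from known-good media or against the original package files (`rpm -Vp` on the vendor RPMs) before trusting a negative result.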


