LinuxQuestions.org
Old 11-24-2003, 06:07 AM   #1
Y0jiMb0 (Member; registered Jul 2003; Valencia, Spain)

Intruder into my system? What can I do?


Hi!
I suspect my system has been compromised just a couple of hours ago.
My system began to behave in a very strange manner: slower and slower until I got a system unable to do anything (the keyboard didn't seem to work, and the same for any program I tried).
I finally reset the computer; after that I couldn't reboot mandrake 9.1 (the system I was using).

I've checked several things, among them the /etc/passwd file. It was modified today and it has two new entries with UID 0; the /etc/shadow file has also been modified today... is this normal?

My questions:

Could you tell me if my system has been compromised?

If yes, what can I do to stop him/her/them?

I need to recover control; I WORK with my computer, so how can I be (reasonably) sure he/she/they don't hurt me anymore?

Well, I'm reading a couple of references but it is difficult to learn in this situation (I mean, usually one needs time to learn such things, but now someone is maybe prowling about my system and I need to regain control soon).

Thanks in advance...

Last edited by Y0jiMb0; 11-24-2003 at 08:43 AM.
 
Old 11-24-2003, 10:25 AM   #2
Capt_Caveman (Senior Member; registered Mar 2003)
First and foremost, you should disconnect the machine from the network completely and don't use it for any other purposes than to do forensics. Anything you need to download should be done on a separate system and transferred via floppy/cdrom/etc. It's likely that if your new guest realizes that you know he/she is there, they will try to erase their tracks.

First, they don't sound particularly stealthy, but you do have to realize that they have root access and could have changed any of the system files, so you must treat the output of any of the system files as potentially fraudulent. What were the users added?

Start out looking for signs of their activity by checking your system logs. /var/log/secure and /var/log/messages are usually good places to look. Check to see what commands root has run using the last command. Also look for failed logins using the lastb command. Also look at the output of the netstat -al and lsof -i commands to see if there are any new daemons/backdoors listening that shouldn't be. If you have tripwire installed, run a system check to see what else has changed.

Download chkrootkit on a separate system and put it on a cd-rw or read-only floppy. Mount the disk/floppy and run chkrootkit on your system. This should find any rootkits, signs of commonly trojaned files, sniffers or other signs of compromise. You might also want to download a copy of the F.I.R.E cdrom-based forensics distro. It has some excellent tools on it that will allow you to dissect your system a little more fully.

Hopefully that will have turned up some signs of what's happened on your system. Once that's been completed it would be wise to save a copy of the hard-drive in case any future analysis is required. Then back up essential non-binary files that you've visually inspected for alteration, and format and re-install the OS from scratch. I know it's tempting to just keep on using the system, but you can never be fully sure that the system is clean once someone has compromised you. Chalk it up as a learning lesson and stay vigilant about your security in the future (firewalling, keeping up with patches, etc).

---EDIT----
Sorry, brainfart. The last command will show you recent system logins, which will give you an idea of when the last time your guest visited was. To see recently executed commands, check their .bash_history files as well as use the history command to see what stuff you've executed.

Last edited by Capt_Caveman; 11-24-2003 at 11:06 AM.
 
Old 11-24-2003, 05:17 PM   #3
Y0jiMb0 (Original Poster)
First of all, thank you very much; in these situations one appreciates the help.
Quote:
First and foremost, you should disconnect the machine from the network completely and don't use it for any other purposes than to do forensics. Anything you need to download should be done on a separate system and transferred via floppy/cdrom/etc. It's likely that if your new guest realizes that you know he/she is there, they will try to erase their tracks.
Well, I know it, but this is a problem: I cannot have access to the internet without my machine, so at the moment I'm online. I need it to repair this mess. But, as I told before, mandrake9.1 (the compromised system) doesn't boot anymore, it is dead; fortunately I had installed slack9.1 some weeks ago, and it works perfectly (I'm there now); I don't see anything unusual under slack. Isn't it secure to do what I am doing? (consider that now I have another IP address (dynamic IP); moreover, now it is another OS)

Quote:
First, they don't sound particularly stealthy, but you do have to realize that they have root access and could have changed any of the system files, so you must treat the output of any of the system files as potentially fraudulent. What were the users added?
These are the users, as they are in the '/etc/passwd' file:
Code:
ssd:x:0:0::/var/tmp/ :/bin/bash
sql:x:0:0::/var/tmp/ :/bin/bash
And they have removed every regular user but the one I use (which was logged in at the time of the attack) and the superuser.
I have checked the directory '/var/tmp' and there is a lot of stuff; doing 'ls -al' returns:
Code:
drwxr-xr-x    3 root     root         4096 Nov 24 09:52
drwxrwxrwt    5 root     root         4096 Nov 24 10:03 .
drwxr-xr-x   24 root     root         4096 May 26 16:23 ..
drwxrwxrwx    2 root     root         4096 Nov 24 09:52 ...
drwxr-xr-x    3 root     root         4096 Nov 24 10:05 .s
'...' is empty, but inside '.s':
Code:
drwxr-xr-x    3 root     root         4096 Nov 24 10:05 .
drwxrwxrwt    5 root     root         4096 Nov 24 10:03 ..
drwxrwxr-x   10 root     root         4096 Nov 24 10:06 .ps
-rw-r--r--    1 root     root       658353 Aug 16  2002 psy.tgz
It is a kind of package! In '.ps'
Code:
drwxrwxr-x   10 root     root         4096 Nov 24 10:06 .
drwxr-xr-x    3 root     root         4096 Nov 24 10:05 ..
-rw-r--r--    1 root     root        23774 Jan 22  2002 CHANGES
-rw-------    1 root     root        17982 Mar 25  2001 COPYING
-rw-r--r--    1 root     root         2660 Apr 28  2001 FAQ
-rw-r--r--    1 root     root         1423 Sep 28  2001 Makefile
-rw-r--r--    1 root     root        35062 Sep 28  2001 README
-rw-r--r--    1 root     root        15738 Jul 15  2001 SCRIPTING
-rw-r--r--    1 root     root           40 Sep 28  2001 TODO
-rw-------    1 root     root          821 Jul 23  2001 config.h
-rwxr-xr-x    1 root     root      1111304 Aug 16  2002 ftp
drwxr-xr-x    2 root     root         4096 Jul 15  2001 help
drwx------    2 root     root         4096 Aug 16  2002 key
drwxr-xr-x    2 root     root         4096 Jul 13  2001 lang
drwxrwxr-x    2 root     root         4096 Nov 24 10:06 log
-rw-r--r--    1 root     root         1544 Aug 16  2002 makefile.out
-rwxr-xr-x    1 root     root        12981 Nov 24 10:06 makesalt
drwxrwxr-x    3 root     root         4096 Jul 30  2000 menuconf
drwxrwxr-x    2 root     root         4096 Jul 17  2000 motd
-rw-r--r--    1 root     root           77 Aug 16  2002 psybnc.conf
-rw-r--r--    1 root     root           41 Aug 16  2002 psybnc.md5sum
-rw-------    1 root     root            5 Nov 24 10:06 psybnc.pid
-rwxrwxr-x    1 root     root          369 Aug  8  2000 psybncchk
-rw-r--r--    1 root     root         1248 Aug 16  2002 salt.h
drwxrwxr-x    3 root     root         4096 Jul 30  2000 scripts
-rw-------    1 1004     490          3756 Sep 15  2000 targets.mak
drwxrwxr-x    2 root     root         4096 Aug 16  2002 tools
with many interesting things... even documentation!!!
It seems there is a program/package called 'psyBNC 2.3' (I have just discovered this; I will read more and post anything interesting about it).

I was looking for failed logins with no luck; is it possible they have exploited a weak point of my system without trying to log in? (I didn't have a firewall, this could make things easier)

I found many movements around the time the attack was performed in the 'syslog' file. For instance:
Code:
Nov 24 09:50:59 theNameOfMySystem smbd[1773]: [2003/11/24 09:50:59, 0] lib/util.c:smb_panic(1094)
Nov 24 09:50:59 theNameOfMySystem smbd[1773]:   PANIC: internal error
Nov 24 09:50:59 theNameOfMySystem smbd[1773]:
Nov 24 09:51:01 theNameOfMySystem smbd[1768]: [2003/11/24 09:51:01, 0] lib/fault.c:fault_report(38)
Nov 24 09:51:01 theNameOfMySystem smbd[1768]:   ===============================================================
Nov 24 09:51:01 theNameOfMySystem smbd[1768]: [2003/11/24 09:51:01, 0] lib/fault.c:fault_report(39)
Nov 24 09:51:01 theNameOfMySystem smbd[1768]:   INTERNAL ERROR: Signal 11 in pid 1768 (2.2.7a)
Nov 24 09:51:01 theNameOfMySystem smbd[1768]:   Please read the file BUGS.txt in the distribution
Nov 24 09:51:01 theNameOfMySystem smbd[1768]: [2003/11/24 09:51:01, 0]
But not only this kind of message; many others due to smbd (Samba!?!?) (some of them contain an IP address, and there are many. I couldn't compare every address, but they are different).

I also found several files replaced (mostly binaries and configuration files). For instance:
Code:
-rwxr-xr-x    1 root     root        22744 Nov 24 10:40 chgrp
-rwxr-xr-x    1 root     root        22936 Nov 24 10:40 chmod
-rwxr-xr-x    1 root     root        24728 Nov 24 10:40 chown
-rwxr-xr-x    1 root     root        53196 Nov 24 10:40 cp
-rwxr-xr-x    1 root     root        32108 Nov 24 10:06 dd
-rwxr-xr-x    1 root     root        36844 Nov 24 10:40 df
-rwxr-xr-x    1 root     root       302456 Nov 24 10:40 gawk
-rwxr-xr-x    1 root     root        79724 Nov 24 10:40 grep
-rwxr-xr-x    1 root     root        13792 Nov 24 10:40 hostname
-rwxr-xr-x    1 root     root        18776 Nov 24 10:40 id
-rwxr-xr-x    1 root     root        26296 Nov 24 10:40 ln
-rwxr-xr-x    1 root     root        82060 Nov 24 10:40 ls
-rwxr-xr-x    1 root     root        23544 Nov 24 10:40 mkdir
-rwxr-xr-x    1 root     root        23180 Nov 24 10:40 mknod
-rwxr-xr-x    1 root     root         8568 Nov 24 10:40 mktemp
-rwxr-xr-x    1 root     root        57100 Nov 24 10:40 mv
-r-xr-xr-x    1 root     root        15820 Nov 24 10:40 procps3-kill
-rwxr-xr-x    1 root     root        34456 Nov 24 10:40 rm
-rwxr-xr-x    1 root     root        16280 Nov 24 10:40 rmdir
-rwxr-xr-x    1 root     root        14808 Nov 24 10:40 sync

--------------------------------------------------------------------------------------------

Does all of this indicate I have a virus? Or is it a person who ran a script? (I think/hope it isn't worse)
What else could it be?

I want to recover the functionality of my system, but I also need to be sure they don't repeat the same whenever they like, so I would like to discover what happened. Is it reasonable to expect this?

Any ideas?

I'll continue reading, but more help will be appreciated.

Best regards
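As an added example (not code posted in the thread), here is the passwd check above turned into a small shell audit: it flags any UID-0 account other than root and any account whose home directory sits under /tmp or /var/tmp, which is exactly the pattern of the two planted entries. The sample passwd file is constructed, and the account name yojimbo in it is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: audit a passwd file for the two signs
# reported above, extra UID-0 accounts and home directories under /var/tmp.
# Usage: audit_passwd /etc/passwd     (run from a trusted, read-only boot)

# Print one line per suspicious account ("name: reason ...") and return 1 if
# anything was flagged, 0 if the file looks clean. Rules:
#   uid0      UID is 0 but the name is not "root"
#   tmp-home  home directory is under /tmp or /var/tmp (world-writable areas)
audit_passwd() {
    awk -F: '
        NF >= 7 {
            reasons = ""
            if ($3 == 0 && $1 != "root") reasons = reasons " uid0"
            if ($6 ~ "^/(var/)?tmp")     reasons = reasons " tmp-home"
            if (reasons != "") { printf "%s:%s\n", $1, reasons; bad++ }
        }
        END { exit (bad > 0) }
    ' "${1:-/etc/passwd}"
}

# Number of flagged accounts, as a plain integer.
count_findings() {
    audit_passwd "$1" | wc -l | tr -d ' '
}

# Constructed sample (not a real system file) shaped like what the poster
# found: two UID-0 accounts whose home is "/var/tmp/ ", plus normal entries.
make_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
yojimbo:x:500:500::/home/yojimbo:/bin/bash
ssd:x:0:0::/var/tmp/ :/bin/bash
sql:x:0:0::/var/tmp/ :/bin/bash
EOF
}

# Demo: audit the constructed sample and report the verdict.
demo() {
    f=$(mktemp) || return 1
    make_sample_passwd "$f"
    if audit_passwd "$f"; then
        echo "no suspicious accounts"
    else
        echo "suspicious accounts found; compare against /etc/shadow and your backups"
    fi
    rm -f "$f"
}
demo
```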
 
Old 11-24-2003, 09:37 PM   #4
2damncommon (Senior Member; registered Feb 2003; Calif, USA)
Quote:
I cannot have access to internet without my machine
Another great reason to have a Knoppix or Damn Small Linux CD around.
 
Old 11-24-2003, 10:01 PM   #5
Capt_Caveman (Senior Member; registered Mar 2003)
Couple of things:

1) Ideally you shouldn't do anything on that machine but forensics, but booting the slackware kernel is better than booting the mandrake one if necessary. Download chkrootkit and run it on the slackware machine. The best way to do this is to boot with a cdrom-based linux distribution like knoppix, FIRE, etc. and then mount the Mandrake system as a read-only file system; then you can dig around in it. Verifying that the Slackware system isn't compromised and then mounting Mandrake is probably not so good. Technically, although there are 2 OS's on the system, the intruder could have mounted the Slackware filesystem and compromised it as well. So I guess you can see why it's ideal to use an OS that is completely independent of the one on that system. Despite having a new ip address, many hacking tools are designed to "dial home" to an IRC channel or other means by which they can tell the cracker where they are and when they come back online. So don't rely on that to protect you.

2) The new users, along with the strange dirs in /var/tmp, are a pretty sure sign of being hacked.

3) From what I can determine, the psyBNC thing is an IRC tool designed to anonymize your connection. Whether it was truly being used for IRC or some other purpose, I can't really tell you. I wouldn't be surprised if it was being used to anonymize your system so that it could connect to an IRC channel and act as a zombie without being identifiable. While that's interesting, I'm sure there's probably a lot more that you haven't found.

4) Not sure if the samba error messages are telling you anything important or not. Did you have samba running before this happened? It could be one of 3 things: either samba being exploited, the cracker started a samba daemon, or something unrelated. Looks suspiciously like an exploit against samba though. Might be worthwhile to keep a copy of the ip addresses though.

5) The changed files are all your "poster-child" targets of a rootkit that installs trojaned binaries of system files. Likely all of those files have been replaced with versions that are designed to hide the files that the cracker has installed. It's actually surprising that the ls command showed those files in /var/tmp at all. Could be that they installed a rootkit and then uploaded the psyBNC package afterwards. Either way, they still look pretty sloppy (which can be either a good thing or a very bad thing... more on that later).

6) My money is on a rootkit. A lot of them will unpack the tools needed to take control of the system and then delete all traces of themselves, either directly or by hiding the presence of the files through some means (trojaned ls command, special kernel module, etc). I would highly recommend that you download either the forensic Linux distro FIRE or what's called "The Coroner's Toolkit". Both of these have tools that will allow you to search for and identify deleted files. What you'll probably find will be the remains of the rootkit and associated files that were uploaded, unpacked, executed to take control, and then deleted to cover its tracks.

7) Now that you have pretty convincing evidence that you were cracked, it's a safe assumption that you'll need to hose that machine and do a complete format (slackware too) and rebuild it from scratch. I know that sucks and I can feel your pain, but it's the only way you can be sure that your system is secure. There could potentially be hidden kernel modules and all kinds of monsters lurking in there that you might be missing. And as incompetent as that cracker seems (and they seem like a complete moron), one nasty trick is to install two sets of cracking tools. One set is completely obvious and is put there for you to find and remove, thinking your system is safe, while the other set is significantly more stealthy and remains hidden on your system.

8) In the future... patch, patch, patch. When you think you've installed all the necessary patches, install some more just for fun. A good firewall will go a long way to protect your services from getting attacked and ultimately from getting hacked.
 
Old 11-24-2003, 10:23 PM   #6
Jiggy (Member; registered Nov 2003)
You are being used to proxy someone's IRC traffic. Time to reformat. Personally I would run a sniffer on my network and monitor him. Then after a while stop by the IRC channel and say hi. If you do that I would recommend you check with your ISP first and make sure they are willing and ready to give you a new IP address, because you aren't going to want to have a skiddie war.

Edit: Actually, although fun and interesting, you may not want to do that. You wouldn't go through the lengths he has to be anonymous on IRC unless you are up to something bad. Hell, BNC's only cost like $5 a month. Talk about being cheap... He will probably be acting like a lamer and getting you banned from IRC servers when he's trying to take over channels or something. Someone might file a complaint to your ISP or try to hack you (again lol). Worse, he could use you as a proxy to attack other hosts.

Last edited by Jiggy; 11-25-2003 at 12:19 AM.
 
Old 11-24-2003, 11:19 PM   #7
Capt_Caveman (Senior Member; registered Mar 2003)
This might be of interest:

From the Mandrake 9.1 security list:
Quote:
An exploitable buffer overflow was discovered in the Samba server that can lead to an anonymous remote root compromise. The Samba Team also discovered some potential overflows during an internal code audit which was done in response to the previously noted buffer overflow problem.

All versions of Samba prior to 2.2.8a are vulnerable. The provided updates contain a patch from the Samba Team to correct the issue.

An exploit is known to exist and all Mandrake Linux users are encouraged to upgrade immediately.
Not much good now, but at least that gives you an idea of how they got in.
 
Old 11-25-2003, 10:32 AM   #8
Y0jiMb0 (Original Poster)
Hi!
Thanks to all for the suggestions!

Well, the nightmare continues!
(now I'm working with a live linux, but it doesn't have any forensics tools; I cannot get the FIRE linux, although I'd really want it)

I have discovered that the swine has tried to log in to my system while I was using slack, but it seems he/she/they couldn't (not only from the following, but from other clues too); I was checking /var/log/messages (I repeat, working in slack) and I saw this:
Code:
Nov 24 18:40:43 myMachine -- MARK -- 
Nov 24 19:00:43 myMachine -- MARK -- 
Nov 24 19:02:33 myMachine sshd[2376]: Failed password for root from IP_ofTheSwine(?) port 1238 
Nov 24 19:02:41 myMachine sshd[2378]: Illegal user sql from IP_ofTheSwine(?)
Nov 24 19:02:41 myMachine sshd[2378]: Failed none for illegal user sql from IP_ofTheSwine(?) port 1239
Nov 24 19:02:43 myMachine sshd[2378]: Failed password for illegal user sql from IP_ofTheSwine(?) port 1239 
Nov 24 19:02:47 myMachine sshd[2378]: Failed password for illegal user sql from IP_ofTheSwine(?) port 1239 
Nov 24 19:03:09 myMachine sshd[2380]: Illegal user ssd from IP_ofTheSwine(?)
Nov 24 19:03:09 myMachine sshd[2380]: Failed none for illegal user ssd from IP_ofTheSwine(?) port 1240
Nov 24 19:03:11 myMachine sshd[2380]: Failed password for illegal user ssd from IP_ofTheSwine(?) port 1240 
Nov 24 19:03:14 myMachine sshd[2380]: Failed password for illegal user ssd from IP_ofTheSwine(?) port 1240 
Nov 24 19:20:43 myMachine -- MARK -- 
Nov 24 19:40:43 myMachine -- MARK --
where "IP_ofTheSwine(?)" is an IP address, always the same number!

What I want is for him/her to stop, but I don't want any war!

The big question now is:
What can I do to stop him/her? I mean, I don't think it is a good idea to wait until he/she decides it is a good time to hurt me.

I got a new HD; I'm thinking of removing the old cracked one, plugging in the new one and installing slack 9.1 (the newest distro I have) with strong security measures.
Is this enough? If not, what more can I do?
Any help will be appreciated!
Best regards
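An added example, not from the thread: a shell summary of failed sshd logins in the /var/log/messages format shown above, grouped by source address and account, so that attempts against the planted accounts sql and ssd stand out and the source addresses for an abuse report fall out directly. The sample log is constructed, and the 192.0.2.x addresses and the yojimbo account are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: summarise failed sshd logins from a
# syslog-style /var/log/messages so that attempts against the accounts the
# intruder planted (here "sql" and "ssd") stand out. Source addresses in the
# sample are constructed placeholders from the 192.0.2.0/24 documentation range.

# Print "source-ip user count" for every "Failed password|none" sshd line.
# Both "Failed password for root from A" and "Failed none for illegal user
# sql from A" are handled; the "Illegal user" lines themselves are skipped
# because the matching "Failed none" line already records the attempt.
failed_logins_by_source() {
    awk '
        /sshd\[[0-9]+\]: Failed (password|none) for / {
            user = "?"; ip = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == "for") {
                    user = ($(i+1) == "illegal" && $(i+2) == "user") ? $(i+3) : $(i+1)
                }
                if ($i == "from") { ip = $(i+1) }
            }
            n[ip " " user]++
        }
        END { for (k in n) print k, n[k] }
    ' "$1" | sort
}

# Restrict the summary to a list of account names (the planted ones).
# Usage: planted_account_attempts LOG sql ssd
planted_account_attempts() {
    log="$1"; shift
    failed_logins_by_source "$log" | awk -v users="$*" '
        BEGIN { n = split(users, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($2 in want)'
}

# Unique source addresses that tried the planted accounts: the list to quote
# in the abuse report to the ISP that the thread recommends.
planted_account_sources() {
    planted_account_attempts "$@" | awk '{ print $1 }' | sort -u
}

# Constructed sample in the format shown in the thread; 192.0.2.10 plays the
# intruder, 192.0.2.20 a legitimate user mistyping a password once.
make_sample_log() {
    cat > "$1" <<'EOF'
Nov 24 19:00:43 myMachine -- MARK --
Nov 24 19:02:33 myMachine sshd[2376]: Failed password for root from 192.0.2.10 port 1238
Nov 24 19:02:41 myMachine sshd[2378]: Illegal user sql from 192.0.2.10
Nov 24 19:02:41 myMachine sshd[2378]: Failed none for illegal user sql from 192.0.2.10 port 1239
Nov 24 19:02:43 myMachine sshd[2378]: Failed password for illegal user sql from 192.0.2.10 port 1239
Nov 24 19:02:47 myMachine sshd[2378]: Failed password for illegal user sql from 192.0.2.10 port 1239
Nov 24 19:03:09 myMachine sshd[2380]: Illegal user ssd from 192.0.2.10
Nov 24 19:03:09 myMachine sshd[2380]: Failed none for illegal user ssd from 192.0.2.10 port 1240
Nov 24 19:03:11 myMachine sshd[2380]: Failed password for illegal user ssd from 192.0.2.10 port 1240
Nov 24 19:03:14 myMachine sshd[2380]: Failed password for illegal user ssd from 192.0.2.10 port 1240
Nov 24 19:10:02 myMachine sshd[2391]: Failed password for yojimbo from 192.0.2.20 port 2001
Nov 24 19:20:43 myMachine -- MARK --
EOF
}

# Demo: run both reports over the constructed sample.
demo() {
    f=$(mktemp) || return 1
    make_sample_log "$f"
    echo "== failed logins by source and user =="
    failed_logins_by_source "$f"
    echo "== sources that tried the planted accounts =="
    planted_account_sources "$f" sql ssd
    rm -f "$f"
}
demo
```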
 
Old 11-25-2003, 10:57 AM   #9
zaphodiv (Member; registered Oct 2003)
>I got a new HD; I'm thinking of removing the old cracked one, plugging in the new one and installing slack 9.1 (the newest distro I have) with strong security measures.
>Is this enough? If not, what more can I do?
You will need to keep up with the security updates for slackware. It is also a good idea not to have unnecessary services accessible from the internet.

You can set samba to only listen on one network interface. If you have separate network cards for internet access and your local LAN then it is better not to have samba accessible from the internet.
 
Old 11-25-2003, 11:19 AM   #10
Capt_Caveman (Senior Member; registered Mar 2003)
Quote:
(now I'm working with a live linux, but it doesn't have any forensics tools; I cannot get the FIRE linux, although I'd really want it)
That's OK, as long as you're using an OS that's independent of the ones on the compromised machine.

Quote:
I have discovered that the swine has tried to log in to my system while I was using slack, but it seems he/she/they couldn't (not only from the following, but from other clues too); I was checking /var/log/messages (I repeat, working in slack) and I saw this
They probably didn't realize that you had taken the Mandrake system offline. If you look at those log messages, they're trying to log in using the users they created on the hacked system. So now they probably have a good idea that you're onto them, so do not boot the Mandrake system while it is connected to the internet.

Quote:
where "IP_ofTheSwine(?)" is an IP address, always the same number!
Hold onto that. While it's very likely that they are attacking through a proxy, you never know. When you get a chance do a whois lookup on the ip address and see what Internet Provider it falls under. There will usually be an email address to send abuse reports to. Go ahead and send them a message letting them know your situation and include the relevant logs with that ip address in it.

Quote:
What can I do to stop him/her?

First, are you sure that you're getting a new ip address? I've noticed that my DSL modem has a habit of retaining the same one, so you should double check that you're getting a new address. Once you're sure of that, what you'll want to do is remove the old hard drive and put in the new one. Make sure the system is not connected to your internet connection and install Slackware (You can do Mandrake if you still want to). When that is completed, turn off all of the services (sendmail, portmapper, etc). Now what you'll need to do is add the following rule to iptables:

iptables -I INPUT -p tcp -m state --state NEW -j DROP

Run that as root from the command line and that should drop any incoming connections that you don't initiate. Then restart iptables. Once you're sure that iptables restarted without any errors, you can safely reconnect to the internet. Immediately go to the Slackware site and download all of the relevant security patches for Slack9.1. Once those are done downloading, install them.

The point of all this being that if you lock your box down and don't have any entry points, evil_cracker will eventually go away and move on to something that looks like an easier target. Except for the few talented crackers with some actual skill, most rely on known tools and exploits that are freely available to the public (the exploit that he likely used on you has been out since early April). If you keep up with patching, then you're taking away those tools and vulnerabilities. That leaves them with two options, DoS or brute force password guessing, both of which consume time and resources. More likely than not, he'll go away once he realizes that he can't get in to your system anymore.
 
Old 11-25-2003, 12:08 PM   #11
unSpawn (Moderator; registered May 2001)
Next to the excellent advice given by Capt_Caveman and others I'll just add a short list of things to do/watch for when you're about to install Linux on your new disk.

I would also like to emphasise (because your box already got cracked and they're continuing) it is important you send a report of events (supported with logs) to your ISP and the ISP of the offender. If you need help with that, just ask.


Quote:
I got a new HD; I'm thinking of removing the old cracked one, plugging in the new one and installing slack 9.1 (the newest distro I have) with strong security measures.
Excellent. Here are ten quick steps to start securing your box:
1. (Re)partition, (re)format, and (re)install. Partition with care. Make /boot, / (root), /usr, /tmp, /var and /home use separate partitions.
2. Do not install what you don't need now. You have had problems with regularly updating applications and securing access, so don't install stuff like R services (Rsh, rlogin), network filesystems in general, Named, Sendmail, any FTP server, Lpd/CUPS etc. until you have secured your basic system. Do not forget to add an unprivileged account on install if you can, or after install.
3. When booting your newly installed Linux, take down the network interface immediately if it is up.
If your distro comes with a filesystem integrity scanner (Aide, Samhain, tripwire), install, configure and run it. Save a copy of the binary, configs and databases on read-only media. If you don't have one, make a list by running "find / -type f|xargs -iF md5sum "F" 2>&1>/tmp/md5sums" and save that file on read-only media. Install and configure Sudo for your unprivileged user.
4. With the network interface still down, set the firewall default policies to "DROP" and add firewall rules for only your ISP's servers you need access to (DNS, mail, proxy) and the HTTP/Rsync or FTP hosts you will be downloading updates from.
5. Check that no service is started that should not have been started, including those started from (X)inetd. Check services that should be started for a control mechanism that will allow them to deny access based on username, group, time, IP. Xinetd comes with its own mechanism, and OpenSSH's sshd can use /etc/hosts.{deny,allow} when compiled with libwrap.
6. Now bring up the interface, get your updates (and disconnect when done, unless you can see dependency problems coming).
7. When done upgrading, check your filesystem integrity and make an update. Check running services again.
8. Run SASTK (I don't think Bastille-Linux handles Slackware; check it out) to start hardening your box. After making changes run Tiger to test the system for stuff to correct (also see Chkrootkit, LSAT, env_audit).
9. Remount /usr and /boot with "readonly,nodev" mount flags. Remount /tmp with "nosuid,nodev" and /var with "noexec,nosuid,nodev" mount flags. Set the immutable bit on the contents of /bin and /sbin ("chattr =i -R /bin"), and also on crucial configs in /etc for authentication, network information and configuration and any services you need to run.
10. Check out the LQ FAQ: Security references, post #1 "Basics, important sites, HOWTO's, handbooks, hardening, tips", post #2 "Netfilter, firewall, Iptables, Ipchains, DoS, DDoS" and post #3 "Intrusion detection, integrity checks".


Good luck!
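As an added example that is not unSpawn's code, the md5sum baseline of steps 3 and 7 as two shell functions: one builds the baseline, the other diffs the live tree against it and reports changed, added and removed files (the same trojaned-binary pattern the poster saw in /bin). The paths in the usage comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: the md5 baseline of steps 3 and 7 above,
# as two functions. Build the baseline right after install, keep it on
# read-only media, and diff the live tree against it after every update.
# Paths containing spaces or newlines are not handled (md5sum's own format).
# Usage: make_baseline /bin /mnt/cdrom/bin.md5
#        verify_baseline /bin /mnt/cdrom/bin.md5

# Write "md5  path" for every regular file under DIR, sorted by path.
make_baseline() {   # make_baseline DIR OUTFILE
    find "$1" -type f -exec md5sum {} + 2>/dev/null | sort -k 2 > "$2"
}

# Compare the current tree with a saved baseline. Prints one line per
# difference (CHANGED, ADDED, REMOVED) and returns 1 if there were any,
# 0 if the tree matches the baseline exactly.
verify_baseline() {   # verify_baseline DIR BASELINE
    dir="$1"; base="$2"
    cur=$(mktemp) || return 2
    make_baseline "$dir" "$cur"
    report=$(awk -v base="$base" '
        FILENAME == base { old[$2] = $1; next }       # load baseline hashes
        {
            if (!($2 in old))       { print "ADDED   " $2 }   # not in baseline
            else if (old[$2] != $1) { print "CHANGED " $2 }   # hash differs
            delete old[$2]                                    # seen, so not removed
        }
        END { for (f in old) print "REMOVED " f }
    ' "$base" "$cur" | sort -k 2)
    rm -f "$cur"
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}
```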
 
Old 11-26-2003, 06:14 AM   #12
Y0jiMb0 (Original Poster)
Thanks again for the suggestions. Without your help I couldn't have recovered control of my system (I hope I already have).

I'll try to install slack as you told me, but I still have a couple of questions, since I'm a networking

...on Capt_Caveman's post:

Quote:
First, are you sure that you're getting a new ip address? I've noticed that my DSL modem has a habit of retaining the same one, so you should double check that you're getting a new address.
I have had troubles with this; I mean, my internet provider told me I have a dynamic IP address, but whenever I've done 'ifconfig', I have ALWAYS got the same IP address. I suppose the information should be in '/proc'. So I checked that place, looking for my address, without results.
(I'm working with the live linux CD, does it matter?)
So...
How can I find my IP address with 100% certainty?
(I use DHCP which, I suppose, is the standard)

Quote:
Make sure the system is not connected to your internet connection and install Slackware (You can do Mandrake if you still want to). When that is completed, turn off all of the services (sendmail, portmapper, etc). Now what you'll need to do is add the following rule to iptables: iptables -I INPUT -p tcp -m state --state NEW -j DROP Run that as root from the command line and that should drop any incoming connections that you don't initiate. Then restart iptables. Once you're sure that iptables restarted without any errors, you can safely reconnect to the internet. Immediately go to the Slackware site and download all of the relevant security patches for Slack9.1. Once those are done downloading, install them.
I have a couple of questions about this.
First let me translate (I'd like to be sure I understood the steps)
i - turn off the internet connection
ii - install the OS(es)
iii - turn off all of the INTERNET services (right?)
iv - do the iptables thing
v - turn on the necessary INTERNET services
vi - turn on the internet connection
vii - download the relevant patches
viii- turn off internet connection
ix - install new packages
x - system ready
If these steps are like that, I have a couple of questions:

On iii and v: how do I get the names of the services I have to stop/start? How do I stop/start them? I mean, what could I do if I get troubles at this point (for example, if I cannot start/stop a couple of services)?
On iv: how do I restart iptables? What is iptables for?
On vii: what patches do I need? I have visited the slack site and it seems there are 4 known security problems with v9.1; here they come:
* apache (I don't think I need it, or do I need it to have the internet working (for instance to visit the forum)?)
* gdm (I don't usually use gdm, but maybe it is a good idea to update it)
* fetchmail (NO IDEA about this)
* OpenSSL (I think I do need this, right?)
Which ones do I need?


...on unSpawn's post:
Quote:
5. Check that no service is started that should not have been started, including those started from (X)inetd. Check services that should be started for a control mechanism that will allow them to deny access based on username, group, time, IP. Xinetd comes with its own mechanism, and OpenSSH's sshd can use /etc/hosts.{deny,allow} when compiled with libwrap.
How can I do this? I mean, I know 'ps', 'top'... but, considering I'm quite ignorant concerning internet services, how can I be sure I do it well? Is there any tool in slack to do this?
Quote:
7. When done upgrading, check your filesystem integrity and make an update. Check running services again.
Do you mean "7. = repeat 3. and 5."?


...and more questions:

*) I never used a firewall. Which one is a good one for slack (I suppose it comes with the distro)?

*) (about my HDs)
I substituted hdc; the old one (20 GB) was where mandrake lived; the new one is 120GB, clean.
Of course, I also have hda, which is a HD too.
hda is a 60GB, where I have this (the output of fdisk):
Code:
/dev/hda1   *           1        3539    28426986    c  W95 FAT32 (LBA)
/dev/hda2            4845        7476    21141540   83  Linux 
/dev/hda3   *        3540        4207     5365710   83  Linux 
/dev/hda4            4208        4844     5116702+  83  Linux
where...
- in hda1 resides W98SE (I need it!!! )
- hda2 contains data (I NEED to keep it)
- hda3 is where my slack9.1 lives. I can remove it, although I think it's clean; but I'd like to keep it for future reference...
- hda4 is almost empty, just a couple of files which can be erased.
What should I do with this HD? (I could reformat it, but I don't really like it. I estimate that doing backups could take around 3-4 days, and I don't have much time)

*)
Quote:
where "IP_ofTheSwine(?)" is an IP address, always the same number! Hold onto that. While it's very likely that they are attacking through a proxy, you never know. When you get a chance do a whois lookup on the ip address and see what Internet Provider it falls under. There will usually be an email address to send abuse reports to. Go ahead and send them a message letting them know your situation and include the relevent logs with that ip address in it.
Quote:
I would also like to emphasise (because your box already got cracked and they're continuing) it is important you send a report of events (supported with logs) to your ISP and the ISP of the offender. If you need help with that, just ask.
I did 'whois IP_ofTheSwine(?)' and I got (I've deleted the info, for security; if any field is necessary, tell me and I'll give it)
Code:
% This is the RIPE Whois server. 
% The objects are in RPSL format. 
% 
% Rights restricted by copyright. 
% See http://www.ripe.net/ripencc/pub-serv...copyright.html
inetnum:      *** 
netname:      MEDIA-CLASS 
descr:        SC Media Class SRL 
descr:        *** 
country:      *** 
admin-c:      *** 
tech-c:       *** 
status:       ASSIGNED PA 
mnt-lower:    *** 
mnt-by:       *** 
mnt-routes:   *** 
notify:       *** 
changed:      *** 
changed:      *** 
source:       RIPE  

route:        *** 
descr:        Media Class Barlad 
origin:       *** 
mnt-by:       *** 
changed:      *** 
source:       RIPE  

person:       *** 
address:      *** 
address:      *** 
phone:        *** 
fax-no:       *** 
e-mail:       *** 
nic-hdl:      *** 
notify:       domain-admin@*** 
mnt-by:       *** 
changed:      *** 
changed:      *** 
source:       RIPE
So, yes, I need help with this. How do I report this incident to the offender and to my provider? What do I say to them?
btw, doing 'whois myIPAddress'(where 'myIPAddress' is the one ifconfig returns), I get two email addresses:
Code:
remarks:      mail spam reports: abuse@*** 
remarks:      security incidents: security@***
Best regards

Last edited by Y0jiMb0; 11-26-2003 at 06:26 AM.
 
Old 11-26-2003, 10:01 AM   #13
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
How can I 100%-sure find my IP address?
"ifconfig" should show. Unless told otherwise, dhcpcd, the client for DHCP, will negotiate your IP address with your ISP's DHCP server when you fire up dhcpcd.


on iii and v: how do I get the names of services I have to stop/start? How do I stop/start them?
AFAIK services to be started are in /etc/rc.d/rc.inet2(.conf)
Comment them out. Example:
Code:
# Start the SUN RPC Portmapper:
if [ -x /sbin/rpc.portmap ]; then
  echo "Starting /sbin/rpc.portmap..."
  /sbin/rpc.portmap
fi
becomes
Code:
# Start the SUN RPC Portmapper:
#if [ -x /sbin/rpc.portmap ]; then
echo "NOT starting /sbin/rpc.portmap..."
#  /sbin/rpc.portmap
#fi

I mean, what could I do if I get troubles in this point (for example, I cannot start/stop a couple of services)?
You should have no problems. If you *do* run into problems stopping services, for instance SUN RPC, try "killall rpc.portmap".


on iv: how do I restart the iptables?
Two possible ways I think. Check /etc/rc.d/rc.inet2(.conf) for a reference to /etc/rc.d/rc.firewall. If it has the line, your firewall rules should go in /etc/rc.d/rc.firewall. Else check your rc files and /etc/rc.d/rc.S for a line or file called rc.iptables. If there's no line referencing iptables, look for a line which sez "rc.M", then add
Code:
# Starting iptables firewall
echo "Starting iptables..."
if [ -x /etc/rc.d/rc.iptables ]; then
    /etc/rc.d/rc.iptables start
fi
(Touch and) edit the /etc/rc.d/rc.iptables script.


What is iptables for?
Iptables is the tool you set up firewalling rules with.


on vii: What patches do I need? I have visited the slack site and it seems there are 4 security known problems with v9.1;
* apache (I don't think I need, or do I need i to have internet working (for instance to visit the forum)?)
* gdm (I don't use to use gdm, but maybe is a good idea to update it)
* fetchmail (NO IDEA about this)
* OpenSSL (I think, I do need this, right?)
which ones do I need?

Network facing daemons in general are only necessary if you want/need to share or provide (access to) services to others. So you won't need Apache. If you run Gdm it'll be to provide you with a mouse on the commandline and/or in X11. Fetchmail gets mail from remote POP3 servers, like when you have a mail account with your ISP.
OpenSSL is at the basis of many apps that need or need to provide more secure, encrypted network traffic. If you have OpenSSL installed *ALWAYS* upgrade OpenSSL.


How can I do this? I mean, I know 'ps', 'top'... but, considering I'm quite ignorant concerning to internet services, how can I be sure I do it well done? is there any tool in slack to do this?
As root, try "netstat -panel -A inet". This would show all network connections and their state. Check all in the "LISTEN" state.


Do you mean "7. = repeat 3. and 5."?
Yes.


I never used a firewall. Which one is a good one for slack (I suppose it comes with the distro)?
Linux/GNU's firewall framework comes in two parts: a kernel part called "Netfilter", and user tools to work it with: for kernel 2.4.x it's Iptables, for kernel 2.2.x (and for stubborn people who don't need/want Iptables features) Ipchains, and for 2.0.x kernels it's Ipfwadm.
Personally I dislike GUI tools so I can't recommend any, really. See my checklist, point 10, for the iptables tutorials. Yes, you'll have to read and read.


- in hda1 resides W98SE (I need it!!! )
Then by all means keep it.

- hda2 contains data (I NEED to keep it)
If this means your previously compromised Mandrake partition, remove its entry from any bootloader and never boot it again. Inspect the data you want to copy visually and don't copy binaries.
If you want to keep it, OK, else clean up the partition after backing up.

- hda3 is where lives my slack9.1. I can remove it, although I think it's clean; but I'd like to keep it for future references...
"Thinking" isn't good enough! I told you about filesystem integrity, so unless you have those means you better start fresh and good.

I estimate that doing backups could be around 3-4 days, and I don't have much time)
Don't distribute time. Distribute your priorities over time. If you think fondling blinkety-blink icons and translucent windows beats having a hardened box, BMG.


How do I report this incident to the offender and to my provider? what do I say them?
Here's a template:
Code:
-------------------------------------------------------------------------------------------
I. Whom to report to
Use this form to submit a security report:
- in case of the activity taking place on a network owned by a company or institute,
  that entity's Emergency response team, Security Office(r), IT department or otherwise
  administratively responsible persons,
- in case of the activity taking place on a network owned by an ISP, to that entity's
  Emergency response team, Security Office(r), IT department or otherwise
  administratively responsible persons, and the offender's ISP's abuse@ address.
- In case of system compromise a copy to CERT would be favourable,
- reporting to Dshield and Mywatchmen is also optional.

-------------------------------------------------------------------------------------------
II. What to report about
A security incident can be defined as:
- General harassment (email, chat, other)
- Unauthorized enquiries (probing, scanning)
- Intruder activities and system compromise
- Network attack activities (spoofing, denial of service)
- Virus and internet worm activity
- Vulnerabilities to any system

-------------------------------------------------------------------------------------------
III. What details to report
To get the right mindset for reporting a security incident or activity, try to fill in
your answers on the next four W's:

When:
- When was the activity or incident detected?
- When did the activity or incident actually occur?

What:
- What service did the system provide (DNS, HTTP server, firewall etc)?
- What level of access did the intruder gain?
- What unauthorized data collection programs, such as sniffers, were installed?
- What was the impact of the attack?
- What preventative measures have been (are being) implemented?

Who
- Determine responsible party's identification, usually IP address(es) or host name(s).

How
- How was access gained? What vulnerability was exploited?
- How was the incident detected?

(cut here)
-------------------------------------------------------------------------------------------

Security incident reporting form

-------------------------------------------------------------------------------------------

Reporting information

Name (last, first):
E-Mail Address:
Primary Phone:
Secondary Phone:

Type of report (choose)
 [ ] harassment
 [ ] unauthorized enquiry
 [ ] intruder activity
 [ ] system compromise
 [ ] network attack activity
 [ ] virus or internet worm
 [ ] vulnerability

Priority (choose)
 [ ] high
 [ ] medium
 [ ] low

Time of activity (exact time, range or period):
IP address (or range of) subject:
Subject's OS(es):
Describe the activity in one line:
Log excerpts showing activity
(think system, authorisation, firewall, application, tcpdump, IDS logs/readouts):
 
Old 11-26-2003, 02:54 PM   #14
Y0jiMb0
Member
 
Registered: Jul 2003
Location: Valencia (Spain)
Distribution: slackware 11, FEDORA CORE 4, RHEL3, Gentoo...
Posts: 361

Original Poster
Rep: Reputation: 30
Quote:
* gdm (I don't use to use gdm, but maybe is a good idea to update it)
Quote:
If you run Gdm it'll be to provide you with a mouse on the commandline and/or in X11.
from http://www.slackware.com/security/vi...ecurity.388783
Quote:
[slackware-security] gdm security update (SSA:2003-300-01) GDM is the GNOME Display Manager, and is commonly used to provide a graphical login for local users.
...maybe you referred to some package with a similar name (I know there is a program called something similar to 'gdm' used to configure the mouse, but I don't remember the name)

Quote:
- in hda1 resides W98SE (I need it!!! )
Then by all means keep it.

- hda2 contains data (I NEED to keep it) If this means your previously compromised Mandrake partition, remove its entry from any bootloader and never boot it again. Inspect the data you want to copy visually and don't copy binaries. If you want to keep it, OK, else clean up the partition after backing up.

- hda3 is where my slack9.1 lives. I can remove it, although I think it's clean; but I'd like to keep it for future reference...
"Thinking" isn't good enough! I told you about filesystem integrity, so unless you have those means you better start fresh and good. I estimate that doing backups could take around 3-4 days, and I don't have much time) Don't distribute time. Distribute your priorities over time. If you think fondling blinkety-blink icons and translucent windows beats having a hardened box, BMG.
I maybe didn't explain properly.
In the beginning of this, I had 2 HDs (hda and hdc); the one with the compromised OS (and which is no longer inside my computer) is hdc.
Concerning hda3, I DON'T want to use "this slack"; I'm going right now to install slack from scratch on hdc (the new one); but someone told me before that I have to remove everything; I just wondered if I could keep this partition as it is for future reference, i.e. to do forensics (I don't need the space now)

Anyway, I'm going now to install the new system. I hope all goes well; I'll post as soon as I finish (if it isn't too late )
Regards

Last edited by Y0jiMb0; 11-26-2003 at 02:57 PM.
 
Old 12-01-2003, 02:44 AM   #15
Y0jiMb0
Member
 
Registered: Jul 2003
Location: Valencia (Spain)
Distribution: slackware 11, FEDORA CORE 4, RHEL3, Gentoo...
Posts: 361

Original Poster
Rep: Reputation: 30
Talking Success... ?

Hello, again!
Last weekend I finished (more or less) finally. It seems I've regained control of my system, and I could shield my box reasonably...
but I realized that security is not so simple as I thought before. I see this subject is more interesting and worthwhile than many others in linux, and computing in general; I sadly discovered that the time spent securing the system is not wasted, but well invested...

I have added several things in my TODO list:

- I discovered the world of 'iptables'; I had no idea how interesting and powerful this tool could be.
I added a couple of rules, but I see it isn't straightforward to get a complete set of coherent and sensible rules; I'll keep working on this...

- I also discovered 'sudo'; it's a necessary program! However, to me it isn't too easy to manage: more to read!

- I still didn't report the attack; I already got FIRE, but it needs time to learn such forensics tools (I've never used anything similar). I would like to do it during this week.

... I have many other small things to do; I also have many other questions, but I'll post them in new threads, if necessary.


Thank you very much again for the patience and good advice!!! I wouldn't be able to handle this situation without the support of this splendid forum.

Best regards

Last edited by Y0jiMb0; 12-01-2003 at 05:53 AM.