LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 04-26-2003, 07:21 AM   #1
Kayaker
LQ Newbie
 
how is a tcp port opened?


hi,

I noticed that there were certain ports left open on one of my s8 machines; the very same machine was hacked a few days ago.

It was my fault for leaving telnet and ftp open for convenience. Now that I have closed both of them and a few others, I went on to scan the open ports on the s8 machine and found that a few ports were still open even though I could find no trace of them being opened in inetd.conf.

Where do I turn these ports off?

In addition, the s8 machine was hacked by
"/dev/tux/backup/login..."
You know what I mean if you have seen this one before.

I got into single-user mode and reinstalled most of the apps from CD, and it seems to be working fine, although it is still offline for the sake of further investigation.

Here is the bigger picture:
1. How do I make sure the s8 is clean again? (I would rather not format this HD if possible; too much is on it to do it all over again. You know what I mean if you have been there before.)
2. How do I keep it from happening?
3. How do I track the offender down? There must be something I can do to "recover" my "valuable" time.

Many thanks in advance.

Kayaker

PS, I would equally appreciate any advice you might have, even if it only addresses some of the questions I posted.
 
Old 04-26-2003, 01:07 PM   #2
unSpawn
Moderator
 
where do i turn these ports off?
As root, and possessing a clean and trusted set of binaries, run
"netstat -anlp -A inet". This should give you the list of listening processes on raw, TCP or UDP. Check the (x)inetd config and comment out enabled services; else track the PID to the process, stop it using its init script or using "kill", and turn off bootup initialization.

"/dev/tux"
Lemme guess. Tuxkit.

1. how do i make sure the s8 is clean again (i would rather not format this hd if possible, too much is in it to do it over again - you know what i mean if you have been there before).
What I'm about to say is *not* what you wanna hear.
Tuxkit (if that *is* the LRK they used) comes with all the luxuries a script kiddie can wish for, like the ability to hide processes, a trojaned sshd, a bnc, a toolkit, etc. etc. The best way for you to regain control and *be* sure you can trust your system will be to save only your human-readable data, reformat and reinstall cleanly.

2. how do i keep it from happening?
Do not use a backup unless you can validate its contents to be 100 percent clean and trusted. Even then you'll have to wipe your passwords because they may have been intercepted.
Please read the 1st thread in the security forum (post #1, Compromise, breach of security, detection). After rebuilding the box, take the time to harden your box (see the same post). If you want detailed advice, just ask us in the security forum.

3. how do i track the offender down? there must be something i can do to "recover" my "valuable" time.
Difficult to answer. AFAIK it depends on the amount of disk activity, and on the timespan between the compromise and shutting down the box (to preserve data) being as small as possible: not only wrt denying the cracker time to cover up, but also since deleted stuff in some spaces like slack doesn't get overwritten immediately. Then it depends on how much of the logs remain, your ability to pinpoint data on the system that's not supposed to be there (checksumming), the ability to undelete data (TCT, Atstake) and finally, after that, your knowledge to interpret the "evidence".

Now you already "destroyed" part of the "evidence" by rebooting into runlevel 1, plus you have overwritten data. That's definitely not a good start for forensics, unless you made a copy with dd before you started ripping apart your "evidence".


HTH
 
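As an added example (not code from the thread or from unSpawn), the following script does the cross-check the post above describes: it parses the output of "netstat -anlp -A inet", parses inetd.conf, and tells you for each bound socket whether it belongs to an enabled inetd entry, to inetd without an enabled entry (commented out but inetd was never told to re-read its config), to a standalone daemon whose init script needs disabling, or to an owner netstat cannot see at all. The netstat output, the inetd.conf and the small /etc/services subset are constructed for the example; the output format assumed is the classic net-tools layout.

```python
"""Cross-check `netstat -anlp -A inet` output against inetd.conf.

Added example for this thread, not code from the original posts. The netstat
output and inetd.conf below are constructed; on a real box feed it the output
of `netstat -anlp -A inet` run from clean, trusted binaries, as the post says.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of `netstat -anlp -A inet` (2003-era net-tools layout).
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      412/inetd
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      412/inetd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      498/sshd
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN      -
tcp        0      0 192.0.2.10:22           198.51.100.7:40122      ESTABLISHED 501/sshd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           380/portmap
"""

# Constructed inetd.conf: telnet commented out, ftp still enabled.
INETD_SAMPLE = """\
# <service> <socket type> <proto> <flags> <user> <server path> <args>
#telnet stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
#shell  stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd
"""

# Subset of /etc/services used to map inetd service names to ports (assumed).
SERVICE_PORTS = {"telnet": 23, "ftp": 21, "shell": 514, "ssh": 22, "sunrpc": 111}


@dataclass
class Listener:
    proto: str
    addr: str
    port: int
    pid: Optional[int]          # None when netstat printed "-" for the owner
    program: Optional[str]
    verdict: str = ""


def parse_netstat(text: str) -> List[Listener]:
    """Return bound sockets; established TCP connections are skipped.

    UDP lines have no State column, so they are one field shorter than TCP.
    """
    found = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "udp", "raw"):
            continue
        proto, local, pidprog = parts[0], parts[3], parts[-1]
        state = parts[5] if len(parts) >= 7 else ""
        if proto == "tcp" and state != "LISTEN":
            continue
        addr, port = local.rsplit(":", 1)
        pid = prog = None
        if pidprog != "-":
            pid_s, prog = pidprog.split("/", 1)
            pid = int(pid_s)
        found.append(Listener(proto, addr, int(port), pid, prog))
    return found


def enabled_inetd_services(conf: str) -> Dict[Tuple[str, int], str]:
    """Map (proto, port) -> service name for each uncommented inetd.conf line."""
    enabled = {}
    for line in conf.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        name, proto = fields[0], fields[2]
        if name in SERVICE_PORTS:
            enabled[(proto, SERVICE_PORTS[name])] = name
    return enabled


def audit(netstat_text: str, inetd_conf: str) -> List[Listener]:
    """Classify every listener so you know where to turn it off."""
    enabled = enabled_inetd_services(inetd_conf)
    listeners = parse_netstat(netstat_text)
    for sock in listeners:
        if sock.pid is None:
            # Root netstat could not see the owner: hidden process or trojaned
            # netstat/ps. Do not trust the box; examine it from clean media.
            sock.verdict = "unknown_owner"
        elif sock.program == "inetd":
            # Commented out in inetd.conf but still bound: inetd keeps serving
            # until it re-reads its config (kill -HUP <inetd pid>).
            sock.verdict = "inetd" if (sock.proto, sock.port) in enabled else "inetd_no_enabled_entry"
        else:
            # Standalone daemon: stop it via its init script or kill, then
            # disable the init script so it does not come back at boot.
            sock.verdict = "standalone"
    return listeners


def verdicts(netstat_text: str = NETSTAT_SAMPLE,
             inetd_conf: str = INETD_SAMPLE) -> Dict[Tuple[str, int], str]:
    """(proto, port) -> verdict, for quick lookups and tests."""
    return {(s.proto, s.port): s.verdict for s in audit(netstat_text, inetd_conf)}


if __name__ == "__main__":
    for s in audit(NETSTAT_SAMPLE, INETD_SAMPLE):
        owner = f"{s.pid}/{s.program}" if s.pid is not None else "-"
        print(f"{s.proto}/{s.port:<5} {owner:<14} {s.verdict}")
```

Run it against real output with `netstat -anlp -A inet > ns.txt` and pass the file contents in place of the sample. The "unknown_owner" verdict is the one that matters on a box like the one in this thread: netstat run as root should always be able to name the owning PID, so a "-" next to a LISTEN socket means either a process hidden from /proc or a netstat that has been replaced, which is exactly why the post insists on clean binaries.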
Old 04-26-2003, 10:23 PM   #3
Kayaker
LQ Newbie
 
Here is what I found out about the break-in:

http://mel.ini2.net/p/tuxkit-analysis.txt

Perhaps the information in the file will help all of us.

kayaker
 
Old 05-06-2003, 07:11 AM   #4
unSpawn
Moderator
 
I'm just curious how you handled the incident, care to share your approach with us?
 
Old 05-06-2003, 07:31 AM   #5
jharris
Senior Member
 
Moved the thread to the security forum as per unSpawn's request.

Jamie...
 
Old 05-11-2003, 08:08 AM   #6
Kayaker
LQ Newbie
 
I have not had a chance to really look into this problem, since I have been busy at work and fulfilling other obligations; the infected hard disk is still off-line.

However, it was suggested that the probable sources of the break-in are ftp and telnet, and I am in the process of getting myself educated in these areas. Here is some info I gathered; hopefully it will help us all.

Additionally, how do you do your ftp and telnet "securely"? Do you encrypt internal network traffic?

Kayaker


============================================
All a hacker has to do is find out the IP address of the web site using a reverse ping on the domain name, and then set up a sniffer to run 24 hours a day on the IP address to sniff and log the login connection. As soon as the web master logs in to update the site, the hacker's sniffer can grab and record the password and login information. Using the login information, hackers can then download the site's web pages onto their own computer. After downloading the website, hackers then can use any number of HTML editors to edit the website with graffiti, fraudulent news, or anything else, and then FTP it back to its real home on the Web using the login and password they sniffed earlier. The main reason that web sites get hacked is because they are being updated with insecure FTP transfers. There are other ways that web sites can get hacked (due to improper OS and incorrect server configurations) but using secure FTP certainly reduces the probability of hacks due to insecure file transfers and logins.
-from http://www.intranetjournal.com/artic...08_14_02a.html

 
Old 05-11-2003, 08:16 AM   #7
markus1982
Senior Member
 
Telnet? Do you REALLY need to run telnet? Use SSH! Regarding FTP you could do SFTP ...
 
Old 05-12-2003, 12:47 AM   #8
Robert0380
LQ Guru
 
Just to clarify: the problem with telnet is that it sends passwords in plain text. If you run Ethereal or tcpdump on a machine and start a telnet session, you can see the username and password plain as day; it will even go so far as to put "user: name pass: password" in the output of those programs. We did it in a lab in one of my classes.
 
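The sniffing described in the article quoted in post #6 and in the post above amounts to reading the credentials straight out of the captured TCP payloads. As an added example (not code from the thread or from any of the posters), here is what the reconstruction looks like once the packets are in hand: it strips telnet option negotiation, watches the server side for a "login:" or "Password:" prompt, collects the keystrokes the client sends in reply (one byte per segment, with backspaces applied), and also picks up FTP's line-based USER/PASS commands, so one routine covers both protocols the thread blames. Both captures are constructed; on a real network the same bytes are what `tcpdump -A` prints.

```python
"""Recover a telnet or FTP login from captured TCP payloads.

Added example for this thread, not code from the original posts. The two
captures below are constructed stand-ins for what a sniffer on the wire sees:
a list of (direction, payload) pairs in arrival order.
"""
import re

S, C = "server", "client"                      # payload direction in the capture
IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254
PROMPTS = {"login": re.compile(rb"login:\s*$", re.I),
           "password": re.compile(rb"password:\s*$", re.I)}


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Drop telnet option negotiation (RFC 854) so only what the user saw or typed remains."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i]); i += 1
        elif i + 1 >= len(data):
            break                                   # truncated IAC at end of segment
        elif data[i + 1] == IAC:
            out.append(IAC); i += 2                 # escaped 0xFF data byte
        elif data[i + 1] in (WILL, WONT, DO, DONT):
            i += 3                                  # IAC <cmd> <option>
        elif data[i + 1] == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2   # subnegotiation up to IAC SE
        else:
            i += 2                                  # two-byte command (NOP, GA, ...)
    return bytes(out)


def extract_credentials(capture) -> dict:
    """Replay payloads in order; return the login and password sent in the clear."""
    creds, expecting, line, server_text = {}, None, bytearray(), b""
    for direction, payload in capture:
        data = strip_telnet_negotiation(payload)
        if direction == S:
            server_text = (server_text + data)[-64:]   # keep the tail, prompts are short
            for field, rx in PROMPTS.items():
                if rx.search(server_text):
                    expecting, line = field, bytearray()
            continue
        for b in data:
            if b in (0x08, 0x7F):                       # backspace / DEL: typo corrected
                if line:
                    line.pop()
            elif b in (0x0D, 0x0A):                     # end of line (telnet sends CR NUL)
                text = line.decode("ascii", "replace")
                if expecting:
                    creds[expecting] = text             # answer to a telnet prompt
                elif text.upper().startswith("USER "):
                    creds["login"] = text[5:]           # FTP control channel
                elif text.upper().startswith("PASS "):
                    creds["password"] = text[5:]
                expecting, line, server_text = None, bytearray(), b""
            elif b != 0x00:
                line.append(b)
    return creds


def _typed(text: bytes, echoed: bool):
    """Client keystrokes one byte per segment, followed by the server echo when echo is on."""
    segs = []
    for b in text:
        segs.append((C, bytes([b])))
        if echoed:
            segs.append((S, bytes([b])))
    return segs


# Constructed telnet session: option negotiation, echoed login, unechoed password
# (the user mistypes one character and fixes it with DEL).
TELNET_CAPTURE = (
    [(S, b"\xff\xfd\x18\xff\xfd\x20"), (C, b"\xff\xfb\x18\xff\xfc\x20"),
     (S, b"\xff\xfb\x01\xff\xfb\x03"), (C, b"\xff\xfd\x01\xff\xfd\x03"),
     (S, b"\r\nWelcome to the constructed example host\r\nlogin: ")]
    + _typed(b"kayaker", echoed=True)
    + [(C, b"\r\x00"), (S, b"\r\nPassword: ")]
    + _typed(b"s3crey\x7ft!", echoed=False)
    + [(C, b"\r\x00"), (S, b"\r\nLast login: Fri Apr 25 from 198.51.100.7\r\n$ ")]
)

# Constructed FTP control-channel session: USER and PASS are whole lines.
FTP_CAPTURE = [
    (S, b"220 ftp.example.test FTP server ready.\r\n"),
    (C, b"USER kayaker\r\n"),
    (S, b"331 Password required for kayaker.\r\n"),
    (C, b"PASS s3cret!\r\n"),
    (S, b"230 User kayaker logged in.\r\n"),
]

if __name__ == "__main__":
    print("telnet:", extract_credentials(TELNET_CAPTURE))
    print("ftp:   ", extract_credentials(FTP_CAPTURE))
```

Nothing here is an attack on the protocols themselves: there is no encryption to break, so the only defence is to not put the credentials on the wire in the first place, which is the SSH/SFTP advice in post #7.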
  

