LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

02-18-2002, 09:29 PM   #1
te_conway (Member; Registered: Apr 2001; Location: MA; Distribution: redhat 7.2; Posts: 182)
My first hack


System redhat 7.1

I telnet'd to my system to find a login prompt of
"/usr/tux/backup/login: Bad Address"
I couldn't log in as root or anyone else for that matter even though my web server, samba and ftp were working fine.

I found some links on google on how to fix it and surprisingly was up and running in about an hour. I can log in and everything seems fine but I don't know how to confirm that. Could there be a trojan on the system?

I have a dsl router that can block services (I don't know which ones I should block). It also does port forwarding and I was forwarding telnet and ftp to my server. I've stopped that for now but http is open for my web server. I'd like to bring telnet and ftp back online but I'm nervous.

What can ipchains or firewalls do to stop hacks if they come in through telnet or ftp? Is there a security problem with telnet or wu-ftp? (I thought I saw a reference to this on google)

Any help appreciated.
 
02-19-2002, 02:57 PM   #2
unSpawn (Moderator; Registered: May 2001; Posts: 29,415; Blog Entries: 55)
(Why are you expecting a trojan? Any susceptible behaviour?) Since you're using RH there are some options. Unfortunately they involve things like installing integrity detection like Tripwire (rpm is on the cd) or Aide, and saving the rpm (and tripwire) databases on read-only media.

On to checking, the first step should be to consult what CERT.org and SANS.org have to say on this (unless you know the drill; they offer good checklists), like here.
Ok, knowing login and any other binary could be trojaned, and your kernel "patched" with some module :-] you can still *try* to verify installed apps against the rpm database, but if a compromise has taken place it ain't to be considered trustworthy.
To try to detect std rootkit strings in trojaned binaries you could use chkrootkit, rkscan or the like. *Using chkrootkit on a suspected h4x0red box requires clean binaries. Either boot an fd/cd with them on it or examine the partition from another one.

About telnetd you're right. It should be banned. Login, passwords and the rest of the traffic are sent unencrypted. Use OpenSSH instead.
Wu has a history of bad glitches, bugs, snafus and whatnot. Alternatives to try could be ProFTPD, vsftpd, muddleftpd, and I'm sure the list of more secure ftp daemons is longer. My criteria would be, among others: Don't allow anonymous access unless you totally need it. Use tcp wrappers if you can. Block traffic from IP ranges belonging to "non routable" traffic. Don't use a daemon that can't drop root privileges after starting up. Use a daemon that doesn't rely on external binaries but provides 'em itself. Use chroot for lowering possible damages where possible.

Netfilter (kernel 2.4 using Ipchains or Iptables) doesn't stop "hacks". For a short description of the differences and why you should deploy an fw *and* some form of IDS see http://www.linuxquestions.org/questi...threadid=14240

HTH
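An added example (not from this thread or its posters) of the rpm-database check the reply above describes: it parses the one-line-per-file output format of `rpm -Va` and reports files whose MD5 digest no longer matches the database, which is how a replaced /bin/login like the one in the first post would show up, with the reply's own caveat that the database is only as trustworthy as the box it lives on. The SAMPLE_RPM_VA lines are constructed for the example, not real output from the poster's system.

```shell
#!/bin/sh
# Constructed sample of `rpm -Va` output (not captured from a real system).
# rpm -Va prints one line per file that differs from what the RPM database
# recorded. The first field is a flag string, one position per test:
#   S size  M mode  5 MD5 digest  D device  L symlink  U user  G group  T mtime
# A dot means the test passed. An optional attribute marker follows
# (c = config file), then the path. "missing" means the file is gone.
SAMPLE_RPM_VA='S.5....T    /bin/login
.......T    /usr/bin/passwd
S.5....T  c /etc/inetd.conf
.M......    /usr/sbin/in.telnetd
missing     /usr/bin/ps'

# Print paths whose MD5 digest differs from the database. Config files are
# skipped because they are expected to be edited; a changed digest on a
# non-config binary is the signal worth looking at.
suspicious_binaries() {
    printf '%s\n' "$1" | awk '
        $1 == "missing" { next }
        {
            flags = $1
            if (NF == 3) { attr = $2; path = $3 } else { attr = ""; path = $2 }
            if (attr == "c") next
            if (index(flags, "5") > 0) print path
        }'
}

# Report files the database knows about that are no longer present; a
# missing ps, netstat or login is its own red flag.
missing_files() {
    printf '%s\n' "$1" | awk '$1 == "missing" { print $NF }'
}

echo "Binaries with a changed MD5 digest:"
suspicious_binaries "$SAMPLE_RPM_VA"
echo "Files missing from disk:"
missing_files "$SAMPLE_RPM_VA"
```

On a live box the same functions take real output via `suspicious_binaries "$(rpm -Va 2>/dev/null)"`; as the reply says, run it with a known-clean rpm binary and treat a clean result as absence of evidence, not evidence of absence.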
 
02-19-2002, 03:54 PM   #3
te_conway (Member, Original Poster; Registered: Apr 2001; Location: MA; Distribution: redhat 7.2; Posts: 182)
Thanks for the response.

After reading threads on google and elsewhere my problem is symptomatic of a rootkit trojan. I have reinstalled a couple of modified binaries to regain access but by nature, I may lose access again if it's a trojan.

I'm going to download a rootkit checker and take it from there.

Thanks.
 
  

