LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 02-20-2007, 01:59 AM   #1
Tux-Slack
Member
 
Registered: Nov 2006
Location: Slovenia
Distribution: Slackware 13.37
Posts: 511

Rep: Reputation: 37
uninvited guest on my system?


hi there,

a few days ago i checked who was loged on
and w output was,
uptime xx days xx:xx, 4 users
and below there were only 3 users listed
where is the fourth user?
i've scanned the system with rkhunter for rootkits, none found, scaned for viruses with clamav, none found...
nothing suspicius on the system, like a strange user in /etc/shadow or anywhere
no strange processes runing...

could have anyone broke into the system?
root is disabled without a password (*), and i use sudo to access root
 
Old 02-20-2007, 02:10 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985
Users here aren't exclusive accounts, but login sessions. each xterm, ssh session etc... would be another user there, even if they are all root.
 
Old 02-20-2007, 02:17 AM   #3
Tux-Slack
Member
 
Registered: Nov 2006
Location: Slovenia
Distribution: Slackware 13.37
Posts: 511

Original Poster
Rep: Reputation: 37
yes i know that
i don't have only 3 users on the system, but then there were curently 3 users loged into the server, me and other 2 users
so one 2much in the first line of w output
 
Old 02-22-2007, 10:06 AM   #4
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,755
Blog Entries: 4

Rep: Reputation: 3966Reputation: 3966Reputation: 3966Reputation: 3966Reputation: 3966Reputation: 3966Reputation: 3966Reputation: 3966Reputation: 3966Reputation: 3966Reputation: 3966
That's based on the so-called utmp information and sometimes it does have its problems.
 
Old 02-22-2007, 01:53 PM   #5
v00d00101
Member
 
Registered: Jun 2003
Location: UK
Distribution: Devuan Beowulf
Posts: 514
Blog Entries: 1

Rep: Reputation: 37
Each time you run bash or a program runs bash, a new user process is created if im not mistaken. Is it possible you had a couple of xterm's open when you ran the command.

I use gkrellm, which tells me under the Proc tab how many users are on the system etc, and if i open a new xterm up, a new user appears.

Try closing everything except one xterm, then run the commands 'users' and 'who'. That should give you an idea of who is logged in (assuming you havent been rooted or something similarly bad).
 
Old 02-23-2007, 01:18 AM   #6
Tux-Slack
Member
 
Registered: Nov 2006
Location: Slovenia
Distribution: Slackware 13.37
Posts: 511

Original Poster
Rep: Reputation: 37
well i changed my roots password in passwd from
root:encrypted-passwd:...
to
root:*:...

and if i would have been rooted i think that the user whould have changed this password
or create a new user for sudo or something
but there are no new users in shadow only those that i or my friend has added
 
Old 02-24-2007, 06:14 AM   #7
ljs662_removed
Member
 
Registered: Nov 2006
Posts: 51

Rep: Reputation: 15
No password for root?

Uh oh!
I'm very glad u put a password in for root, maybe try looking in /home, or using "who" every now and then? Just keep a lookout but i'm pretty sure that you will find its nothing.
p.s make sure all accounts have passwords, no password = haxor heaven.
Cheers, Luke
 
Old 03-02-2007, 02:09 AM   #8
Tux-Slack
Member
 
Registered: Nov 2006
Location: Slovenia
Distribution: Slackware 13.37
Posts: 511

Original Poster
Rep: Reputation: 37
well i think the worst has happened
I belive i've been rooted...
yesterday the web server was shut down
today someone changed apache config file
and deleted my document root so, basicly my web page has been deleted, lucky me i have a backup...
so i ran rkhunter as soon as i saw this, nothing strange, only, apache version 2.2.4 and php version 5.2.1 is buging it
it says unkown
i've inspected /etc/shadow /etc/group and /etc/passwd
nothing unussual in there
i also checked sudoers file, nothing strange either...
so what's next for me to do?
 
Old 03-02-2007, 05:16 AM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
I belive i've been rooted... (..) so what's next for me to do?
First read, then act. Use common sense.

In short the plan is this:
- mitigation,
- investigating,
- preparing backups (we'll get to that),
- repartition, reformat, re-install from scratch (later),
- harden (later).


1. Mitigation

Start by reading the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html.

Now save these off-site:
- full listing of processes,
- full listing of network connections,
- full listing of open files.
If the box is local reboot it. Don't run commands from the disk but boot a Live CD for investigating. If the box is in colo shut down every unnecessary network-accessable service meaning MySQL, Apache etc, etc. Use common sense. Basically you only need SSH. Raise the firewall so only you have access in and outbound access from your management IP (range).



2. Investigation

We need to build an understanding of the situation. Perform tasks from the Intruder Detection Checklist and add info below if not covered already:
- location (home, colo) and purpose of the box. If colo: (dedicated or shared hosting),
- (perceived) date of incident,
- distro+release+kernel versions,
- list of installed SW and knowing if they where updated (specifically PHP-based apps),
- list of running services and a short descr. of who has access,
- full listing of processes,
- full listing of network connections,
- full listing of open files,
- any auth data: full listings of "last", "lastb", syslogs of the "authpriv" kind (see /etc/syslog.conf),
- any audit data like running your distro's package manager in file verification mode, file integrity checker,
- system, daemon and firewall logs,
- any setuid-root files found, anything in accessable temp dirs,
- user shell histories,
- anything else idea's, hunches or gut feelings you think *could* be relevant like "obvious" configuration mistakes like allowing SSH RootLogin's etc, etc.

Please try to:
- work your way through the list methodically,
- ask before performing a task if unsure,
- save info off-site, not on the "victim" itself,
- post only *exact*information,
- if the amount of info is too much compress and tarball it and post a D/L location instead.

Please note that due to the time between the actual breach of security, your first post and your most recent post there is a good chance a lot could be scrubbed by the intruder.
 
Old 03-02-2007, 05:38 AM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Call for help with incident handling

@All: call for help with incident handling
While I hope my fellow Linux - Security moderators will chip in and take over when new info arrives, I think this is a good time to call everyone to the stage who wants to do incident handling to take part in this, even if you have never done incident handling in Linux - Security before.

There are a few restrictions though:
- please research and read the *whole* thread before posting,
- please follow the steps as layed out by me,
- do not offer your opinion unless it is based on presented facts,
- do not offer advice about hardening and such. It's annoying, distracting and we're not in that phase yet.

if you can't find the discipline to adhere to those restrictions please consider *not* posting at all.

TIA
 
Old 03-05-2007, 05:59 AM   #11
Tux-Slack
Member
 
Registered: Nov 2006
Location: Slovenia
Distribution: Slackware 13.37
Posts: 511

Original Poster
Rep: Reputation: 37
i've checked the whole system...ok half of it, and nothing found
then my fellow sys admin told me he screw up with apache config file and accidently deleted htdocs directory...

only rkhunter reported a sniffer, and it was pppoe, is this posible that pppoe could act as some kind of a sniffer?

and another question
currently i have 2.4.33.3 kernel
would it be more smart/safe to compile a new cernel 2.6.20.1?
 
Old 03-05-2007, 03:07 PM   #12
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by Tux-Slack
i've checked the whole system...ok half of it, and nothing found
then my fellow sys admin told me he screw up with apache config file and accidently deleted htdocs directory...
oh, okay... well, one symptom less...

Quote:
only rkhunter reported a sniffer, and it was pppoe, is this posible that pppoe could act as some kind of a sniffer?
yes, considering what PPPoE is, it would make perfect sense for it to be used for sniffing... if i were you, i'd bust-out a known-good ppp package and a live cd and then compare checksums with those of the files installed on your box to rule-out a false-positive...

Quote:
and another question
currently i have 2.4.33.3 kernel
would it be more smart/safe to compile a new cernel 2.6.20.1?
if your 2.4 kernel is working fine (sans the security vulnerabilities) i would recommend you simply upgrade to the latest 2.4 (2.4.34.1 at the time of this post)... and after that, make sure you stay up-to-date with the latest 2.4 stable release...
 
Old 03-07-2007, 10:12 AM   #13
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 116Reputation: 116
Quote:
Originally Posted by win32sux
yes, considering what PPPoE is, it would make perfect sense for it to be used for sniffing... if i were you, i'd bust-out a known-good ppp package and a live cd and then compare checksums with those of the files installed on your box to rule-out a false-positive...
Not sure how useful this would be. You would only expect the executable to match (and hence the checksum to match) if the executables being compared were compiled by identical compilers using identical libraries, and identical compiler/linker options for identical target platforms.

Such a comparison would be valid if the pppoe being used as the baseline was from a disk image of THIS SYSTEM taken immediately after installation and prior to deployment (and hence therefore was presumably clean), where pppoe had not subsequently been upgraded (therefore changed). The comparison would also be valid on a package based distro where the package being used for the baseline was the same package that had originally been used for the install.

Comparing the source checksums would be useless; wouldn't identify whether the executable on the system had been built from that source.

If there is genuine concern about a rootkit in this case (though the OP seems to have found a likely culprit), probably the best thing to do is follow the protocol for cleaning a rootkitted computer, then install something like tripwire so that in the future it will be obvious.

Last edited by jiml8; 03-07-2007 at 10:13 AM.
 
Old 03-07-2007, 11:57 AM   #14
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
@jiml8: my comment assumed he was using slackware, due to his profile and signature... so yeah, the idea is to compare the checksums of the binaries in the original package with the checksums of what's currently on your box... anyhow, thanks for your input...

Last edited by win32sux; 03-07-2007 at 12:02 PM.
 
Old 03-08-2007, 12:44 AM   #15
live_dont_exist
Member
 
Registered: Aug 2004
Location: India
Distribution: Redhat 9.0,FC3,FC5,FC10
Posts: 257

Rep: Reputation: 30
Quote:
Originally Posted by jiml8
Then install something like tripwire so that in the future it will be obvious.
Yep though it wont be that useful now unless he's planning to do a complete cleanup and reinstall etc. Oh and 1 more thing , I believe Tripwire is commercial now so you might want to look at Aide just incase you plan to start from scratch.

Cheers
Arvind
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Vmware guest awilisch Linux - Software 1 01-24-2005 07:35 PM
Guest matt3333 Slackware 3 12-22-2003 10:15 AM
Can't connect to Guest OS grifta Linux - Networking 1 07-26-2003 10:09 PM
Guest OS ZoZo Linux - General 1 09-25-2002 05:40 PM
can only samba as a guest matt Linux - Networking 5 09-07-2001 01:56 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 03:02 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration