linux-admin.vger.kernel.org archive mirror
* hacked
From: urgrue @ 2002-06-12 11:51 UTC (permalink / raw)
  To: admin

hi,
A hacker has planted trojans and messed around with one of my boxes.
It's off the network, but I want to know what he did.
I replaced netstat, ps, lsof (and others) with originals, but nmap
shows that ports 1130 and 53228 are open on the box. I can even telnet
to these ports and get what definitely looks like backdoors.
But netstat and lsof can't find anything on these ports.
And ps of course doesn't show anything unusual.
Since I've replaced the binary commands with originals, but these ports
are still open, presumably some networking related library has been
trojaned?
Anyone know which one/ones, or how to find out?


* Re: hacked
From: Glynn Clements @ 2002-06-12 13:36 UTC (permalink / raw)
  To: urgrue; +Cc: admin


urgrue wrote:

> A hacker has planted trojans and messed around with one of my boxes.
> It's off the network, but I want to know what he did.
> I replaced netstat, ps, lsof (and others) with originals, but nmap
> shows that ports 1130 and 53228 are open on the box. I can even telnet
> to these ports and get what definitely looks like backdoors.
> But netstat and lsof can't find anything on these ports.
> And ps of course doesn't show anything unusual.
> Since I've replaced the binary commands with originals, but these ports
> are still open, presumably some networking related library has been
> trojaned?

Or the kernel itself.

Once a system has been cracked, the only reliable solutions are to
either revert to a known good backup, or start from scratch[1].

[1] Literally. Re-installing the OS over an existing filesystem won't
help if a trojan configuration file has been added; "dot" files in
root's home directory are a common vector.

-- 
Glynn Clements <glynn.clements@virgin.net>

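An added worked example, not code from anyone in this thread: the pattern urgrue describes (nmap sees a port, netstat and lsof on the box do not) can be checked mechanically by parsing the kernel's own socket table, /proc/net/tcp, and diffing its LISTEN entries against the externally scanned ports. The sample table text and the scanned port set below are constructed to mirror the thread; check_live() reads the real file on a Linux box. If the diff is non-empty after the userland tools have been replaced with clean copies, the lie is coming from below them, which is Glynn's point: a library, or the kernel itself.

```python
# Added example (not code from the thread): cross-check the kernel's socket
# table against ports seen by an external scan. The sample table and the
# scan results are constructed to mirror the thread.
import socket
import struct

LISTEN_STATE = "0A"  # TCP_LISTEN in the hex "st" column of /proc/net/tcp

# Constructed sample in /proc/net/tcp layout: sshd on 22 and a listener on
# 1130 are present; nothing on 53228, modelling a socket hidden from the table.
# Addresses are the raw 32-bit value printed as host-endian hex, so on x86
# 127.0.0.1 appears as 0100007F; ports are plain hex (0016 = 22).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 00000000:046A 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5678 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 9999 1 0000000000000000 20 4 30 10 -1
"""

# Ports an external nmap scan of the box reported open (constructed).
SCANNED_OPEN = {22, 1130, 53228}


def parse_listeners(table_text):
    """Return a set of (ip, port) for every IPv4 socket in LISTEN state."""
    listeners = set()
    for line in table_text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        local, state = fields[1], fields[3]
        if state != LISTEN_STATE:
            continue
        hex_ip, hex_port = local.split(":")
        # "<I" assumes a little-endian host, which is what the sample models.
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        listeners.add((ip, int(hex_port, 16)))
    return listeners


def hidden_ports(scanned_open, listeners):
    """Ports reachable from outside that the socket table does not admit to."""
    claimed = {port for _ip, port in listeners}
    return sorted(scanned_open - claimed)


def check_live(scanned_open):
    """Same comparison against the running kernel's /proc/net/tcp (Linux only)."""
    with open("/proc/net/tcp") as fh:
        return hidden_ports(scanned_open, parse_listeners(fh.read()))


if __name__ == "__main__":
    sample = parse_listeners(SAMPLE_PROC_NET_TCP)
    print("table claims:", sorted(sample))
    print("scanned but unclaimed:", hidden_ports(SCANNED_OPEN, sample))
```

A trojaned kernel can filter /proc/net/tcp exactly as it filters what netstat sees, so a clean diff is weak evidence and a dirty one is strong evidence; the scan has to come from a second machine.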

* Re: hacked
From: urgrue @ 2002-06-12 13:40 UTC (permalink / raw)
  To: Glynn Clements; +Cc: admin

Yes, true. I've already replaced the box with a fresh install, but I am
just curious to know what happened.


> 
> urgrue wrote:
> 
> > A hacker has planted trojans and messed around with one of my boxes.
> > It's off the network, but I want to know what he did.
> > I replaced netstat, ps, lsof (and others) with originals, but nmap
> > shows that ports 1130 and 53228 are open on the box. I can even telnet
> > to these ports and get what definitely looks like backdoors.
> > But netstat and lsof can't find anything on these ports.
> > And ps of course doesn't show anything unusual.
> > Since I've replaced the binary commands with originals, but these ports
> > are still open, presumably some networking related library has been
> > trojaned?
> 
> Or the kernel itself.
> 
> Once a system has been cracked, the only reliable solutions are to
> either revert to a known good backup, or start from scratch[1].
> 
> [1] Literally. Re-installing the OS over an existing filesystem won't
> help if a trojan configuration file has been added; "dot" files in
> root's home directory are a common vector.
> 
> --
> Glynn Clements <glynn.clements@virgin.net>
> 


* Re: hacked
From: Bruce Ferrell @ 2002-06-12 15:20 UTC (permalink / raw)
  To: urgrue; +Cc: admin

Search google for vsl and vetes.

You'll find a link to a pretty nice kit for locating rootkits and the like.
You don't mention what distro your system is.  Hate to say it, but if
it's RPM based, you can use the -V option to verify every stinking file
on the system if necessary.

urgrue wrote:

> Yes, true. I've already replaced the box with a fresh install, but I am
> just curious to know what happened.
> 
> 
> 
>>urgrue wrote:
>>
>>
>>>A hacker has planted trojans and messed around with one of my boxes.
>>>It's off the network, but I want to know what he did.
>>>I replaced netstat, ps, lsof (and others) with originals, but nmap
>>>shows that ports 1130 and 53228 are open on the box. I can even telnet
>>>to these ports and get what definitely looks like backdoors.
>>>But netstat and lsof can't find anything on these ports.
>>>And ps of course doesn't show anything unusual.
>>>Since I've replaced the binary commands with originals, but these ports
>>>are still open, presumably some networking related library has been
>>>trojaned?
>>>
>>Or the kernel itself.
>>
>>Once a system has been cracked, the only reliable solutions are to
>>either revert to a known good backup, or start from scratch[1].
>>
>>[1] Literally. Re-installing the OS over an existing filesystem won't
>>help if a trojan configuration file has been added; "dot" files in
>>root's home directory are a common vector.
>>
>>--
>>Glynn Clements <glynn.clements@virgin.net>
>>

* Re: hacked
From: Glynn Clements @ 2002-06-12 16:41 UTC (permalink / raw)
  To: Bruce Ferrell; +Cc: urgrue, admin


Bruce Ferrell wrote:

> Search google for vsl and vetes.
> 
> You'll find a link to a pretty nice kit for locating rootkits and the like.
> You don't mention what distro your system is.  Hate to say it, but if
> it's RPM based, you can use the -V option to verify every stinking file
> on the system if necessary.

But "rpm -V" suffers from the same problem as re-installing the OS
onto an existing filesystem. It will tell you if any of the files
which were installed from the RPM have changed, but it won't tell you
if a new file has been added.

IOW, just because "rpm -Va" doesn't find any problems, that doesn't
mean that you're safe.

-- 
Glynn Clements <glynn.clements@virgin.net>


* Re: hacked
From: fred orispaa @ 2002-06-12 20:28 UTC (permalink / raw)
  To: Glynn Clements, Bruce Ferrell; +Cc: urgrue, admin

My colleague tells me he found processes hidden on it with kill -31, and he
restored them with kill -32.
I couldn't find any info on these signals but I'll find out from him tomorrow.

Needless to say, tripwire is a godsend, and I will surely have to double my
efforts to get it installed on every box I have.
Also I am definitely going to have to take a look at lids; it seems like
one of those tools that once you get used to you wonder how you ever lived
without it...



>Bruce Ferrell wrote:
>
> > Search google for vsl and vetes.
> >
> > You'll find a link to a pretty nice kit for locating rootkits and the like.
> > You don't mention what distro your system is.  Hate to say it, but if
> > it's RPM based, you can use the -V option to verify every stinking file
> > on the system if necessary.
>
>But "rpm -V" suffers from the same problem as re-installing the OS
>onto an existing filesystem. It will tell you if any of the files
>which were installed from the RPM have changed, but it won't tell you
>if a new file has been added.
>
>IOW, just because "rpm -Va" doesn't find any problems, that doesn't
>mean that you're safe.
>
>--
>Glynn Clements <glynn.clements@virgin.net>
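An added example, not the procedure fred's colleague used: a rootkit that hides processes from ps (whatever signal it uses to toggle hiding) normally filters the /proc directory listing, but a process the kernel still schedules answers a signal-0 probe. Enumerating PIDs both ways and diffing them is the classic cross-check. hidden_pids() is the pure comparison, exercised on constructed sets; scan_live() does the real thing on a Linux box and intersects two passes so processes that exit between enumerations are not reported.

```python
# Added example (not from the thread): find processes that /proc does not
# list but the kernel still schedules. A rootkit that hides processes from
# ps usually filters the /proc directory listing; a hidden PID will still
# answer a signal-0 probe unless kill() has been hooked as well.
import os


def listed_pids():
    """PIDs that the /proc directory listing admits to (empty without procfs)."""
    try:
        return {int(name) for name in os.listdir("/proc") if name.isdigit()}
    except OSError:
        return set()


def probe_alive(pid):
    """True if a process with this PID exists, judged by kill(pid, 0)."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True            # exists, owned by someone else
    return True


def pid_max():
    """Upper bound for the brute-force probe; 32768 is the historical default."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return 32768


def hidden_pids(visible, alive):
    """PIDs that answered the probe but are missing from the listing."""
    return sorted(set(alive) - set(visible))


def scan_live(passes=2):
    """Probe every PID up to pid_max and compare with /proc (Linux only).

    Processes that exit between the probe and the listing would look hidden,
    so the result is the intersection of several passes.
    """
    result = None
    for _ in range(passes):
        alive = {pid for pid in range(1, pid_max() + 1) if probe_alive(pid)}
        found = set(hidden_pids(listed_pids(), alive))
        result = found if result is None else result & found
    return sorted(result)


def own_pid():
    return os.getpid()


if __name__ == "__main__":
    print("hidden PIDs:", scan_live())
```

A kernel module that hooks the kill path as well as the /proc listing defeats this probe, which is why the thread's other advice, reinstall from scratch, still stands.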

* Re: hacked
From: Bruce Ferrell @ 2002-06-13  2:09 UTC (permalink / raw)
  To: Glynn Clements; +Cc: urgrue, admin

Agreed, it will only tell you if executables (and/or libraries) have 
been modified.  That's what vsl is for... it hunts down those nasty 
hidden things (directories etc.)... if they're part of a known 
rootkit...  (Big if, I know).

In general, my experience is that when someone hacks in, they tend to 
install rootkits to maintain their foothold.  Between rpm -Va and a 
rootkit search, it's generally possible, in the real world, to have a 
reasonable assurance of a clean system.

Tripwire won't tell you if something you're not watching has changed. It 
won't tell you if a file has been added either.  It can only tell you if 
something you have under surveillance has changed.

Sometimes a complete re-install just isn't feasible, no matter how desirable.

Can we move on now?

Glynn Clements wrote:

> Bruce Ferrell wrote:
> 
> 
>>Search google for vsl and vetes.
>>
>>You'll find a link to a pretty nice kit for locating rootkits and the like.
>>You don't mention what distro your system is.  Hate to say it, but if
>>it's RPM based, you can use the -V option to verify every stinking file
>>on the system if necessary.
>>
> 
> But "rpm -V" suffers from the same problem as re-installing the OS
> onto an existing filesystem. It will tell you if any of the files
> which were installed from the RPM have changed, but it won't tell you
> if a new file has been added.
> 
> IOW, just because "rpm -Va" doesn't find any problems, that doesn't
> mean that you're safe.
> 

* Re: hacked
From: Gary E. Miller @ 2002-06-13  2:19 UTC (permalink / raw)
  To: Bruce Ferrell; +Cc: admin

Yo Bruce!

On Wed, 12 Jun 2002, Bruce Ferrell wrote:

> Tripwire won't tell you if something you're not watching has changed.

So use it to watch EVERYTHING!  The only thing I skip are home directories.

> It won't tell you if a file has been added either.  It can only tell you if
> something you have under surveillance has changed.

Not true.  Yes, the stupid suggested config is that dumb.  Depends on
your config.  I have it do things like watch everywhere but /home
for new files.  Takes time, but what else is happening at 3am?

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
	gem@rellim.com  Tel:+1(541)382-8588 Fax: +1(541)382-8676
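An added example to make concrete the point both Glynn (rpm -Va cannot report a file that was never in any package) and Gary (an integrity checker configured to watch whole trees can) are making. This is not tripwire's code, only the minimum of what such a checker does: hash every regular file under a root, keep the table somewhere the attacker cannot reach, and later report added, removed and modified paths. demo() builds a constructed throwaway tree, baselines it, simulates the compromise from the thread (replaced ls, a dropped dotfile, a config under dev/) and diffs.

```python
# Added example (not from the thread): a minimal file-integrity baseline of
# the kind tripwire keeps, which unlike "rpm -Va" also reports files that
# were added or removed. Paths and contents in demo() are constructed.
import hashlib
import os
import stat
import tempfile


def _sha256(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map each regular file under root (relative path) to (mode, size, sha256).

    lstat is used so a symlink planted over a binary is not followed; such
    an entry shows up as 'removed' against a baseline that had the real file.
    """
    table = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(path, root)
            table[rel] = (stat.S_IMODE(st.st_mode), st.st_size, _sha256(path))
    return table


def compare(baseline, current):
    """Added, removed and modified paths between two snapshots."""
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Build a toy root, baseline it, simulate the compromise, and diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/ls", b"original ls\n")
        _write(root, "root/.bashrc", b"alias ls='ls --color'\n")
        baseline = snapshot(root)

        _write(root, "bin/ls", b"trojaned ls\n")                          # replaced binary
        _write(root, "root/.ssh/authorized_keys", b"ssh-rsa AAAA attacker\n")  # added dotfile
        _write(root, "dev/.hidden/config", b"rootkit config\n")            # regular file in dev/
        os.remove(os.path.join(root, "root/.bashrc"))                     # removed
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The baseline and the checker belong on read-only media, and the comparison should run from a clean boot: a kernel-level rootkit can hand the checker the original bytes while serving the trojan to everything else, which is why Glynn's answer is still to reinstall.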

* Re: hacked
From: Glynn Clements @ 2002-06-13 11:46 UTC (permalink / raw)
  To: admin


Gary E. Miller wrote:

> > Tripwire won't tell you if something you're not watching has changed.
> 
> So use it to watch EVERYTHING!  The only thing I skip are home directories.

Home directories may host vulnerabilities (primarily via "dot" files);
this is more serious if any of the users are trusted in any way. You
should watch the home directories of any users who have root access
via su or sudo.

-- 
Glynn Clements <glynn.clements@virgin.net>


* Re: hacked
From: Gary E. Miller @ 2002-06-13 19:06 UTC (permalink / raw)
  To: Glynn Clements; +Cc: admin

Yo Glynn!

I prefer to watch admins over the shoulder instead of trusting a simple
program.  Anyone with root access needs to think security and reliability
all the time.  A sloppy admin is way more dangerous than all the hackers
in the world.

As for the thousands of other home directories we have a bit of a dilemma.
If we snoop at them too much we are invading their privacy and wasting our
time.  OTOH, we periodically scan for suid programs, suspicious links, etc.
in home directories and keep a close eye on the process tree.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
	gem@rellim.com  Tel:+1(541)382-8588 Fax: +1(541)382-8676

On Thu, 13 Jun 2002, Glynn Clements wrote:

> Gary E. Miller wrote:
>
> > > Tripwire won't tell you if something you're not watching has changed.
> >
> > So use it to watch EVERYTHING!  The only thing I skip are home directories.
>
> Home directories may host vulnerabilities (primarily via "dot" files);
> this is more serious if any of the users are trusted in any way. You
> should watch the home directories of any users who have root access
> via su or sudo.

* Re: hacked
From: Ionut Murgoci @ 2002-06-17 21:26 UTC (permalink / raw)
  To: urgrue; +Cc: Glynn Clements, admin

On Wed, 12 Jun 2002, urgrue wrote:

> yes, true. ive already replaced the box with a fresh install, but i am 
> just curious to know what happened.

It's simple. You had an LKM-based rootkit installed on that computer. You
didn't see those processes because they had been hidden.
  And I think you must search for normal files in /dev. The config files
for rootkits are often located there, or in /usr/share/man/man*.
  Rootkit detectors aren't so good; I saw systems infected and chkrootkit
didn't find a thing. If you're not so good in linux maybe you should reinstall
your machine with the latest preferred version and latest updates.
  
-- 
Murgoci Ionut
Network & System Engineer 
RDS Iasi - Network Operations Center
Phone: +40-32-218385  Fax: +40-32-225132
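An added example, not Ionut's code: a scan for the two things his post and Bruce's mention, regular files in a directory that should hold only device nodes, and dot-directories dropped there to hide things. demo() constructs a throwaway tree with a fifo, a symlink, an allowlisted script and a planted hidden config to show what gets reported; scan() takes any real directory such as /dev.

```python
# Added example (not from the thread): scan a directory that should contain
# only device nodes (like /dev) for regular files and dot-directories, which
# the post names as a common home for rootkit configuration.
import os
import stat
import tempfile


def scan(root, allow=()):
    """Report regular files and dot-directories under root.

    Uses lstat so a planted symlink is never followed. Entries in `allow`
    (paths relative to root) are files you have verified belong there.
    """
    report = {"regular": [], "hidden_dirs": [], "other": 0}
    for dirpath, dirs, files in os.walk(root):
        for name in dirs:
            if name.startswith("."):
                report["hidden_dirs"].append(
                    os.path.relpath(os.path.join(dirpath, name), root))
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if stat.S_ISREG(os.lstat(path).st_mode):
                if rel not in allow:
                    report["regular"].append(rel)
            else:
                report["other"] += 1   # device nodes, fifos, sockets, symlinks
    report["regular"].sort()
    report["hidden_dirs"].sort()
    return report


def demo():
    """Constructed stand-in for /dev: two legitimate non-regular entries,
    one allowlisted script, and a planted config inside a dot-directory."""
    with tempfile.TemporaryDirectory() as root:
        os.mkfifo(os.path.join(root, "initctl"))                     # fifo
        os.symlink("/proc/self/fd/0", os.path.join(root, "stdin"))  # symlink
        with open(os.path.join(root, "MAKEDEV"), "w") as fh:        # allowlisted
            fh.write("#!/bin/sh\n")
        os.makedirs(os.path.join(root, ".hidden"))
        with open(os.path.join(root, ".hidden", "cfg"), "w") as fh:  # planted
            fh.write("ports=1130,53228\n")
        return scan(root, allow=("MAKEDEV",))


if __name__ == "__main__":
    print(demo())
```

On a live system, run it against /dev and /usr/share/man with an allowlist built from a known-clean install of the same release, and remember the same caveat as for every check in this thread: a kernel-level rootkit can hide directory entries from this walk too.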