Re: Uh-oh. Cracked already. I think...
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Dear Tim, dear all,
Thanks for all the responses.
I realize it's pretty bold trying to put a box on the net without having
extensive admin experience beforehand. But I think I'm learning fast, and
I hope I'll be able to do it without placing any burden on the rest of the
net. That is, except for you guys... :-) Your help is greatly appreciated!
On 23 May 2002, Tim Haynes wrote:
>Kjetil Kjernsmo <kjetil.kjernsmo@astro.uio.no> writes:
>
>> To address this first: It is the gnutella server that causes alarm, so is
>> there anything I could have done that would install gnutella but escape
>> my attention? I certainly never did apt-get install gnutella (I tried
>> apt-get remove gnutella yesterday, with no effect). Is it likely that if
>> I don't know how it got there, it has been installed by a cracker? I've
>> tried to telnet 217.77.32.186 6346 but get no connection.
>
>Well if something's got on there that you don't remember installing, can I
>have some of what you're taking? ;)
Hehe... I was sooooo sure it would be at least one copy of Star Wars II,
but no... ;-) There's nothing here... I've walked through the whole disk,
and I can't find anything of any size that I don't know what is. Whatever
it is, it has to be rather small...
>It's at this point that you should start debugging what's really listening
>on your box from what a scanner says you are. I suggest you nmap yourself
>to see what ports you really have open, and compare against
> netstat -plant | grep LIST
>(here's your first potential clue: if netstat complains about `-p', it's
>been trojanned.)
It complained about -p when I wasn't root...
OK. This is what nmap says, launched from my workstation:
Port State Service
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop-3
111/tcp open sunrpc
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
1024/tcp open kdm
1025/tcp open listen
6346/tcp filtered gnutella
Whereas this is nmap from the machine itself:
kjetil@pooh:~$ nmap pooh
Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Warning: You are not root -- using TCP pingscan rather than ICMP
Interesting ports on pooh.kjernsmo.net (217.77.32.186):
(The 1545 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop-3
111/tcp open sunrpc
139/tcp open netbios-ssn
1024/tcp open kdm
1025/tcp open listen
So, the suspicious gnutella port isn't in the latter. I don't know what
kdm is doing there, BTW. I unselected X and desktop in the initial
tasksel. There seems to have been installed some X stuff nevertheless, but
neither KDE nor kdm has ever been installed on this box.
So for netstat:
pooh:~# netstat -plant | grep LIST
tcp 0 0 0.0.0.0:1024 0.0.0.0:* LISTEN 209/rpc.statd
tcp 0 0 0.0.0.0:1025 0.0.0.0:* LISTEN 236/rpc.mountd
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 218/inetd
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 218/inetd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 123/portmap
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 6586/apache
tcp 0 0 217.77.32.186:53 0.0.0.0:* LISTEN 194/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 194/named
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 285/sshd
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 201/lwresd
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 218/inetd
(slightly reformatted to fit better)
>Next, if you've got a socket listener or 6346 (IIRC, the most frequently
>used gnutella port), try telnetting into it and see what banner, if any, it
>presents.
Nope, nothing...
pooh:~# telnet 217.77.32.186 6346
Trying 217.77.32.186...
telnet: Unable to connect to remote host: Connection refused
to be sure.
>At some stage you should probably run _chkrootkit_ on the blighter, too.
Yeah, I've done that several times. chkrootkit was described in "Securing
Debian", so I installed it before moving it, but only ran it just after I
saw the gnutella port. Nothing detected.
>Do you have an original AIDE database from immediately after it was
>installed?
Uh, don't think so. I installed snort, but didn't take the time to play
with it. I thought that would do the job too... Can I get the required
information from the snort install...?
>> I tried to set the suggested PermitRootLogin for ssh to no,
>> but ssh gave me some message that I thought meant it didn't recognize it.
>
>That's weird. Try running an sshd from a terminal, to read /etc/ssh/*, and
>see if you get any syntax errors there.
Yeah, I got something weirder now...:
pooh:/etc/ssh# /usr/sbin/sshd -f /etc/ssh/ssh_config
/etc/ssh/ssh_config: line 19: Bad configuration option: ForwardX11
/etc/ssh/ssh_config: line 24: Bad configuration option: FallBackToRsh
/etc/ssh/ssh_config: line 31: Bad configuration option: IdentityFile
/etc/ssh/ssh_config: line 36: Bad configuration option: PreferredAuthentications
/etc/ssh/ssh_config: terminating, 4 bad configuration options
What could be wrong about e.g.:
ForwardX11 yes
>Here's another idea:
>
> | zsh/scr, potato 5:03PM piglet % md5sum /var/cache/apt/archives/*ssh*
> | /usr/sbin/sshd
> | 0c1ef2fb11aa02a3b6af95157038e71b ssh_1%3a3.0.2p1-9_i386.deb
> | a68ece0b46d2f42b655d0bf6434c317a /usr/sbin/sshd
They are OK.
>> exploitable. I put the report on <URL:
>> http://www.astro.uio.no/~kjetikj/tmp/pooh-nessus-2002-22-05.html >
>
>That said, you probably want to check the Changelog(.Debian.gz) for ssh -
>I'd be surprised if the patches required hadn't made it down into Testing.
The marked hole was indeed patched, but I couldn't find anything about the
warning (OpenSSH < 3.2.1).
>> If it has been cracked, what should I do? I could run up to my hosts and
>> have them turn it off, I guess. But then what? I have really no clue what
>> happened, and while I could turn off some more services, it seems like
>> the biggest security problems are with ssh and smtp, that is, OpenSSH and
>> Exim, so would a clean reinstall help a lot?
>
><http://www.cert.org/tech_tips/win-UNIX-system_compromise.html>.
>
>First assess whether you really have been breached; if you have, you *must*
>reformat, reinstall, update all packages, firewall, install an IDS (aide)
>and nIDS (snort) - but take a forensic last-minute backup before you do.
Well, yeah, I still don't know if I've been breached; after all, it is only
the gnutella entry in the nmap I do from my workstation, but then, better
safe than sorry...
Best,
Kjetil
- --
Kjetil Kjernsmo
Recent astrophysics graduate                 Problems worthy of attack
University of Oslo, Norway                   Prove their worth by hitting back
E-mail: kjetikj@astro.uio.no                                   - Piet Hein
Homepage <URL:http://folk.uio.no/kjetikj/>
Webmaster@skepsis.no                         OpenPGP KeyID: 6A6A0BBC
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (OSF1)
Comment: For info see http://www.gnupg.org
iD8DBQE87jDrlE/Gp2pqC7wRAkV2AJ0b+VHstC/rayVRb6i4gzp3Fd5siACfSBBR
LleteNVSzvw60ojr3BIF6RA=
=p4tv
-----END PGP SIGNATURE-----
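The core of Tim's advice is to reconcile what a remote scanner reports with what the host itself says is listening. The script below is an added example, not code from the thread or from Debian; it embeds constructed copies of the two outputs shown above (the external nmap port list and the root `netstat -plant | grep LIST` lines) and classifies each port. The function names `local_listeners` and `reconcile` and the verdict labels are this example's own. Note that nmap's "filtered" means its probes were dropped somewhere between the scanner and the host, which is consistent with a packet filter on the path and is not by itself evidence of a listener on the host; the script keeps that distinction separate from a port that is genuinely open from outside with nothing listening locally, which is the case that would actually merit alarm.

```shell
#!/bin/sh
# Added example, not code from the original thread. Cross-checks an
# external nmap port list against the host's own `netstat -plant` output.
# Both inputs below are constructed samples shaped like the outputs posted
# in the message; the function names are this example's own.

# Constructed: what a scanner on another host reported.
NMAP_EXTERNAL='Port State Service
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop-3
111/tcp open sunrpc
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
1024/tcp open kdm
1025/tcp open listen
6346/tcp filtered gnutella'

# Constructed: `netstat -plant | grep LIST` run as root on the host itself.
NETSTAT_LOCAL='tcp 0 0 0.0.0.0:1024 0.0.0.0:* LISTEN 209/rpc.statd
tcp 0 0 0.0.0.0:1025 0.0.0.0:* LISTEN 236/rpc.mountd
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 218/inetd
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 218/inetd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 123/portmap
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 6586/apache
tcp 0 0 217.77.32.186:53 0.0.0.0:* LISTEN 194/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 194/named
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 285/sshd
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 201/lwresd
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 218/inetd'

# local_listeners NETSTAT_TEXT -> one "port pid/program" line per TCP LISTEN
# socket. Column 4 of netstat is the local "addr:port"; the port follows the
# last ':' (so IPv6 addresses with embedded colons are handled too).
local_listeners() {
  printf '%s\n' "$1" | awk '$1 == "tcp" && $6 == "LISTEN" {
    n = split($4, a, ":"); print a[n], $7 }' | sort -u
}

# reconcile NMAP_TEXT NETSTAT_TEXT -> one "port verdict program" line each:
#   ok                 open from outside and a known local listener
#   SUSPICIOUS         open from outside but nothing local listens: either an
#                      unexplained listener or something else in the path
#   filtered-upstream  probes were dropped on the path; says nothing about
#                      whether the host listens there
#   local-only         listens locally but the scanner never saw it
reconcile() {
  printf '%s\n' "$1" | awk -v listeners="$(local_listeners "$2")" '
    BEGIN {
      m = split(listeners, L, "\n")
      for (i = 1; i <= m; i++) if (split(L[i], f, " ") == 2) proc[f[1]] = f[2]
    }
    $1 ~ /^[0-9]+\/tcp$/ {
      split($1, p, "/"); port = p[1]; state = $2
      known = (port in proc) ? proc[port] : "no-local-listener"
      if (state == "open" && (port in proc)) verdict = "ok " known
      else if (state == "open")              verdict = "SUSPICIOUS " known
      else if (state == "filtered")          verdict = "filtered-upstream " known
      else                                   verdict = state " " known
      seen[port] = 1
      print port, verdict
    }
    END { for (port in proc) if (!(port in seen)) print port, "local-only " proc[port] }
  ' | sort -n
}

reconcile "$NMAP_EXTERNAL" "$NETSTAT_LOCAL"
```

On the constructed data this reports 6346 as `filtered-upstream no-local-listener`, 137 and 138 likewise, 139 as `filtered-upstream 218/inetd`, and 953 (lwresd on 127.0.0.1) as `local-only`; nothing comes out `SUSPICIOUS`. The one caveat that applies to every line of this check is the one Tim already raised: netstat, ps and the kernel's socket tables are exactly what a rootkit hides from, so a clean reconciliation is only as trustworthy as the binaries producing it, and an external scan that shows an open port with no local explanation should be believed over the local tools.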
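Tim's md5sum suggestion and his "if netstat complains about -p, it's been trojanned" remark both come down to the same check: does each installed binary still match what the package shipped? Debian records the shipped checksums in `/var/lib/dpkg/info/<package>.md5sums` (md5sum's own "hash  path" format, paths relative to /), and the `debsums` package automates the comparison. The script below is an added example, not code from the thread, Debian or debsums; it implements that comparison against a constructed fixture tree in which one binary is replaced after the manifest was taken. The names `verify_pkg_files` and `build_demo_root` and the fixture contents are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original thread. Checks installed files
# against a package's md5sum manifest, in the same spirit as Debian's
# /var/lib/dpkg/info/<pkg>.md5sums files and the debsums tool. The fixture
# root and the "replaced" netstat below are constructed for the demo.

# verify_pkg_files MANIFEST ROOT
# MANIFEST lines are "<md5>  <path relative to ROOT>" (md5sum's format).
# Prints "<actual-md5-or-MISSING> <path>" for every file that does not match
# and returns 1 if any did; prints nothing and returns 0 when all match.
verify_pkg_files() {
  manifest=$1; root=$2; rc=0
  while read -r expected path; do
    [ -n "$path" ] || continue
    actual=$(md5sum -- "$root/$path" 2>/dev/null | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
      printf '%s %s\n' "${actual:-MISSING}" "$path"
      rc=1
    fi
  done < "$manifest"
  return $rc
}

# build_demo_root -> prints a temp directory laid out like a tiny system
# root, with a manifest generated before one binary is replaced.
build_demo_root() {
  root=$(mktemp -d)
  mkdir -p "$root/usr/sbin" "$root/bin"
  printf 'pretend sshd binary\n'    > "$root/usr/sbin/sshd"
  printf 'pretend netstat binary\n' > "$root/bin/netstat"
  # Manifest paths are relative to the root, as in dpkg's .md5sums files.
  ( cd "$root" && md5sum usr/sbin/sshd bin/netstat ) > "$root/demo.md5sums"
  # Simulate a replaced netstat; sshd is left untouched.
  printf 'replaced netstat\n' > "$root/bin/netstat"
  printf '%s\n' "$root"
}

demo_root=$(build_demo_root)
if verify_pkg_files "$demo_root/demo.md5sums" "$demo_root"; then
  echo "all files match the manifest"
else
  echo "mismatches listed above; compare against a .deb fetched from a clean mirror"
fi
rm -rf "$demo_root"
```

Two caveats a practitioner would add. First, on a box that may already be rooted, the manifest in /var/lib/dpkg/info, the md5sum binary, the shell and the kernel are all candidates for tampering, so the trustworthy version of this check takes the expected hashes from a .deb obtained from a clean mirror and runs from a boot medium, which is why Tim's plan ends in a forensic backup followed by a reinstall. Second, on the sshd run in the message: the file passed with `-f` was /etc/ssh/ssh_config, which is the client's configuration; the daemon reads /etc/ssh/sshd_config, and ForwardX11, FallBackToRsh, IdentityFile and PreferredAuthentications are all client-side keywords that sshd does not accept, so those four rejections are what a correct sshd says when handed the wrong file, not a sign that the binary or its config has been altered.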