Re: system cracked, /bin problems

From: James T. Dennis (jadestar_at_idiom.com)
Date: 09/08/03

  • Next message: shane Foster: "sendmail alias problem"
    Date: Mon, 08 Sep 2003 05:22:06 -0000
    
    

    In comp.unix.admin Bill Vermillion <bv@wjv.comremove> wrote:
    > In article <3f28bbd3$0$95049$c30e37c6@lon-reader.news.telstra.net>,
    > milo <nospam@localhost.com> wrote:
    >>"fatted" <fatted@yahoo.com> wrote in message
    >>news:4eb7646d.0307292313.4910501d@posting.google.com...

    >>> Unfortunately my unix (redhat 8) system was cracked. The cracker also
    >>> left behind a nice feature where if any of the below commands is run,
    >>> it appends itself to the other commands in the list.

    >>> Is anyone familiar with this? How are the appends achieved?

     Not really appending --- linking themselves into the execution path.
     This can be done any number of ways --- the most obvious would be
     through an /etc/ld.so.preload line. Of course that would be the
     easiest to detect and defeat, too. However I mention it as an example
     so you're aware of how trivial linking custom code into the execution
     path of virtually all of your dynamically linked programs can be.

    >> Format and start again.

    > Actually in a Unix system just remaking the file system will do it.

     I'd boot from an LNX-BBC or Knoppix (or other rescue disc), fetch
     and install chkrootkit (http://www.chkrootkit.org/ ) and run it;
     it can detect and identify a large number (over 50 and many variants
     of each) of rootkits; including kernel module rootkits.

     Knoppix includes a copy of chkrootkit; but that's at 0.40* and the
     website lists 0.41 as the current version. Also I recommend visiting
     their website to learn more about rootkits in general (since you're
     asking how a program could link itself into other executables as you've
     described).

     I think the site is far more valuable for edification than for the actual
     script.

     Note that you'll want to use the -r option when running the chkrootkit
     script from your Knoppix boot. Read the website for details.

     Later, when you re-install Linux on the box you have to try to figure
     how the attacker got in and eliminate that hole. Of course you should
     limit the installation --- installing only the packages you need --- and
     perform the routine hardening steps (disabling unnecessary services,
     reviewing the list of CGIs and other dynamic web services you're running
     etc). Be sure to fetch and install all of the updated RPMs from Red Hat
     before exposing the system again.

     Otherwise you'll obviously just get rooted again.

     Sadly all of that may not be enough. Review the list of CGIs and custom
     or 3rd party programs you're installing --- see if that's the source of
     your hole. If there's a scripted exploit against the updated Red Hat
     packages we'd all like to know about it.

     You can also consider switching distributions. Unfortunately none of
     the mainstream distributions is adding features like LIDS or GRSecurity.
     So, any of those hardened distributions will be exotic and entail plenty
     of learning curve and probably considerable political opposition as well.

     You'll want to install something like tripwire, AIDE or Samhain (or any
     of a number of other file integrity monitoring utilities). Tripwire is
     well known, old and ships with most copies of Red Hat. Therefore I'd
     use something else --- install it manually rather than through the RPM
     system, and name it something innocuous. Hide the execution of that
     as part of a wrapper around some other program or buried in some normal
     cron job so it won't be easily detected and disabled or tampered with by a
     successful attacker. (An obvious installation of tripwire, AIDE or
     whatever will still catch many unsophisticated worms and scripts --- but
     it's worth a little effort to install a second one more surreptitiously
     when you KNOW you've already been cracked once).

     If you follow these normal recommended hardening practices (which
     SHOULD BE routine) and you still get cracked into again --- then you want
     to solicit some forensics help so we can all benefit from figuring out
     how they're getting in and release fixes.

    -- 
    Jim Dennis,
    Starshine: Signed, Sealed, Delivered
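The two checks Jim describes, done from a rescue boot, as an added example that is not part of the original post: list whatever /etc/ld.so.preload is forcing into every dynamically linked program on the suspect disk, and run a minimal sha256 baseline/verify pair over bin/ and sbin/ of the kind tripwire, AIDE and Samhain automate. It assumes the compromised root filesystem is mounted read-only under some directory (the rescue disc's own clean tools do the reading, never the suspect binaries), and the tree it builds under mktemp, including the /lib/libexample.so preload entry, is a constructed stand-in for such a mount, not data from the thread.

```shell
#!/bin/sh
# Added example: offline checks of a compromised root mounted from a rescue
# disc (e.g. at /mnt). Every path is taken relative to that mount so the
# rescue system's own binaries do the work, not the suspect ones.

# Print the active entries of ROOT/etc/ld.so.preload: each listed library is
# loaded into every dynamically linked program started on that system.
# Prints nothing if the file is absent (the normal state).
check_preload() {
    cp_file="$1/etc/ld.so.preload"
    [ -f "$cp_file" ] || return 0
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$cp_file"
}

# make_baseline ROOT MANIFEST DIR...: write "sha256  relative/path" for every
# regular file under the given directories (relative to ROOT). Take it right
# after the clean reinstall and keep it off the box. Paths must not contain
# spaces (fine for bin/ and sbin/).
make_baseline() {
    mb_root=$1; mb_out=$2; shift 2
    ( cd "$mb_root" && find "$@" -type f | LC_ALL=C sort | xargs -r sha256sum ) > "$mb_out"
}

# verify_baseline ROOT MANIFEST DIR...: compare the mounted tree with the
# stored manifest. Prints one CHANGED / MISSING / NEW line per file and
# returns 1 if anything differs, 0 if the tree matches the baseline.
verify_baseline() {
    vb_root=$1; vb_manifest=$2; shift 2
    vb_current=$(mktemp)
    make_baseline "$vb_root" "$vb_current" "$@"
    vb_report=$(awk 'FILENAME == ARGV[1] { base[$2] = $1; next }
        {
            if (!($2 in base))         print "NEW " $2
            else if (base[$2] != $1)   print "CHANGED " $2
            delete base[$2]
        }
        END { for (f in base) print "MISSING " f }' "$vb_manifest" "$vb_current" | LC_ALL=C sort)
    rm -f "$vb_current"
    [ -z "$vb_report" ] && return 0
    printf '%s\n' "$vb_report"
    return 1
}

# --- Constructed sample tree standing in for the mounted root ---------------
DEMO_ROOT=$(mktemp -d)
DEMO_MANIFEST="$DEMO_ROOT.manifest"
mkdir -p "$DEMO_ROOT/etc" "$DEMO_ROOT/bin" "$DEMO_ROOT/sbin"
printf 'echo ls\n'       > "$DEMO_ROOT/bin/ls"
printf 'echo ps\n'       > "$DEMO_ROOT/bin/ps"
printf 'echo ifconfig\n' > "$DEMO_ROOT/sbin/ifconfig"

# Baseline while the tree is known good.
make_baseline "$DEMO_ROOT" "$DEMO_MANIFEST" bin sbin

# Simulate the state described in the thread: a trojaned ls, an extra hidden
# binary, and a preload entry (the library path is a constructed placeholder).
printf 'echo ls; : trojan\n' > "$DEMO_ROOT/bin/ls"
printf 'echo hidden\n'       > "$DEMO_ROOT/bin/.x"
printf '# added by attacker\n/lib/libexample.so\n' > "$DEMO_ROOT/etc/ld.so.preload"

echo "preloaded libraries:"
check_preload "$DEMO_ROOT"
echo "integrity report:"
verify_baseline "$DEMO_ROOT" "$DEMO_MANIFEST" bin sbin || echo "-> tree differs from baseline"
```

On a real mount the same functions are called with the mount point, e.g. `check_preload /mnt` and `verify_baseline /mnt /media/usb/baseline.sha256 bin sbin usr/bin usr/sbin`, alongside `chkrootkit -r /mnt` as Jim suggests. On Red Hat `rpm -Va --root /mnt` gives a similar per-file verification against the package database, but that database lives on the compromised disk and can be edited by the same attacker, which is why a manifest stored off the box (or the separately installed integrity checker Jim recommends) is the one to trust.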
    
