TCLUG Archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [TCLUG:22365] Hacked
I found a decent book for securing your network called "Hack Proofing your
Network". Has some BS in it, but overall it's a very good book. Covers
alot of background. Basically, it's a howto on how to break into your own
network, because if you can, someone else can.
http://www.amazon.com/exec/obidos/ASIN/1928994156/o/qid=971039356/sr=8-1/ref
=aps_sr_b_1_3/002-8010958-9596017
I even got my girlfriend to start reading it. If you're not interested in
security, it's still an interesting read. I've been doing network and Unix
security for the last couple of years and I still found some helpful things
in it.
For now though, everyone should make sure they shutdown things they don't
need. Comment out anything you don't need in /etc/inetd.conf and restart
inetd. Run nmap against your machine to see what ports are open, shutdown
anything you don't need. If you need to run a nameserver, either run bind
as a non-priveledged user in a chrooted environment, or grab a copy of
djbdns from http://cr.yp.to. If you need a mailserver, I don't suggest
sendmail at all. Use qmail or postfix. I'm sure I'll probably get some
flames for that, but sendmail is a security nightmare waiting to happen.
Disable telnet and get ssh running.
There's a bunch of other things you can do, but this should ward off almost
all script kiddies.
If you're feeling really adventurous, set up snort
(http://www.whitehats.com/ids). This will give you a good idea of whose
banging on your door. It's funny to see people running windows exploits
against Unix machines too. :) Our office network gets over 200 portscans
per day, and our webserver farm gets thousands. If nothing else, snort
should be able to scare you into caring about security. :)
Jay
-----Original Message-----
From: Austad, Jay
Sent: Sunday, October 08, 2000 4:01 PM
To: 'tclug-list@mn-linux.org'
Subject: RE: [TCLUG:22365] Hacked
The xferlog is probably clean because I don't think it logs anonymous users
by default. Can you upload files anonymously to your machine or make
directories anonymously?
CERT is http://www.cert.org
To find your version of bind do:
named -v
Make sure you look at your /etc/inetd.conf and see if anything was added and
check in the /var/named or /etc/named.d. Here is the link to the named
vulnerability: http://www.cert.org/advisories/CA-2000-03.html This exploit
requires the attacker to have control of a DNS server somewhere that is
authoritative for a valid domain.
Jay
-----Original Message-----
From: Brian [mailto:tobytoo@black-hole.com]
Sent: Sunday, October 08, 2000 3:54 PM
To: tclug-list@mn-linux.org
Subject: Re: [TCLUG:22365] Hacked
the xferlog is clean, as in empty, and the secure log has no mention of a
pbadmin logging in since i reinstalled on the 5th..
Do you have the url for CERT?
I should mentionthat my mobo is going wonky on me too. the battery that
holds the cmos is dead from the looks of it, it keeps defaulting my bios,
but
that only started after i shut down this afternoon.
where do i find my bind version?
"Austad, Jay" wrote:
> Look at /var/log/xferlog and look in /home/ftp and see if there's any
extra
> directories. If they knew what they were doing they would have removed
the
> extra directories that got created and wiped the log, but it's usually
some
> script kiddie who has no clue what he's doing. If the MKDIR's are logged,
> you'll be able to tell where they were coming from. Hopefully they were
> dumb enough to do it from their own machine. If you can find their IP,
> you'll want to notify the owner of that IP block because some of their
> machines may have been compromised.
>
> Also, CERT has a nice little article somewhere about rootkits and finding
if
> they installed one. Some have config files hidden in /dev that will give
> away the attackers IP.
>
> If you're running Bind older than 8.1.2, they could've used the IXFR
> exploit. Look in the directory that holds your zone files for a directory
> called ADMROCKS/. Also check your /etc/inetd.conf and see if they
appended
> anything to it.
>
> Jay Austad
> Network Administrator
> CBS Marketwatch
>
> -----Original Message-----
> From: Adam Maloney [mailto:adamm@sihope.com]
> Sent: Sunday, October 08, 2000 2:48 PM
> To: tclug-list
> Subject: Re: [TCLUG:22365] Hacked
>
> $10 says it's ftpd.
>
> Adam Maloney
> Systems Administrator
> Sihope Communications
>
> On Sun, 8 Oct 2000, Brian wrote:
>
> > My system was hacked last night, I was shut down from 10 pm until about
> > 9 this morning, when I rebooted I had a new account called pbadmin on my
> > login screen, before I just blow this acount away I would like to find
> > out how he got into my system. Any suggestions on how to back track
> > him?
> > I'm running caldera 2.4edesktop, with a dsl connection through a cisco
> > 675 and a netgear RT311 router.
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: tclug-list-unsubscribe@mn-linux.org
> > For additional commands, e-mail: tclug-list-help@mn-linux.org
> >
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tclug-list-unsubscribe@mn-linux.org
> For additional commands, e-mail: tclug-list-help@mn-linux.org
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tclug-list-unsubscribe@mn-linux.org
> For additional commands, e-mail: tclug-list-help@mn-linux.org
---------------------------------------------------------------------
To unsubscribe, e-mail: tclug-list-unsubscribe@mn-linux.org
For additional commands, e-mail: tclug-list-help@mn-linux.org
---------------------------------------------------------------------
To unsubscribe, e-mail: tclug-list-unsubscribe@mn-linux.org
For additional commands, e-mail: tclug-list-help@mn-linux.org