TCLUG Archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

I've been compromised! <g>



Well,

I am glad this happened before I started serving anything important. <g>

My lan will eventually include; one linux clinet/server internet server, four macintosh machines and several linux/win95 machines. It's been my intention to use Samba and NFS/NIS; however, I don't really know the security consequences. I don't know if a lan this size really warrants NFS/NIS. Basically, the lan is designed to allow workstations access to user /home directories for the purpose of building and maintaining web sites. The only workstation I need to have a client/server relationship on is my personal workstation. I know there's volumes written on designing networks and security so I'll be doing some homework this week.
 

/etc/log/messages
Dec 11 18:53:48 daddy PAM_pwdb[19257]: (su) session opened for user poop by port(uid=0)
Dec 11 18:54:44 daddy pppd[18357]: Modem hangup
Dec 11 18:54:44 daddy pppd[18357]: Connection terminated.
Dec 11 18:54:45 daddy pppd[18357]: Exit.
Dec 11 18:55:51 daddy kernel: PPP: ppp line discipline successfully unregistered
/etc/passwd
port:j7A3mq8PCNbzE:506:506::/home/port:/bin/bash
poop::0:0:poop:/tmp:/bin/bash
poop is an unauthorized user and I didn't create port. Is port also an unwelcome user or is something else?
I've commented the following from my /etc/inetd.conf file:
#ftp    stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a 
#ftp    stream  tcp     nowait  root    /usr/home/rtp/programs/proftpd-1.2.0pre1/ proftpd 
#telnet stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd 
#gopher stream  tcp     nowait  root    /usr/sbin/tcpd  gn 
#pop-2   stream  tcp     nowait  root    /usr/sbin/tcpd ipop2d 
#pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd ipop3d 
#imap    stream  tcp     nowait  root    /usr/sbin/tcpd imapd
My /etc/log/security file revealed numerous imapd entries:
Nov  5 16:13:19 daddy imapd[1314]: connect from 195.204.234.58 
Nov  7 09:59:37 daddy imapd[6257]: connect from 24.226.154.56 
Nov  7 10:02:44 daddy imapd[6295]: connect from 24.226.154.56
I haven't been using any image maps on the web that I was serving so I assume the imapd entries are exploits.
Anyway, I could put a volume of examples on here but I'll stop at this. Any feedback and thoughts are appreciated.
If I knew it was going to be this much fun, I'ld have started 20 years ago.