I am glad this happened before I started serving anything important. <g>
My lan will eventually include: one linux client/server internet server,
four macintosh machines and several linux/win95 machines. It's been my
intention to use Samba and NFS/NIS; however, I don't really know the security
consequences. I don't know if a lan this size really warrants NFS/NIS.
Basically, the lan is designed to allow workstations access to user /home
directories for the purpose of building and maintaining web sites. The
only workstation I need to have a client/server relationship on is my personal
workstation. I know there are volumes written on designing networks and security
so I'll be doing some homework this week.
/etc/log/messages
Dec 11 18:53:48 daddy PAM_pwdb[19257]: (su) session opened for user poop by port(uid=0)
Dec 11 18:54:44 daddy pppd[18357]: Modem hangup
Dec 11 18:54:44 daddy pppd[18357]: Connection terminated.
Dec 11 18:54:45 daddy pppd[18357]: Exit.
Dec 11 18:55:51 daddy kernel: PPP: ppp line discipline successfully unregistered
/etc/passwd
port:j7A3mq8PCNbzE:506:506::/home/port:/bin/bash
poop::0:0:poop:/tmp:/bin/bash
poop is an unauthorized user and I didn't create port. Is port also an unwelcome user, or is it something else?
I've commented the following from my /etc/inetd.conf file:
#ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
#ftp stream tcp nowait root /usr/home/rtp/programs/proftpd-1.2.0pre1/ proftpd
#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
#gopher stream tcp nowait root /usr/sbin/tcpd gn
#pop-2 stream tcp nowait root /usr/sbin/tcpd ipop2d
#pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d
#imap stream tcp nowait root /usr/sbin/tcpd imapd
My /etc/log/security file revealed numerous imapd entries:
Nov 5 16:13:19 daddy imapd[1314]: connect from 195.204.234.58
Nov 7 09:59:37 daddy imapd[6257]: connect from 24.226.154.56
Nov 7 10:02:44 daddy imapd[6295]: connect from 24.226.154.56
I haven't been using any image maps on the web that I was serving so I assume the imapd entries are exploits.
Anyway, I could put a volume of examples on here but I'll stop at this. Any feedback and thoughts are appreciated.
If I knew it was going to be this much fun, I'd have started 20 years ago.
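An added example, not the poster's own code, that audits /etc/passwd for the kind of entries quoted in the post above: a second account with UID 0, an empty password field, a home directory under /tmp, and a UID shared between accounts. The sample input is constructed from the two entries in the post plus a normal root line.

```python
# Added example (not from the original post): flag /etc/passwd entries that
# look like the "poop" account above. Run it as-is to audit the constructed
# sample, or point audit_passwd() at the text of a real /etc/passwd.

# Constructed sample: a normal root line plus the two entries quoted in the post.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
port:j7A3mq8PCNbzE:506:506::/home/port:/bin/bash
poop::0:0:poop:/tmp:/bin/bash
"""


def parse_passwd(text):
    """Yield (name, passwd, uid, gid, gecos, home, shell) for each well-formed line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            continue  # malformed line: skip rather than guess at its meaning
        name, pw, uid, gid, gecos, home, shell = fields
        yield name, pw, int(uid), int(gid), gecos, home, shell


def audit_passwd(text):
    """Return a list of (account, reason) findings, in file order."""
    findings = []
    seen_uids = {}  # uid -> first account name that used it
    for name, pw, uid, gid, gecos, home, shell in parse_passwd(text):
        if uid == 0 and name != "root":
            findings.append((name, "uid 0 but not root"))
        if pw == "":
            findings.append((name, "empty password field (no password needed)"))
        if home == "/tmp" or home.startswith("/tmp/"):
            findings.append((name, "home directory under /tmp"))
        if uid in seen_uids:
            findings.append((name, "uid %d shared with %s" % (uid, seen_uids[uid])))
        else:
            seen_uids[uid] = name
    return findings


if __name__ == "__main__":
    for account, reason in audit_passwd(SAMPLE_PASSWD):
        print("%s: %s" % (account, reason))
```

On the sample, every finding is against the poop entry; the port entry passes because it has a hashed password, a non-zero UID and a home under /home.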