TCLUG Archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [TCLUG:2779] I've been compromised! <g>



The default imap has some major security vulnerabilities. Get rid of it or
upgrade to a recent version. That's all you can do, really...

----
Nate Carlson
The Infinite Loop
natecars@infiniteloop.com

On Sun, 13 Dec 1998, rtp wrote:

> Well,
> 
> I am glad this happened before I started serving anything important. <g>
> 
> My lan will eventually include; one linux clinet/server internet server,
> four macintosh machines and several linux/win95 machines. It's been my
> intention to use Samba and NFS/NIS; however, I don't really know the
> security consequences. I don't know if a lan this size really warrants
> NFS/NIS. Basically, the lan is designed to allow workstations access to
> user /home directories for the purpose of building and maintaining web
> sites. The only workstation I need to have a client/server relationship
> on is my personal workstation. I know there's volumes written on
> designing networks and security so I'll be doing some homework this
> week.
> 
> 
> /etc/log/messages
> 
> Dec 11 18:53:48 daddy PAM_pwdb[19257]: (su) session opened for user poop by port(uid=0)
> Dec 11 18:54:44 daddy pppd[18357]: Modem hangup
> Dec 11 18:54:44 daddy pppd[18357]: Connection terminated.
> Dec 11 18:54:45 daddy pppd[18357]: Exit.
> Dec 11 18:55:51 daddy kernel: PPP: ppp line discipline successfully unregistered
> 
> /etc/passwd
> 
> port:j7A3mq8PCNbzE:506:506::/home/port:/bin/bash
> poop::0:0:poop:/tmp:/bin/bash
> 
> poop is an unauthorized user and I didn't create port. Is port also an unwelcome user or is something else?
> 
> I've commented the following from my /etc/inetd.conf file:
> 
> #ftp    stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
> #ftp    stream  tcp     nowait  root    /usr/home/rtp/programs/proftpd-1.2.0pre1/ proftpd
> #telnet stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
> #gopher stream  tcp     nowait  root    /usr/sbin/tcpd  gn
> #pop-2   stream  tcp     nowait  root    /usr/sbin/tcpd ipop2d
> #pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd ipop3d
> #imap    stream  tcp     nowait  root    /usr/sbin/tcpd imapd
> 
> My /etc/log/security file revealed numerous imapd entries:
> 
> Nov  5 16:13:19 daddy imapd[1314]: connect from 195.204.234.58
> Nov  7 09:59:37 daddy imapd[6257]: connect from 24.226.154.56
> Nov  7 10:02:44 daddy imapd[6295]: connect from 24.226.154.56
> 
> I haven't been using any image maps on the web that I was serving so I assume the imapd entries are exploits.
> 
> Anyway, I could put a volume of examples on here but I'll stop at this. Any feedback and thoughts are appreciated.
> 
> If I knew it was going to be this much fun, I'ld have started 20 years ago.
>