TCLUG Archive
RE: [TCLUG:2779] I've been compromised! <g>
sorry to say.. imap is not for image maps.. it's for imap mail services..
vulnerabilities exist in older versions.. i suggest you do a format/reinstall
with latest version of your distro.. i wouldn't trust that box for 5 min
On 14-Dec-98 rtp wrote:
> Well,
>
> I am glad this happened before I started serving anything important. <g>
>
> My lan will eventually include; one linux client/server internet server,
> four macintosh machines and several linux/win95 machines. It's been my
> intention to use Samba and NFS/NIS; however, I don't really know the
> security consequences. I don't know if a lan this size really warrants
> NFS/NIS. Basically, the lan is designed to allow workstations access to
> user /home directories for the purpose of building and maintaining web
> sites. The only workstation I need to have a client/server relationship
> on is my personal workstation. I know there are volumes written on
> designing networks and security so I'll be doing some homework this
> week.
>
>
> /etc/log/messages
>
> Dec 11 18:53:48 daddy PAM_pwdb[19257]: (su) session opened for user poop by
> port(uid=0)
> Dec 11 18:54:44 daddy pppd[18357]: Modem hangup
> Dec 11 18:54:44 daddy pppd[18357]: Connection terminated.
> Dec 11 18:54:45 daddy pppd[18357]: Exit.
> Dec 11 18:55:51 daddy kernel: PPP: ppp line discipline successfully
> unregistered
>
> /etc/passwd
>
> port:j7A3mq8PCNbzE:506:506::/home/port:/bin/bash
> poop::0:0:poop:/tmp:/bin/bash
>
> poop is an unauthorized user and I didn't create port. Is port also an
> unwelcome user or is something else?
>
> I've commented the following from my /etc/inetd.conf file:
>
>#ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
>#ftp stream tcp nowait root
>#/usr/home/rtp/programs/proftpd-1.2.0pre1/ proftpd
>#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
>#gopher stream tcp nowait root /usr/sbin/tcpd gn
>#pop-2 stream tcp nowait root /usr/sbin/tcpd ipop2d
>#pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d
>#imap stream tcp nowait root /usr/sbin/tcpd imapd
>
> My /etc/log/security file revealed numerous imapd entries:
>
> Nov 5 16:13:19 daddy imapd[1314]: connect from 195.204.234.58
> Nov 7 09:59:37 daddy imapd[6257]: connect from 24.226.154.56
> Nov 7 10:02:44 daddy imapd[6295]: connect from 24.226.154.56
>
> I haven't been using any image maps on the web that I was serving so I assume
> the imapd entries are exploits.
>
> Anyway, I could put a volume of examples on here but I'll stop at this. Any
> feedback and thoughts are appreciated.
>
> If I knew it was going to be this much fun, I'd have started 20 years ago.
Thank You,
Ben Kochie (ben@nerp.net)
*-----------------------* [ - * - * - * - * - * - * - * - ]
| Unix/Linux Consulting | [ Haiku Error Message: ]
| PC/Mac Repair | [ Chaos reigns within. ]
| Networking | [ Reflect, repent, and reboot. ]
| http://nerp.net | [ Order shall return. ]
*-----------------------* [ - * - * - * - * - * - * - * - ]
"Unix is user friendly, Its just picky about its friends."
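As an added example, not part of this thread, here is a small Python check that turns the indicators rtp found into an automated pass over /etc/passwd-style records and syslog lines: a uid 0 account other than root, an empty password field, a home directory under /tmp, an su session opened as such an account, and connections logged by the inetd services he commented out. The sample data is constructed, modelled on the lines quoted above, and the service list is an assumption.

```python
import re

# Constructed samples modelled on the thread's quoted lines (not the real files).
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
port:j7A3mq8PCNbzE:506:506::/home/port:/bin/bash
poop::0:0:poop:/tmp:/bin/bash
"""
MESSAGES_SAMPLE = """Dec 11 18:53:48 daddy PAM_pwdb[19257]: (su) session opened for user poop by port(uid=0)
Dec 11 18:54:44 daddy pppd[18357]: Modem hangup
Nov 7 09:59:37 daddy imapd[6257]: connect from 24.226.154.56
"""

# PAM_pwdb su record and tcpd-style "connect from" record, as seen in the thread.
SU_RE = re.compile(r"\(su\) session opened for user (\S+) by (\S+)\(uid=\d+\)")
CONNECT_RE = re.compile(r"\s(\w+)\[\d+\]: connect from (\S+)")


def passwd_records(text):
    """Yield the seven colon-separated fields of each /etc/passwd record."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and not line.startswith("#"):
            yield fields


def audit_passwd(text):
    """Flag a non-root uid 0 account, an empty password field, a /tmp home."""
    findings = []
    for name, pw, uid, _gid, _gecos, home, _shell in passwd_records(text):
        if uid == "0" and name != "root":
            findings.append((name, "uid 0 account that is not root"))
        if pw == "":
            findings.append((name, "empty password field"))
        if home == "/tmp" or home.startswith("/tmp/"):
            findings.append((name, "home directory under /tmp"))
    return findings


def audit_messages(text, passwd_text, watched=("imapd", "telnetd", "ftpd")):
    """Flag su sessions opened as a non-root uid 0 account and connections
    logged by the watched inetd services (service list is an assumption)."""
    uid0 = {f[0] for f in passwd_records(passwd_text) if f[2] == "0"}
    findings = []
    for line in text.splitlines():
        m = SU_RE.search(line)
        if m and m.group(1) in uid0 and m.group(1) != "root":
            findings.append(("su", f"{m.group(2)} opened a session as {m.group(1)}"))
        m = CONNECT_RE.search(line)
        if m and m.group(1) in watched:
            findings.append((m.group(1), f"connect from {m.group(2)}"))
    return findings
```

Run it against the real /var/log and /etc/passwd from a rescue boot, not from the compromised system's own binaries, since those may already have been replaced.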