[ale] I can't seem to plug up all the security holes in my box...

Jim Kinney jkinney at teller.physics.emory.edu
Tue Jun 20 20:57:03 EDT 2000


You've got problems!

Start by dropping to single-user mode and from a known good source replace
every binary that touches any aspect of networking, login and logging.
Make sure you are using shadow passwords. You also need to do a security
scan for cgi scripts with holes. That is hard work. Try using nessus from
another machine to probe your system after you bring it back to multiuser
mode. 

The time some of my machines got cracked it wound up being easier to pull
off the user data and wipe the drive and start over. 

Scan the drives for setuid/setgid files. Make all your users change
passwords. In other words, change it for them and wait for the phone call.

Ideal scenario:

Build a new machine with known good binaries. Move over inspected user
files. Assign new passwords. Swap machines. Answer phones and console
users. 

JimK

On Tue, 20 Jun 2000, Jay Finch wrote:

> 
> Hi y'all,
>          I always try to fix something myself, but I'm totally stumped at 
> this juncture.
> 
> Here's the scenario:
> I noticed somebody logging into my server from a domain I didn't 
> recognize.  When I queried the user, I found out that it wasn't my user, 
> but that someone had cracked their account.
> 
> I promptly kicked them off the system, but not before they had grabbed 
> copies of my /var/log/messages, /var/log/syslog, /etc/passwd, and /etc/shadow
> 
> Now I'm plagued with them continuing to log back in (from different spoofed 
> domains every time) under new accounts they keep cracking the PW's on.
> 
> I thought they were using the Sendmail 8.9.x + Linux 2.2.14 Root exploit, 
> but I upgraded to the 2.2.16 and Sendmail 8.10.2, to no avail.  I also 
> closed down my telnet ports and only allow folks to use SSH now, but that 
> didn't help.
> 
> Earlier today they logged in, gained root access somehow, and deleted ALL 
> of my system logs and all of my BACKUPS.
> 
> I freely admit that I'm not the wisest or smartest Admin around, but I need 
> to keep these weasels out.  I have about 150 users, with around 75 Websites 
> that I host on my machine...
> 
> Any advice or assistance would be appreciated.
> 
> Thanks!
> Jay
> -----
> Jay Finch                       : "Come with me.. and you'll be..
> (770) 650-0410  (voice)         :  In a world of pure imagination.
> pagejay at larp.com (pager)        :  Take a look and you'll see
> horus at larp.com                  :  Into your imagination ..."
> MTBI Survey says:  ENFJ         :               -- Willy Wonka
>       Check out my home page at:  http://www.photobooks.com/~horus/
> 

--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
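A defender-side implementation of the "scan the drives for setuid/setgid files" step Jim recommends above, added here as an example; it is not code from the thread or from either poster. It takes a baseline inventory (mode, SHA-256, path) on a trusted system and diffs a later scan against it, so a planted or replaced privileged binary shows up as a `+`/`-` pair. It assumes a Linux host with GNU `find`, `stat -c` and `sha256sum`; the demo tree it builds under `mktemp -d` is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): inventory setuid/setgid
# binaries under a root directory and diff them against a known-good baseline.
# Assumes GNU coreutils on Linux (find -perm, stat -c, sha256sum).

# Emit one line per setuid/setgid regular file under $1:
#   "<octal mode> <sha256> <path relative to root>"
# Paths are made relative so a baseline taken on a clean machine can be
# compared against a suspect disk mounted somewhere else (e.g. a rescue boot).
scan_setuid() {
    root=$1
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    LC_ALL=C sort |
    while IFS= read -r f; do
        mode=$(stat -c '%a' "$f")
        sum=$(sha256sum "$f" | cut -d ' ' -f 1)
        printf '%s %s %s\n' "$mode" "$sum" "${f#"$root"}"
    done
}

# Diff a stored baseline ($1, produced by scan_setuid on a trusted system)
# against a fresh scan of $2. A setuid file that appeared shows as a "+" line;
# one that vanished, or whose contents or mode changed, shows as "-" (and "+").
# Returns 0 when identical, diff's non-zero status otherwise.
compare_setuid_baseline() {
    baseline=$1; root=$2
    current=$(mktemp)
    scan_setuid "$root" > "$current"
    if diff -u "$baseline" "$current"; then rc=0; else rc=$?; fi
    rm -f "$current"
    return "$rc"
}

# Build a small constructed tree for trying the functions offline:
# two legitimately privileged files and one ordinary file. Prints its path.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/tmp"
    printf 'constructed su\n'   > "$d/bin/su";   chmod 4755 "$d/bin/su"
    printf 'constructed wall\n' > "$d/bin/wall"; chmod 2755 "$d/bin/wall"
    printf 'constructed ls\n'   > "$d/bin/ls";   chmod 0755 "$d/bin/ls"
    printf '%s\n' "$d"
}

# Usage on a real host: take the baseline while the system is still trusted
# (or from freshly installed media), keep it off the box, and rescan later.
#   scan_setuid / > /mnt/usb/setuid-baseline.txt
#   compare_setuid_baseline /mnt/usb/setuid-baseline.txt /
if [ "${1-}" = "--demo" ]; then
    root=$(make_demo_tree)
    base=$(mktemp)
    scan_setuid "$root" > "$base"
    echo "baseline:"; cat "$base"
    printf 'constructed extra\n' > "$root/tmp/.x"; chmod 4755 "$root/tmp/.x"
    echo "rescan after adding an unlisted setuid file:"
    compare_setuid_baseline "$base" "$root" || echo "differences found"
    rm -rf "$root" "$base"
fi
```

Keep the baseline on removable or remote media: a baseline stored on the compromised host is exactly what an intruder with root will delete along with the logs and backups, as happened in the thread.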
