[ale] hacked indicator?

Jonathan Rickman jonathan at xcorps.net
Tue Nov 21 10:01:03 EST 2000


On Tue, 21 Nov 2000, Wandered Inn wrote:

> Call me paranoid, I don't know.  Here's the story.  On all the machines
> I've got the PS1 prompt set up to display 'id at machinename' so that if I
> ssh to another machine, I can tell at a glance what machine/id I'm
> running on that machine.  The other day, I ssh'ed into my firewall
> machine and the prompt displayed 'uid at machinename'.  I found this
> bizarre and thought maybe it was something to do with the way PS1 was
> set up, but when I execute 'id -un' it too returns the uid rather than
> the user name.  If I su to root, the prompt properly changes to
> 'root at machinename.'  The other id is a common id I use across all my
> machines for ssh access.  Once I'm connected, I su to root to do
> whatever I might need to do.
> 
> Question is, is it possible this is a side effect of being hacked?  I've
> been checking out the log files and such and can not find anything else
> out of the ordinary.

Yes...

> Anyone seen a similar aberration?

Yes...

While this could be caused by misconfiguration on your part, I'm not
inclined to think so. I've read your posts in the past and you seem to
know what you're doing. Of course, everyone makes mistakes. This could be
a misconfiguration on the part of a script kiddie who installed a rootkit.
Four questions...

What kind of exposure to the internet at large exists on the system in
question?

What services is it running?

Do you have tripwire, or any other integrity checker installed?

Have you checked for any "suspicious listening services"?

Your best bet is to trust nothing. Use another machine to scan the system
in question using nmap. Look for anything listening that wasn't there
before. Pay particular attention to high ports. Export /etc over NFS or
Samba and use another machine to mount it and check your inetd.conf file
for added listeners.

-- 
Jonathan Rickman
X Corps Security
http://www.xcorps.net


-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP 6.5.2

mQENAzm0QZQAAAEIAN3uNRQlWHMrHwKgTNzpYps6SLipfNvH+0uZi0TvxyXFHiiH
kivQYxlcPn/4Za4eyl5XZvP6lGQ3DXcCzT+9di75HqFtTiHeE9YScR0WEeBB1ywL
j8nKxFdGMCJ3a3khSafPvyTUQKGaEWQGnui+6UieWeBhDHdE/o21qNd0+6M49P73
0pVTdmdn1jPj1cU+vrqkNWMfNNNhLyPjrdPzoL6SoYzCs6p5YhLWaNOiet/91RhK
VpC8uy2cUIWNOAyAOtDJwF4GY+AIVP2WTLg6L/FByDH507HP4NvkbnwPAkDSTh7M
TlXvdoeNiaEUCYCgx8CFSCAg/pl819+gts810D8ABRG0JkpvbmF0aGFuIFJpY2tt
YW4gPGpvbmF0aGFuQHhjb3Jwcy5uZXQ+iQEVAwUQObRBlNffoLbPNdA/AQETwwf/
d4W131UXeWd1+hcCR1bkFJRx+08fNtHzbMzjqquA4IRPftt72M6RzDsRn1xpsdh+
RqP0oeZ0IfnByhXQ7x65JxRUaYW2mw8GNQOeTkJ2uNDg3SaFG2HGYxASohP2r8D6
Yh1WIfEgf3YDwoKyGAfJTgcfHZe85+hgg6R60KbGMAhWf5Tbb6IEpzdvBi/HoYHC
c1km8esjnMPDmR1aLjcRffaMmWGwXk/33oZRo3Q0SO/MvqWyo1kZnq2JIxX0MDAm
nm2p0cZtQc1sECkC1XyyyH8tgWhXwzYpucpsQ3IhWFrCuL7y4t/wREOgd4KaSxkN
OKraa8g7Nyh4s8rSHFvq5A==
=XYFV
-----END PGP PUBLIC KEY BLOCK-----
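
The procedure the reply recommends, done as an added example rather than anything from the original post: from a second machine you trust, compare a fresh nmap scan of the suspect host against a baseline scan, compare the inetd.conf taken off the suspect host (copied, or NFS-mounted read-only) against the copy you kept, and resolve the uid straight from the suspect host's passwd file to see whether the "id -un prints a uid" symptom comes from the file or from the binary/library doing the lookup. It assumes nmap's greppable output (-oG) and the classic seven-field inetd.conf layout; every file, host name, port and passwd entry below is constructed sample data written by the script itself.

```shell
#!/bin/sh
# Added example, not part of the original post. Compares what a suspect host
# exposes now against a baseline taken earlier, run from a second machine that
# is assumed trustworthy. Every file below is constructed sample data.

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# --- constructed samples -----------------------------------------------------
BASE_SCAN="$TMP/base.gnmap"
NOW_SCAN="$TMP/now.gnmap"
BASE_INETD="$TMP/inetd.conf.base"
NOW_INETD="$TMP/inetd.conf.now"
PASSWD="$TMP/passwd"

cat > "$BASE_SCAN" <<'EOF'
# Nmap greppable output (constructed sample: baseline scan of the firewall)
Host: 192.168.1.1 (fw)  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///  Ignored State: closed (998)
EOF
cat > "$NOW_SCAN" <<'EOF'
# Nmap greppable output (constructed sample: scan taken after the anomaly)
Host: 192.168.1.1 (fw)  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 514/open/tcp//shell///, 31337/open/tcp////, 111/filtered/tcp//sunrpc///  Ignored State: closed (995)
EOF
cat > "$BASE_INETD" <<'EOF'
# inetd.conf as it looked when the box was built (constructed): all disabled
#telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
#ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd
EOF
cat > "$NOW_INETD" <<'EOF'
# inetd.conf as found on the suspect host (constructed): one entry appended
#telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
#ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd
shell    stream  tcp  nowait  root  /usr/sbin/in.rshd  in.rshd
EOF
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000:shared ssh login (constructed):/home/admin:/bin/bash
EOF

# --- checks ------------------------------------------------------------------

# "port/proto" for every open port in an nmap -oG file, sorted for comm(1).
# -oG port entries look like "22/open/tcp//ssh///"; filtered ports are skipped.
open_ports() {
    grep '^Host:.*Ports:' "$1" \
        | sed 's/.*Ports: //; s/[[:space:]]*Ignored State.*//' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//' \
        | awk -F/ '$2 == "open" { print $1 "/" $3 }' \
        | sort -u
}

# Ports open in the second scan that were not open in the first.
new_listeners() {
    open_ports "$1" > "$TMP/ports.base"
    open_ports "$2" > "$TMP/ports.now"
    comm -13 "$TMP/ports.base" "$TMP/ports.now"
}

# Active inetd entries as "service proto server". Comments are stripped
# first, so an entry that merely lost its leading '#' also shows up as new.
inetd_services() {
    sed 's/#.*//' "$1" | awk 'NF >= 6 { print $1, $3, $6 }' | sort -u
}

# inetd entries active now that were not active in the baseline copy.
new_inetd_services() {
    inetd_services "$1" > "$TMP/inetd.base"
    inetd_services "$2" > "$TMP/inetd.now"
    comm -13 "$TMP/inetd.base" "$TMP/inetd.now"
}

# Resolve a uid directly from a passwd file taken off the suspect host. If
# this finds the name but 'id -un' on the host itself does not, suspicion
# shifts from the passwd file to the host's id binary or resolver library.
passwd_name_for_uid() {
    awk -F: -v uid="$1" '$3 == uid { print $1; exit }' "$2"
}

echo "new listeners:";        new_listeners "$BASE_SCAN" "$NOW_SCAN"
echo "new inetd entries:";    new_inetd_services "$BASE_INETD" "$NOW_INETD"
echo "passwd name for 1000:"; passwd_name_for_uid 1000 "$PASSWD"
```

Run it as-is to see the constructed case; for a real check, replace the sample files with the baseline scan you kept from a known-good state and with a scan and an /etc copy taken now, and run all of it on the trusted machine, since any tool on the suspect host (nmap, netstat, id, even sed and awk) may itself have been replaced.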
