[ale] hacked indicator?

Wandered Inn esoteric at denali.atlnet.com
Tue Nov 28 10:00:37 EST 2000


Well, I think I may have figured this one out.  Here's an interesting
tidbit as well as a response to some feedback from the list.

I've figured out why the output of 'id' does not provide a user name on
this machine for non-root users.  The perms on the passwd file were
600.  If I change them to 644, then 'id -un' reports the proper user
name.

Question is, should the perms on /etc/passwd be that tight?  Obviously,
it did not cause any problems other than the 'id' issue which isn't a
real problem.

I assume this was done by the install of Mandrake 7.1.  As I recall, the
install asks how secure you want the machine to be and I believe I
selected the 'paranoid' response.

I certainly feel better about this whole issue, particularly since I
couldn't find any other anomalies.  Logs look okay and there doesn't
appear to be any changes in services based on the cron jobs Mandrake
provides.

Jonathan Rickman wrote:
> 
> On Tue, 21 Nov 2000, Wandered Inn wrote:

> > Question is, is it possible this is a side effect of being hacked?  I've
> > been checking out the log files and such and can not find anything else
> > out of the ordinary.
> 
> Yes...
> 
> > Anyone seen a similar aberration?
> 
> Yes...
> 
> While this could be caused by misconfiguration on your part, I'm not
> inclined to think so. I've read your posts in the past and you seem to
> know what you're doing.

Well, I think I've got strengths here and there, but not unlike a sieve
in some areas.  Thanks for the compliment anyway (at least I'll take it
as one.) :)

> Of course, everyone makes mistakes. This could be
> a misconfiguration on the part of a script kiddie who installed a rootkit.
> Four questions...
> 
> What kind of exposure to the internet at large exists on the system in
> question?

I'm still ppp dial up, so it's not an always on connection.

> 
> What services is it running?

On the firewall, very little.  No sendmail, portmap, ftp, telnet, nfs,
http.  Pretty focused machine.

> 
> Do you have tripwire, or any other integrity checker installed?

Alas, no. (shame on me).  I've not gotten that far as it is dial up
connectivity.  I am running a modified set of the ipchains scripts from
the New Riders 'Linux Firewalls' book.

> 
> Have you checked for any "suspicious listening services"?

Hmm, do you mean services I've not had on previously?  I've reviewed the
output of the emails that Mandrake 7.1 generates on a regular basis and
not found anything unusual.

> 
> Your best bet is to trust nothing. Use another machine to scan the system
> in question using nmap. Look for anything listening that wasn't there
> before. Pay particular attention to high ports. Export /etc over NFS or
> Samba and use another machine to mount it and check your inetd.conf file
> for added listeners.
> 
> --
> Jonathan Rickman
> X Corps Security
> http://www.xcorps.net
> 
> --
> To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.

--
Until later: Geoffrey		esoteric at denali.atlnet.com

"Great spirits have always found violent opposition from mediocre minds.
The latter cannot understand it when a man does not thoughtlessly submit
to hereditary prejudices but honestly and courageously uses his
intelligence."
- Albert Einstein
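As an added example that is not part of the thread, the following POSIX shell audit reproduces the 600 vs 644 distinction on /etc/passwd that Geoffrey describes: with mode 600 only root can read the file, so getpwuid(3) and therefore 'id -un' cannot resolve a name for any other user. It assumes GNU stat (as on a Linux box such as the Mandrake system discussed) and works on constructed copies, not the live files; the function names are mine.

```shell
#!/bin/sh
# Octal mode of FILE, e.g. 644 (GNU stat, as shipped on Linux).
file_mode() { stat -c '%a' "$1"; }

# Succeed when the "other" read bit is set.  id -un, ls -l, ps and every
# other unprivileged UID->name lookup reads the passwd file via getpwuid(3),
# so a 600 passwd file breaks name resolution for everyone but root.
world_readable() {
    mode=$(file_mode "$1") || return 2
    last=${mode#${mode%?}}        # last octal digit = "other" class
    [ $(( last & 4 )) -eq 4 ]
}

# One verdict line per file; returns 1 if either file is not as expected:
# passwd must be world-readable, shadow (the hashes) must not be.
audit_passwd_db() {
    passwd=${1:-/etc/passwd}
    shadow=${2:-/etc/shadow}
    rc=0
    if world_readable "$passwd"; then
        echo "OK   $passwd mode $(file_mode "$passwd"): non-root UID lookups work"
    else
        echo "WARN $passwd mode $(file_mode "$passwd"): 'id -un' cannot resolve names for non-root users"
        rc=1
    fi
    if [ -e "$shadow" ] && world_readable "$shadow"; then
        echo "WARN $shadow mode $(file_mode "$shadow"): password hashes are world-readable"
        rc=1
    elif [ -e "$shadow" ]; then
        echo "OK   $shadow mode $(file_mode "$shadow")"
    fi
    return $rc
}

# Demonstration on constructed copies (never touches /etc): first the
# 'paranoid' 600 layout from the post, then the usual 644 passwd.
demo() {
    tmp=$(mktemp -d) || return 2
    printf 'root:x:0:0:root:/root:/bin/sh\nuser:x:1000:1000::/home/user:/bin/sh\n' > "$tmp/passwd"
    printf 'root:*:0:0:99999:7:::\n' > "$tmp/shadow"
    chmod 600 "$tmp/passwd" "$tmp/shadow"
    audit_passwd_db "$tmp/passwd" "$tmp/shadow" || true   # WARN on passwd, status 1
    chmod 644 "$tmp/passwd"
    audit_passwd_db "$tmp/passwd" "$tmp/shadow"           # both OK, status 0
    rm -rf "$tmp"
}

demo
```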