Something must be done! (Security)

J. Francois jlf@magusnet.gilbert.az.us
Fri, 3 Mar 2000 06:02:30 -0700


Damn.
Sorry to see this happen to one of our own.

Try: netstat -a
     lsof

It seems like on Fri, Mar 03, 2000 at 02:09:06AM -0700, jiva@devware.com scribbled:
Orig Msg> I'm not sure which packages were actually exploited, but I know that
Orig Msg> on at least one of the machines both the ftpd and the named were old,
Orig Msg> and had known root exploits.  I suspect the other machine had the same
Orig Msg> issues.  On one of the machines, we ran a nessus scan on it, and found
Orig Msg> mysteriously, on port 516 a telnet daemon running.  We attempted to
Orig Msg> connect to it, and found that it logged in the /var/log/secure as
Orig Msg> in.taskd, but we could find no other references to it.  Did a locate
Orig Msg> for taskd, and locate said it was in /usr/sbin/in.taskd but it wasn't!
Orig Msg> We'd also noticed some weird behavior such as top not working right
Orig Msg> anymore and netstat not working right etc (red flags).
Orig Msg> 
Orig Msg> So we did a bit more looking, and then I started thinking, well, if
Orig Msg> it's logging in secure, it must be running through inetd, but we
Orig Msg> didn't find anything in inetd.conf.  Sooo, I did a locate for inetd to
Orig Msg> see if maybe I could tell anything from that, and lo and behold, there
Orig Msg> was a SECOND inetd in "/usr/ /tools"  ! (yes, that's a space there,
Orig Msg> isn't that clever? ;D)  Soo, I did a bit more looking, and yep, that
Orig Msg> was how he came back after the initial sploit.  He had a nifty little
Orig Msg> script that would cover his tracks by removing his traces from secure
Orig Msg> etc.
Orig Msg> 
Orig Msg> Anyway, he wasn't that great because though he replaced all the
Orig Msg> naughty bits, he didn't update the RPM database, and so a quicky rpm
Orig Msg> --verify -a gave me a list of all the core files that have been
Orig Msg> changed.  We're checking that out right now to determine if we should
Orig Msg> just do a full reinstall.
Orig Msg> 
Orig Msg> Speaking of which, what's the commandline for netstat to give you a
Orig Msg> listing of all the listening ports?  Is it netstat -lp?
Orig Msg> 
Orig Msg> On Fri, Mar 03, 2000 at 01:05:07AM -0700, Jay wrote:
Orig Msg> > 
Orig Msg> > 
Orig Msg> > Hey Jiva. Although I don't keep up on the RH stuff, I think I saw
Orig Msg> > something like this come across the daily Freshmeat batch within the last
Orig Msg> > week or so. You may want to do a search over there.
Orig Msg> > 
Orig Msg> > Question -- What packages were sploited on their systems? Share with the
Orig Msg> > rest of us some of the details so that we can all make sure we're up to
Orig Msg> > date... :)
Orig Msg> > 
Orig Msg> > ~Jay
Orig Msg> > 
Orig Msg> > 
Orig Msg> > On Fri, 3 Mar 2000 jiva@devware.com wrote:
Orig Msg> > 
Orig Msg> > > 2 count em 2 of my friends running linux discovered tonight their
Orig Msg> > > machines had been rooted!  And the only reason was because they didn't
Orig Msg> > > keep their packages up to date.  Does anyone know of a script that'll
Orig Msg> > > get just the latest security fixes on RedHat?
Orig Msg> > 

JLF Sends...

This message brought to you by Master Forrest the Grump:
     "Evil is, what evil does."