hacker tool: pan2?

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
MLiberty Young at <-
MGary Nichols at ->
Attachments:
Message as email
+ (text/plain)
Delete this message
Reply to this message
Author: George Toft
Date:  
Subject: hacker tool: pan2?
There is a really slick tool called "Snare for Linux" ("Snare for
Windows" also) that works like Tripwire in realtime mode. If you
configured it to alert you on any write attempt on a binary or any write
on important config files, it would put an entry into syslog. Then your
log watcher (swatch comed to mind) would page you as soon as anything
hinky happened. Sure, the attack would already be underway, but at
least you could contain the damage quicker.

If you have users on a box, the same idea can be applied to watch for
lesser attacks as well.

Of course, keeping the box patched . . . firewall . . . minimal
services . . . yada yada yada.

Regards,

George Toft
Computer Security
AGD,llc
www.agdllc.com
623-203-1760


Liberty Young wrote:
>
> On Fri, 2003-12-05 at 16:39, wrote:
> > > what is pan2?
> > > We just got hacked, and looking in the root's .bash_history, they
> > > downloaded pan2 from a .ro server, and it's still running. I was just
> > > wondering what that is..i can't seem to get a clear answer from google.
> >
> > Side question that you probably want to ignore for now: Could you tell us
> > about your setup and how you think the cracker got in?
> >
> > I am just curious about the whole story. How are you connected to the
> > net? What firewall technology you were using? Was the box at home, work,
> > co-lo? What OS? How did you discover the break-in? Etc.
> >
> > Right now, you need to do investigations and get secure again. But, at
> > some point, I'd like to learn from your experience.
> >
> > Alan
>
> It was a work box, behind a DSL line and in the DMZ..my main server is
> pretty hardened, and has its own firewall in front of it. The hacked box
> was our web-server.
>
> My guess is it was a rootkit, some script-kiddie tool. Honestly, i was
> asking for it. It was an old Mandrake 8.0 box i set up a few years ago,
> and updating rpms is a pain in the ass unless you're willing to upgrade
> your whole OS. Nothing new or exciting. I _was_ planning on upgrading it
> to debian...i guess that priority just shot up to #1.
>
> I could tell cuz it was a very sloppy hack...php.ini was changed to
> default, so that broke some stuff as my includes were in a non-default
> location. That's what caused me to start looking into the box. The date
> on that file was yesterday...and nobody here at work changed it.
>
> /sbin/init also had a date of yesterday, too...which not only put up a
> red-flag in my head, but also set off an alarm like a broken
> car-alarm..that zaps passerbys and kicks them...Ya. it started off as
> one of those days.
>
> mandrake has some nice security stuff, such as medusa. It logs open
> network connections and logs them...the third of december had normal
> stuff (http, ftp, ssh), and today had a program called dsniff-st
> (network auditing tool) listening, as well as for other anonymous
> broad-cast listening programs running.
>
> Like i said, i had a suspision with php.ini being changed, but the
> biggest flag raised was a changed init...i'm also sure a kernel-module
> MUST be installed, but of course, it's obfuscated.
>
> Right now, i'm working on installing debian on a different machine, then
> i'm going to take the hard-drive of the old machine and metaphorically
> take it out back and shoot it. I was planning on installing snort on a
> few machines, (standalone ndis, with a hdis on our main server)...so as
> things install, i'm reading "Intrustion Detection with Snort"..Kozial,
> sams publishing.
> Instead of coding this weekend, i guess i'll be reading that instead.
>
> As i'm reading the book, a theme keeps getting repeated...you have to
> know your infrastructure. Snort isn't a silver bullet, and is only
> usefull if you understand what is and isn't normal behaviour. If i was
> away, a co-worker probably wouln't have bothered to know why included
> files weren't there, and wouldn't become suspicious as why php.ini was a
> changed date..which caused me to look /sbin/init, a very commonly
> changed file in rooted boxen.
>
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change you mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

This message was posted to the following mailing lists:
Plug Discuss
Mailing List Info | Nearby Messages		<-sudosudo->
Some Mailing List Archive administrated by UnconfiguredLurker (version 2.3)