Something must be done! (Security)

jiva@devware.com
Fri, 3 Mar 2000 02:09:06 -0700


I'm not sure which packages were actually exploited, but I know that
on at least one of the machines both the FTPd and the named were old,
and had known root exploits.  I suspect the other machine had the same
issues.  On one of the machines, we ran a nessus scan on it, and found,
mysteriously, a telnet daemon running on port 516.  We attempted to
connect to it, and found that it logged to /var/log/secure as
in.taskd, but we could find no other references to it.  Did a locate
for taskd, and locate said it was in /usr/sbin/in.taskd but it wasn't!
We'd also noticed some weird behavior such as top not working right
anymore and netstat not working right etc. (red flags).

So we did a bit more looking, and then I started thinking, well, if
it's logging in secure, it must be running through inetd, but we
didn't find anything in inetd.conf.  Sooo, I did a locate for inetd to
see if maybe I could tell anything from that, and lo and behold, there
was a SECOND inetd in "/usr/ /tools"  ! (yes, that's a space there,
isn't that clever? ;D)  Soo, I did a bit more looking, and yep, that
was how he came back after the initial sploit.  He had a nifty little
script that would cover his tracks by removing his traces from secure
etc.

Anyway, he wasn't that great because though he replaced all the
naughty bits, he didn't update the RPM database, and so a quick rpm
--verify -a gave me a list of all the core files that have been
changed.  We're checking that out right now to determine if we should
just do a full reinstall.

Speaking of which, what's the commandline for netstat to give you a
listing of all the listening ports?  Is it netstat -lp?

On Fri, Mar 03, 2000 at 01:05:07AM -0700, Jay wrote:
> 
> 
> Hey Jiva. Although I don't keep up on the RH stuff, I think I saw
> something like this come across the daily Freshmeat batch within the last
> week or so. You may want to do a search over there.
> 
> Question -- What packages were sploited on their systems? Share with the
> rest of us some of the details so that we can all make sure we're up to
> date... :)
> 
> ~Jay
> 
> 
> On Fri, 3 Mar 2000 jiva@devware.com wrote:
> 
> > 2, count 'em, 2 of my friends running linux discovered tonight their
> > machines had been rooted!  And the only reason was because they didn't
> > keep their packages up to date.  Does anyone know of a script that'll
> > get just the latest security fixes on RedHat?
> 
> - J a y   J a c o b s o n     
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> - President / CEO             Wired Global Communications, Inc.
> - Fax: 602.674.8725              Internet Engineering Solutions
> - Voice: 602.674.9900                http://www.wiredglobal.net 
> 
> In a world where an admin is rendered useless when the ball in his mouse
> has been taken out, it is good to know that I know UNIX.
> 
> 
> _______________________________________________
> Plug-discuss mailing list  -  Plug-discuss@lists.PLUG.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

-- 
petribar:
	Any sun-bleached prehistoric candy that has been sitting in
	the window of a vending machine too long.
		-- Rich Hall, "Sniglets"
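Editor's note on the triage described in the message above. The netstat form asked about is, on Linux, netstat -lnp (listening sockets, numeric, with the owning PID/program); on current systems ss -lntup does the same. On a box where netstat and top "aren't working right", though, those binaries may be the replaced ones, and rpm --verify has the same weakness: it runs the local rpm binary against a database that root can edit, so a clean result only means the intruder did not bother, and a reinstall or a verification from rescue media (or rpm -Vp against packages from a clean mirror) is the safer call. The script below is an added example, not the poster's script or anything from the list: three POSIX sh/awk helpers that (1) list listening TCP ports straight from /proc/net/tcp so a trojaned netstat is never consulted, (2) filter rpm -Va output down to non-config files whose size or digest changed, and (3) find directory names made of whitespace or only dots, the "/usr/ /tools" trick from the post. All sample inputs (the /proc/net/tcp excerpt, the rpm -Va lines, the fake /usr tree) are constructed here for the demonstration; the port numbers and paths in them are assumptions, not data from the compromised machines.

```shell
#!/bin/sh
# Added example for the triage in the post above; not the poster's own
# script. Portable sh + awk. Every sample input below is constructed.

# Listening TCP ports read directly from /proc/net/tcp (socket state 0A is
# LISTEN), so a trojaned netstat is not consulted. Prints one port per line.
# Usage: listening_ports [path-to-proc-net-tcp]
listening_ports() {
    awk '
    function hex(h,  i, v) {
        v = 0
        for (i = 1; i <= length(h); i++)
            v = v * 16 + index("0123456789ABCDEF", toupper(substr(h, i, 1))) - 1
        return v
    }
    # $2 is local_address as HEXIP:HEXPORT, $4 is the socket state
    NR > 1 && $4 == "0A" { split($2, a, ":"); print hex(a[2]) }
    ' "${1:-/proc/net/tcp}" | sort -n | uniq
}

# Files that rpm -Va reports with a changed size (S) or digest (5), skipping
# config files (type column "c"), which change legitimately and should be
# reviewed by hand instead. Reads rpm -Va output on stdin, prints paths.
# Usage: rpm -Va 2>/dev/null | changed_binaries
changed_binaries() {
    awk '
    $1 ~ /[S5]/ {
        type = (NF >= 3) ? $2 : ""   # optional file-type column (c, d, g, l, r)
        path = $NF
        if (type != "c") print path
    }'
}

# Names made of whitespace or only dots, the kind of hiding spot
# ("/usr/ /tools") the post describes. Usage: odd_names /usr
odd_names() {
    find "$1" \( -name '* *' -o -name '...*' \) -print
}

# Constructed sample data for the demo and the checks: a /proc/net/tcp
# excerpt (sshd on 22, the rogue daemon on 516, one established session
# that must not be reported), some rpm -Va lines, and a fake /usr tree
# with a directory named " ". Prints the temp directory path.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/proc_net_tcp" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0 100 0 0 10 0
   1: 00000000:0204 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5678 1 0 100 0 0 10 0
   2: 0100007F:0016 0100007F:8B2C 01 00000000:00000000 00:00000000 00000000     0        0 9012 1 0 20 4 2 10 -1
EOF
    cat > "$d/rpm_va.txt" <<'EOF'
S.5....T   /bin/ps
S.5....T   /bin/netstat
S.5....T   /usr/bin/top
.......T   /usr/sbin/in.ftpd
..5....T c /etc/inetd.conf
EOF
    mkdir -p "$d/usr/ /tools" "$d/usr/sbin"
    printf '%s\n' "$d"
}

# Demo run over the constructed samples.
d=$(make_samples)
echo "listening TCP ports:";       listening_ports "$d/proc_net_tcp"
echo "changed non-config files:";  changed_binaries < "$d/rpm_va.txt"
echo "odd names under $d/usr:";    odd_names "$d/usr"
rm -rf "$d"
```

On a real box run listening_ports with no argument, pipe real rpm -Va into changed_binaries, and point odd_names at /usr, /dev and /tmp; map a suspicious port to its process by matching the inode column of /proc/net/tcp against readlink on /proc/*/fd/* rather than trusting ps. Keep in mind that locate reads a database refreshed by cron, so it lags the filesystem in both directions.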