Something must be done! (Security)

James, Justin justin.james@intel.com
Fri, 3 Mar 2000 09:54:10 -0800


Maybe a how-to for the website on how to do a basic check to see if you box
is secure and up to date would be appropriate.  I know I would interested in
seeing how one would really go about doing a security check and some of the
tips, tricks, and tools used.

Thanx,

Justin

-----Original Message-----
From: jiva@devware.com [mailto:jiva@devware.com]
Sent: Friday, March 03, 2000 10:08 AM
To: plug-discuss@lists.PLUG.phoenix.az.us
Subject: Re: Something must be done! (Security)


Heh, yeah, like I said, they weren't actually *my* machines that had
the problems, but you can bet that I ran a security scan on all my
boxes last night just to be safe. ;D


On Fri, Mar 03, 2000 at 09:10:09AM -0700, John Kloian III wrote:
> Sounds like you've had quite a little adventure Jiva.  Yes, -lp will give
> you the listen ports.
> 
> John Kloian III
>
____________________________________________________________________________
> Vice President/CIO 		         Wired Global Communications, Inc.
> Phone:  602.674.9900 ext. 103	 "Specializing in Open Source Network
Solutions"
> Fax:    602.674.8725       	            http://www.wiredglobal.net
> 
> 
> 
> 
> 
> 
> On Fri, 3 Mar 2000 jiva@devware.com wrote:
> 
> > I'm not sure which packages were actually exploited, but I know that
> > on at least one of the machines both the FTP d and the named were old,
> > and had known root exploits.  I suspect the other machine had the same
> > issues.  On one of the machines, we ran a nessus scan on it, and found
> > mysteriously, on port 516 a telnet daemon running.  We attempted to
> > connect to it, and found that it logged in the /var/log/secure as
> > in.taskd, but we could find no other references to it.  Did a locate
> > for taskd, and locate said it was in /usr/sbin/in.taskd but it wasn't!
> > We'd also noticed some weird behavior such as top not working right
> > anymore and netstat not working right etc (red flags).
> > 
> > So we did a bit more looking, and then I started thinking, well, if
> > it's logging in secure, it must be running through inetd, but we
> > didn't find anything in inetd.conf.  Sooo, I did a locate for inetd to
> > see if maybe I could tell anything from that, and lo and behold, there
> > was a SECOND inetd in "/usr/ /tools"  ! (yes, that's a space there,
> > isn't that clever? ;D)  Soo, I did a bit more looking, and yep, that
> > was how he came back after the initial sploit.  He had a nifty little
> > script that would cover his tracks by removing his traces from secure
> > etc.
> > 
> > Anyway, he wasn't that great because though he replaced all the
> > naughty bits, he didn't update the RPM database, and so a quicky rpm
> > changed.  We're checking that out right now to determine if we should
> > just to a full reinstall.
> > 
> > Speaking of which, what's the commandline for netstat to give you a
> > listing of all the listening ports?  Is it netstat -lp?
> > 
> > On Fri, Mar 03, 2000 at 01:05:07AM -0700, Jay wrote:
> > > 
> > > 
> > > Hey Jiva. Although I don't keep up on the RH stuff, I think I saw
> > > something like this come across the daily Freshmeat batch within the
last
> > > week or so. You may want to do a search over there.
> > > 
> > > Question -- What packages were sploited on their systems? Share with
the
> > > rest of us some of the details so that we can all make sure we're up
to
> > > date... :)
> > > 
> > > ~Jay
> > > 
> > > 
> > > On Fri, 3 Mar 2000 jiva@devware.com wrote:
> > > 
> > > > 2 count em 2 of my friends running linux discovered tonight their
> > > > machines had been rooted!  And the only reason was because they
didn't
> > > > keep their packages up to date.  Does anyone know of a script
that'll
> > > > get just the latest security fixes on RedHat?
> > > 
> > > - J a y   J a c o b s o n     
> > > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> > > - President / CEO             Wired Global Communications, Inc.
> > > - Fax: 602.674.8725              Internet Engineering Solutions
> > > - Voice: 602.674.9900                http://www.wiredglobal.net 
> > > 
> > > In a world where an admin is rendered useless when the ball in his
mouse
> > > has been taken out, it is good to know that I know UNIX.
> > > 
> > > 
> > > _______________________________________________
> > > Plug-discuss mailing list  -  Plug-discuss@lists.PLUG.phoenix.az.us
> > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> > 
> 
> 
> _______________________________________________
> Plug-discuss mailing list  -  Plug-discuss@lists.PLUG.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

-- 
A woman can never be too rich or too thin.

_______________________________________________
Plug-discuss mailing list  -  Plug-discuss@lists.PLUG.phoenix.az.us
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss