[Plug-security] Once cracked

Wes Bateman plug-security@lists.PLUG.phoenix.az.us
Mon, 10 Sep 2001 17:26:47 -0500 (CDT)


Actually, along those same lines, does the user have a shell?  Are logins
enabled for that account?  Also, is there a password hash in /etc/shadow
for the user?

Also, provided you can trust your kernel and your tools, you might use
"netstat -na" and/or "lsof -i" to see what ports are listening.  Make sure
you don't have a shell answering on a port you didn't know about.  You
could also (even after you wipe it and reinstall, if that's what you end
up doing) watch all traffic to/from that host (with tcpdump -w or
something similar).  Be interesting to see if other hosts try to connect
to it...especially on ports you wouldn't expect.  If you reimage, then you
could probably trust that host to do this function for you.  Otherwise,
you'd want another, trusted box sitting in front of it.

And, like was suggested before, look closely at wtmp (using the
"last" command), your logs, and maybe your ~/.bash_history files.  It's
amazing how much stuff gets left behind often times.

Oh, another thing you might do is if the new account you found has a shell
like /bin/false, then you might take a closer look at /bin/false.  I've
seen /bin/bash copied to /bin/false ;-O hehe  To check this, you might try
"strings /bin/false" and see if you see any mention of /bin/bash or the
like ;-)  Also see if /bin/false is SxID - if so, that's bad, hehe.

Also, you might find a /etc/passwd- file, compare it to /etc/passwd.  Do
the same for /etc/shadow- and /etc/shadow.  Sometimes you can see
interesting changes that have taken place.  If the new user has a home
dir, look there for a .bash_history file too.

Forensics can be lots of fun...but not when it's on your own host I guess
:)  Hopefully you'll be able to find enough info to satisfy your
curiosity before you start over.  Again, I'd keep my /home and anything
else I thought was useful, and try to verify it later.  But that's your
call.

Another thing you could do (but probably don't want to) is dd the whole
device to a file on another disk (do it while booted from a rescue CD or
mounted in another box or something).  Then you'll have a perfect copy for
forensic analysis at your leisure (provided the storage space for it is
less important to you than preserving the data/evidence).

Anyhow, have fun ;)

Wes

On Mon, 10 Sep 2001, James wrote:

> What was the user's name?
> 
> On Monday 10 September 2001 09:06 am, you wrote:
> > Okay the reason I think I've been cracked is that there is a user found
> > in /etc/passwd that I've never created and is a member of the root grp.
> > When I look under linuxconf this user doesn't show up. Now I'm thinking
> > its "possible" that something I installed created this user. but how
> > would I find that out? and why would it need to be a member of the root
> > grp? I don't have telnet, sendmail, bash, or ftp running on my box. I do
> > allow IRC and as far as I know that's the *only* way someone could get
> > in. I'm not running IP tables like I should though. So far haven't seen
> > anything malicious on my machine. but you never know. Thanks for the ideas
> > so far. I'll be looking them over to see if I can figure it all out. but
> > if I haven't found out how they did it by the end of the day I'm just
> > going to wipe it all.
> >
> > Carl P.
> >
> >
> > _______________________________________________
> > Plug-security mailing list  -  Plug-security@lists.PLUG.phoenix.az.us
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-security

-- 
Wes Bateman, GCIA
Chief Security Officer
ManISec, Inc. - "Managed Internet Security Services"
http://www.manisec.com
wes@manisec.com
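The checks Wes lists above (compare /etc/passwd- to /etc/passwd, look for root-group membership, run "strings" on /bin/false and check its SxID bits) scripted as a small POSIX sh triage helper. This is an added example, not code from the original thread or from PLUG; the account name, file contents and paths under $SAMPLE are constructed sample data, and the functions take file paths so you can point them at the real files instead.

```shell
#!/bin/sh
# new_accounts BACKUP CURRENT : logins present in CURRENT but not in BACKUP
# (e.g. /etc/passwd- versus /etc/passwd)
new_accounts() {
    awk -F: 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$1" "$2"
}

# root_group_accounts PASSWD GROUP : non-root logins whose primary GID is 0,
# plus anyone listed as a supplementary member of "root" in GROUP
root_group_accounts() {
    awk -F: '$4 == 0 && $1 != "root" { print $1 }' "$1"
    awk -F: '$1 == "root" && $4 != "" {
        n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$2"
}

# shell_binary_findings FILE : one warning line per problem with a supposed
# no-login shell: shell strings inside it (a copied bash), or a setuid/setgid
# bit; prints nothing when the file looks clean.  The tr pipeline is a
# poor man's "strings": keep printable runs, split on everything else.
shell_binary_findings() {
    if tr -c '[:print:]' '\n' < "$1" | grep -q -e '/bin/bash' -e 'GNU bash'; then
        echo "$1: contains bash strings (copied shell?)"
    fi
    if [ -u "$1" ] || [ -g "$1" ]; then
        echo "$1: setuid/setgid bit set"
    fi
}

# ---- constructed sample data (stands in for the real /etc files) ----------
SAMPLE=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/bash\ncarl:x:500:500::/home/carl:/bin/bash\n' \
    > "$SAMPLE/passwd-"
printf 'root:x:0:0:root:/root:/bin/bash\ncarl:x:500:500::/home/carl:/bin/bash\n' \
    > "$SAMPLE/passwd"
printf 'sys2:x:501:0::/home/sys2:/bin/false\n' >> "$SAMPLE/passwd"   # the extra account
printf 'root:x:0:carl\nwheel:x:10:\n' > "$SAMPLE/group"
printf '\177ELF GNU bash, version 2.05 /bin/bash\n' > "$SAMPLE/false-fake"
printf '\177ELF exit\n' > "$SAMPLE/false-clean"
chmod u+s "$SAMPLE/false-fake"

new_accounts "$SAMPLE/passwd-" "$SAMPLE/passwd"        # sys2
root_group_accounts "$SAMPLE/passwd" "$SAMPLE/group"   # sys2 and carl
shell_binary_findings "$SAMPLE/false-fake"             # two warnings
shell_binary_findings "$SAMPLE/false-clean"            # silent
```

Run it from a rescue boot or against files copied off the suspect host, since a compromised box's own awk, tr and grep are no more trustworthy than its netstat.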