
Re: A lot of breakins recently. I need help.



Igmar,

The best thing to do is back up all your data, delete all the partitions,
and start from scratch.  You don't know what, if any, binaries were replaced
with trojan backdoors, and it's a good bet that there are.  There really
isn't any way to tell for 100% sure if a file has been tampered with after
the fact.  There are some things you can do (use RPM's verify feature), but
it isn't difficult for someone to tamper with the RPM database, which would
make the verify untrustworthy.

For more info about security and Linux check out the Linux Administrators
Security Guide which is mirrored at:
http://www.linuxkb.org/mirrors/lasg/

On Mon, 6 Sep 1999, Igmar Palsenberg wrote:

> Hi,
> 
> I'm administering a machine, and I've been hacked twice in two weeks.
> 
> Is there any way I can trace how they modified the passwd file? In both
> cases, some users were appended to /etc/passwd, but not to /etc/shadow.
> 
> This is what the machine is running:
> 
> RedHat 6.0 with all updates applied.
> 
> SSH 1.2.27
> ProFTPD 1.2.0pre4
> INN 2.2.9
> Apache 1.3.9
> Apache 1.3.6SSL
> Sendmail 8.9.3
> IMAP 4.5
> xinetd
> 
> I have absolutely no clue how they got in. The only recent change is the
> newsserver, and the system doesn't have many shell accounts (4 to be
> precise).
> 
> The rest of the users have /usr/bin/passwd
> 
> The logs show this:
> 
> Sep  6 03:13:13 jdi xinetd[4721]: START: telnet pid=25532 from=209.156.90.194
> Sep  6 03:13:28 jdi PAM_pwdb[25533]: get passwd; pwdb: structure is no longer valid
> Sep  6 03:13:29 jdi login[25533]: FAILED LOGIN 1 FROM NYCMB206-10.splitrock.net FOR tek, Authentication service cannot retrieve authentication info.
> Sep  6 03:13:34 jdi PAM_pwdb[25533]: get passwd; pwdb: structure is no longer valid
> Sep  6 03:13:35 jdi login[25533]: FAILED LOGIN 2 FROM NYCMB206-10.splitrock.net FOR www, Authentication failure
> 
> I activated process accounting, and will keep an eye on the system.
> 
> Any clues or hints?
> 
>                     Regards,
> 
> 
>                                     Igmar Palsenberg
> 

--
Aaron Turner, Core Developer       http://vodka.linuxkb.org/~aturner/
Linux Knowledge Base Organization  http://linuxkb.org/
Because world domination requires quality open documentation.
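The symptom Igmar describes (accounts appended to /etc/passwd with no matching /etc/shadow entry) and the PAM_pwdb and FAILED LOGIN lines he quotes lend themselves to a small defender-side check. The Python below is an added example, not code from either poster: it audits passwd/shadow contents for accounts that lack a shadow entry, for extra UID-0 accounts and for password hashes stored directly in passwd, then parses the log excerpt from the thread and links each failed login to those findings. The file contents are constructed to model the thread (the account name "tek" comes from the log; giving it UID 0 is an assumption for illustration); the log lines are the ones quoted above.

```python
"""Post-incident account checks: passwd/shadow consistency plus a review of
login failures, run here against constructed data modelled on the thread."""
import re

# Constructed /etc/passwd and /etc/shadow contents (assumption: "tek" was
# appended to passwd only, and with UID 0, to show what the checks flag).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/usr/bin/passwd
www:x:500:500:web:/home/www:/usr/bin/passwd
tek:x:0:0::/root:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$1$constructed$hash1:10000:0:99999:7:::
bin:*:10000:0:99999:7:::
www:$1$constructed$hash2:10000:0:99999:7:::
"""
# Log lines as quoted in the thread.
SAMPLE_LOG = """\
Sep  6 03:13:13 jdi xinetd[4721]: START: telnet pid=25532 from=209.156.90.194
Sep  6 03:13:28 jdi PAM_pwdb[25533]: get passwd; pwdb: structure is no longer valid
Sep  6 03:13:29 jdi login[25533]: FAILED LOGIN 1 FROM NYCMB206-10.splitrock.net FOR tek, Authentication service cannot retrieve authentication info.
Sep  6 03:13:34 jdi PAM_pwdb[25533]: get passwd; pwdb: structure is no longer valid
Sep  6 03:13:35 jdi login[25533]: FAILED LOGIN 2 FROM NYCMB206-10.splitrock.net FOR www, Authentication failure
"""


def parse_passwd(text):
    """Map account name -> (password field, uid, shell); skips malformed lines."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, pw, uid, _gid, _gecos, _home, shell = fields
        entries[name] = (pw, int(uid), shell)
    return entries


def parse_shadow(text):
    """Map account name -> hashed password field."""
    return {f[0]: f[1] for f in (l.split(":") for l in text.splitlines()) if len(f) >= 2}


def audit_accounts(passwd_text, shadow_text):
    """Return (kind, account) findings for passwd/shadow inconsistencies."""
    passwd, shadow = parse_passwd(passwd_text), parse_shadow(shadow_text)
    findings = []
    for name, (pw, uid, _shell) in passwd.items():
        if name not in shadow:
            findings.append(("missing-shadow", name))   # the symptom in the thread
        if pw == "":
            findings.append(("empty-password", name))
        elif pw not in ("x", "*", "!"):
            findings.append(("hash-in-passwd", name))   # bypasses shadow entirely
        if uid == 0 and name != "root":
            findings.append(("uid0", name))
    findings += [("orphan-shadow", n) for n in shadow if n not in passwd]
    return findings


FAILED_LOGIN = re.compile(r"login\[(\d+)\]: FAILED LOGIN (\d+) FROM (\S+) FOR (\S+), (.*)$")
PWDB_ERROR = re.compile(r"PAM_pwdb\[(\d+)\]: .*structure is no longer valid")


def review_login_failures(log_text):
    """One record per FAILED LOGIN, noting whether a PAM_pwdb lookup error
    from the same login pid immediately preceded it."""
    pending_error, events = {}, []
    for line in log_text.splitlines():
        m = PWDB_ERROR.search(line)
        if m:
            pending_error[m.group(1)] = True
            continue
        m = FAILED_LOGIN.search(line)
        if m:
            pid, attempt, source, user, reason = m.groups()
            events.append({"pid": pid, "attempt": int(attempt), "source": source,
                           "user": user, "reason": reason.rstrip("."),
                           "lookup_error": pending_error.pop(pid, False)})
    return events


def correlate(events, findings):
    """Pair each failed login with the audit findings for that account."""
    by_account = {}
    for kind, name in findings:
        by_account.setdefault(name, []).append(kind)
    return [(e["user"], e["source"], by_account[e["user"]])
            for e in events if e["user"] in by_account]


if __name__ == "__main__":
    f = audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW)
    for user, src, kinds in correlate(review_login_failures(SAMPLE_LOG), f):
        print(f"{user} from {src}: {', '.join(kinds)}")
```

On the constructed data the script reports the "tek" login attempt as the one tied to an account missing from shadow (and carrying UID 0), while the "www" failure is an ordinary wrong-password event against an account that is consistent across both files. On a real host, read the two files and the login log instead of the embedded samples and, as Aaron notes, treat the result as triage input only, since the files and logs on a compromised machine may themselves have been altered.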
