Linux Security: I've been hacked, found mldonkey running
General Schvantzkoph
Posted: Mon Oct 04, 2004 11:09 am
I'm pretty sure that I've been hacked, I found mldonkey running on one of
my systems. I had an open FTP port which I normally keep closed but I
opened for someone to do a download and then forgot to close. I have a
Linksys router which has open SSH ports and had an open FTP port (which
is now closed). The machine that was compromised with mldonkey is running
mandrake 9.2 as is the FTP machine. I ran chkrootkit-0.44 (the latest) on
all of my machines and it found nothing. There is a restart message in
the /var/log/messages on all of my systems that has roughly the same
time stamp.
Oct 3 04:02:10 localhost syslogd 1.4.1: restart.
What else should I do and which logs should I check? Is there another port
besides FTP that is a likely entry point? Could SSH have been compromised?
Here are some suspicious entries in the log on the machine that had
mldonkey,
/var/log/auth.log
Oct 3 05:01:02 saratoga msec: set variable SystemMenu to true in /etc/X11/gdm/gdm.conf
Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/open_port.today from 644 to 640
Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/suid_root.today from 644 to 640
Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/suid_md5.today from 644 to 640
Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/sgid.today from 644 to 640
Oct 3 05:01:03 saratoga msec: changed owner of /var/log/mldonkey.log from mldonkey to root
Oct 3 05:01:03 saratoga msec: changed group of /var/log/mldonkey.log from mldonkey to adm
Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/unowned_group.today from 644 to 640
Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/writable.today from 644 to 640
Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/unowned_user.today from 644 to 640
and the following in /var/log/messages
Oct 3 04:17:49 saratoga :
Oct 3 04:17:49 saratoga : Security Warning: '+' character found in hosts trusting files,
Oct 3 04:17:49 saratoga : this probably mean that you trust certains users/domain
Oct 3 04:17:49 saratoga : to connect on this host without proper authentication :
Oct 3 04:17:49 saratoga : - /home/bjrosen/.rhosts: + bjrosen
Oct 3 04:20:00 saratoga CROND[24005]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct 3 04:22:00 saratoga CROND[24009]: (root) CMD (nice -n 19 run-parts /etc/cron.weekly)
Oct 3 04:25:00 saratoga CROND[1608]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct 3 04:30:00 saratoga CROND[1655]: (root) CMD (/usr/lib/mldonkey/mldonkey_df_monitor.sh)
Oct 3 04:30:00 saratoga CROND[1656]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct 3 04:35:00 saratoga CROND[1670]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct 3 04:40:00 saratoga CROND[1680]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct 3 04:45:00 saratoga CROND[1688]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct 3 04:50:00 saratoga CROND[1695]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct 3 04:55:00 saratoga CROND[1702]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct 3 05:00:00 saratoga CROND[1711]: (root) CMD (/usr/lib/mldonkey/mldonkey_df_monitor.sh)
Oct 3 05:00:00 saratoga CROND[1712]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct 3 05:01:01 saratoga CROND[1725]: (root) CMD (nice -n 19 run-parts /etc/cron.hourly)
Oct 3 05:01:02 saratoga msec: set variable SystemMenu to true in /etc/X11/gdm/gdm.conf
Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/open_port.today from 644 to 640
Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/suid_root.today from 644 to 640
Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/suid_md5.today from 644 to 640
Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/sgid.today from 644 to 640
Oct 3 05:01:03 saratoga msec: changed owner of /var/log/mldonkey.log from mldonkey to root
Oct 3 05:01:03 saratoga msec: changed group of /var/log/mldonkey.log from mldonkey to adm
Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/unowned_group.today from 644 to 640
Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/writable.today from 644 to 640
Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/unowned_user.today from 644 to 640
Oct 3 05:05:00 saratoga CROND[1740]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct 3 05:10:00 saratoga CROND[1747]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct 3 05:15:00 saratoga CROND[1754]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct 3 05:20:00 saratoga CROND[1764]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct 3 05:25:00 saratoga CROND[1773]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct 3 05:30:00 saratoga CROND[1781]: (root) CMD (/usr/lib/mldonkey/mldonkey_df_monitor.sh)
Oct 3 05:30:00 saratoga CROND[1782]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct 3 05:35:00 saratoga CROND[1796]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct 3 05:40:00 saratoga CROND[1803]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct 3 05:45:00 saratoga CROND[1811]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct 3 05:50:00 saratoga CROND[1818]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct 3 05:55:00 saratoga CROND[1825]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct 3 06:00:00 saratoga CROND[1834]: (root) CMD (/usr/lib/mldonkey/mldonkey_df_monitor.sh)
Oct 3 06:00:00 saratoga CROND[1835]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct 3 06:01:01 saratoga CROND[1842]: (root) CMD (nice -n 19 run-parts /etc/cron.hourly)
Oct 3 06:01:02 saratoga msec: set variable SystemMenu to true in /etc/X11/gdm/gdm.conf
Oct 3 06:05:00 saratoga CROND[1861]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct 3 06:10:00 saratoga CROND[1868]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct 3 06:15:00 saratoga CROND[1875]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct 3 06:20:00 saratoga CROND[1882]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct 3 06:25:00 saratoga CROND[1890]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct 3 06:30:00 saratoga CROND[1898]: (root) CMD (/usr/lib/mldonkey/mldonkey_df_monitor.sh)
Oct 3 06:30:00 saratoga CROND[1899]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct 3 06:35:00 saratoga CROND[1914]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct 3 06:40:00 saratoga CROND[1921]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct 3 06:41:07 saratoga kernel: _M_str_putnext: queue overflow: dropping a message
Oct 3 06:41:09 saratoga last message repeated 69 times
Oct 3 06:45:00 saratoga CROND[1933]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct 3 06:50:00 saratoga CROND[1940]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct 3 06:55:00 saratoga CROND[1947]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct 3 07:00:00 saratoga CROND[1966]: (root) CMD (/usr/lib/mldonkey/mldonkey_df_monitor.sh)
Oct 3 07:00:00 saratoga CROND[1967]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct 3 07:01:01 saratoga CROND[1976]: (root) CMD (nice -n 19 run-parts /etc/cron.hourly)
Oct 3 07:01:01 saratoga msec: set variable SystemMenu to true in /etc/X11/gdm/gdm.conf

Bill Unruh
Posted: Mon Oct 04, 2004 3:44 pm
General Schvantzkoph <schvantzkoph@yahoo.com> writes:
]I'm pretty sure that I've been hacked, I found mldonkey running on one of
]my systems. I had an open FTP port which I normally keep closed but I
]opened for someone to do a download and then forgot to close. I have a
]Linksys router which has open SSH ports and had an open FTP port (which
]is now closed). The machine that was compromised with mldonkey is running
]mandrake 9.2 as is the FTP machine. I ran chkrootkit-0.44 (the latest) on
]all of my machines and it found nothing. There is a restart message in
]the /var/log/messages on all of my systems that has roughly the same
]time stamp.
]Oct 3 04:02:10 localhost syslogd 1.4.1: restart.
]What else should I do and which logs should I check? Is there another port
]besides FTP that is a likely entry point? Could SSH have been compromised?
]Here are some suspicious entries in the log on the machine that had
]mldonkey,
]/var/log/auth.log
]Oct 3 05:01:02 saratoga msec: set variable SystemMenu to true in /etc/X11/gdm/gdm.conf
]Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/open_port.today from 644 to 640
]Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/suid_root.today from 644 to 640
]Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/suid_md5.today from 644 to 640
]Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/sgid.today from 644 to 640
]Oct 3 05:01:03 saratoga msec: changed owner of /var/log/mldonkey.log from mldonkey to root
]Oct 3 05:01:03 saratoga msec: changed group of /var/log/mldonkey.log from mldonkey to adm
]Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/unowned_group.today from 644 to 640
]Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/writable.today from 644 to 640
]Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/unowned_user.today from 644 to 640
These are all fine; they are standard msec messages.
] and the following in /var/log/messages
]Oct 3 04:17:49 saratoga :
]Oct 3 04:17:49 saratoga : Security Warning: '+' character found in hosts trusting files,
This is terrible. It allows anyone in the world to connect to your
server. You certainly should not have this. Many users, to make it easy to
run from another machine to their own, put + into xauth to make it easy.
This is a badbadbadbadbad thing to do.
You should tell your sshd not to allow .rhosts and also do not allow telnet
connections.
]Oct 3 04:17:49 saratoga : this probably mean that you trust certains users/domain
]Oct 3 04:17:49 saratoga : to connect on this host without proper authentication :
]Oct 3 04:17:49 saratoga : - /home/bjrosen/.rhosts: + bjrosen
The user bjrosen has done this. Tell him not to do so.
Use the .ssh/authorized_hosts file instead.
]Oct 3 04:20:00 saratoga CROND[24005]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
]Oct 3 04:22:00 saratoga CROND[24009]: (root) CMD (nice -n 19 run-parts /etc/cron.weekly)
]Oct 3 04:25:00 saratoga CROND[1608]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
]Oct 3 04:30:00 saratoga CROND[1655]: (root) CMD (/usr/lib/mldonkey/mldonkey_df_monitor.sh)
No idea what mldonkey is, but they have inserted it into root's cron. If
this was done by a stranger, then your system is completely compromised.
Wipe and reinstall and then use find to look for any suid/sgid files, and
make sure that they should be there. Eg no file in /tmp, /dev/ /usr/share,
.... should be suid root (I found such files on one of my compromised
machines.)

Bit Twister
Posted: Mon Oct 04, 2004 9:02 pm
On Mon, 04 Oct 2004 22:48:39 -0400, General Schvantzkoph wrote:
Quote: I'm trying to configure Mandrake 10.1 as second
level firewall machine but it seems to want to block the local net as well
as the internet port. Has anyone used 10.1 as a firewall?
I am using md 10.0.
Shorewall is used on 10.1 and 10.0.
I looked around here http://www.shorewall.net/,
used webmin to play with the config files, read the config file
headers in /etc/shorewall and it does pretty good.

Solbu
Posted: Tue Oct 05, 2004 9:00 am
On Monday 4 October 2004, 23:44 Bill Unruh tried to express an opinion:
Quote: Eg no file in /tmp, dev /usr/share, ... should be suid root
also the /tmp dir should be mounted (in /etc/fstab also)
with 'noexec,nosuid'.
If you also do not allow users to run their own programs from home,
set /home up with 'noexec'.
(Two of the servers I help administer do this.)
--
Solbu - http://www.solbu.net
Remove 'ugyldig' for email
PGP key ID: 0xFA687324

Marco Benton
Posted: Tue Oct 05, 2004 4:01 pm
General Schvantzkoph wrote:
Quote: Does anyone know if Linksys routers are adequate firewalls? I had the FTP
port open but I don't know for sure if that was the route that the
intruders used. I'm trying to configure Mandrake 10.1 as second
level firewall machine but it seems to want to block the local net as well
as the internet port. Has anyone used 10.1 as a firewall?
well, if you pay $40 for a combo firewall/router/dsl device i guess you
can't expect too much? good enough for home use tho.
keep in mind that you can have 2 Cisco PIX firewalls and 2 linux
firewalls in front of your server and still be hacked if you don't
configure your FTP or whatever service correctly. for FTP use vsftpd...
not a lot of parameters to screw up... or read some doco on how to
setup these services tightly.

General Schvantzkoph
Posted: Tue Oct 05, 2004 4:26 pm
On Mon, 04 Oct 2004 21:44:21 +0000, Bill Unruh wrote:
Quote: General Schvantzkoph <schvantzkoph@yahoo.com> writes:
]I'm pretty sure that I've been hacked, I found mldonkey running on one of
]my systems. I had an open FTP port which I normally keep closed but I
]opened for someone to do a download and then forgot to close. I have a
]Linksys router which has open SSH ports and had an open FTP port (which
]is now closed). The machine that was compromised with mldonkey is running
]mandrake 9.2 as is the FTP machine. I ran chkrootkit-0.44 (the latest) on
]all of my machines and it found nothing. There is a restart message in
]the /var/log/messages on all of my systems that has roughly the same
]time stamp.
]Oct 3 04:02:10 localhost syslogd 1.4.1: restart.
]What else should I do and which logs should I check? Is there another port
]besides FTP that is a likely entry point? Could SSH have been compromised?
]Here are some suspicious entries in the log on the machine that had
]mldonkey,
]/var/log/auth.log
]Oct 3 05:01:02 saratoga msec: set variable SystemMenu to true in /etc/X11/gdm/gdm.conf
]Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/open_port.today from 644 to 640
]Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/suid_root.today from 644 to 640
]Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/suid_md5.today from 644 to 640
]Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/sgid.today from 644 to 640
]Oct 3 05:01:03 saratoga msec: changed owner of /var/log/mldonkey.log from mldonkey to root
]Oct 3 05:01:03 saratoga msec: changed group of /var/log/mldonkey.log from mldonkey to adm
]Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/unowned_group.today from 644 to 640
]Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/writable.today from 644 to 640
]Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/unowned_user.today from 644 to 640
These are all fine; they are standard msec messages.
] and the following in /var/log/messages
]Oct 3 04:17:49 saratoga :
]Oct 3 04:17:49 saratoga : Security Warning: '+' character found in hosts trusting files,
This is terrible. It allows anyone in the world to connect to your
server. You certainly should not have this. Many users, to make it easy to
run from another machine to their own, put + into xauth to make it easy.
This is a badbadbadbadbad thing to do.
I assume that this is the result of my doing xhost + which I do on my
workstation so that I can run xemacs on other machines. I'm the only user
on my network, the attack came from outside.
Quote: You should tell your sshd not to allow .rhosts and also do not allow
telnet connections.
I don't have telnet installed on any of my machines. SSHD doesn't allow
.rhosts authentication and I require RSA authentication, passwords are
disallowed.
Quote:
]Oct 3 04:17:49 saratoga : this probably mean that you trust certains users/domain
]Oct 3 04:17:49 saratoga : to connect on this host without proper authentication :
]Oct 3 04:17:49 saratoga : - /home/bjrosen/.rhosts: + bjrosen
The user bjrosen has done this. Tell him not to do so.
That's me.
Quote: Use the .ssh/authorized_hosts file instead.
]Oct 3 04:20:00 saratoga CROND[24005]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
]Oct 3 04:22:00 saratoga CROND[24009]: (root) CMD (nice -n 19 run-parts /etc/cron.weekly)
]Oct 3 04:25:00 saratoga CROND[1608]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
]Oct 3 04:30:00 saratoga CROND[1655]: (root) CMD (/usr/lib/mldonkey/mldonkey_df_monitor.sh)
No idea what mldonkey is, but they have inserted it into root's cron. If
this was done by a stranger, then your system is completely compromised.
Wipe and reinstall and then use find to look for any suid/sgid files,
and make sure that they should be there. Eg no file in /tmp, /dev/
/usr/share, ... should be suid root (I found such files on one of my
compromised machines.)
I've done clean installs of Mandrake 10.1C on all of my systems and
enabled the HIGH level of security (I had standard before). I also enabled
chkrootkit as part of the periodic security checks. I've also closed all
of the ports on my firewall with the exception of a single SSH port. I had
inadvertently left open an FTP which is how I expect that they got in but
I don't know for sure. Is it possible to get through an ssh port if RSA
authentication is required? How secure are home routers? I'm using a
Linksys.

General Schvantzkoph
Posted: Tue Oct 05, 2004 5:36 pm
On Tue, 05 Oct 2004 18:01:57 -0400, Marco Benton wrote:
Quote: General Schvantzkoph wrote:
Does anyone know if Linksys routers are adequate firewalls? I had the FTP
port open but I don't know for sure if that was the route that the
intruders used. I'm trying to configure Mandrake 10.1 as second
level firewall machine but it seems to want to block the local net as well
as the internet port. Has anyone used 10.1 as a firewall?
well, if you pay $40 for a combo firewall/router/dsl device i guess you
can't expect too much? good enough for home use tho.
This is a home office network. Does anyone know how reliable these things
are?
Quote: keep in mind that you can have 2 Cisco PIX firewalls and 2 linux
firewalls in front of your server and still be hacked if you dont
configure your FTP or whatever service correctly. for FTP use vsftpd...
not alot of parameters to screw up... or read some doco on how to
setup these services tightly.
I don't normally allow FTP, I opened a port so that a colleague could
download something and I forgot to close it. I'll never open an FTP port
again.

Bill Unruh
Posted: Tue Oct 05, 2004 8:39 pm
General Schvantzkoph <schvantzkoph@yahoo.com> writes:
]On Mon, 04 Oct 2004 21:44:21 +0000, Bill Unruh wrote:
]> General Schvantzkoph <schvantzkoph@yahoo.com> writes:
]>
]> ]I'm pretty sure that I've been hacked, I found mldonkey running on one of
]> ]my systems. I had an open FTP port which I normally keep closed but I
]> ]opened for someone to do a download and then forgot to close. I have a
]> ]Linksys router which has open SSH ports and had an open FTP port (which
]> ]is now closed). The machine that was compromised with mldonkey is running
]> ]mandrake 9.2 as is the FTP machine. I ran chkrootkit-0.44 (the latest) on
]> ]all of my machines and it found nothing. There is a restart message in
]> ]the /var/log/messages on all of my systems that has roughly the same
]> ]time stamp.
]> ]Oct 3 04:02:10 localhost syslogd 1.4.1: restart.
]>
]> ]What else should I do and which logs should I check? Is there another port
]> ]besides FTP that is a likely entry point? Could SSH have been compromised?
]>
]> ]Here are some suspicious entries in the log on the machine that had
]> ]mldonkey,
]>
]>
]> ]/var/log/auth.log
]>
]> ]Oct 3 05:01:02 saratoga msec: set variable SystemMenu to true in /etc/X11/gdm/gdm.conf
]> ]Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/open_port.today from 644 to 640
]> ]Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/suid_root.today from 644 to 640
]> ]Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/suid_md5.today from 644 to 640
]> ]Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/sgid.today from 644 to 640
]> ]Oct 3 05:01:03 saratoga msec: changed owner of /var/log/mldonkey.log from mldonkey to root
]> ]Oct 3 05:01:03 saratoga msec: changed group of /var/log/mldonkey.log from mldonkey to adm
]> ]Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/unowned_group.today from 644 to 640
]> ]Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/writable.today from 644 to 640
]> ]Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/unowned_user.today from 644 to 640
]>
]> These are all fine. -- they are standard msec messages.
]>
]>
]> ] and the following in /var/log/messages
]>
]> ]Oct 3 04:17:49 saratoga :
]> ]Oct 3 04:17:49 saratoga : Security Warning: '+' character found in hosts trusting files,
]>
]> This is terrible. It allows anyone in the world to connect to your
]> server. You certainly should not have this. Many users to make it easy to
]> run from another machine to their own put + into xauth to make it easy.
]> This is a badbadbadbadbad thing to do.
]I assume that this is the result of my doing xhost + which I do on my
]workstation so that I can run xemacs on other machines. I'm the only user
]on my network, the attack came from outside.
NONONONO. That allows attacks from anywhere in the world.
Use ssh and X11 forwarding instead. Do NOT use xhost +;
even using the machine name is better (though it can be spoofed).
You are worried about hacker attacks, and then use one of the most
dangerous things you can. Anyone in the world can copy everything on your
screen and keyboard to their system. They can read off all your passwords as
you type them. They can see what you read.
]> You should tell your sshd not to allow .rhosts and also do not allow
]> telnet connections.
]I don't have telnet installed on any of my machines. SSHD doesn't allow
].rhosts authentication and I require RSA authentication, passwords are
]disallowed.
Very strange message then. Get rid of .rhosts then from everywhere.
]>
]> ]Oct 3 04:17:49 saratoga : this probably mean that you trust certains users/domain
]> ]Oct 3 04:17:49 saratoga : to connect on this host without proper authentication :
]> ]Oct 3 04:17:49 saratoga : - /home/bjrosen/.rhosts: + bjrosen
]>
]> The user bjrosen has done this. Tell him not to do so.
]That's me.
OK. Don't do it.
]> Use the .ssh/authorized_hosts file instead.
]>
]> ]Oct 3 04:20:00 saratoga CROND[24005]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
]> ]Oct 3 04:22:00 saratoga CROND[24009]: (root) CMD (nice -n 19 run-parts /etc/cron.weekly)
]> ]Oct 3 04:25:00 saratoga CROND[1608]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
]> ]Oct 3 04:30:00 saratoga CROND[1655]: (root) CMD (/usr/lib/mldonkey/mldonkey_df_monitor.sh)
]>
]> No idea what mldonkey is, but they have inserted it into root's cron. If
]> this was done by a stranger, then your system is completely compromised.
]> Wipe and reinstall and then use find to look for any suid/sgid files,
]> and make sure that they should be there. Eg no file in /tmp, /dev/
]> /usr/share, ... should be suid root (I found such files on one of my
]> compromised machines.)
]I've done clean installs of Mandrake 10.1C on all of my systems and
]enabled the HIGH level of security (I had standard before). I also enabled
]chkrootkit as part of the periodic security checks. I've also closed all
]of the ports on my firewall with the exception of a single SSH port. I had
]inadvertently left open an FTP which is how I expect that they got in but
]I don't know for sure. Is it possible to get through an ssh port if RSA
]authentication is required? How secure are home routers? I'm using a
]Linksys.
It is not clear to me that mldonkey is from outside. It may be an internal
program included with mandrake 10.1.

Bit Twister
Posted: Tue Oct 05, 2004 8:46 pm
On 6 Oct 2004 02:39:51 GMT, Bill Unruh wrote:
Quote:
It is not clear to me that mldonkey is from outside. It may be an internal
program included with mandrake 10.1.
Not unless the OP loaded it. I always load all package groups and
locate mldonkey
/usr/share/apps/kappfinder/apps/Internet/mldonkey_gui.desktop
on Mandrakelinux release 10.1 (Community) for i586

Bill Unruh
Posted: Tue Oct 05, 2004 8:48 pm
Marco Benton <marco@xssnet.com> writes:
]General Schvantzkoph wrote:
]> Does anyone know if Linksys routers are adequate firewalls? I had the FTP
]> port open but I don't know for sure if that was the route that the
]> intruders used. I'm trying to configure Mandrake 10.1 as second
]> level firewall machine but it seems to want to block the local net as well
]> as the internet port. Has anyone used 10.1 as a firewall?
I use 10.0 as one.
You have to set it up properly. Yes, it will block everything unless you
tell it not to. Is it shorewall you are running on 10.1?
You need to set up the zones file to define the various zone names, the
interfaces to tell the system what interfaces those names refer to, the
policy file to tell what the default policies are,
and the rules file to tell it in detail what the rules are to accept
certain ports etc.
It is not the most clear of setups, but not impossible.
]>
]>
]well, if you pay $40 for a combo firewall/router/dsl device i guess you
]can't expect too much? good enough for home use tho.
You think maybe it is the dollar bills which do the protection? A good
firewall should not be that expensive.
There is no reason it should be.
]keep in mind that you can have 2 Cisco PIX firewalls and 2 linux
]firewalls in front of your server and still be hacked if you don't
]configure your FTP or whatever service correctly. for FTP use vsftpd...
] not a lot of parameters to screw up... or read some doco on how to
]setup these services tightly.
Agreed.

Bill Unruh
Posted: Tue Oct 05, 2004 8:52 pm
General Schvantzkoph <schvantzkoph@yahoo.com> writes:
]On Tue, 05 Oct 2004 18:01:57 -0400, Marco Benton wrote:
]> General Schvantzkoph wrote:
]>> Does anyone know if Linksys routers are adequate firewalls? I had the FTP
]>> port open but I don't know for sure if that was the route that the
]>> intruders used. I'm trying to configure Mandrake 10.1 as second
]>> level firewall machine but it seems to want to block the local net as well
]>> as the internet port. Has anyone used 10.1 as a firewall?
]>>
]>>
]>
]> well, if you pay $40 for a combo firewall/router/dsl device i guess you
]> can't expect too much? good enough for home use tho.
]This is a home office network. Does anyone know how reliable these things
]are?
]> keep in mind that you can have 2 Cisco PIX firewalls and 2 linux
]> firewalls in front of your server and still be hacked if you dont
]> configure your FTP or whatever service correctly. for FTP use vsftpd...
]> not alot of parameters to screw up... or read some doco on how to
]> setup these services tightly.
]I don't normally allow FTP, I opened a port so that a colleague could
]download something and I forgot to close it. I'll never open an FTP port
]again.
Why? Just remember to close it. And I doubt that that was the problem.
I am not sure that there was any problem.
a)
rpm -Va | grep '^..5' > /tmp/verify
and look at the files. Many are config files which should have changed. but
if find or ls or ps has changed since installation, you have been hacked.
b)
find / -perm +6000 -ls
to look at the suid/sgid files.
look at /etc/passwd for strange new users.

General Schvantzkoph
Posted: Wed Oct 06, 2004 6:28 am
On Wed, 06 Oct 2004 02:46:07 +0000, Bit Twister wrote:
Quote: On 6 Oct 2004 02:39:51 GMT, Bill Unruh wrote:
It is not clear to me that mldonkey is from outside. It may be an internal
program included with mandrake 10.1.
Not unless the OP loaded it. I always load all package groups and
locate mldonkey
/usr/share/apps/kappfinder/apps/Internet/mldonkey_gui.desktop
on Mandrakelinux release 10.1 (Community) for i586
I have absolutely no recollection of loading it, however I've checked back
on some old logs and found it running back in August. This is not the type
of application that I run but now I'm wondering if there is some chance
that I did this to myself, I'm not sure which is worse, that my
firewall doesn't work or if I'm getting senile. The FTP port was opened
last week, it was not open at any date prior to that. I use SSH to do all
of my transfers to my systems, I never use FTP so that port is always
closed. The other port that was opened was the HTTP port. The only thing
running was the default Mandrake webpage. Is it possible that the HTTP
port was the source of the attack, how would anyone come through an HTTP
port? BTW the machine that had the open ports and the machine with
mldonkey running were both running Mandrake 9.2, not 10.1 which I just put
on yesterday.

Bit Twister
Posted: Wed Oct 06, 2004 7:50 am
On Wed, 06 Oct 2004 08:28:02 -0400, General Schvantzkoph wrote:
Quote:
I have absolutely no recollection of loading it, however I've checked back
on some old logs and found it running back in August.
If you did an update install of 10.1 then it would be carried forward.
Quote: The FTP port was opened last week, it was not open at any date prior
to that.
Can we assume you always checked/installed updates every day and also
installed the kernel updates. Kernel updates have to be done by hand,
not through the gui update icon.
Quote: I use SSH to do all of my tranfers to my systems, I never use FTP so
that port is always closed.
If I were to suddenly find my FTP open, I would save my data files and
do a disk format and a clean install with new passwords for everyone.
After enabling the firewall, getting all updates installed and backups
done, I would save a list of all file names on the system somewhere
else and check everyday to see what might show up.
Quote: The other port that was opened was the HTTP port. The only thing
running was the default Mandrake webpage. Is it possible that the HTTP
port was the source of the attach, how would anyone come through an HTTP
port?
There have been several apache updates.
Quote: BTW the machine that had the open ports and the machine with
mldonkey running were both running Mandrake 9.2, not 10.1 which I
just put on yesterday.
Well, sorry, I replaced my 9.2 partition with the 10.1 install
so I cannot say if donkey was part of the full load.
My suggestion, format the 10.1 install, use new passwords/phrases and
do clean installs on the 9.2 boxes with 10.0 with updates if you are
not ready for 10.1 this month. 10.1 official not due until November.
New passwords/phrases for everyone and tell them why they should not
use the old ones for login and email.
rpm -Va | grep '^..5' > /tmp/verify
would not tell you if additional programs were placed in
/etc/sysconfig/network-scripts/ifup.d/ and/or /etc/profile.d
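As an added example (not code from the thread), the checks recommended in this post and in Bill Unruh's earlier one (rpm -Va | grep '^..5', find for suid/sgid files, a saved list of all file names re-checked every day) as shell functions; the script name and the baseline file location are assumptions. One caveat for anyone typing the thread's command today: current GNU find rejects -perm +6000 and wants -perm /6000, so the script spells out the two bits in the POSIX form.

```shell
#!/bin/sh
# Added example, not from the thread: the checks recommended above as functions.
#   suid_list             the thread's "find / -perm +6000 -ls"
#   rpm_changed_binaries  the thread's "rpm -Va | grep '^..5'", minus config files
#   baseline_create /     Bit Twister's "save a list of all file names ... and
#   new_files             check everyday to see what might show up"; this also
#                         covers /etc/profile.d and ifup.d, which rpm -Va ignores
# The baseline location and script name are assumptions. Keep the baseline
# somewhere the box cannot alter after a compromise (removable media, another
# host), and note -xdev stays on one filesystem: run once per mount point.

set -u

# SUID/SGID regular files under $1, sorted. POSIX -perm form: current GNU find
# rejects "-perm +6000" (it wants "-perm /6000"), so spell out both bits.
suid_list() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null \
        | LC_ALL=C sort
}

# Read "rpm -Va" output on stdin; print paths whose digest flag (3rd column of
# the first field) is '5' and that are not marked 'c' (config file). A changed
# /etc file is usually your own edit; a changed ls, ps or find is not.
rpm_changed_binaries() {
    awk 'substr($1, 3, 1) == "5" && !(NF == 3 && $2 == "c") { print $NF }'
}

# Record every regular file and symlink under $1 into baseline file $2.
baseline_create() {
    find "$1" -xdev \( -type f -o -type l \) -print 2>/dev/null \
        | LC_ALL=C sort > "$2"
}

# Paths present under $1 now but absent from baseline $2 (comm -13: lines only
# in the second, current, list).
new_files() {
    find "$1" -xdev \( -type f -o -type l \) -print 2>/dev/null \
        | LC_ALL=C sort \
        | LC_ALL=C comm -13 "$2" -
}

# new_files restricted to the two drop-in directories the thread names.
# $1 may be "/" or a scratch tree used for testing.
dropin_new_files() {
    r="${1%/}"
    new_files "$1" "$2" \
        | grep -F -e "$r/etc/profile.d/" -e "$r/etc/sysconfig/network-scripts/ifup.d/" \
        || true
}

# Usage: checks.sh baseline [root] [baseline-file]   (right after the reinstall)
#        checks.sh compare  [root] [baseline-file]   (daily, from cron)
main() {
    mode="${1:-compare}"; root="${2:-/}"; base="${3:-/root/baseline.list}"
    case "$mode" in
        baseline)
            baseline_create "$root" "$base"
            suid_list "$root" > "$base.suid" ;;
        compare)
            echo "== SUID/SGID files not in baseline =="
            suid_list "$root" | LC_ALL=C comm -13 "$base.suid" -
            echo "== new files since baseline =="
            new_files "$root" "$base"
            echo "== rpm -Va: non-config files whose digest changed =="
            rpm -Va 2>/dev/null | rpm_changed_binaries ;;
        *)
            echo "usage: $0 baseline|compare [root] [baseline-file]" >&2
            return 2 ;;
    esac
}

# Only act when given arguments, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```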

Marco Benton
Posted: Wed Oct 06, 2004 8:04 pm
Bill Unruh wrote:
Quote: ]well, if you pay $40 for a combo firewall/router/dsl device i guess you
]can't expect too much? good enough for home use tho.
You think maybe it is the dollar bills which do the protection? A good
firewall should not be that expensive.
There is no reason it should be.
it shouldn't cost too much but a simple open and close type of firewall
might not cut it depending on type of traffic. maybe a firewall with
some packet inspection along with stateful session tracking will be bare
minimum. unless you have some VMS systems behind your firewall then a
Linksys will do well as not many people break into VMS nor know what to
do *if* they break in. but i don't know of any home users that have
industrial strength servers at home so i would say a Linksys is fine...
oops but wait, Cisco owns them... i wonder if it'll turn into a PIX
and the price go up 200%? ;-)
Quote:
]keep in mind that you can have 2 Cisco PIX firewalls and 2 linux
]firewalls in front of your server and still be hacked if you don't
]configure your FTP or whatever service correctly. for FTP use vsftpd...
] not a lot of parameters to screw up... or read some doco on how to
]setup these services tightly.
Agreed.

Guest
Posted: Fri Oct 08, 2004 2:27 pm
General Schvantzkoph <schvantzkoph@yahoo.com> wrote:
Quote: I don't normally allow FTP, I opened a port so that a colleague could
download something and I forgot to close it. I'll never open an FTP port
again.
FTP itself isn't insecure as stated by the thousands of systems that
permit ftp transactions and do not get compromised. Like everything,
an improperly configured system _will_ get you hacked.