Results 1 to 5 of 5

Thread: i have got a situation here...

  1. #1
    Senior Member
    Join Date
    May 2003
    Posts
    472

    i have got a situation here...

    well... i was running a linux box on RH 7.3 with apache and squid...main use of this box as proxy server....ports 22,80,81,443 were open......well someone used mod_ssl apache hole to spawn a remote shell and probably ptrace hole (by reverse ftp) to get root on th system...as soon as i discovered it...i closed the server for public access and now i want to analyse the server...but wait...he did another job ..... he pointed all the log to /dev/null exacept for boot messages to /dev/console......now i have 3 question..........

    1. how can i analyse the logs offline...i.e i want to download the logs from that system(RH7.3) to another mandrake (9.1) and want to analyse those...any tools???

    2.what are the various log files that i need to copy offline??

    3. now when i boot into the box...after starting the network ...both of eth0 and eth1 (on proxy server, the hacked one) goes into Promiscuous Mode..now i am unable to access my proxy server using ssh...what is this mode...and how can i get both of my cards out of this mode...

    any help is highly appriciated and thx in advance......
    guru@linux:~> who I grep -i blonde I talk; cd ~; wine; talk; touch; unzip; touch; strip; gasp; finger; mount; fsck; more; yes; gasp; umount; make clean; sleep;

  2. #2
    To answer your questions

    1 If the logs got pointed to dev/null it means they were deleted.
    2 if you are using a standard syslog configuration then all the logs would be in messages
    3 Promiscuous Mode means that your network cards are sniffing your network take them off the network manually go through your log files (if there is any left) for anything suspicious then format and reinstall your system icase of back doors and trojans etc

  3. #3
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    If you want to analyse this it's probably better to put this harddisk into another machine and access it from there. Look for forensic tools, you can probably find some links if you search the archives.

    Promiscuous mode means your network card will detect all traffic (not just what's destined for it). This usually means your attacker installed a sniffer.

    When your done with it, best thing to do is to nuke the install and reinstall from original media. You may also want to check all your other machines on your network as there is no way to tell how far your attacker went.

    Oh, as for the hole. AFAIK the mod_ssl hole will yield remote root immediately. There's no need to elevate privileges.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  4. #4
    Senior Member
    Join Date
    Jul 2001
    Posts
    461
    You probably want to have a look at some of the info at this link.

    http://www.sans.org/rr/catindex.php?cat_id=27

  5. #5
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    3. now when i boot into the box...after starting the network ...both of eth0 and eth1 (on proxy server, the hacked one) goes into Promiscuous Mode..now i am unable to access my proxy server using ssh...what is this mode...and how can i get both of my cards out of this mode...
    ifconfig (interface) -promisc

    he pointed all the log to /dev/null exacept for boot messages to /dev/console
    This person is *nix savy. If you point the logs to this null device, his/her activities are obviously not logged. My guess is that any logs that are left intact are worthless to you anyway. If it were me, I would mirror the setup (basically setup a honeypot) and then see if you can sit in on a live session to see what he/she is up to. This is a rare treat and would yield a wonderful learning experience for you and possibly give you info to pursue legal action as an added bonus.

    Oh, as for the hole. AFAIK the mod_ssl hole will yield remote root immediately. There's no need to elevate privileges.
    Indeed this is true.

    Have you signed up for RedHat up2date? It's free and it will prevent stuff like this from happening to you again. A good patching schedule is essential so you may want to revise yours or create one if it does not exist.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •