-
January 4th, 2002, 03:08 PM
#31
Member
warning: /etc/hosts.deny, line 9: missing ":" separator
That's in my secure log. Does that mean the 'all' in hosts.deny isn't taking place? If so, that's a major security breach.
Jan 2 22:07:03 localhost sshd[578]: Received signal 15; terminating.
Terminating? Is that where the attacker stopped the service?
I didn't nmap myself yesterday to see if I had any more open ports. I have a list of things to do when I get home, this evening or at lunch.
-Jason
I configured k-mail w/ my name in it; the settings are stored in /home/Admin/mail. A text file in there with my name config'd might have led the cracker to knowing my name.
__________________________
Caution: in case of rapture, this computer will be unoccupied!
-
January 4th, 2002, 03:24 PM
#32
For the /etc/hosts.deny question, it seems to be badly formatted. Can you put the text from that file in a post? /etc/hosts.deny denies access to the machine remotely based on rule-settings such as the following:
ALL: ALL EXCEPT 127.0.0.1, <your_outside_ip_here, preferably static>
This will still allow a 'connection' but then it'll be closed but localhost (loopback) and the other allowed IP will be able to get in.
Another thing to make sure of, which I'm pretty sure is already the case, is to make sure TCP Wrappers are installed. TCP Wrappers was made by Wietse Venema and is kickass for ensuring the service that's being connected to. Go here for more information.
As for sshd receiving a SIGTERM (signal 15) and bailing, I'm not sure given the info if that's because of an internal error or because of an outside attack. SSH by default install is pretty stable provided the binary was configured correctly for your machine/OS.
Another measure to take is to find out if you have a banner set for telnet. On RH, you have /etc/issue and /etc/issue.net. Do the following:
# cd /etc/rc.d
# vi rc.local (go down to the /etc/issue part)
In rc.local make sure that something other than the usual uname information is going into /etc/issue.net and /etc/issue. This way, you'll have a notice instead of critical information about your machine. I usually put something like "Welcome to MS-DOS 1.0" or something else...
Now only if I remembered where wu-ftp's information is so they can't find out what kind you use, although if they get in as anonymous, they can run SYST to find out...blah.
We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.
-
January 4th, 2002, 03:32 PM
#33
Member
Vorlin, I never know where I will need to ssh in. So I have hosts.deny set to ALL and hosts.allow set to sshd: all
That way no connections can be made on any services (my understanding of it) but unlimited connections can be made on sshd port. Once I get home for lunch or after dinner I will post a few more things on my website and post a link again.
-Jason
__________________________
Caution: in case of rapture, this computer will be unoccupied!
-
January 4th, 2002, 04:43 PM
#34
Jason, it seems to me that your computer was broken into possibly because of a simple password guess. Out of curiosity, what version of OpenSSH are you running? There was a major vulnerability discovered recently in OpenSSH 1.x IIRC, one that could lead to remote compromises like this.
Chris Shepherd
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
-
January 4th, 2002, 06:45 PM
#35
Member
Neither of my passwords (root or Admin) is easy to guess; my root is alphanumeric and is 7 chars long, and my Admin is also 7 chars long. Unless someone keylog'd me.
-Jason
__________________________
Caution: in case of rapture, this computer will be unoccupied!
-
January 5th, 2002, 05:55 AM
#36
Member
I have updated some logs on my website. UberC0der, Vorlin, whoever would like to help. Please check it out.
-Jason
BTW: wtmp won't copy right, I did a "data wtmp" and it said it was a data file, cat or opening it in text editor just give me garbage.
__________________________
Caution: in case of rapture, this computer will be unoccupied!
-
January 5th, 2002, 06:13 AM
#37
Using 'last' will show you the contents of wtmp, whereas lastb will show you bad connect attempts out of btmp. That should help some.
We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.
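As an added illustration of why Jason's wtmp "won't copy right" and why Vorlin points at `last`: wtmp is not text but an array of fixed-size binary records, which `last` (and `lastb` for btmp) decodes. This is example code written for this thread, not a utility from the original posts; it assumes the glibc `struct utmp` layout on Linux (384-byte records) and builds one constructed record inline rather than reading /var/log/wtmp.

```python
import struct
from datetime import datetime, timezone

# glibc struct utmp on Linux: all fields fixed to 32-bit widths, 384 bytes total.
# "<" disables native alignment, so the 2 pad bytes after ut_type are explicit.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS, DEAD_PROCESS = 7, 8      # ut_type values shown by last as login/logout


def _cstr(b):
    """Decode a NUL-padded fixed-width char array."""
    return b.split(b"\0", 1)[0].decode("latin-1")


def parse_wtmp(data):
    """Decode every complete record in a wtmp/btmp byte string (trailing bytes ignored)."""
    records = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append({
            "type": f[0], "pid": f[1], "line": _cstr(f[2]),
            "user": _cstr(f[4]), "host": _cstr(f[5]),
            "time": datetime.fromtimestamp(f[9], timezone.utc),  # ut_tv.tv_sec
        })
    return records


def last_lines(records):
    """Render login records roughly the way `last` prints them."""
    return ["%-8s %-12s %-16s %s" % (r["user"], r["line"], r["host"],
                                    r["time"].strftime("%a %b %d %H:%M"))
            for r in records if r["type"] == USER_PROCESS]


def make_record(ut_type, pid, line, user, host, ts):
    """Pack one record; used here only to build constructed sample data."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)


if __name__ == "__main__":
    # Constructed sample: one login on pts/0 from a documentation-range address.
    sample = make_record(USER_PROCESS, 578, "pts/0", "Admin", "203.0.113.9", 1010000000)
    for line in last_lines(parse_wtmp(sample)):
        print(line)
```

To read a real file, pass `open("/var/log/wtmp", "rb").read()` to `parse_wtmp`; the same decoder applies to /var/log/btmp, which is what `lastb` reads.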
-
January 6th, 2002, 06:12 AM
#38
Senior Member
Excellent Vorlin! I hope you don't mind if I kind of re-hash/repeat what you have already said in my two posts here. I kinda posted them before I realized that you had pretty much answered the question and then I came back to edit them.
Hi jason-mis, just a little feedback on your /etc/hosts.deny and the error messages we saw in secure log.
[root@nothing /root]# cat /etc/hosts.deny
#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
all <---- This is what secure log is complaining about on line 9 "missing : "
hosts.deny should be in this format if you want to block all:
ALL: ALL EXCEPT 127.0.0.1 Vorlin's caveat applies here.
TCP Wrappers (as mentioned by Vorlin) can drop individual ip's into /etc/hosts.deny, check out portsentry, it can make use of TCP Wrappers for all offending hosts if you choose. Below is an example of blocking individual ip addresses.
ALL: 24.116.131.36
ALL: 65.242.102.24
etc...
Know this..., you may not by thyself in pride claim the Mantle of Wizardry; that way lies only Bogosity without End.
Rather must you Become, and Become, and Become, until Hackers respect thy Power, and other Wizards hail thee as a Brother or Sister in Wisdom, and you wake up and realize that the Mantle hath lain unknown upon thy Shoulders since you knew not when.
-
January 6th, 2002, 06:58 AM
#39
Senior Member
[root@nothing /root]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/:
nscd:x:28:28:NSCD Daemon:/:/bin/false
mailnull:x:47:47::/var/spool/mqueue:/dev/null
ident:x:98:98:pident user:/:/bin/false
rpc:x:32:32:Portmapper RPC user:/:/bin/false
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
Admin:x:500:500:Administrator:/home/Admin:/bin/bash
squid:x:23:23::/var/spool/squid:/dev/null
The fact that the only non-root, non-system user on the system is named Admin, and not jason, reinforces my suspicion that your attacker knows you. Unless perhaps your hostname is jason or some form of jason, this guy/gal knows who you are!
/etc/passwd looks to be clean at first glance, I don't see anything out of the ordinary in here. But please, someone else check this over for something I may have missed.
I would bet that your attacker used some variant of the `SSH CRC32' attack which is a buffer overflow exploit for vulnerable versions of ssh (which RedHat and others are known to have packaged with their systems unknowingly). An excellent paper on this attack can be found at http://www.ciac.org/ciac/techbull/CIACTech02-001.shtml .
You had a question about how your attacker changed the ssh login banner. Generally speaking, the file is /etc/issue.net, but you can check which one your system is using, or even change it, by looking in /etc/ssh/sshd_config. The option that controls that login message is.....
Banner /path/to/the/banner
Hope this helped.
Know this..., you may not by thyself in pride claim the Mantle of Wizardry; that way lies only Bogosity without End.
Rather must you Become, and Become, and Become, until Hackers respect thy Power, and other Wizards hail thee as a Brother or Sister in Wisdom, and you wake up and realize that the Mantle hath lain unknown upon thy Shoulders since you knew not when.
-
January 6th, 2002, 10:54 PM
#40
Member
My banner in /etc/ssh/sshd_config is /etc/issue.net
/etc/issue.net only contains the regular uname -r contents.
I don't know much about 'grep' but couldn't I grep for 'h4v1ng fun j45on??'
Thanks a lot for your input Uberc0der, my hostname is 'nothing', the only thing on my system that has my name in it (that I can think of) is my k-mail config. If they knew me in irc, I chat under the name of jason-mis. If someone got in when I was chatting on my linux box while in irc.antionline.com
I can think of nothing else
About my hosts.deny I want it set to deny all BUT whats in my hosts.allow, I never know where I will need to ssh in from so I have hosts.allow set to sshd: all, is 'all: all' a valid argument in hosts.deny??
Thanks,
Jason
__________________________
Caution: in case of rapture, this computer will be unoccupied!
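To tie together the hosts.deny discussion in this thread (the "missing ':' separator" warning, Vorlin's `ALL: ALL EXCEPT 127.0.0.1` form, and Jason's question whether `all: all` is valid), here is an added example that models how tcpd evaluates hosts.allow and hosts.deny. It is not code from the thread or from TCP Wrappers itself; it implements the documented decision order (hosts.allow first, then hosts.deny, otherwise allow) for a simplified rule syntax of daemon and client lists with the ALL and EXCEPT keywords, compared case-insensitively as tcpd does.

```python
import re

# daemon_list : client_list   (comments and blank lines are skipped)
RULE_RE = re.compile(r"^\s*([^:#]+?)\s*:\s*(.+?)\s*$")


def parse_rules(text):
    """Return (rules, errors). A line with no ':' is reported, not silently
    ignored: a bare 'all' (Jason's line 9) is exactly that error and blocks nothing."""
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            errors.append('line %d: missing ":" separator' % lineno)
            continue
        rules.append((m.group(1), m.group(2)))
    return rules, errors


def _matches_list(spec, value):
    """Evaluate 'a, b EXCEPT c' against a daemon name or client address."""
    head, _, tail = spec.upper().partition(" EXCEPT ")
    items = [x.strip() for x in head.split(",")]
    hit = "ALL" in items or value.upper() in items   # wildcard match is case-insensitive
    if hit and tail:
        return not _matches_list(tail, value)        # EXCEPT carves out of the match
    return hit


def access_allowed(allow_text, deny_text, daemon, client):
    """tcpd order: first match in hosts.allow grants, first match in hosts.deny
    refuses, and a connection matching neither file is allowed."""
    for text, verdict in ((allow_text, True), (deny_text, False)):
        rules, _ = parse_rules(text)
        for daemons, clients in rules:
            if _matches_list(daemons, daemon) and _matches_list(clients, client):
                return verdict
    return True


if __name__ == "__main__":
    # Constructed files matching the setup described in the thread.
    allow = "sshd: ALL\n"
    deny = "ALL: ALL EXCEPT 127.0.0.1\n"
    print(access_allowed(allow, deny, "sshd", "203.0.113.5"))        # True
    print(access_allowed(allow, deny, "in.telnetd", "203.0.113.5"))  # False
    print(parse_rules("# comment\nall\n")[1])  # ['line 2: missing ":" separator']
```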