[lug] Fun with being hacked
stimits at idcomm.com
Tue Aug 14 11:05:09 MDT 2001
Knowing that the cracker was using gdm to hide doesn't say the attack
was actually through gdm originally. Making a system account the login
would tend to be less suspicious (in theory, not reality for gdm) than
some brand new account. Knowing how they got in would require knowing
exactly what ports were open and to whom. In this case, the original
crack might not even be from 184.108.40.206, though this is where it is
now being used from. Older versions of sshd had one weakness or another.
Opening bind, rpc, or the printer ports would also be a route in. Do you
have ipchains or another firewall running? Do you have the configuration
now, and better yet, also from before the crack?
D. Stimits, stimits at idcomm.com
> So, I noticed an interesting message in my messages file this morning:
> Aug 12 04:43:14 pharynx sshd2: connection from "220.127.116.11"
> Aug 12 04:43:20 pharynx sshd2: User gdm's local password accepted.
> Aug 12 04:43:20 pharynx sshd2: Password authentication for user gdm
> Aug 12 04:43:20 pharynx sshd2: User gdm, coming from s161-184-79-143.ab.hsia.telus.net, authenticated.
> Apparently this has been happening since around the 28th of July.
> I also found a package called "autotelnet" installed in
> /tmp/.../autotelnet, which is a hack designed to break into telnetd using
> a buffer overflow (gives root shell of course).
> Of course, my next actions will be to reformat and reinstall RH7.1, and,
> once again, apply every RPM in existence. The problem is that I am not
> running telnetd, and in fact turned off all the services except sshd
> (openssh). I did a check on the telnet port and had the connection refused.
> It seems to me that the autotelnet was installed afterwards, to probe and
> attack other machines. I do not, however, have any idea of how they got in
> in the first place.
> Does gdm normally have a passwd? There is a gdm listed in the user
> accounts, but I thought that was just so gnome could do its thing?
> Should I password it next time?
> In general, since RH7.1 does not install the xwindows linuxconf, what's
> a quick way to find out what services are running on a machine?
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
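A log check in the spirit of the reply's point that a login as a system account such as gdm is easy to overlook, added here as an example that is not part of the original thread. The sshd2 lines and the passwd excerpt are constructed, modelled on the messages quoted above, and the UID 500 boundary for system accounts is an assumption based on the Red Hat 7.1-era convention.

```shell
#!/bin/sh
# Constructed sample log, modelled on the sshd2 lines quoted in the thread
# (the wrapped "coming from" message is one line in a real log).
SAMPLE_LOG=$(cat <<'EOF'
Aug 12 04:43:14 pharynx sshd2: connection from "220.127.116.11"
Aug 12 04:43:20 pharynx sshd2: User gdm's local password accepted.
Aug 12 04:43:20 pharynx sshd2: User gdm, coming from s161-184-79-143.ab.hsia.telus.net, authenticated.
Aug 12 09:12:01 pharynx sshd2: User alice, coming from office.example.net, authenticated.
EOF
)

# Constructed /etc/passwd excerpt. Assumption: system accounts have UIDs
# below 500, the convention on Red Hat 7.1-era systems.
SAMPLE_PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
gdm:x:42:42::/var/gdm:/sbin/nologin
alice:x:500:500::/home/alice:/bin/bash
EOF
)

# Print the account names from passwd-format text on stdin whose UID is
# below the threshold given in $1 (default 500).
system_accounts() {
    awk -F: -v max="${1:-500}" '$3 < max { print $1 }'
}

# $1: passwd-format text; sshd log lines on stdin.
# Prints "<user> <host>" for every completed login by a system account.
flag_system_account_logins() {
    sysacct=$(printf '%s\n' "$1" | system_accounts)
    grep 'authenticated\.$' | while IFS= read -r line; do
        user=$(printf '%s\n' "$line" | sed -n 's/.*User \([^,]*\), coming from .*/\1/p')
        host=$(printf '%s\n' "$line" | sed -n 's/.*coming from \([^,]*\), authenticated\.$/\1/p')
        # Only system accounts are reported; ordinary users pass silently.
        if printf '%s\n' "$sysacct" | grep -qx -- "$user"; then
            printf '%s %s\n' "$user" "$host"
        fi
    done
}

# Stand-alone run over the constructed sample: reports the gdm login only.
printf '%s\n' "$SAMPLE_LOG" | flag_system_account_logins "$SAMPLE_PASSWD"
```

On a real box, feed the function the contents of /etc/passwd and the messages file instead of the samples; any line it prints is a login that should not have happened for an account that has no business logging in.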