[lug] intrusion

bgiles at coyotesong.com bgiles at coyotesong.com
Wed Jun 13 12:44:12 MDT 2007

> There was a funny UID - easypwn.
> Changed the passwd, later saw:
> easypwn tried to get in, failed, then another "don't know who it is
> userID" mailmn got on from same IP.
> The easypwn tried to get in again and logged in successfully.

If you have a vulnerability, you can be attacked by multiple bad guys or
re-attacked by the same one.  When we had a vulnerability a while back our
logs showed three(?) separate attackers within less than 24 hours.  IIRC
one was successful (and quickly detected), a second was successful but the
payload failed, and the third hit just minutes before we closed the door.

> What's the short list of cleaning procedures/lockdowns while taking this
> machine out of service?

If you can't disconnect from the network (which leaves you wide open for,
well, anything), you can at least look at the logs to try to identify how
they got into the system.

Meanwhile a good idea with non-rootkit attacks are:

  # find / -perm +1000 -ls   (list all suid files)
  # find / -perm +2000 -ls   (list all sgid files)

  # find /tmp -type b   (list all block devices)
  # find /tmp -type c   (list all character devices)
                        (do for all directories other than /dev)

  # find /tmp -type f -perm +444 (1)
  # find /dev -type f -perm +444 (1)

There are a number of legitimate suid and sgid files, but iirc they should
all be under /bin and /usr/bin and be well documented somewhere.  You
shouldn't have any special devices outside of /dev.

(1) I think this is right... you want to find any executable files under
/tmp and /dev.  There should be none.  On most systems the same thing
should be true about /home.

More information about the LUG mailing list