[aclug-L] FW: Gee...guess what?! (was URGENT!!!!!!! Pine hacking attack: DOS attack, log file attached!)
Complete.Org discussion mailing list archive, May 2000
Here's a third

-----Original Message-----
From: owner-linux-admin@xxxxxxxxxxxxxxxx [mailto:owner-linux-admin@xxxxxxxxxxxxxxxx] On Behalf Of Julius C. Duque
Sent: Wednesday, May 17, 2000 2:47 AM
To: Jim Roland
Cc: linux-net@xxxxxxxxxxxxxxxx; linux-admin@xxxxxxxxxxxxxxxx; linux-newbie@xxxxxxxxxxxxxxxx
Subject: Re: Gee...guess what?! (was URGENT!!!!!!! Pine hacking attack: DOS attack, log file attached!)

On Wed, 17 May 2000, Jim Roland wrote:

> Gee guess what!?! I have the guy's IP address and host names. Sorry, I
> don't remember a guy's name who told me he ran the attachment as root and
> found a file called ".rhosts", but it might be wise to chronicle your
> information, look in your logs (messages and syslogs) and send what
> information you have to Worldcom's Security department (email address noted
> a few paragraphs below). Also, immediately change all your passwords. If
> you were in as root, he did get your shadow file, and encrypted passwords
> *can* be broken. Change them immediately. If the date of your .rhosts
> file is at or just after the time of the attack, delete it.

That was me. The date of .rhosts on my /home dir was near the time I executed the trojan email. I have already deleted that .rhosts.

I also noticed that sendmail had spawned a child process and was executing a program/script ./ex4XXXX or something similar (I can't recall the exact filename). I killed it, then decided to reboot the whole system afterwards.

The /etc/passwd on my machine has /dev/null for the shell of users. Only admins have /bin/bash shells. I also have tcp wrapper installed, from long before this event happened. So, even if this cracker cracks the admins' passwords, he still has to login first to our dialup before he can telnet to the main server. Of course, I've already changed the root's password, as well as informed the other admins to change theirs, too. Also, since the shell of "ordinary" users is set to /dev/null, a user still cannot enter the server. Without a legitimate login shell, the system will just log him/her out immediately after logging in. If you want, you could use /bin/false instead of /dev/null.

Additionally, it's a good thing that I configured /etc/securetty a long time ago so that root can only log on the console. The password field on non-human accounts (nobody, guest, ftp, shutdown, sync, bin, ftp, etc.) has long been disabled to shut out backdoors. I have put all users (except for admins) on /etc/ftpusers, chmod 600, to prevent non-admins from using the ftp service, long before this disaster happened.

I've also checked my .procmailrc. Why? You could execute arbitrary commands using the following .procmailrc recipe:

    :0:
    * $ ^Subject:[ ^I]*\/[ ^I].*
    | ${MATCH}

The ^I stands for <tab>. This recipe will execute anything that's on the subject line of an email. Imagine if this .procmailrc recipe is located on root's directory! Someone just sends an email to root with a Subject line: "rm -rf /" and BOOM! Bye-bye!

About the only thing I regret now is not installing Tripwire beforehand. Ouch!

> May 16 16:47:53 ns sendmail[26775]: NOQUEUE: SYSERR: putoutmsg (chi-qbu-nvb-vty13.as.wcom.net): error on output channel sending "220 mail.roland.net ESMTP Sendmail 8.8.7/8.8.7; Tue, 16 May 2000 16:47:52 -0500": Broken pipe

I've been seeing this IP in /var/log/syslog for about a week now, trying unsuccessfully to telnet and ftp to my machine. Yes, you're right, this guy came from Chicago.

> > We know he's in Chicago, we have his IP on 2 different occasions, and know
> > of 2 systems he's hijacked. The 2nd (mediaserve.net) is in California.

Julius