Complete.Org: Mailing Lists: Archives: discussion: May 2000:
[aclug-L] Re: FW: Gee...guess what?! (was URGENT!!!!!!! Pine hacking att
To: discussion@xxxxxxxxx
Subject: [aclug-L] Re: FW: Gee...guess what?! (was URGENT!!!!!!! Pine hacking attack: DOS attack, log file attached!)
From: John Goerzen <jgoerzen@xxxxxxxxxxxx>
Date: 22 May 2000 09:14:37 -0500
Reply-to: discussion@xxxxxxxxx

Jonathan Hall <jonhall@xxxxxxxxxxxx> writes:

> Just as a side note... traditionally on UNIX systems, only the first 8
> characters of the password are relevant.  On some Linux systems, it's as
> many as 16 (and can be set to more, if you want).

If you have enabled MD5 in your PAM login prefs, or alternatively in
/etc/login.defs for non-PAMified distributions, then it is, I believe, 
128 characters.


> 
> a0b1c2d3e4f5g6h7i8j9
> 
> is the same as:
> 
> a0b1c2d3e4
> 
> Adding more than 8 (or 16) characters has no effect on security.  Try it
> sometime... try just typing the first 8 characters of your password--you'll
> probably get logged in.  If not, try just the first 16 :-)
> 
> 
> On Sat, May 20, 2000 at 05:44:07PM -0500, Michael Holmes wrote:
> > Hey, when I was attacked, I was using Kmail as /home/mike NOT AS ROOT, I
> > have encrypted and shadow passwords and they popped right up on the screen
> > that night!   NOW I HAVE AN ENTIRE SENTENCE FOR MY ROOT PASSWORD!  When I
> > picked the first one, it said it was too weak; now I understand!
> > 
> > On Thu, 18 May 2000, you wrote:
> > > Here's a third
> > > 
> > > -----Original Message-----
> > > From: owner-linux-admin@xxxxxxxxxxxxxxxx
> > > [mailto:owner-linux-admin@xxxxxxxxxxxxxxxx] On Behalf Of Julius C. Duque
> > > Sent: Wednesday, May 17, 2000 2:47 AM
> > > To: Jim Roland
> > > Cc: linux-net@xxxxxxxxxxxxxxxx; linux-admin@xxxxxxxxxxxxxxxx;
> > > linux-newbie@xxxxxxxxxxxxxxxx
> > > Subject: Re: Gee...guess what?! (was URGENT!!!!!!! Pine hacking attack:
> > > DOS attack, log file attached!)
> > > 
> > > 
> > > On Wed, 17 May 2000, Jim Roland wrote:
> > > 
> > > > Gee guess what!?!  I have the guy's IP address and host names.  Sorry, I
> > > > don't remember the name of the guy who told me he ran the attachment as
> > > > root and found a file called ".rhosts", but it might be wise to chronicle
> > > > your information, look in your logs (messages and syslogs) and send what
> > > > information you have to Worldcom's Security department (email address
> > > > noted a few paragraphs below).  Also, immediately change all your
> > > > passwords.  If you were in as root, he did get your shadow file, and
> > > > encrypted passwords *can* be broken.  Change them immediately.  If the
> > > > date of your .rhosts file is at or just after the time of the attack,
> > > > delete it.
> > > 
> > > That was me. The date of .rhosts on my /home dir was near the time I
> > > executed the trojan email. I have already deleted that .rhosts. I also
> > > noticed that sendmail had spawned a child process and was executing a
> > > program/script ./ex4XXXX or something similar (I can't recall the
> > > exact filename). I killed it, then decided to reboot the whole system
> > > afterwards.
> > > 
> > > The /etc/passwd on my machine has /dev/null for the shell of users.
> > > Only admins have /bin/bash shells. I also have tcp wrapper installed
> > > long before this event happened. So, even if this cracker cracks the
> > > admins' passwords, he still has to login first to our dialup before
> > > he can telnet to the main server. Of course, I've already changed the
> > > root's password, as well as informed the other admins to change
> > > theirs, too. Also, since the shell of "ordinary" users is set to
> > > /dev/null, a user still cannot enter the server. Without a
> > > legitimate login shell, the system will just log him/her out
> > > immediately after logging in. If you want, you could use
> > > /bin/false instead of /dev/null.
> > > 
> > > Additionally, it's a good thing that I configured /etc/securetty
> > > a long time ago so that root can only log on at the console. The
> > > password field on non-human accounts (nobody, guest, ftp, shutdown,
> > > sync, bin, ftp, etc.) has long been disabled to shut out backdoors.
> > > 
> > > I have put all users (except for admins) on /etc/ftpusers, chmod 600,
> > > to prevent non-admins from using the ftp service long before this
> > > disaster happened. I've also checked my .procmailrc. Why? You could
> > > execute arbitrary commands using the following .procmailrc recipe:
> > > 
> > > :0:
> > > * $ ^Subject:[ ^I]*\/[ ^I].*
> > > | ${MATCH}
> > > 
> > > The ^I stands for <tab>. This recipe will execute anything that's
> > > on the subject line of an email. Imagine if this .procmailrc
> > > recipe is located on root's directory! Someone just sends an
> > > email to root with a Subject line: "rm -rf /" and BOOM! Bye-bye!
> > > 
> > > About the only thing I regret now is not installing Tripwire beforehand.
> > > Ouch!
> > > 
> > > > May 16 16:47:53 ns sendmail[26775]: NOQUEUE: SYSERR: putoutmsg (chi-qbu-nvb-vty13.as.wcom.net): error on output channel sending "220 mail.roland.net ESMTP Sendmail 8.8.7/8.8.7; Tue, 16 May 2000 16:47:52 -0500": Broken pipe
> > > 
> > > I've been seeing this IP in /var/log/syslog for about a week now, trying
> > > unsuccessfully to telnet and ftp to my machine. Yes, you're right,
> > > this guy came from Chicago.
> > > >
> > > > We know he's in Chicago, we have his IP on 2 different occasions, and
> > > > know of 2 systems he's hijacked.  The 2nd (mediaserve.net) is in California.
> > > 
> > > 
> > > Julius
> > > 
> > > -====---====---====---====---====---====---====---====---====---====---====-
> > >  to unsubscribe email "unsubscribe linux-admin" to 
> > > majordomo@xxxxxxxxxxxxxxxx
> > >  See the linux-admin FAQ: http://www.kalug.lug.net/linux-admin-FAQ/
> > > 
> > > 
> > > -- This is the discussion@xxxxxxxxx list.  To unsubscribe,
> > > visit http://tmp2.complete.org/cgi-bin/listargate-aclug.cgi
> > -- 
> > Michael A. Holmes
> > ---------------------------
> > A positive attitude may not solve all of your problems, but it will annoy
> > enough people to make it worth the effort
> > 
> >                                             Herm Albright
> > 
> 
> --
> Tech Support: "What version of the Mac OS are you using?"
> Customer: "Word 6.0."
> --
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>   Jonathan Hall  *  jonhall@xxxxxxxxxxxx  *  PGP public key available
>  Systems Admin, Future Internet Services; Goessel, KS * (316) 367-2487
>          http://www.futureks.net  *  PGP Key ID: FE 00 FD 51
>                   -=  Running Debian GNU/Linux  =-
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> 
> 

-- 
John Goerzen   Linux, Unix consulting & programming   jgoerzen@xxxxxxxxxxxx |
Developer, Debian GNU/Linux (Free powerful OS upgrade)       www.debian.org |
----------------------------------------------------------------------------+
  via Remote

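The host checks Julius describes in the quoted message (no login shell for ordinary users, root limited to the console in /etc/securetty, a planted .rhosts dated near the attack, a mode-600 /etc/ftpusers) can be turned into a repeatable audit. The script below is an added example written for this page, not code from anyone in the thread; the sample passwd and securetty contents, the ADMINS set, the user names and the timestamps are all constructed, and it works on a throwaway directory rather than the live system so it runs anywhere.

```python
import os
import stat
import tempfile
import time

# Constructed stand-ins for /etc/passwd and /etc/securetty. Names, uids and
# the pseudo-tty entry are invented for the demo.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/dev/null
ftp:x:14:50:FTP User:/home/ftp:/dev/null
mike:x:500:500:Michael:/home/mike:/bin/bash
julius:x:501:501:Julius:/home/julius:/dev/null
guest:x:502:502:guest:/home/guest:/bin/sh
"""
SAMPLE_SECURETTY = "tty1\ntty2\nttyp0\n"   # ttyp0 is a pseudo-tty: root could telnet in
ADMINS = {"root", "mike"}                  # assumed set of accounts allowed a real shell
NOLOGIN_SHELLS = {"/dev/null", "/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def accounts_with_shells(passwd_text):
    """Non-admin accounts whose login shell is a real shell. A cracked password on
    such an account gives an interactive login, which the thread wanted to prevent."""
    bad = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, _uid, _gid, _gecos, _home, shell = line.split(":")
        if name not in ADMINS and shell not in NOLOGIN_SHELLS:
            bad.append((name, shell))
    return bad


def remote_root_ttys(securetty_text):
    """Entries in /etc/securetty that are not physical consoles. Pseudo-ttys
    (ttyp*, pts/*) would let root log in over telnet instead of console-only."""
    return [t for t in securetty_text.split()
            if t.startswith(("ttyp", "ttyq", "ttyr", "pts/"))]


def rhosts_since(home_root, attack_time):
    """.rhosts files under home_root modified at or after attack_time (epoch seconds),
    the indicator Jim Roland told people to look for after the trojan ran."""
    hits = []
    for dirpath, _dirs, files in os.walk(home_root):
        if ".rhosts" in files:
            path = os.path.join(dirpath, ".rhosts")
            if os.stat(path).st_mtime >= attack_time:
                hits.append(path)
    return sorted(hits)


def ftpusers_world_readable(path):
    """True if the ftp deny list is readable by group or others (the thread kept it 600)."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))


def run_demo():
    """Build a throwaway home tree and ftpusers file, run every check, return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "home")
        os.makedirs(os.path.join(home, "julius"))
        os.makedirs(os.path.join(home, "mike"))
        attack_time = time.time() - 3600          # pretend the trojan ran an hour ago
        old = os.path.join(home, "mike", ".rhosts")
        new = os.path.join(home, "julius", ".rhosts")
        for path in (old, new):
            with open(path, "w") as f:
                f.write("+ +\n")                   # the classic "trust everyone" .rhosts
        day = 86400
        os.utime(old, (attack_time - day, attack_time - day))   # a day-old, pre-attack file
        ftpusers = os.path.join(tmp, "ftpusers")
        with open(ftpusers, "w") as f:
            f.write("mike\njulius\nguest\n")
        os.chmod(ftpusers, 0o600)
        return {
            "shells": accounts_with_shells(SAMPLE_PASSWD),
            "remote_root_ttys": remote_root_ttys(SAMPLE_SECURETTY),
            "rhosts": [os.path.relpath(p, home) for p in rhosts_since(home, attack_time)],
            "ftpusers_readable": ftpusers_world_readable(ftpusers),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Point the functions at the real /etc/passwd, /etc/securetty, /home and /etc/ftpusers to audit an actual box; the mtime test for .rhosts is only a heuristic, since an attacker with write access can reset timestamps, which is why Julius regrets not having Tripwire.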

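The .procmailrc recipe quoted above pipes whatever follows "Subject:" into a shell, so anyone who can mail the account runs commands as it. The following added example, written for this page rather than taken from the thread, scans a .procmailrc for recipes of that shape and shows the exact text procmail would hand to the shell for a given message. It assumes the thread's notation, in which "^I" stands for a literal tab; the hardened SAFE_RC recipe and the hostile message are constructed.

```python
import re

# Constructed .procmailrc containing the recipe quoted in the thread: the
# text after "Subject:" becomes $MATCH and is piped to a shell.
DANGEROUS_RC = """\
:0:
* $ ^Subject:[ ^I]*\\/[ ^I].*
| ${MATCH}
"""

# Hardened alternative (an assumption about intent: file mail by subject).
# Header text is only matched against, never executed.
SAFE_RC = """\
:0:
* ^Subject:.*\\[build\\]
build-log
"""

# Constructed hostile message of the kind the thread describes.
HOSTILE_MSG = """\
From: someone@example.invalid
To: root
Subject: rm -rf /

nothing to see here
"""


def parse_recipes(rc_text):
    """Split a .procmailrc into {flags, conds, action} dicts; blanks and comments skipped."""
    recipes, cur = [], None
    for raw in rc_text.splitlines():
        line = raw.strip()
        if line.startswith(":0"):
            cur = {"flags": line, "conds": [], "action": None}
            recipes.append(cur)
        elif cur is None or not line or line.startswith("#"):
            continue
        elif line.startswith("*"):
            cur["conds"].append(line[1:].strip())
        elif cur["action"] is None:
            cur["action"] = line
    return recipes


def dangerous_recipes(rc_text):
    """Recipes whose action pipes to a shell and interpolates $MATCH, so
    attacker-chosen header text lands on a command line."""
    return [r for r in parse_recipes(rc_text)
            if (r["action"] or "").startswith("|")
            and re.search(r"\$\{?MATCH\}?", r["action"])]


def condition_to_regex(cond):
    """Translate the procmail condition syntax used here into a Python regex:
    a leading '$' (sh-style expansion of the condition) is dropped, the thread's
    '^I' becomes a tab, and '\\/' opens the group procmail stores in $MATCH.
    Procmail matches case-insensitively and anchors '^' at any line start."""
    if cond.startswith("$"):
        cond = cond[1:].strip()
    cond = cond.replace("^I", "\t")
    if "\\/" in cond:
        head, tail = cond.split("\\/", 1)
        cond = head + "(" + tail + ")"
    return re.compile(cond, re.IGNORECASE | re.MULTILINE)


def match_for(cond, message):
    """What procmail would put in $MATCH for this condition and message. Only the
    header block is searched, which is procmail's default for a recipe without B."""
    headers = message.split("\n\n", 1)[0]
    m = condition_to_regex(cond).search(headers)
    if not m:
        return None
    return m.group(1) if m.groups() else m.group(0)


if __name__ == "__main__":
    for r in dangerous_recipes(DANGEROUS_RC):
        cmd = match_for(r["conds"][0], HOSTILE_MSG)
        print(f"recipe {r['flags']} would run: {cmd!r}")
```

Run dangerous_recipes over every ~/.procmailrc on a box after an incident like this one; a recipe that pipes $MATCH is a backdoor whether the owner wrote it or an intruder added it.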

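Julius says he had been seeing the same host in /var/log/syslog for a week, failing at telnet and ftp, before the sendmail error quoted above. The script below is an added example for this page, not from the thread: it parses a syslog excerpt for TCP Wrappers refusals and sendmail SYSERR lines that name the peer, counts them per source host, and emits /etc/hosts.deny entries for the repeat offenders. The sendmail line is the one quoted in the thread; the tcpd lines and the dialup hostname are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed syslog excerpt. The in.telnetd / in.ftpd lines follow the
# "refused connect from" format tcpd logs when /etc/hosts.deny rejects a peer.
SYSLOG = """\
May 10 02:11:40 ns in.telnetd[2210]: refused connect from chi-qbu-nvb-vty13.as.wcom.net
May 10 02:11:52 ns in.ftpd[2213]: refused connect from chi-qbu-nvb-vty13.as.wcom.net
May 12 23:05:03 ns in.telnetd[3019]: refused connect from chi-qbu-nvb-vty13.as.wcom.net
May 14 01:30:17 ns in.telnetd[4101]: connect from admin-dialup.example.net
May 16 16:47:53 ns sendmail[26775]: NOQUEUE: SYSERR: putoutmsg (chi-qbu-nvb-vty13.as.wcom.net): error on output channel sending "220 mail.roland.net ESMTP Sendmail 8.8.7/8.8.7; Tue, 16 May 2000 16:47:52 -0500": Broken pipe
"""

SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
TCPD_REFUSED = re.compile(r"^refused connect from (?P<src>\S+)$")
SENDMAIL_SYSERR = re.compile(r"SYSERR: \w+ \((?P<src>[^)]+)\): (?P<err>.*)$")


def parse_events(log_text):
    """Yield (timestamp, program, source_host, detail) for tcpd refusals and
    sendmail SYSERRs that name the peer; every other line is skipped."""
    for line in log_text.splitlines():
        m = SYSLOG_LINE.match(line)
        if not m:
            continue
        prog, msg = m.group("prog"), m.group("msg")
        refused = TCPD_REFUSED.match(msg)
        if refused:
            yield m.group("ts"), prog, refused.group("src"), "refused"
            continue
        syserr = SENDMAIL_SYSERR.search(msg)
        if prog == "sendmail" and syserr:
            yield m.group("ts"), prog, syserr.group("src"), syserr.group("err")


def suspects(log_text, min_events=3):
    """Source hosts with at least min_events refusals/errors, with per-service counts."""
    per_host = defaultdict(Counter)
    for _ts, prog, src, _detail in parse_events(log_text):
        per_host[src][prog] += 1
    return {src: dict(counts) for src, counts in per_host.items()
            if sum(counts.values()) >= min_events}


def hosts_deny_lines(hosts):
    """/etc/hosts.deny entries that shut the given hosts out of every wrapped service."""
    return [f"ALL: {h}" for h in sorted(hosts)]


if __name__ == "__main__":
    found = suspects(SYSLOG)
    for src, counts in found.items():
        print(f"{src}: {counts}")
    print("\n".join(hosts_deny_lines(found)))
```

The hosts.deny lines only help for services started through tcpd; a daemon like sendmail that is not wrapped needs its own access control, and a dialup host name like the one above can change between sessions, so the report is a lead for the provider's abuse desk rather than a permanent block list.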