Gentoo Forums
i ve been hacked ?
kang_
Guest
Posted: Tue May 21, 2002 3:17 pm    Post subject: i ve been hacked ?

Hi,
Just installed Gentoo.
I have a strict firewall (block all except SSH (3.2.2), which is not on a standard port) and no egress filtering other than allowing connections established from me, plus the new/established/related ones from a computer on my NAT.
I just emerged chkrootkit and ran chkwtmp.
It found 5 deletions in wtmp (argh!).
My system is like 3 days old (!) so it is very unlikely that I've been hacked (but we never know).
Then I chose to change my (quite secure) root and user passwords, and here is what I get (chkrootkit said it found no trojan/backdoor etc., by the way):
Code:
root # passwd
New UNIX password:
Retype new UNIX password:
Enter new UNIX password:


It RE-ASKS???
So here are my questions:
1/ Does Gentoo use the normal wtmp stuff? (I guess yes, so I will check the unclean deletions with wted. Notice that an attacker not good enough to use a real wiper, other than nulling entries, is probably not supposed to install his own backdoors... but still... Or maybe it's an overflow in the way wtmp is logged? I got my hands on such an exploit (which was binaries :/) and unreleased (sic), but it was totally deleting wtmp instead of just entries, so...

2/ Is it the normal way of Gentoo's passwd to ask TWO times? (I guess not -> trojan)
Thank you a lot if you can answer me.
kang
kang_
Guest
Posted: Tue May 21, 2002 3:47 pm    Post subject: some more stuff

Here are the nulled entries:
# ./a.out -f /var/log/wtmp -z
Thu Jan 1 01:00:00 1970
Thu Jan 1 01:00:00 1970
Thu Jan 1 01:00:00 1970
Thu Jan 1 01:00:00 1970
Thu Jan 1 01:00:00 1970


1970? What is this, a log wiper? Or is this a Gentoo default install bug?
I used stage1-2-3 tarballs.
Could anyone with a 1.1a CD ISO install check?
I will check on the tarballs though.
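A way to reproduce the chkwtmp check the post above describes, as an added example that is not from the thread or from chkrootkit: it assumes the glibc x86_64 utmp record layout and runs over a constructed wtmp image containing five zeroed records, which print as the "Thu Jan 1 1970" lines shown above.

```python
import struct
import time

# Layout of glibc's struct utmp on Linux x86_64, the on-disk record format of
# /var/log/wtmp: 384 bytes per record, little-endian, two pad bytes after ut_type.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS, DEAD_PROCESS = 7, 8


def parse_wtmp(data: bytes):
    """Decode every record of a wtmp image into a dict of the useful fields."""
    if len(data) % UTMP_SIZE:
        raise ValueError("wtmp length is not a multiple of %d bytes" % UTMP_SIZE)
    out = []
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        out.append({
            "type": f[0], "pid": f[1],
            "line": f[2].rstrip(b"\0").decode("ascii", "replace"),
            "user": f[4].rstrip(b"\0").decode("ascii", "replace"),
            "host": f[5].rstrip(b"\0").decode("ascii", "replace"),
            "tv_sec": f[9],  # ut_tv.tv_sec; 0 prints as Thu Jan 1 1970
        })
    return out


def find_nulled(data: bytes):
    """Records with a zero timestamp, i.e. the 1970 entries chkwtmp reports as
    deletions. Both an entry-zeroing wiper and an unclean reboot (the thread's
    eventual explanation) leave such records, so treat a hit as a lead, not proof."""
    return [r for r in parse_wtmp(data) if r["tv_sec"] == 0]


def make_record(ut_type, pid, line, user, host, tv_sec):
    """Pack one record; used here only to construct the sample input."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


# Constructed sample: one login, five zeroed records, then the matching logout.
SAMPLE_WTMP = (
    make_record(USER_PROCESS, 1201, "pts/0", "kang", "192.0.2.10", 1021993020)
    + bytes(UTMP_SIZE) * 5
    + make_record(DEAD_PROCESS, 1201, "pts/0", "", "", 1021996800)
)

if __name__ == "__main__":
    for r in find_nulled(SAMPLE_WTMP):
        print(time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime(r["tv_sec"])))
```

To run it against a real file, pass `open("/var/log/wtmp", "rb").read()` to `find_nulled` and compare the hits with reboot and crash times from the other system logs before concluding anything.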
kang_
Guest
Posted: Tue May 21, 2002 3:52 pm

I checked, and wtmp is clean on the CD.
Guest
Posted: Tue May 21, 2002 4:26 pm

After log exploration it seems I did reboot between the deletions because of a kernel crash,
so that would maybe explain the garbage in wtmp? (I have no firewall hits related to port scans, etc. during this period.)
kerframil
l33t
Joined: 19 Apr 2002
Posts: 710
Location: London, UK

Posted: Tue May 21, 2002 4:35 pm    Post subject: A few ideas

1) I'm not sure, as I have some stuff to learn myself on wtmp; however, I assume you have a perfectly serviceable firewall log. You could grep that to find any connection attempt to your SSH port (or, indeed, any successful inbound connection); if there are none to be found other than connections you know to have been initiated by yourself, and your firewall is as secure as you say it is, then it is a fairly safe bet that you are OK. Sorry, I would give more detailed guidance but I only use *BSD/IPFilter for firewalls! Yes, I do realise that such logs could, in theory, be doctored...

2) Yes, it does re-ask. It's quite conventional, mainly to ensure the user does not enter a password incorrectly without realising it, thus locking themselves out of the most important user account!

Furthermore, if you had a trojan you might expect a port to be opened up for listening, so netstat -l to make sure nothing is there that looks out of the ordinary. And a trojan could "phone home" too, so you might want to tighten your ruleset so that not all outgoing connection attempts are allowed - only ports 80/21/53 and so forth, just to make things a little bit more secure. Or even just log and drop all outgoing connection attempts from your Gentoo box for a period and see what happens - no strange connection attempts probably = no trojan.

It would take a fairly skilled person to cover up their tracks completely, so try to establish as much evidence as possible before drawing a conclusion. If you have a good password (no dictionary terms, 10 chars minimum, and some chars other than [0-9a-zA-Z] present) then I doubt somebody walked straight in like that, subject to other potential vulnerabilities on your system of course ;-)

Also, you could do a lot worse than run an IDS such as snort to more comprehensively tackle the issue of intrusion attempts and possible file changes. I hear snort is pretty good and a build is available in portage.

PS (for the casual reader): IMO, most firewall rulesets aren't as secure as people think they are, particularly if they do not set them up by hand, especially with regard to tricky topics like anti-spoofing and connection state. For example, my rulesets have block rules for any packets from 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 127.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3 and the local LAN subnet - in my case 192.168.254.0/24 - as no inbound packet on the Internet-facing interface should ever have such source addresses (which might just be let straight in otherwise). These rules are checked before any others, so any spoofed packets will be blocked regardless - it doesn't matter who initiated them or where they were going. I also check outbound so that people can't spoof from my LAN either :-). I also check for packets with IP options and/or excessive fragments inbound before any of that.
kang_
Guest
Posted: Tue May 21, 2002 4:36 pm

The double password asking thing was due to a PAM misconfiguration
(I had copy-pasted from the Gentoo securing guide, which had typos, and which also doesn't work on the latest Gentoo+PAM, it seems... Also, noticed it was very secure not to provide the full path to libs like they did in the guide... sic...)
Guest
Posted: Tue May 21, 2002 4:47 pm    Post subject: Re: A few ideas

kerframil wrote:
1) I'm not sure, as I have some stuff to learn myself on wtmp; however, I assume you have a perfectly serviceable firewall log. You could grep that to find any connection attempt to your SSH port (or, indeed, any successful inbound connection); if there are none to be found other than connections you know to have been initiated by yourself, and your firewall is as secure as you say it is, then it is a fairly safe bet that you are OK. Sorry, I would give more detailed guidance but I only use *BSD/IPFilter for firewalls! Yes, I do realise that such logs could, in theory, be doctored...

Yeah, I did.

Quote:

2) Yes, it does re-ask. It's quite conventional, mainly to ensure the user does not enter a password incorrectly without realising it, thus locking themselves out of the most important user account!


No, I meant it RE-RE-asks, but I found the problem (see upper post).
(I'm not that much of a newbie, I hope :)

Quote:

Furthermore, if you had a trojan you might expect a port to be opened up for listening, so netstat -l to make sure nothing is there that looks out of the ordinary.

I did :) (hoping that netstat is not trojaned itself; tried lsof too, including EST and LIS)

Quote:

And a trojan could "phone home" too, so you might want to tighten your ruleset so that not all outgoing connection attempts are allowed - only ports 80/21/53 and so forth, just to make things a little bit more secure. Or even just log and drop all outgoing connection attempts from your Gentoo box for a period and see what happens - no strange connection attempts probably = no trojan.

That's what I think is called egress filtering (not certain), and I didn't really make it very tight yet.

Quote:

It would take a fairly skilled person to cover up their tracks completely, so try to establish as much evidence as possible before drawing a conclusion. If you have a good password (no dictionary terms, 10 chars minimum, and some chars other than [0-9a-zA-Z] present) then I doubt somebody walked straight in like that, subject to other potential vulnerabilities on your system of course ;-)


Yeah, maybe I've been a little overreacting to the wtmp check, but, ya know, we're all like that ;)
Moreover it gives us a chance to see what others would do on such occasions, and learn :)

Quote:

Also, you could do a lot worse than run an IDS such as snort to more comprehensively tackle the issue of intrusion attempts and possible file changes. I hear snort is pretty good and a build is available in portage.

Didn't install it yet since it would require me to learn how to write good rules for it (I don't like installing stuff without knowing ;)
but it is definitely in my "task list" ;)

Quote:

PS (for the casual reader): IMO, most firewall rulesets aren't as secure as people think they are, particularly if they do not set them up by hand, especially with regard to tricky topics like anti-spoofing and connection state. For example, my rulesets have block rules for any packets from 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 127.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3 and the local LAN subnet - in my case 192.168.254.0/24 - as no inbound packet on the Internet-facing interface should ever have such source addresses (which might just be let straight in otherwise). These rules are checked before any others, so any spoofed packets will be blocked regardless - it doesn't matter who initiated them or where they were going. I also check outbound so that people can't spoof from my LAN either :-). I also check for packets with IP options and/or excessive fragments inbound before any of that.

Yeah, I check that too (my firewall is handmade ;)) and of course I deny source-routed packets (although I deny them from all sources, which may cause problems in specific networks, but here it's okay). I drop all traffic but 113 and 1080, which I reject (for timeouts to IRC servers, etc.), and allow my special SSH port ;)

Also, I was about to install aide (emerge package) for binary sums, but... if I already got hacked it's stupid ;)))
kerframil
l33t
Joined: 19 Apr 2002
Posts: 710
Location: London, UK

Posted: Tue May 21, 2002 5:07 pm    Post subject: This'n'that

Quote:
No, I meant it RE-RE-asks, but I found the problem

Ah, I see ... that's alright then, I saw that post just as I clicked Submit :-).

Quote:
I did (hoping that netstat is not trojaned itself; tried lsof too, including EST and LIS

Yeah, that is an issue! Here are my MD5s for netstat/lsof if that's any help (my Gentoo box isn't exposed to the Internet), but isn't it possible that they would differ anyway if made from a Stage 1 install? Couldn't you boot from a CD, and manually overwrite suspected binaries with the ones from the stage3 tarball?
Code:
1f364e9497453271c015154ade78e96c  /bin/netstat
c63362506be1bef74f7a9b00e8095e2c  /usr/sbin/lsof

Quote:
Didn't install it yet since it would require me to learn how to write good rules for it (I don't like installing stuff without knowing ;)

That's extremely sensible ... if only everyone thought like that when it comes to security <sigh>!

Quote:
I drop all traffic but 113 and 1080, which I reject (for timeouts to IRC servers, etc.)

Cool ... have you seen this? Deals with the identd issue beautifully: http://hangout.de/fakeidentd/ Ebuild available under net-misc/fakeidentd.
Guest
Posted: Tue May 21, 2002 5:19 pm    Post subject: Re: This'n'that

Quote:
I did (hoping that netstat is not trojaned itself; tried lsof too, including EST and LIS

Yeah, that is an issue! Here are my MD5s for netstat/lsof if that's any help (my Gentoo box isn't exposed to the Internet), but isn't it possible that they would differ anyway if made from a Stage 1 install? Couldn't you boot from a CD, and manually overwrite suspected binaries with the ones from the stage3 tarball?
Code:
1f364e9497453271c015154ade78e96c  /bin/netstat
c63362506be1bef74f7a9b00e8095e2c  /usr/sbin/lsof


Assuming my md5sum is clean, my netstat shows the right sum and my lsof does not.
However, I installed netstat from the stageXX tarball but compiled lsof with probably different options, so it should be fine.
Thanks for the idea, I didn't think of it (I'm quite stupid when I fear I'm being haxored ;)
:-)

Quote:
I drop all traffic but 113 and 1080, which I reject (for timeouts to IRC servers, etc.)

Cool ... have you seen this? Deals with the identd issue beautifully: http://hangout.de/fakeidentd/ Ebuild available under net-misc/fakeidentd.

Yeah, just checked the source, seems OK (performs checks to prevent overflows :)
although we never know exactly...
Hm.
I always asked myself whether it would be better for security to run a real identd or not.
An identd would allow me to know from which user something has been done to the outside, for example.
Otherwise I prefer rejecting ident instead of replying fake; it's more secure and faster/easier to deal with :)
kang_
Guest
Posted: Tue May 21, 2002 5:31 pm

OK, a friend of mine told me he had the same deletions after switching kernels and crashing too,
so I guess I had the same and I'm safe :)
OK, I'd better be paranoid and wipe/reinstall, but hm,
Gentoo takes days to compile here ;)
I think the reason we found was pretty valid :)

BTW, for those who want a good base of security articles, check:
www.nationwide.net/~aleph1/FAQ
It covers all the topics I know (I guess the other ones aren't spread in the wild, if there are any ;)
and covers them well (thanks aleph1 =)
kerframil
l33t
Joined: 19 Apr 2002
Posts: 710
Location: London, UK

Posted: Tue May 21, 2002 5:44 pm    Post subject: Further reading ...

Cheers for that, kang_. I would also recommend the following URLs for any fellow Gentoo users concerned with security, firstly the networking bookshelf (which features Building Internet Firewalls and Practical UNIX Security among other very nice things ...):

http://tit.irk.ru/

And a guide to IPFilter which is very good. Note to the curious: read it even if you use iptables, because making good firewall rulesets is chiefly about understanding TCP/IP, not getting wrapped up in the actual syntax of the ruleset ;-)

http://www.obfuscation.org/ipf/

Oh, and Chuck Semeria's "Understanding IP Addressing" is really good too (well it's 3Com endorsed so you'd hope so!!!):

http://www.bergen.org/ATC/Course/InfoTech/Coolip/
kang_
Guest
Posted: Thu May 23, 2002 1:13 pm

Thanks for that :)