From - Thu Mar 23 08:32:33 2000
Path: news.randori.com!news-hub.cableinet.net!newspeer.clara.net!news.clara.net!newsfeed1.swip.net!swipnet!pln-e!spln!extra.newsguy.com!newsp.newsguy.com!enews2
From: Jeff Liebermann <jeffl@comix.santa-cruz.ca.us>
Newsgroups: comp.unix.sco.misc
Subject: Re: Scobot Hack
Date: Wed, 22 Mar 2000 22:37:55 -0800
Organization: Committee to Maintain an Independent Xenix
Lines: 93
Message-ID: <recjdsk2vilp0urrt5odlv1d1qseaf93e7@4ax.com>
References: <38D9A9FC.C7D65550@bellsouth.net>
Reply-To: jeffl@comix.santa-cruz.ca.us
NNTP-Posting-Host: p-614.newsdawg.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Newsreader: Forte Agent 1.7/32.534
Xref: news.randori.com comp.unix.sco.misc:57034
X-Mozilla-Status: 8010
X-Mozilla-Status2: 00000000
On Thu, 23 Mar 2000 00:22:04 -0500, Geoff Bleau <geoffb@bellsouth.net>
wrote:
>/etc/shadow had also been modified.
If he can do that, he has the root password.
>I plan on restoring from a 2 week old backup tomorrow - and then changing
>all passwords while in single-user mode.
What do you mean plan? You have a problem right now that will only
get worse if you leave it alone. Fix it now.

How do you know that the 2 week backup is any good? If your hacker
was on the system back then, and nobody noticed, then you're wasting
your time. I wouldn't do it.
BTW, thanks for not bothering to disclose the version of whatever SCO
product you're using. I'll assume 3.2v5.0.5 with all the latest
updates.
>In the meantime - is there a quick way to keep this guy off the system
>??
Ummm, pull the plug? Disconnect from the rest of the network?
>I am hesitant to change passwords now - as it looks like one of the
>functions of the tcl scripts is to re-direct or duplicate info to a 'log'
>file (for possible mailing ??)
Lousy logic. He has the root password. He probably has a mechanism
(trap door, SUID script, SGID script or rootshell) for changing the
password again. The only way you're going to keep him off the system
long enough to clean up the mess is to change ALL the passwords, and
clean out his junk.
1. Pull the plug from the network, modem server, terminal server,
etc.
2. Clean out /tmp /usr/tmp and any other world writeable directories.
3. Change the root password. Also change the passwords for mmdf,
news, admin, backup, and any other administrative accounts with live
logins.
4. Then run:
find / \( -mtime -1 -type f \) -exec ls -adl {} \;
This will find any files that have been modified today. Slog through
the list. If my *GUESS* is right, password changes and root logins
are being logged to a file or sent via email and this will show the
file.
5. If your unspecified version of SCO Unix happens to be 3.2v5.0.x,
run:
custom -v strict
and all the corrupted, tweaked, or missing files will be checked.
This may take a long time depending upon machine speed.
6. Look for any SUID scripts and binaries that don't belong.
find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -adl {} \;
(I didn't have a system handy to test the above command).
7. Check /etc/passwd, /etc/shadow, /etc/group, /tcb/files/auth/..
for any surplus users.
8. Run:
pwck
grpck
/tcb/bin/authck -a -v
/tcb/bin/integrity -v
and fix whatever it finds.
9. Check the mail queues for any outgoing email full of passwords.
/usr/spool/mail
/usr/spool/mmdf/lock/home/*
10. Install ssh (secure shell) and use it when playing root.
11. Paste a copy of the scobot script into:
http://stage.caldera.com/support/security/secfdbk.html
I think they'll be suitably entertained. I forgot the security team
secret email address. Also see:
http://stage.caldera.com/support/security/
Depending upon the size of the system and your experience level, you
may find it easier to slog through the various directories and look
for extra programs, trojan horses, and software bombs. However,
methinks that saving the *DATA* to tape, blasting the whole mess,
installing your unspecified version of SCO Unix from scratch,
restoring the data, and fixing anything that was forgotten, will need
to be performed. I should also point out that 99% of all the root
level security breaches I've found were done from inside the firewall.
Good luck.
--
Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
(831)421-6491 pgr (831)426-1240 fax (831)336-2558 home
http://www.cruzio.com/~jeffl WB6SSY
jeffl@comix.santa-cruz.ca.us jeffl@cruzio.com
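As an added example, not code from Jeff's post or from any SCO tool: a POSIX sh script that carries out the checkable steps of the list above (4: recently modified files, 6: SUID/SGID files, 7: surplus users and extra uid-0 accounts, 9: spool files that mention passwords). It builds a scratch directory tree so it can be run anywhere without touching a real system; the tree layout, the account names (scobot, toor) and the two mail messages are constructed for illustration and are assumptions, not data from the thread.

```shell
#!/bin/sh
# Added example, not code from the original post: a triage helper for the
# checklist above. It implements step 4 (recently modified files), step 6
# (SUID/SGID files), step 7 (surplus users, including extra uid-0 accounts)
# and step 9 (mail spool files that mention passwords). The scratch tree,
# account names and messages in make_fixture are constructed for illustration
# and are assumptions, not data from the thread. POSIX sh; needs only
# find, ls, awk, grep, touch and mktemp.

# Step 4: regular files under ROOT modified within the last DAYS days
# (default 1). Uses -mtime rather than GNU -mmin so it also runs on an
# old SCO find.
recent_files() {
    root=$1
    days=${2:-1}
    find "$root" -type f -mtime "-$days" -exec ls -adl {} \;
}

# Step 6: regular files with the setuid OR setgid bit. ANDing the two
# -perm tests would only match files carrying both bits.
setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -adl {} \;
}

# Step 7a: account names present in CURRENT passwd but not in BASELINE.
surplus_users() {
    awk -F: 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$1" "$2"
}

# Step 7b: any uid-0 account other than root is a second root login.
extra_root_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Step 9: spool files whose body mentions a password (case-insensitive).
spool_mentions_passwords() {
    grep -il 'passw' "$1"/* 2>/dev/null
}

# Build a scratch tree that stands in for a compromised host (constructed).
make_fixture() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/bin" "$dir/lib" "$dir/etc" "$dir/spool"
    printf '#!/bin/sh\necho ok\n' > "$dir/bin/ok"
    chmod 0755 "$dir/bin/ok"
    printf '#!/bin/sh\nexec /bin/sh\n' > "$dir/bin/suspect"   # planted root shell
    chmod 4755 "$dir/bin/suspect"
    : > "$dir/lib/old.so"
    touch -t 200001010000 "$dir/lib/old.so"                  # untouched for years
    printf 'root:x:0:0::/:/bin/sh\nmmdf:x:9:9::/usr/mmdf:/bin/sh\n' \
        > "$dir/etc/passwd.baseline"
    printf 'root:x:0:0::/:/bin/sh\nmmdf:x:9:9::/usr/mmdf:/bin/sh\nscobot:x:1001:1::/tmp:/bin/sh\ntoor:x:0:0::/:/bin/sh\n' \
        > "$dir/etc/passwd.now"
    printf 'Subject: status\nnew root password is hunter2\n' > "$dir/spool/msg1"
    printf 'Subject: lunch\nsee you at noon\n' > "$dir/spool/msg2"
    echo "$dir"
}

# Run "sh triage.sh demo" to see each check against the scratch tree.
case "${1:-}" in
demo)
    d=$(make_fixture) || exit 1
    echo "== step 4: modified in the last day ==";   recent_files "$d"
    echo "== step 6: setuid/setgid files ==";        setid_files "$d"
    echo "== step 7: surplus users ==";              surplus_users "$d/etc/passwd.baseline" "$d/etc/passwd.now"
    echo "== step 7: extra uid-0 accounts ==";       extra_root_accounts "$d/etc/passwd.now"
    echo "== step 9: spool files mentioning passwords =="; spool_mentions_passwords "$d/spool"
    rm -rf "$d"
    ;;
esac
```

On a real host you would call the same functions with `/` and with the live passwd file against a baseline copy taken from the install media or a backup you trust; step 7 is only as good as that baseline, which is exactly the weakness of the two-week-old backup the post warns about. Nothing here replaces `custom -v strict`, `authck` or `integrity`, which check the SCO package and TCB databases that this script knows nothing about.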
/Bofcusm/319.html copyright 1997-2004 (various authors) All Rights Reserved