TCLUG Archive

I've been compromised, <g>



Sorry about the repost, it seems that a couple of my recent posts
haven't included the body of the messages.

Well,

I am glad this happened before I started serving anything important. <g>

My lan will eventually include: one linux client/server internet server,
four macintosh machines and several linux/win95 machines.
It's been my intention to use Samba and NFS/NIS; however, I don't really
know the security consequences. I don't know if a lan
this size really warrants NFS/NIS. Basically, the lan is designed to
allow workstations access to user /home directories for the
purpose of building and maintaining web sites. The only workstation I
need to have a client/server relationship on is my personal
workstation. I know there are volumes written on designing networks and
security so I'll be doing some homework this week.


/etc/log/messages

Dec 11 18:53:48 daddy PAM_pwdb[19257]: (su) session opened for user poop by port(uid=0)
Dec 11 18:54:44 daddy pppd[18357]: Modem hangup
Dec 11 18:54:44 daddy pppd[18357]: Connection terminated.
Dec 11 18:54:45 daddy pppd[18357]: Exit.
Dec 11 18:55:51 daddy kernel: PPP: ppp line discipline successfully unregistered

/etc/passwd

port:j7A3mq8PCNbzE:506:506::/home/port:/bin/bash
poop::0:0:poop:/tmp:/bin/bash

poop is an unauthorized user and I didn't create port. Is port also an
unwelcome user, or is it something else?

I've commented the following from my /etc/inetd.conf file:

#ftp    stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
#ftp    stream  tcp     nowait  root    /usr/home/rtp/programs/proftpd-1.2.0pre1/ proftpd
#telnet stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#gopher stream  tcp     nowait  root    /usr/sbin/tcpd  gn
#pop-2   stream  tcp     nowait  root    /usr/sbin/tcpd ipop2d
#pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd ipop3d
#imap    stream  tcp     nowait  root    /usr/sbin/tcpd imapd

My /etc/log/security file revealed numerous imapd entries:

Nov  5 16:13:19 daddy imapd[1314]: connect from 195.204.234.58
Nov  7 09:59:37 daddy imapd[6257]: connect from 24.226.154.56
Nov  7 10:02:44 daddy imapd[6295]: connect from 24.226.154.56

I haven't been using any image maps on the web that I was serving so I
assume the imapd entries are exploits.

Anyway, I could put a volume of examples on here but I'll stop at this.
Any feedback and thoughts are appreciated.

If I knew it was going to be this much fun, I'd have started 20 years
ago.
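An added example, not part of the post above or of any TCLUG reply, showing the checks a defender would run over the evidence quoted in it: it audits /etc/passwd lines for extra uid-0 accounts, empty password fields, homes under /tmp and accounts the admin never created, and it pulls PAM "(su) session opened" lines out of syslog to find who switched into a uid-0 account. The sample data is constructed from the post's own lines (with a normal root entry added), and the set of "expected" accounts is an assumption.

```python
import re

# Constructed sample: the two passwd lines quoted in the post plus an ordinary
# root entry, so the audit has a legitimate uid-0 account to compare against.
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
port:j7A3mq8PCNbzE:506:506::/home/port:/bin/bash
poop::0:0:poop:/tmp:/bin/bash
"""

# Constructed sample: the PAM su line from the post (rejoined) and a pppd line.
MESSAGES_SAMPLE = """Dec 11 18:53:48 daddy PAM_pwdb[19257]: (su) session opened for user poop by port(uid=0)
Dec 11 18:54:44 daddy pppd[18357]: Modem hangup
"""

# Matches the PAM_pwdb format shown in the post: "(su) session opened for user X by Y(uid=N)".
SU_OPEN = re.compile(r"\(su\) session opened for user (\S+) by (\S+)\(uid=(\d+)\)")

def audit_passwd(text, expected_users):
    """Return (user, reason) findings for passwd entries an admin should question."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:          # skip blank or malformed lines
            continue
        user, pw, uid, _gid, _gecos, home, _shell = fields
        if uid == "0" and user != "root":
            findings.append((user, "uid 0 but not root"))
        if pw == "":
            findings.append((user, "empty password field"))
        if home.startswith("/tmp"):
            findings.append((user, "home directory under /tmp"))
        if user not in expected_users:
            findings.append((user, "account not in the expected list"))
    return findings

def su_sessions(text):
    """Return (target_user, invoking_user, invoking_uid) for each PAM su session line."""
    out = []
    for line in text.splitlines():
        m = SU_OPEN.search(line)
        if m:
            out.append(m.groups())
    return out

def root_escalations(passwd_text, messages_text):
    """Return (invoker, target) pairs where su opened a session as a uid-0 account."""
    uid0 = {f[0] for f in (l.split(":") for l in passwd_text.splitlines()) if len(f) == 7 and f[2] == "0"}
    return [(by, target) for target, by, _uid in su_sessions(messages_text) if target in uid0]

if __name__ == "__main__":
    # Assumption: root and rtp are the accounts this admin created.
    for finding in audit_passwd(PASSWD_SAMPLE, {"root", "rtp"}):
        print("passwd:", *finding)
    for invoker, target in root_escalations(PASSWD_SAMPLE, MESSAGES_SAMPLE):
        print("su to uid 0:", invoker, "->", target)
```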