Hi Everybody, somebody sniffed our local network! That automatically generated mail on our RH 6.1 server (posted earlier) was generated by linsniffer only. I found the same mail generated to another address, max_003_2000@yahoo.com, with subject "F the rwetter". He replaced netstat, ifconfig, top and ps with some older versions created on Sep 26 1983. The chor (thief) is here in /dev/ida/.inet:
ls -l /dev/ida/.inet
-rwx------   1 root     root         7165 Sep 26  1983 linsniffer*
-rwx------   1 root     root           75 Sep 26  1983 logclear*
-rw-r--r--   1 root     root            4 Jun 22 14:09 pid
-rw-r--r--   1 root     root          701 Jun 13 16:53 s
-rwxr-xr-x   1 root     root         4060 Sep 26  1983 sense*
-rwx------   1 root     root         8268 Sep 26  1983 sl2*
-rw-------   1 root     root          541 Sep 26  1983 ssh_host_key
-rw-------   1 root     root          512 Jun 22 14:09 ssh_random_seed
-rwxr-xr-x   1 root     root       686535 Dec  3  2000 sshdu*
-rw-r--r--   1 root     root       936166 Jun 22 15:03 tcp.log
'tcp.log' is the list of usernames, passwords and some contents of outgoing mail. Mostly POP3 and FTP passwords are listed, which are used on other Windows clients. This file doesn't contain our dial-up account's password or the official website's.
How can I find more details, like who this sniffer is and when he entered our machine?
Anyway, I am very happy to learn about all these things. Thank you, linsniffer. As a layman this is a good experience for me.
Waiting for more comments on security issues, hacking and cracking... I got one article on linsniffer: http://www.linux4biz.net/articles/articlesniff.htm Happy weekend, I will be back on Monday.
Regards Benoy
Sometime on Jun 22, Benoy George assembled some asciibets to say:
> How can I find more details, like who this sniffer is and when he entered our machine?
Well, for one, you need to install tripwire. That will fingerprint all your binaries and store them in a database. Then, back up that database on a separate machine/removable disk. Tripwire will check all binaries every night and mail you if there are any discrepancies, reporting what they are. That way you will know if someone has tampered with your system, and what exactly has been changed.
You should also stop all services that are not required, and instead redirect all requests on those ports to a logger that will log the entry and send you a mail reporting it.
That way, if anyone tries to scan your machine, you will get immediate notice of it.
You also need to check your log files regularly to see if anything unexpected is happening. Typically, you'd do this every morning, but a better solution may be to get a log analyser that will provide your log files in an easy to read format, possibly over the web. That way, you can have one browser window always open to monitor what's happening.
> Waiting for more comments on security issues, hacking and cracking...
Just so you know, security issues are related more to cracking than to hacking. A very small part of hacking is related to security. Most of it deals with clever programming of anything from a really efficient factorial program to an OS tweak to work around a hardware bug.
Cracking on the other hand has everything to do with security, and little if anything that doesn't deal with security.
A good system administrator needs to know how a cracker works, but not necessarily a hacker. A good programmer should aspire to be a hacker.
Philip
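The check Philip describes (fingerprint the binaries, keep the database off the box, compare every night) can be sketched in a few dozen lines. The block below is an added example for this thread, not tripwire's code and not anything the posters ran. It records a SHA-256 digest plus mode and size for every regular file under the given directories, then reports modified, added and removed paths. Timestamps are deliberately left out of the comparison: the kit in this thread backdated its replacements to 1983, and mtime is trivially forged, so only content can be trusted. The demo() scenario, with its fake bin/ directory, file contents and the sniffer file name, is constructed for illustration.

```python
"""
Content-based file-integrity check in the spirit of tripwire.
Added example for this thread; not tripwire's code, not the posters' system.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """SHA-256 of the content plus permission bits and size; mtime is ignored on purpose."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    st = path.lstat()
    return {"sha256": digest.hexdigest(),
            "mode": stat.S_IMODE(st.st_mode),
            "size": st.st_size}


def build_baseline(roots) -> dict:
    """Fingerprint every regular file (symlinks skipped) under each root directory."""
    baseline = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = Path(dirpath) / name
                if p.is_file() and not p.is_symlink():
                    baseline[str(p)] = fingerprint(p)
    return baseline


def save_baseline(baseline: dict, dest: Path) -> None:
    """Write the baseline as JSON. Copy it off the box or onto read-only media:
    a baseline the intruder can rewrite proves nothing."""
    dest.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Paths whose hash/mode/size changed, paths that appeared, paths that vanished."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario (hypothetical files, not the poster's machine):
    baseline a fake bin/, then trojan ps with a 1983 mtime and drop a new file."""
    work = Path(tempfile.mkdtemp())
    bindir = work / "bin"
    bindir.mkdir()
    for name in ("ps", "netstat", "ifconfig", "top"):
        (bindir / name).write_bytes(("#!/bin/sh\necho real %s\n" % name).encode())
    db = work / "baseline.json"
    save_baseline(build_baseline([bindir]), db)

    # The intruder's moves: replacement of the same size, timestamp pushed back to 1983.
    trojan = bindir / "ps"
    trojan.write_bytes(b"#!/bin/sh\necho fake ps\n")
    old = 433382400                      # 1983-09-26 00:00:00 UTC
    os.utime(trojan, (old, old))
    (bindir / "sense").write_bytes(b"sniffer output parser")   # hypothetical new file

    result = compare(load_baseline(db), build_baseline([bindir]))
    shutil.rmtree(work, ignore_errors=True)
    # Report basenames so the temp directory name does not leak into the output.
    return {k: [Path(p).name for p in v] for k, v in result.items()}


if __name__ == "__main__":
    print(demo())   # {'modified': ['ps'], 'added': ['sense'], 'removed': []}
```

Run build_baseline over /bin, /sbin, /usr/bin and /lib from a known-clean install, save the JSON to removable media, and cron the comparison nightly; mail the output rather than leaving it in a log the intruder can edit.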
On Sat, 23 Jun 2001, Philip S Tellis spewed into the ether:
> Sometime on Jun 22, Benoy George assembled some asciibets to say:
> > How can I find more details, like who this sniffer is and when he entered our machine?
> Well, for one, you need to install tripwire. That will fingerprint all your binaries and store them in a database. Then, back up that database on a separate machine/removable disk. Tripwire will check all binaries
Ideally a WORM device like a CD-ROM.
> every night and mail you if there are any discrepancies, reporting what
Note that this is a cron job, and not a tripwire daemon.
> they are. That way you will know if someone has tampered with your system, and what exactly has been changed.
> You should also stop all services that are not required, and instead redirect all requests on those ports to a logger that will log the entry and send you a mail reporting it.
Or just log connection attempts to syslog: man ipchains (or get Bastille or another firewall script).
> That way, if anyone tries to scan your machine, you will get immediate notice of it.
Also check out portsentry.
> You also need to check your log files regularly to see if anything unexpected is happening. Typically, you'd do this every morning, but a better solution may be to get a log analyser that will provide your log files in an easy to read format, possibly over the web. That way, you
I suggest email for reporting. Easier to handle. You might also check out snort itself.
> can have one browser window always open to monitor what's happening.
<snip>
> A good system administrator needs to know how a cracker works, but not necessarily a hacker. A good programmer should aspire to be a hacker.
Every good sysadmin is a programmer, and every good programmer is a sysadmin, to some extent. Actually, even sysadmins should try to be good hackers, that is a useful skill, and vice versa.
Devdas Bhagat -- Do you like "TENDER VITTLES"?
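Logging denied connections to syslog only helps if something reads the log and turns a burst of hits on closed ports into an alert, which is the job portsentry does on the wire and this snippet does after the fact. It is an added example for the thread, not portsentry or snort code and not anything the posters ran. The sample lines are constructed and modelled on the "Packet log:" records that ipchains -l emits through the kernel log; treat the exact field layout, the host name rh61, the addresses and the 2001 year as assumptions of this example. A source that hits several distinct denied ports inside a short window is reported, which is what a scan looks like from the victim's side.

```python
"""
Port-scan detection over firewall log lines (added example, not from the thread).
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: 10.1.1.77 sweeps eight ports in four seconds; 10.1.1.9 trips
# the same rule three times over twenty minutes, which is not a scan. Lines are made up.
SAMPLE_LOG = """\
Jun 22 14:09:01 rh61 kernel: Packet log: input DENY eth0 PROTO=6 10.1.1.77:2031 10.1.1.5:21 L=60 S=0x00 I=1001 F=0x4000 T=64 SYN (#3)
Jun 22 14:09:01 rh61 kernel: Packet log: input DENY eth0 PROTO=6 10.1.1.77:2032 10.1.1.5:23 L=60 S=0x00 I=1002 F=0x4000 T=64 SYN (#3)
Jun 22 14:09:02 rh61 kernel: Packet log: input DENY eth0 PROTO=6 10.1.1.77:2033 10.1.1.5:25 L=60 S=0x00 I=1003 F=0x4000 T=64 SYN (#3)
Jun 22 14:09:02 rh61 kernel: Packet log: input DENY eth0 PROTO=6 10.1.1.77:2034 10.1.1.5:79 L=60 S=0x00 I=1004 F=0x4000 T=64 SYN (#3)
Jun 22 14:09:03 rh61 sshd[812]: Accepted password for benoy from 10.1.1.9 port 1100
Jun 22 14:09:03 rh61 kernel: Packet log: input DENY eth0 PROTO=6 10.1.1.77:2035 10.1.1.5:110 L=60 S=0x00 I=1005 F=0x4000 T=64 SYN (#3)
Jun 22 14:09:03 rh61 kernel: Packet log: input DENY eth0 PROTO=6 10.1.1.77:2036 10.1.1.5:111 L=60 S=0x00 I=1006 F=0x4000 T=64 SYN (#3)
Jun 22 14:09:04 rh61 kernel: Packet log: input DENY eth0 PROTO=6 10.1.1.77:2037 10.1.1.5:143 L=60 S=0x00 I=1007 F=0x4000 T=64 SYN (#3)
Jun 22 14:09:04 rh61 kernel: Packet log: input DENY eth0 PROTO=6 10.1.1.77:2038 10.1.1.5:513 L=60 S=0x00 I=1008 F=0x4000 T=64 SYN (#3)
Jun 22 14:12:40 rh61 kernel: Packet log: input DENY eth0 PROTO=6 10.1.1.9:1122 10.1.1.5:23 L=60 S=0x00 I=2201 F=0x4000 T=64 SYN (#3)
Jun 22 14:31:05 rh61 kernel: Packet log: input DENY eth0 PROTO=6 10.1.1.9:1140 10.1.1.5:110 L=60 S=0x00 I=2202 F=0x4000 T=64 SYN (#3)
Jun 22 14:31:06 rh61 kernel: Packet log: input DENY eth0 PROTO=17 10.1.1.9:1141 10.1.1.5:111 L=34 S=0x00 I=2203 F=0x0000 T=64 (#4)
"""

# Field layout assumed from ipchains' kernel-log records; adjust for your firewall.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: "
    r"Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)
LOG_YEAR = 2001  # syslog lines carry no year; assumed from the thread's date


def parse_line(line: str):
    """Fields of one firewall record, or None for any other syslog line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("%s %s %s %s" % (LOG_YEAR, m["mon"], m["day"], m["time"]),
                           "%Y %b %d %H:%M:%S")
    return {"ts": ts, "chain": m["chain"], "action": m["action"], "iface": m["iface"],
            "proto": int(m["proto"]), "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"])}


def detect_scans(lines, min_ports=5, window_s=60):
    """Sources that touched >= min_ports distinct denied ports within any window_s
    seconds, mapped to the sorted list of every port they touched."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["action"] == "DENY":
            by_src[ev["src"]].append((ev["ts"], ev["dport"]))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):          # sliding window over time-ordered hits
            while (events[hi][0] - events[lo][0]).total_seconds() > window_s:
                lo += 1
            if len({p for _, p in events[lo:hi + 1]}) >= min_ports:
                alerts[src] = sorted({p for _, p in events})
                break
    return alerts


def format_report(alerts: dict) -> str:
    """Plain-text body suitable for the mail Devdas suggests."""
    return "\n".join("%s probed %d closed ports: %s" % (src, len(ports), ports)
                     for src, ports in sorted(alerts.items()))


if __name__ == "__main__":
    print(format_report(detect_scans(SAMPLE_LOG.splitlines())))
```

Feed it the kernel facility log from syslog (or tail -f it) and pipe format_report() into mail; the thresholds are the knobs to tune against your own background noise.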
On Fri, 22 Jun 2001, Benoy George spewed into the ether:
> Hi Everybody, somebody sniffed our local network!
Huh? Someone else had root on at least one of your machines?
> That automatically generated mail on our RH 6.1 server (posted earlier) was generated by linsniffer only. I found the same mail generated to another address, max_003_2000@yahoo.com, with subject "F the rwetter". He replaced netstat, ifconfig, top and ps with some older versions created on Sep 26 1983.
Looks like a standard rootkit. Dates can be changed; there are programs available to do that.
> The chor (thief) is here in /dev/ida/.inet
You mean cracker.
> ls -l /dev/ida/.inet
<snip rootkit details>
> How can I find more details, like who this sniffer is and when he entered our machine?
How much damage did you do to the machine? If you haven't messed around much, make a bitwise backup of the machine to a clean hard disk (by clean I mean run dd if=/dev/zero of=/dev/hd<whatever> bs=512).
Then, after you have a backup of the disk, make a copy to do your research on. Look in the archives of the incidents list at http://securityfocus.com to see if someone has been hit by the rootkit before. Run strings on the second copy of the image to see details. You should be able to see erased logs and such details (if it is not too late).
> Anyway, I am very happy to learn about all these things. Thank you, linsniffer. As a layman this is a good experience for me.
http://securityfocus.com. Quite a few good security lists there.
> Waiting for more comments on security issues, hacking and cracking...
BTW, rebuild that compromised machine, install all patches, and then install tripwire. Replace BIND by DJBDNS, Sendmail by Postfix or Qmail (simply because sendmail is too complex). [Note: Do *not* install any software that you do not run; what is not installed cannot be compromised.]
Devdas Bhagat -- The difference between reality and unreality is that reality has so little to recommend it. -- Allan Sherman
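Two things matter once you have the dd image: never work on the evidence copy, and be able to prove later that it was not touched. The block below is an added example for the thread, not the poster's procedure and not something anyone here ran; it uses a constructed 64 KiB "disk" so it runs offline, a plain byte-for-byte copy stands in for dd, and the log lines, host name, address and file names inside the image are invented. It hashes the evidence image before and after analysis, carves printable runs out of the working copy the way strings(1) does, and filters them for syslog-style lines that a log cleaner unlinked but never overwrote, which is exactly the "erased logs" Devdas says you should still be able to see.

```python
"""
Image handling and string carving for a compromised disk (added example, not the poster's steps).
"""
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Syslog-style "Mon dd hh:mm:ss host " prefix, used to pick log remnants out of the carved strings.
SYSLOG_LINE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \S+ ")


def build_sample_image() -> bytes:
    """Constructed 64 KiB 'disk': zeros, a little binary noise, and leftovers of
    /var/log/messages plus a shell history in blocks no file points at any more.
    Every address, host name and timestamp here is invented."""
    img = bytearray(64 * 1024)

    def put(off, data):
        img[off:off + len(data)] = data

    put(4096, b"Jun 22 13:58:12 rh61 sshd[611]: Accepted password for root from 203.0.113.45 port 3822\n")
    put(8192, b"\x00\x01\x02\xfe\xff\x7f")          # binary noise, nothing printable
    put(12288, b"ok\x00")                            # too short to count as a string
    put(20480, b"Jun 22 13:59:40 rh61 login[624]: ROOT LOGIN ON tty1\n")
    put(30000, b"./linsniffer &\n./logclear\n")     # shell history fragment
    return bytes(img)


def sha256_file(path: Path) -> str:
    """Digest of the whole image; record it before touching anything."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def carve_strings(data: bytes, min_len: int = 4):
    """Runs of >= min_len printable ASCII bytes (tab allowed, newline not), like strings(1)."""
    out, run = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7f or b == 0x09:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


def find_log_remnants(strings):
    """Carved strings that look like syslog lines (deleted log content still on disk)."""
    return [s for s in strings if SYSLOG_LINE.match(s)]


def demo() -> dict:
    work = Path(tempfile.mkdtemp())
    evidence = work / "hda.img"           # what dd if=/dev/hda of=hda.img would produce
    evidence.write_bytes(build_sample_image())
    before = sha256_file(evidence)        # write this hash down, off the machine

    working = work / "hda-work.img"       # the second copy you actually poke at
    shutil.copyfile(evidence, working)
    strs = carve_strings(working.read_bytes())

    after = sha256_file(evidence)
    result = {
        "evidence_intact": before == after == sha256_file(working),
        "n_strings": len(strs),
        "log_lines": find_log_remnants(strs),
        "shell_lines": [s for s in strs if s.startswith("./")],
    }
    shutil.rmtree(work, ignore_errors=True)
    return result


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, val)
```

On a real image of several gigabytes, keep the chunked reading of strings(1) itself (strings -a hda-work.img | grep -E '^[A-Z][a-z]{2} +[0-9]+ [0-9:]{8}') and use this only as a model of what that pipeline is looking for; the hash-before, hash-after discipline is the part to keep regardless of tooling.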
Hi,
I am facing a problem configuring my Linux box as a load balancer. Right now, I have two connections to the net: 1) a 256 kbps leased line and 2) a cable modem, i.e. 2 default routes and 2 different IP addresses.
What I need to know is how to configure my Linux box so that I could use both these net connections from my main Linux router, and they should masquerade the connections.
I have checked out equal cost multipath. The problem here is that it uses a round robin method to send data: it uses the first default route for one IP address, then the second for the next, i.e. per-connection balancing. The problem here is that it seems to distribute the bandwidth equally. The leased line should handle more bandwidth than the cable modem. I could be wrong here; has anyone done this?
TEQL: this is per-packet balancing. It is more useful for local clustering than bonding upstreams for internet feeds. I am not sure whether it would handle masquerading.
I have also seen something in the ip command: ip route add default scope global nexthop via 100.100.100.2 nexthop via 200.200.200.254 but this seems to send fragments across different default routes (100.100.100.2, 200.200.200.254), i.e. per-packet balancing. I don't know whether it will work with masquerading.
Is it that I'm just missing something with the above solutions?
The closest I get to my requirements would be the equal cost multipath method. Anything better?
Also, I cannot experiment on these links.
Has anyone done it before?
Bye Sachin
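The two strategies Sachin contrasts, per-connection and per-packet balancing, behave differently under masquerading because a NAT entry lives on one gateway address: every packet of a connection has to leave by the same route or the replies come back to the wrong place. The simulation below is an added example for the thread, not kernel or iproute2 configuration and not something the poster ran. It takes the two gateways from the post, gives the leased line an assumed weight of 2 against 1 for the cable modem (the same idea as the weight keyword on each nexthop of a multipath route in ip route), and shows that weighted hashing of the 5-tuple keeps flows whole while skewing the share toward the fatter link, whereas weighted round robin per packet honours the ratio exactly but splits connections. The traffic is constructed.

```python
"""
Per-flow versus per-packet spreading over weighted default routes (simulation, added example).
"""
import hashlib
from collections import Counter

# Gateways from the post; the 2:1 weighting is an assumption standing in for
# "the leased line should carry more than the cable modem".
NEXTHOPS = {"100.100.100.2": 2, "200.200.200.254": 1}


def weighted_table(nexthops):
    """Expand {gateway: weight} into a list with each gateway repeated weight times."""
    return [hop for hop, w in nexthops.items() for _ in range(w)]


def per_flow_hop(flow, nexthops):
    """Hash the 5-tuple into the weighted table, so every packet of a flow gets the same gateway."""
    table = weighted_table(nexthops)
    h = hashlib.sha256(repr(flow).encode()).digest()
    return table[int.from_bytes(h[:4], "big") % len(table)]


def per_packet_hop(seq, nexthops):
    """Weighted round robin on the packet's sequence number, ignoring which flow it belongs to."""
    table = weighted_table(nexthops)
    return table[seq % len(table)]


def simulate(flows, nexthops, per_packet=False):
    """flows: (src, sport, dst, dport, proto, n_packets) tuples.
    Returns packets per gateway and how many flows ended up on more than one gateway."""
    packets = Counter()
    split = 0
    for *tuple5, n in flows:
        hops = set()
        for i in range(n):
            hop = per_packet_hop(i, nexthops) if per_packet else per_flow_hop(tuple(tuple5), nexthops)
            packets[hop] += 1
            hops.add(hop)
        split += len(hops) > 1          # a split flow breaks the masquerade entry
    return {"packets": dict(packets), "split_flows": split}


# Constructed traffic: four masqueraded client connections with 1, 3, 6 and 9 packets.
SAMPLE_FLOWS = [
    ("192.168.0.10", 1025, "198.51.100.7", 80, 6, 1),
    ("192.168.0.11", 1031, "198.51.100.8", 110, 6, 3),
    ("192.168.0.12", 1040, "198.51.100.9", 21, 6, 6),
    ("192.168.0.13", 1052, "198.51.100.7", 80, 6, 9),
]


if __name__ == "__main__":
    print("per-flow  ", simulate(SAMPLE_FLOWS, NEXTHOPS))
    print("per-packet", simulate(SAMPLE_FLOWS, NEXTHOPS, per_packet=True))
```

With only four flows the per-flow split is lumpy; the 2:1 ratio only shows up over many connections, which is the usual trade-off of per-connection balancing on a small link.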