[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Fw: Meteora Attacked (fwd)
- Subject: Re: Fw: Meteora Attacked (fwd)
- Date: Tue, 14 Dec 1999 13:52:20 -0700 (MST)
===============================================================================
Robb Kambic Unidata Program Center
Software Engineer III Univ. Corp for Atmospheric Research
address@hidden WWW: http://www.unidata.ucar.edu/
===============================================================================
---------- Forwarded message ----------
Date: Wed, 24 Nov 1999 13:31:25 -0500 (EST)
From: C. Vandersip <address@hidden>
To: Roland Blanchard <address@hidden>
Subject: Re: Fw: Meteora Attacked
Roland,
Even if you have fully patched your system (which is a good first step),
crackers may very well be one step ahead with a new exploit. A more
complete solution is to integrate your inetd daemons with the
"tcp_wrappers" program using the /etc/hosts.allow and /etc/hosts.deny
files to limit access. Best thing in inetd.conf is to send everything
you're leaving on through the tcp_wrappers daemon (tcpd). Turn off
(comment out) rpc.ttdbserverd, sprayd, walld, rusersd, rpc.cmsd and even
rstatd. See the man pages on these daemons to get details on their
functions. If this box is just an LDM server, there's probably no need
for any of these deamons. Notably, rpc.ttdbserverd and rpc.cmsd have been
NOTORIUS security holes, and rstatd is no armored tank either (though it
does allow for the use of the "rup" command to check load averages
remotely).
Of course, a firewall would help further secure things, by denying access
at the router level, for example.
Also, subscribe to the BUGTRAQ mailing list, which reports daily on
security issues for many OSes and software.
Are you still running the same system. Sounds like you might have
tripwire installed (?) so you can determine the bogus files. If not, IMO,
unless you have a clean backup of your system, I would flush it and
reinstall Solaris (maybe upgrade to 2.7) with all patches added and inetd
configured with tcp_wrappers before opening up to the network again.
On Wed, 24 Nov 1999, Roland Blanchard wrote:
>
>
> Our ldm host (thunder.alden.com) has been attacked at least once a week
> since
> September 1. It wasn't until October 15 that severe damage was done to our
> system that totally affected our whole network. I do not know how someone
> managed to
> become root on our system but I am told by Rich Magee (sys admin at
> California State
> University) that an rpc stack overflow can be done and the attacker is
> bounced into a shell as
> root.
>
> The attacker has replaced or modified files in /etc, /usr/sbin, /usr/bin,
> /usr/lib/nfs, /usr/dt/bin, /usr/openwin/bin, /etc/rc0.d, /etc/rc2.d,
> /etc/rc3.d, /bin, /var/adm and /var/log.
>
> The most common files affected were: rpc.ttdbserverd, statd, lockd,
> rpcbind, in.routed, inetd, syslogd, rpc.rstatd and passwd.
>
> I have found tar files that were downloaded that included programs such as
> eggdrop1.1.5, slirp and ppp.
> Several scripts have been downloaded to automatically remove
> and or replace files.
> Since I turned on ip tracing with the inetd, the latest script
> automatically
> searches for any occurrence of a given text string (such as ip #'s) and
> removes it from
> all log files. A new login file appeared in the /usr/sbin directory which
> would be executed before the standard login file in /usr/bin because of my
> path. The new login program would not allow rlogin or telnet access to the
> system.
>
> It seems you must be running Sun OS 5.5.1. I have installed the Sun OS
> 2.5.1_Recommended patches
> but the attacks continue. If anyone has experienced attacks of this nature,
> maybe this info can help you recover. If anyone knows of patches that I
> may have overlooked, all help is greatly appreciated.
>
> I read that hacking would probably be more of a problem with Y2K than Y2K
> itself. I am beginning to believe that statement.
>
> Roland Blanchard
> Sys Admin - Alden Electronics.
>
>
> > > From: Larry "The Weather Man" Riddle <address@hidden>
> > > To: address@hidden
> > > Cc: address@hidden
> > > Subject: Meteora Attacked
> > > Date: Monday, November 22, 1999 5:43 PM
> > >
> > >
> > > Our ldm host (meteora.ucsd.edu) was attacked last night/this
> > > morning through the ftp deamon. Other than leaving scatological
> > > ramblings in the ftp/pub directory, the only impact was to drag
> > > system processing down.
> > >
> > > In a POSSIBLY related problem, something filled up the /system
> > > disk (which ftp theoretically cannot see) causing the ldm to stop.
> > > I've restarted the ldm and attempted to recover the missing data
> > > (most of which was in the 16-18Z timeframe).
> > >
> > > This brings up a question: during more-or-less normal operation,
> > > the ldm processes seem to run at a fairly polite "nice number".
> > > As of this message, they're running at -3. However, during the
> > > worst of the attack, the "nice numbers" all went to -20, all by
> > > themselves.
> > >
> > > Is this normal during "abnormal" conditions?
> > >
> > > Larry
> > >
> > >
> > ---===---=-=-=-=-=-=-=-=-=-=-=====[\/]=====-=-=-=-=-=-=-=-=-=-=---===---
> > > -----===(* Climate's what we expect, but weather's what we get.
> > *)===-----
> > > Larry Riddle : Climate Research Division : Scripps Institution of
> > Oceanography
> > > University of California, San Diego : La Jolla, California
> > 92093-0224
> > > Phone: (619) 534-1869 : Fax: (619) 534-8561 : E-Mail:
> > address@hidden
> >
>
###############################################################
# Chris Vandersip #
# Computer Research Specialist/Dept. Sysadmin #
# Rm. 024, Dept. of Meteorology, Florida State University #
# address@hidden (850)644-2522 #
###############################################################