ITEM: I3143L
Intruder on the system. Security violation.
Question:
An intruder on our system wall'ed a threatening message today.
The hacker broadcast the following message this morning:
Beware of Cavalier!
I've come to crash your pitiful system
Do you have to be root to use the 'wall' command? What can I do
to check the system for any damaging files or events that he may
have done? How can I secure my system?
Response:
Checked all the cron and at jobs.
There was nothing unusual in cron.
Going into /etc/security/lastlog we can see that he came in on
tty1, which is the modem line. The last time he logged in was
766165066 (which is the time in seconds since unix was created). It
computes out to be about 23 minutes ago (subtracting it from the last
time I logged in and dividing by 60 to get minutes).
We then tried to look at the /var/adm/wtmp, but it wasn't there.
We tried to view it with /usr/sbin/acct/fwtmp < /var/adm/wtmp.
It said it couldn't find wtmp. A few minutes later it couldn't
find fwtmp. We tried to use 'which fwtmp', but it couldn't find
'which' either.
Also while we were on the system he ran 'ps -eaf' and saw that a
root user was changing the password for guest. There are some
serious problems happening.
I advised the customer to set up auditing and/or accounting, and
have a current mksysb.
Beware of extra files with the setuid bit set. Especially any type
of shell.
Faxing the following:
IF YOU HAVE A HACKER ON YOUR SYSTEM
____________________________________________________________________________
******* Call the FBI. This is a serious crime. *******
THINGS TO DO:
I suggest you use 'find' to document his system today, run periodic
'find's and compare results to 'find' files that are being modified.
I suggest removing .rhosts and /etc/hosts.equiv from the system or at
least limit and monitor their use aggressively.
Turn on auditing and/or accounting.
I refer you to the sysck command and /etc/security/sysck.cfg as an
"audit" tool. Any information that you gather to be used as a benchmark
should be removed from the system so that it is not tampered with by the
hacker...
There are some good publications on securing your system.
I recommend the O' Reilly Practical UNIX Security book. These are good
starts for the beginner.
The book UNIX System Security by Rik Farrow, which is published by
Addison-Wesley out of Reading, MA.
I suggest that you look at RAXCO's security toolbox and a product called
Fortress. The information below is accurate as of April 22, 1994.
RAXCO Security Toolkit
RAXCO
1-800-248-2620
Fortress
Los Altos Technology
415-988-4848
This product is currently caught up in the legal system.
The company that owns the rights to it (Woodside) is going bankrupt.
The phone number listed is for Los Altos Technology which is the
company that actually wrote the application.
Stalker security software is a system accountability tool that manages
system audit files, generates standard reports on user activities and
resource access, and detects misuses and intrusions. It also has a
query function to filter through voluminous audit trail data for
specified activities. Stalker's graphical user interface is designed
to follow the natural workflow of a typical audit configuration and
analysis session.
For further information, please contact:
Sid Covington
Sales Manager
Haystack Labs
8920 Business Park Drive
Austin, TX 78759
(512) 343-2552 (voice)
(512) 794-9997 (fax)
** Stalker is a trademark of Haystack Labs, Inc.
A few other references for you:
American Society for Industrial Security 1655 North Fort Myer Drive -
Suite 1200 Arlington, VA 22209 (703)522-5800
Computer Security Buyer's Guide from CSI Computer Security Institute
600 Harrison Street San Francisco, CA 94107 (415)267-7666
Computer Emergency Response Team (CERT) I know they put out bulletins,
but have you called them? (412)268-7090.
You may want to try and get COPS. COPS, according to Practical UNIX
Security, "...is a collection of shell scripts and C programs that
perform checks of your system to determine whether certain weaknesses
are present." Practical UNIX Security outlines some of the checks it
makes. You can get a white paper called "The COPS Security Checker
System," by Dan Farmer and Eugene H. Spafford by writing for a copy of
technical report CSD-TR-993 at
Technical Reports Department of Computer Sciences
Purdue University West Lafayette, IN 47907-1398
COPS can be obtained via anonymous FTP from cert.sei.cmu.edu.
FOR NOW:
1. Change root password to a non-word (ex. b4ugo), but do not write
it down.
2. Disable tty logins.
3. Read some of the security books listed above.
4. Look into security software.
5. Read up on the 'sysck' command. It is a helpful command, but be
careful: if you use it wrong, it could cause problems.
6. Check the 'cron' and 'at' jobs.
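An added example, not part of the original support item, of the baseline-and-compare approach the fax suggests: a POSIX shell script that records every setuid/setgid file under a tree with 'find', lists what has been added since the last snapshot, and lists files modified since the snapshot was taken. It assumes only standard find, sort and comm; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the support item): snapshot privileged files
# with find, then compare a later run against the saved baseline.
# Keep the baseline file OFF the machine (tape, diskette, another host),
# as the fax advises, so an intruder with root cannot edit it.
LC_ALL=C; export LC_ALL   # byte-order sort so comm sees identical collation

# snapshot_privileged ROOT OUTFILE
#   One sorted path per line for every regular file under ROOT that has
#   the setuid (4000) or setgid (2000) bit set. -xdev keeps find on the
#   filesystem ROOT lives on; run it once per mounted filesystem.
snapshot_privileged() {
    root=$1; out=$2
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print \
        2>/dev/null | sort > "$out"
}

# new_privileged BASELINE CURRENT
#   Prints paths that are in CURRENT but not in BASELINE: a setuid
#   shell dropped in since the baseline shows up here. Exit status is 0
#   when nothing new was found, 1 otherwise, so cron can mail on failure.
new_privileged() {
    added=$(comm -13 "$1" "$2")
    [ -z "$added" ] && return 0
    printf '%s\n' "$added"
    return 1
}

# modified_since BASELINE ROOT
#   Regular files under ROOT whose mtime is newer than the baseline file,
#   i.e. the "periodic find" that shows what changed between runs.
#   (mtime can be forged with touch, so treat an empty list as a hint,
#   not as proof that nothing changed.)
modified_since() {
    find "$2" -xdev -type f -newer "$1" -print 2>/dev/null | sort
}
```

Typical use on a live box: `snapshot_privileged / /mnt/diskette/suid.base` today, then `snapshot_privileged / /tmp/suid.now && new_privileged /mnt/diskette/suid.base /tmp/suid.now` from a periodic job.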
The customer said that the modem line has been changed, as well as the
root password. He hasn't heard of any other problems since.
I cautioned him that the hacker could have set up many backdoors into the
system during the time he had root access.
I would suggest reinstalling the system.
Support Line: Intruder on the system. Security violation. ITEM: I3143L
Dated: July 1994 Category: N/A