[Wolves] help - think I've been hacked

wolves@mailman.lug.org.uk wolves at mailman.lug.org.uk
Fri Jul 18 17:16:01 2003


Tools like this one *can* be helpful.

Unless I backdoored your kernel to redirect all dns traffic
to my dns server, and the "chkrootkit" you requested I send
back a picture of my monkey instead.

Just a thought.

To test a filesystem for monkey business with a tool like
this, you must boot from another (trusted) system and then
check the filesystem using the trusted tools and filesystem.
Much in the same way as you recover a naughty filesystem
from corruption (if it is sufficiently corrupted).

For this you would probably take out the hard-disk and put
it in another machine (that you trust). Boot from the
trusted disk and mount the disk you wish to check (assuming
the monkey hasn't found a way to corrupt from one system to
the next using the partition table of the drive - but you'd
probably already know about this were it true).

In short, you must spread the trust.

(Push out the jibes..... bring in the love........ push out
the jibes....... bring in the love - Mr. Burns)

Let's not get too deep and meaningful about trust. As I don't
trust any of you anyway, I'm just waiting for a time to kill
you all. If you trust that :-)

Tools like this one can be helpful, but to be honest - if
it's got to this stage then you needn't bother. Better just
re-install.

From what I have seen (of your logs) it *hasn't* got this
far yet.

If you want a better assessment, then you could give me root
on your box and I'll do a full search and audit. But then,
you'd have to trust me first.

Anyway, you have to trust trust, or you won't get anywhere.

(Confused?)

bambam

--
Trust me, I'm a bambam.

On Thu, 17 Jul 2003, Equ1n0x wrote:

> Hi Jayne.
>
> Just got some bits from a server reference, may be of help.
>
> ---
>
> Use chkrootkit.
>
> ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
>
> (#Change to root
> su -
> #Type the following
> wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
> #Unpack the tarball using the command
> tar xvzf chkrootkit.tar.gz
> #Change to the directory it created
> cd chkrootkit*
> #Compile by typing
> make sense
> #To use chkrootkit, just type the command
> ./chkrootkit
> #Everything it outputs should be 'not found' or 'not infected'...
> #Now,
> cd ..
> #Then remove the .gz file
> rm chkrootkit.tar.gz )
>
> ---
>
> + Locating Fingerprints +
>
> Each of these users may have left behind records of their doings, these
> histories will GREATLY aid you in determining what has been done to your
> system. In my case, the hackers did not pass elementary school - and left
> behind records of all of their modifications. Let's take a look:
>
> find '/' -iname .bash_history
>
> + Search and Destroy +
>
> Your next step here is to find suspicious shell users and groups. We will
> scan through three files. But before we continue, PLEASE do NOT delete
> (we're using less to view them, but we may have to vi them later) anything
> out of these files without confirming they are indeed not supposed to be
> there. There are some users that look funky, but they are supposed to be
> there. That said, let's continue (as root):
>
> less /etc/passwd
>
> The first column represents users on the system. In my case, the hackers
> created a few users: ADM1N, mysqi, vgodz, and noone. I'd recommend not
> delete anything out of these files without asking people here on the forum
> if they also exist on their box.
>
> Next:
>
> less /etc/shadow
>
> Looks similar to /etc/passwd. Again, look for suspicious users.
>
> Next:
>
> less /etc/group
>
> ---
>
> The full post is @
> http://forum.rackshack.net/showthread.php?s=&threadid=13172 if you want to
> look further into this approach.
>
> -- Patrick
>
>
> This email is for the intended recipient only; it should be treated as
> exclusively confidential and should not be disclosed for any reason. If you
> receive this email by mistake do not disclose it in all or in part in any
> form. Please inform admin@principalhosting.net. Reproduction of this
> document in any way, shape, or form is prohibited.
>
> Principal Hosting LTD. - http://www.principalhosting.net
> We Make Server Management Easy! - http://www.ezsm.com
>
> ----- Original Message -----
> From: Jayne Heger
> To: wolves@mailman.lug.org.uk
> Sent: Thursday, July 17, 2003 10:17 AM
> Subject: [Wolves] help - think I've been hacked
>
>
>
> well, the subject line says it all.
> But how do I determine this to be true, what steps should I take to make
> 100% sure I have been hacked, what should I check etc....
> to be honest I'm a bit panicky and can't think straight ATM.
>
> If anyone can help me I'd be grateful ;)
>
> Jayne
>
>
>
> _______________________________________________
> Wolves mailing list
> Wolves@mailman.lug.org.uk
> http://mailman.lug.org.uk/mailman/listinfo/wolves
>
> --
> This message has been scanned for viruses and dangerous content by
> MailScanner, and is believed to be clean.
>
> Email service provided by Principal Hosting LTD.
> http://www.principalhosting.net
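The two pieces of advice in this thread, Patrick's review of /etc/passwd, /etc/shadow and /etc/group plus the hunt for .bash_history files, and bambam's insistence that it be done from a trusted system with trusted tools, put together as one added example. This is not code from the thread or from chkrootkit. It assumes the suspect disk has been mounted read-only on a trusted host at a path such as /mnt/suspect; to run offline it builds a constructed stand-in root in a temporary directory, and the account names mysqi, noone, ADM1N and vgodz in that sample data are borrowed from Patrick's post, not taken from any real box.

```shell
#!/bin/sh
# Added example, not code from the thread or from chkrootkit. It reviews the
# account files of a suspect root filesystem mounted on a trusted host, e.g.
#   mount -o ro,noexec,nosuid,nodev /dev/sdb1 /mnt/suspect     (not run here)
# Only the trusted host's own awk/find/sort read the tree; nothing under the
# mount point is ever executed, which is the whole point of checking offline.

# --- constructed sample root standing in for /mnt/suspect -------------------
# The usernames below are borrowed from Patrick's post purely as stand-ins.
SUSPECT_ROOT=$(mktemp -d)
trap 'rm -rf "$SUSPECT_ROOT"' EXIT
mkdir -p "$SUSPECT_ROOT/etc" "$SUSPECT_ROOT/root" \
         "$SUSPECT_ROOT/home/jayne" "$SUSPECT_ROOT/var/tmp/.x"
cat > "$SUSPECT_ROOT/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jayne:x:1000:1000:Jayne:/home/jayne:/bin/bash
mysqi:x:0:0::/var/tmp/.x:/bin/bash
noone:x:1001:1001::/home/noone:/bin/bash
ADM1N:x:1002:1002::/home/ADM1N:/bin/bash
EOF
cat > "$SUSPECT_ROOT/etc/shadow" <<'EOF'
root:$6$saltsalt$fakehash:12250:0:99999:7:::
daemon:*:12250:0:99999:7:::
jayne:$6$saltsalt$fakehash:12250:0:99999:7:::
mysqi:$6$saltsalt$fakehash:12250:0:99999:7:::
noone::12250:0:99999:7:::
EOF
cat > "$SUSPECT_ROOT/etc/group" <<'EOF'
root:x:0:vgodz
daemon:x:1:
jayne:x:1000:
wheel:x:10:jayne,ADM1N
EOF
: > "$SUSPECT_ROOT/root/.bash_history"
: > "$SUSPECT_ROOT/home/jayne/.bash_history"
: > "$SUSPECT_ROOT/var/tmp/.x/.bash_history"

# --- checks; each takes the mount point and prints one finding per line ----

# Any UID-0 account other than root is a second root login.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1/etc/passwd"
}

# An empty password field in shadow means the account logs in with no password.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1/etc/shadow"
}

# Accounts present in passwd but missing from shadow: added by hand-editing
# passwd rather than with useradd.
passwd_without_shadow() {
    awk -F: 'FNR == NR { seen[$1] = 1; next } !($1 in seen) { print $1 }' \
        "$1/etc/shadow" "$1/etc/passwd"
}

# Group members that are not in passwd at all, printed as group:member; an
# unknown name in the gid-0 group deserves a close look.
unknown_group_members() {
    awk -F: 'FNR == NR { user[$1] = 1; next } $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (!(m[i] in user)) print $1 ":" m[i] }' \
        "$1/etc/passwd" "$1/etc/group"
}

# Every shell history file under the mount, relative to the mount point
# (the suspect /var/tmp/.x home directory shows up here as well).
history_files() {
    ( cd "$1" && find . -name .bash_history | sort )
}

# Run every check against one mount point and label the output.
report() {
    for check in uid0_accounts empty_password_accounts passwd_without_shadow \
                 unknown_group_members history_files; do
        echo "== $check"
        "$check" "$1"
    done
}

report "$SUSPECT_ROOT"
```

Against a real disk you would call `report /mnt/suspect` from the trusted host. A hit is a lead, not proof: compare every flagged name against a known-good machine before touching it, as Patrick says, and if the box is far enough gone, bambam's advice stands and you reinstall.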