[svlug] Re: Possible breakin

Rafael raffi at linwin.com
Wed Feb 14 15:39:02 PST 2001


On Wed, 14 Feb 2001, David Madison wrote:

> Rafael says:
> > How the heck are we supposed to know that?
> > I'm sure it was not a friendly place...
> 
> Those two statements seem to be in conflict to me.  Either you have
> no idea, or you have some impression of what might have caused it.

Yes, I have no idea where the bad guys come from if the system was broken
into. The fact is that the original email did NOT include any relevant
information that could be used to "troubleshoot" the problem. As others
have suggested, it's possible that it's not a security problem at all. Too
many times on this and other lists people come with a question "what's
wrong with my machine" without providing any relevant or sufficient
information in the first place. The usual response is additional questions
and a bunch of speculations on what might have happened. Myself included.

> I was kind of hoping for responses explaining possible sources,

Like a URL or IP from the bad guy and possibly his SSN if coming from US.

> like the list of possible holes that Wayne posted, or Rick's response:
> 

The Internet is full of sites where you can get detailed information about
breakins etc. It's all speculation without having access to your system
and you did not provide enough info to go beyond the guessing point.

Look at http://securityportal.com/ for example ...

> > I'd guess that you had some disk trouble lately?  Recently done some
> > fsck.ext2 work on that partition?
> 
> Which was an interesting thought, though not the case for me.  I hadn't
> had any disk problems, and the system had been up and running fine
> for weeks when it was suddenly surprised with this "magic" file.

Create a script that will monitor what's happening with network
connections and file systems. Install snort etc. if you suspect there are
security issues.

Install tripwire or AIDE to keep track of files and their changes.

> I've been trying a number of utils on the file, tar, gzip, strings,
> bzip2, but I can't figure out what it might be, though it does
> seem to have a regular binary data format of ^@, some character and
> two random control characters, generally repeated over and over.
> 
> I haven't seen any activity on the box since I replaced ssh2 and
> a good number of the utilities, so I'm beginning to think some tool
> went wonky and started creating this file, so now it's a puzzle to
> try to figure out what might have caused it.
> 

Apparently you completely ignored my other simple suggestions (not
advice, mind you) to use lsof and netstat to see what's currently connected
to the box or has open files and pipes. For a quick fix I suggested copying
known good binary files to the system and using those for quick repair if
you suspect a breakin, even though it's good to make a backup of
everything first for later forensic work.

I've never seen a clean fsck create any devices anywhere outside of /dev.
fsck used lost+found to collect lost inodes last time I checked. But then
my systems rarely have fsck problems since RH5.0 times. Never heard of a
Unix tool going "wonky" and creating a "device" in /tmp or any other place.

You did not tell enough in your first email to get a sound suggestion, much
less advice.

Good luck,

   O__  ---- Rafael Skodlar
  c/ /'_ --- Linux Imagineer since 1994
 (*) \(*) -- There is a tunnel at the end of light.
