SUMMARY: verify commands: /usr/bin/passwd, etc

From: Kevin Metzger <kevin_at_pmimail.com>
Date: Fri Apr 04 2003 - 08:50:09 EST
	Before I begin, this was a duplicate question to 
	"Hacked Help" that got held for a questionable subject
	line.  The summary is also a copy of the same, but I
	will copy it here for completeness.

First, thanks to the 56 people who responded.

By far the most frequent response was to check md5 fingerprints at
http://sunsolve.Sun.COM/pub-cgi/fileFingerprints.pl .  I downloaded the md5
tool from http://sunsolve.sun.com/md5/md5.tar.Z .  One suggestion was
http://www.sun.com/blueprints/0501/Fingerprint.pdf .

Another suggestion was to get and run chkrootkit from
http://www.chkrootkit.org which I did first.  That suggested the t0rn trojan,
but that is known to attack DNS servers, which this server is not running.

The other suggestion that was often repeated was to reload, or some combination
of: remove the server from the network _now_, boot from CDROM, or move the
drive to another Solaris server and run diagnostics while the compromised
drive is mounted in /a .

My solution thus far is to run chkrootkit first, then check the md5
fingerprints of everything in /usr/bin and /usr/sbin.  If it didn't check and
I didn't know what it was, it got mv-ed, and if it was a Solaris binary, I
copied it from the CD.  I also wrote all the md5s to a log file and cron a
job that creates a file nightly and diffs the two for all files in /usr/bin and
/usr/sbin .  And just for fun I added three lines to my .profile that do a
last for root, bin and adm for my inspection each and every time I login.  I
have disabled root logins except from the console and verified that users bin
and adm have NP (no password) set.  I have not seen any further suspicious
logins.  I plan to implement the noshell script below.

For anyone interested the Solaris binaries compromised were
/usr/bin/du
/usr/bin/ls
/usr/bin/passwd
/usr/bin/find
/usr/bin/netstat
/usr/bin/su
and the replacements were exactly the same size and date as the original.

 
Tim Wort went on to say:
> 
>As for the accounts: adm and all system accounts should not have passwords
>or shells configured, they should be locked with the shell replaced, I
>would replace the shell with a script called noshell (from Titan.).
>
>noshell:
>
>#!/bin/sh
># Ignore hangup, interrupt, quit and the other catchable signals so the
># caller cannot break out of the script.  SIGKILL (9) cannot be trapped by
># any process, so it is left out of the list.
>trap "" 1 2 3 4 5 6 7 8 10 12 15 19
>
>HOSTNAME=`uname -n`
># id prints "uid=0(root) gid=0(root) ..."; keep the "0(root)" part of the
># first token for the mail subject
>USER=`id | awk '{print $1}' | awk -F= '{print $2}'`
>
># Send root an empty-bodied alert in the background, then refuse the login
>/bin/cat /dev/null | mailx -s "Attempted access by ${USER} on host ${HOSTNAME}" root@${HOSTNAME} &
>
>echo "Sorry, you are not allowed to logon."
>
>exit
>


--
Kevin Metzger
Systems Administrator
Progressive Medical, Inc.

800 777-3574 x2686 desk
614 378-6396 mobile
614 389-0740 fax

Received Fri, 21 Mar 2003, from Kevin Metzger:

-Date: Fri, 21 Mar 2003 15:43:21 -0500 (EST)
-From: Kevin Metzger <kevin@pmimail.com>
-To: sunmanagers mailing list <sunmanagers@sunmanagers.org>
-Subject: verify commands: /usr/bin/passwd, etc
-
-I think I've been hit by invaders and want to verify commonly molested
-commands before running them. systems are Solaris 7 and 8 on sparc and x86.
-
-The evidence is the output from last:
-dwayne    console			Fri Mar 21 14:15 - 14:19  (00:04)
-root      pts/17       host130-220.pool Fri Mar 21 13:56 - 14:01  (00:04)
-adm       pts/16       host130-220.pool Fri Mar 21 13:56 - 13:57  (00:00)
-
-Dwayne is my tech support, but how is someone getting in as adm directly?  One
-other machine here shows root, adm and bin logging in.  I'm seeing this on
-three separate machines.
-
-Thanks in advance, and I will summarize.
-
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
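The nightly "hash everything in /usr/bin and /usr/sbin, then diff against yesterday" job the summary describes, written out as an added example.  This is not the poster's script, Sun's md5 tool or anything from Titan; it assumes md5sum (GNU), Solaris digest or openssl is on PATH, that the baseline is taken while booted from known-good media, and the file names under /var/adm and the cron line in the comment are arbitrary choices for the example.  Comparing by content hash is the point: the trojaned binaries in the summary kept the original size and date, so a size/mtime check alone would have missed them.

```shell
#!/bin/sh
# Added example, not from the original post: baseline-and-diff integrity check
# for /usr/bin and /usr/sbin.  Files are compared by content hash, so a trojaned
# binary that keeps the original size and mtime (as the post reports) is still
# reported.  Assumptions: md5sum (GNU), Solaris "digest", or openssl is on PATH;
# the baseline is taken while booted from known-good media; the file names under
# /var/adm are arbitrary choices for this example.

# md5_file FILE -> hex digest only, using whichever tool this host has
md5_file() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v digest >/dev/null 2>&1; then
        digest -a md5 "$1"
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# hash_tree DIR... -> one line per regular file, "<md5> <size> <path>", sorted by path
hash_tree() {
    for d in "$@"; do
        find "$d" -type f 2>/dev/null
    done | sort | while IFS= read -r f; do
        size=$(wc -c < "$f" | tr -d ' ')
        printf '%s %s %s\n' "$(md5_file "$f")" "$size" "$f"
    done
}

# compare_baseline BASELINE CURRENT -> prints CHANGED/ADDED/REMOVED lines;
# exit status 0 when the tree matches the baseline, 1 when anything differs.
# (The two arguments must be different file names.)
compare_baseline() {
    awk '
        BEGIN { rc = 0 }
        # the path is everything after the two leading fields (tolerates spaces)
        { p = substr($0, length($1) + length($2) + 3) }
        FILENAME == ARGV[1] { base[p] = $1; next }
        {
            seen[p] = 1
            if (!(p in base))        { print "ADDED   " p; rc = 1 }
            else if (base[p] != $1)  { print "CHANGED " p; rc = 1 }
        }
        END {
            for (p in base) if (!(p in seen)) { print "REMOVED " p; rc = 1 }
            exit rc
        }' "$1" "$2"
}

# Usage: integrity.sh baseline   (once, from a known-good boot)
#        integrity.sh check      (nightly, e.g. "0 3 * * * /usr/local/sbin/integrity.sh check")
DIRS="/usr/bin /usr/sbin"
BASELINE=/var/adm/md5.baseline
TODAY=/var/adm/md5.today
REPORT=/var/adm/md5.report
case "$1" in
    baseline)
        hash_tree $DIRS > "$BASELINE" ;;
    check)
        hash_tree $DIRS > "$TODAY"
        if ! compare_baseline "$BASELINE" "$TODAY" > "$REPORT"; then
            mailx -s "integrity check: changes under $DIRS on `uname -n`" root < "$REPORT"
        fi ;;
esac
```

Two caveats a practitioner would add: the baseline lives on the same disk an intruder with root can edit, so keep a copy off the host (or on read-only media) and spot-check it against Sun's fingerprint database rather than trusting the local file alone; and the job only watches the directories you list, so a replaced /usr/lib library or a new cron entry goes unnoticed unless you extend DIRS.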
Received on Fri Apr 4 08:58:55 2003

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:08 EST