Re: pam, ssh, user account vulnerability
On Wed, 28 Sep 2005 07:14:35 +0200, Peter T. Breuer <ptb@oboe.it.uc3m.es> wrote:
> Rick Moen <rick@linuxmafia.com> wrote:
>> Lenny G. <alengarbage@yahoo.com> wrote:
>
>> [Intruders entered via a guessed username/password pair.]
>
>>> Luckily, the attacker wasn't able to compromise anything else on the
>>> system -- they weren't able to get a local root elevation and the
>>> system is otherwise (verifiably) intact (thank you rpm -Va!).
>
>> You sure about that?
>
> Yes - it does sound a little as though he has an adore module
> installed. He DOES want to boot from a live cd, get chkrootkit,
> and run it on the disk, mounted under /mnt.
I just want to add my voice, seconding Peter and Rick.
Some years ago when I got my first ADSL connection, I was also
in the process of installing a new OS, and I left the system unguarded
with no firewall for a few hours.
I can't remember how I discovered it, but I remember being frustrated
because I could not find out what was going on. The rootkit had replaced
/bin/ls and /bin/ps and a host of other files, so the foreign processes
and files were not reported, and the replaced files were lied about.
Fortunately, the toolkit was not that advanced (and this was about 1999),
and /proc and /sbin/lsof still worked normally. You can hardly imagine
my surprise and confusion when files and processes began appearing
in /sbin/lsof, and were consistently absent in ps and ls.
After that I have often thought about how rootkits gradually evolve and
become more and more sophisticated, since they are not built from scratch
but evolve the same way as other advanced software packages.
So, when I read "thank you rpm -Va", I immediately thought "but how
can you be so sure!" I have come to the same conclusion as the others,
you must boot from an independent medium that the potential intruder
has not had any chance to modify, at least not through *this* intrusion.
Of course, your observation that the intruder has later failed to
get in through Michael's account gives some probability that he was
not that sophisticated after all, but you cannot be sure of that.
There seem to be enough incentives for the crooks to become rather
professional, and their automated systems are probably responsible
for the majority of the attacks.
-Enrique
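As an added example (my code, not Enrique's or anyone else's in the thread): the check Enrique did by hand with lsof, reading process IDs straight from the kernel's /proc and comparing them with what the ps binary reports. It assumes a Linux host with /proc mounted and a ps(1) in PATH.

```python
"""Cross-check /proc against ps for processes hidden from userland tools.

Added example, not from the original thread: a trojaned /bin/ps hides
processes, but the kernel's /proc still lists them (what Enrique saw via
lsof). Assumes a Linux host with /proc mounted and ps(1) in PATH.
"""
import os
import subprocess


def proc_pids(proc_root="/proc"):
    """PIDs according to the kernel: numeric directory names under /proc."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def ps_pids():
    """PIDs according to the (possibly replaced) ps binary."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_pids(kernel_view, tool_view):
    """PIDs the kernel knows about that the tool did not report.

    Processes that exit between the two snapshots show up here too, so the
    caller should re-check candidates before treating them as evidence.
    """
    return set(kernel_view) - set(tool_view)


def confirm_hidden(pids, proc_root="/proc"):
    """Drop transient PIDs: keep only those that still exist under /proc."""
    return {p for p in pids if os.path.isdir(os.path.join(proc_root, str(p)))}


if __name__ == "__main__":
    # Snapshot /proc first so ps's own short-lived PID is not a false hit.
    suspects = confirm_hidden(hidden_pids(proc_pids(), ps_pids()))
    for pid in sorted(suspects):
        print(f"PID {pid} is in /proc but was not reported by ps")
    if not suspects:
        print("No discrepancy between /proc and ps")
```

This only catches userland replacements of ps; a kernel module such as the adore rootkit Peter mentions can lie through /proc as well, which is exactly why the thread insists on booting from an independent medium before trusting anything the running system reports.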