
Re: Security breach?

From Bit Twister <BitTwister@mouse-potato.com>
Newsgroups comp.os.linux.security
Subject Re: Security breach?
Date 2013-01-11 11:31 +0000
Organization A noiseless patient Spider
Message-ID <slrnkevu1b.sfk.BitTwister@wb.home.test> (permalink)
References <XnsA145508078CBMyBigKitty@216.196.97.131> <slrnkevaie.4qm.BitTwister@wb.home.test> <i1OHs.32904$3S5.11697@newsfe18.iad> <XnsA1452A741B196MyBigKitty@216.196.97.131>



On Fri, 11 Jan 2013 03:10:37 -0600, Ohmster wrote:

Going to merge in stuff from upline posts.

Before I forget it again, you need to create a police report to help cover
your @$$.


> ...sigh. I noticed a few days ago that the Firefox browser was open to
> craigslist and it was a post to my account for a ridiculous suv for sale
> with all kinds of spam words in it, so many it would violate CL's TOS.

So you're telling us you have been cracked for a few days.  :-(

> Selinux is too restrictive, by the time I figure it out I would be dead
> so I disabled it all this time.

If you had selinux disabled then you helped the cracker to get into the box.

> Gotta be a rootkit or something.

And there lies the rub. There is no telling what is installed unless 
you take the drive to another system and really dig into it.
This assumes you know what you are doing and do not infect the new system.

> Bit Twister <BitTwister@mouse-potato.com> wrote in
> news:slrnkevaie.4qm.BitTwister@wb.home.test: 
>
> Yeah well that did not seem to help, still in my box, having a field day 
> with the browser and stored passwords.

Yep, I never store passwords in the browser.
Hell, I have a separate Linux account for surfing, credit card, bank,...
Except for bank, .bash_logout wipes and tars in a pristine setup.

I even have separate Linux accounts for each email account.
Can not use the tar/wipe/restore there.

>> Going to guess no firewall and/or lack/missing security updates of
>> plugins and/or applications used via the web.
>
> Not at all. I have the firewall running and use the updater applet all 
> the time. And I use yum to update the system constantly.

That means you have whatever updates supplied by your distro.
Not necessarily the latest.


>> Had you been running something like
>> http://sourceforge.net/projects/aide
>> and running something like http://rkhunter.sourceforge.net
>> 
>> You might have had a chance, maybe.
>
> No. Never heard of it until now. You think it can help, even after the 
> fact? Oh this looks awesome, Bit!

Aide would be useless at this point.
rkhunter might work but you have to connect to
get a download of the database so doing that on the infected system
is just asking for trouble.

Moving the drive to another system and running rkhunter might turn something
up but I would not count on it.

>> Think about what happens when the cracker installs a rootkit.
>
> Do I have to?
>
>> The kit installs programs which will not report the files/activities/ip
>> address which the cracker requires to run a stealth operation from
>> your computer.
>> 
>> An example, cat, grep and ls are modified to skip any line containing
>> the string crack_kit and/or an ip address(s).
>
> Wow! Really? Logwatch did show tampered or altered system files but I 
> fail to see how this one file can do anything bad.

You are missing the point. Malware puts hooks in to catch anything 
relating to its activity and put it in the bit bucket.

In your case not everything is being caught.

> Hm, never thought of that. Must I use another Linux box or can I use my 
> Windows 7 machine that I can ssh to?

Oh, My God. Hell, you might have been cracked through that machine if it
is on the same network.


> Yes it is offline and shut down. I want to power it up but must pull the 
> Ethernet cable until I can disable the Internet on this box.
> Sysconfig, NETWORKING - NO?
> What do you think?

You have to pull the network cable unless you want to purchase something
else on craigslist or ebay.  :-(

Hope you got the delivery address for what was bought. It looks real good
in the police report.

> Tell me more BT. Thanks! 

If the choice is between win7 and the infected box and you want to
root around, then all I can suggest is get a new drive, unplug infected
drive(s), clean install, + updates, + aide, + rkhunter, tell fstab
about infected drive(s) set to not automount with read only.

Power down, connect the infected drive and start looking through the drive.

Other solution is to use a live cd but that is going to be a bit slow.
If someone comes after you with legal paper, you better have unmodified
drive(s) showing you were cracked and have a copy of your police report.

I would be very surprised if you find/figure out how you were cracked.
Saw an article about some malware on an infected web site that would create
a tunnel back to the cracker.  :(

Any internet content, flash, pdf, gif, MP3, WMA, WMV, MP2,..., might
contain malware.

Poisoned cookies, bookmarks, dns cache,... are another vector.
Not to mention infected websites cracking your router from the LAN side.

If it were me, I would put the drive(s) in the closet and hope nothing
else happens.

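The aide/rkhunter point and the "clean install, tell fstab the infected drive is read-only and not automounted, then look through it" procedure above, as an added example that is not from the post or from either project: a minimal AIDE-style integrity check run from the clean host against the suspect filesystem. It assumes (none of this is in the post) that the suspect drive is mounted at /mnt/infected from an fstab entry like the one in the comment, that a baseline hash list was taken with the same function on a known-good install of the same packages, and that file paths contain no whitespace.

```shell
#!/bin/sh
# Added example, not code from the post: an AIDE-style integrity check done
# from a clean system against the suspect drive, which is mounted read-only
# so nothing on it can execute or be altered while it is examined.
#
# Assumed (not from the post): the suspect filesystem is mounted at
# /mnt/infected via an fstab line like (device name is a placeholder)
#   /dev/sdb1  /mnt/infected  ext4  noauto,ro,nosuid,nodev,noexec  0  0
# followed by `mount /mnt/infected`, and baseline.sha256 was produced by
# hash_tree on a known-good install of the same distro and package versions.
#
# hash_tree DIR
#   prints "sha256  ./relative/path" for every regular file under DIR,
#   sorted by path. Paths containing whitespace are not handled.
hash_tree() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) | sort -k 2
}

# compare_baseline BASELINE_FILE SUSPECT_DIR
#   hashes SUSPECT_DIR and reports every file that is ADDED, CHANGED or
#   REMOVED relative to the baseline (a trojaned ls/cat/grep shows up as
#   CHANGED; a dropped kit shows up as ADDED). Returns 0 when the trees
#   match, 1 when any difference was found (report goes to stdout).
compare_baseline() {
    baseline=$1
    suspect=$2
    current=$(mktemp) || return 2
    hash_tree "$suspect" > "$current"
    report=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }   # first file: baseline
        {
            if (!($2 in base))        print "ADDED " $2
            else if (base[$2] != $1)  print "CHANGED " $2
            seen[$2] = 1
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$baseline" "$current" | sort)
    rm -f "$current"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Typical use from the clean host, with the suspect drive mounted read-only:
#   hash_tree /usr/bin > baseline.sha256          # on the known-good install
#   ./integrity.sh run baseline.sha256 /mnt/infected/usr/bin
case "${1:-}" in
    run) compare_baseline "$2" "$3" ;;
esac
```

The hashing is done by the clean host's own sha256sum and find, never by binaries on the suspect drive, which is the whole point of moving the drive: a kit that has replaced ls or cat cannot hide files from tools that never run. The comparison also lists files that are missing from the baseline rather than only checking known files, since new files are as telling as changed ones.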