Compromised RH6.1 system
Derek Martin
derek at cerberus.ne.mediaone.net
Sat Apr 22 15:49:22 EDT 2000
I've posted numerous messages about this on GNHLUG, but not here on BLU,
so I figured I'd offer a brief summary. This past Friday, my RH6.1 machine
was compromised. /bin/login was replaced with a version that allowed
anyone to log in as root with no password, and telnet (which I normally
don't allow at all) was re-enabled.
This was apparently achieved by exploiting a bug in BIND 8.2, about which
CERT has released an advisory:
http://www.cert.org/advisories/CA-99-14-bind.html
If you are running RH6.1 or any system with a BIND 8.2 version, make sure
you get the update packages or get the latest version from ISC.
The attack was apparently done with a script, which does a rather nice job
of leaving little evidence other than the obvious root shell. If this
were done by hand by a knowledgeable attacker, it would have been
extremely easy for them to eliminate all traces of the attack, other than
leaving behind a /bin/login program that didn't have the same size and
checksum as the original one. A talented attacker could even get around
that one.
I noticed this attack because I could not retrieve my mail from the
machine, and then saw that it had been rebooted. I was able to find out
where the attack came from because I do a LOT of packet logging via
ipchains, and the assailant made no effort to look for that. The machine
the attack came from was also a RH6.1 system, so in all likelihood it was
also attacked in the same manner.
The bottom line is I only noticed the system had been compromised because
this was done by a script-kiddie. Had this been done by someone with a
clue, I'd never have noticed.
I'm going to start running an IDS and log to a different machine, and I'd
recommend that if you have a Linux box connected to the internet that you
do the same. But above all, go get your BIND up to date.
--
PGP/GPG Public key at http://cerberus.ne.mediaone.net/~derek/pubkey.txt
------------------------------------------------------
Derek D. Martin | Unix/Linux Geek
derekm at mediaone.net | derek at cerberus.ne.mediaone.net
------------------------------------------------------
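The only trace the post says survived was a /bin/login whose size and checksum no longer matched the original. Below is a minimal version of that size-and-checksum comparison, added here as an example and not part of Derek's message or of any Red Hat tool: it records a baseline line for each listed binary and later reports every file whose length or SHA-256 differs, or which has gone missing. The function names, the manifest format and the sample files are constructed for the illustration; it assumes sha256sum(1) from GNU coreutils and mktemp(1).

```shell
#!/bin/sh
# Added example (not from the original post): a tiny integrity baseline in the
# spirit of the "/bin/login did not have the same size and checksum" check.
# Assumes sha256sum(1) from GNU coreutils; the file list, manifest format and
# the sample files in the demo below are constructed for this illustration.

# file_fingerprint FILE  ->  "<sha256> <size-in-bytes>"
file_fingerprint() {
    sum=$(sha256sum "$1" | cut -d' ' -f1)
    size=$(wc -c < "$1" | tr -d ' ')
    printf '%s %s\n' "$sum" "$size"
}

# baseline_create MANIFEST FILE...
#   Write one "<sha256> <size> <path>" line per FILE into MANIFEST.
#   Keep MANIFEST off the host (or on read-only media): an attacker who
#   already has root can rewrite it as easily as /bin/login.
baseline_create() {
    manifest=$1; shift
    : > "$manifest"
    for f in "$@"; do
        printf '%s %s\n' "$(file_fingerprint "$f")" "$f" >> "$manifest"
    done
}

# baseline_verify MANIFEST
#   Print a MISSING or CHANGED line for every file that no longer matches the
#   recorded checksum and size; return 1 if anything differs, 0 otherwise.
baseline_verify() {
    rc=0
    while read -r sum size f; do
        if [ ! -f "$f" ]; then
            echo "MISSING $f"
            rc=1
            continue
        fi
        if [ "$(file_fingerprint "$f")" != "$sum $size" ]; then
            echo "CHANGED $f"
            rc=1
        fi
    done < "$1"
    return $rc
}

# Stand-alone demo on constructed files: take a baseline, replace one file
# the way the attacker replaced /bin/login, and re-check.
demo_dir=$(mktemp -d)
printf 'fake login binary\n' > "$demo_dir/login"
printf 'fake ls binary\n'    > "$demo_dir/ls"
baseline_create "$demo_dir/manifest" "$demo_dir/login" "$demo_dir/ls"
printf 'fake login binary with backdoor\n' > "$demo_dir/login"
baseline_verify "$demo_dir/manifest" || echo "baseline violated (expected in this demo)"
rm -rf "$demo_dir"
```

The demo prints "CHANGED .../login" and then the "baseline violated" line. On a Red Hat system `rpm -V <package>` performs the same comparison against the package database, but that database sits on the compromised host just like this manifest would, which is why the baseline (and, as the post recommends, the logs) belong on a different machine; for the logging half, a stock syslogd forwards with a `*.* @loghost` line in /etc/syslog.conf.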