missing /bin directory

Warren Togami warren at togami.com
Thu Mar 8 12:29:54 PST 2001


Here's some more useful information on what to do after you are compromised.
http://securityportal.com/buffy/buffy20010308.html

They say something that I forgot.  "FDISK and format the system"  This is
essential to make sure that any boot sector trojans are wiped out.  They
also show a list of common root kits which may have been used to crack your
system.  You can look at the listing to see if anything looks familiar.

----- Original Message -----
From: "Erich Schrottke" <sharky at websharx.com>
To: "Linux & Unix Advocates & Users" <luau at list.luau.hi.net>
Sent: Thursday, March 08, 2001 10:08 AM
Subject: [luau] Re: missing /bin directory


>
> * Unfortunately, jumping into the /var/log directory reveals absolutely
> squat! I can't find any entries  for 3/8/1 at all....nothing in
> messages, secure, or xferlog that might indicate anything funky.

Yeah.  The only way to preserve syslogs for future analysis in the event of
a security compromise is with a dedicated remote syslog server.  All of your
Unix machines can be set to feed their logs in real-time to that server,
which records everything in its own syslog.  You have ALL SERVICES, even SSH
disabled on that machine.

Be sure to monitor your syslog.  Run something like logcheck to e-mail the
uncommon log entries every hour.  Even without a dedicated syslog server
some monitoring of your logs is better than none.

> 1) Re-installing a new setup is annoying, and time consuming but always
> educational :) I'm smiling cuz I will try and learn from this as always.

Just keep your eye on Redhat security errata and bugtraq, and you'll be
relatively safe.

>
> 2) I'm concerned about how he possibly got in. I'd certainly like to
> prevent it from happening in the future. I know that TELNET was disabled,
> but ftp, apache (fp extensions and cgiemail only scripts running), sshd,
> named, mysql, and basic services running. But other than looking at logs
> and history files, I'm unsure of where to go next. Any advice on what else
> to check for to try and find the entry point?

It sounds like you are one of the smarter ones using SSH and never transmit
your password over plaintext.  That alone is MUCH better than SSH, but it is
not enough.  Whenever you copy SSH public keys to/from other machines, be
sure to compare them visually to be sure that there is no middle-man
spoofing your connection.  Or better yet copy them via floppy and
sneakernet... but that's a bit paranoid.

>
> *NOTE: Is leaving an inactive SSH connection up (it was running pine) to a
> box within your same local subnet a security risk?

Not usually, but are you sure that your client computer is not compromised?

>
> 3) Chasing the culprit down? There's some outgoing FTP connections to at
> least two sites that I can see, is there any value in trying to trace this
> further?

Your choice here.  I personally would write a letter to the admins of those
machines because they are probably compromised innocent victims themselves,
but most often tracking the attacker is nearly impossible or not worth the
time and effort.

Warren Togami
warren at togami.com
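As an added illustration of the remote-syslog and logcheck advice in the reply above (example code, not from this thread or from logcheck itself): a small Python filter that drops routine entries the way logcheck's ignore rules do and flags long silences in one host's log stream, which is how the missing 3/8 entries would show up on a collector that kept its own copy. The sample log lines, host name, and ignore patterns are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample of what a remote syslog host would have recorded from
# a client configured with the classic syslogd rule   *.*   @loghost
# Format: "Mon DD HH:MM:SS host program: message" (no year in the stamp).
SAMPLE_LOG = """\
Mar  8 09:58:01 web1 CROND[1201]: (root) CMD (run-parts /etc/cron.hourly)
Mar  8 10:01:12 web1 sshd[1310]: Accepted publickey for erich from 192.0.2.10 port 40122 ssh2
Mar  8 10:02:40 web1 ftpd[1322]: FTP LOGIN FROM 198.51.100.7 as anonymous
Mar  8 10:03:05 web1 su: pam_unix: session opened for user root by (uid=0)
Mar  8 11:30:00 web1 CROND[1402]: (root) CMD (run-parts /etc/cron.hourly)
"""

# logcheck-style allowlist (constructed): lines matching these are routine
# noise and are not reported. Everything else is mailed for a human to read.
IGNORE_PATTERNS = [
    re.compile(r"CROND\[\d+\]: \(root\) CMD \(run-parts"),
    re.compile(r"sshd\[\d+\]: Accepted publickey for"),
]

SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")


def parse(line, year=2001):
    """Split one syslog line into (timestamp, host, message); None if malformed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    stamp = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return stamp, m.group(2), m.group(3)


def uncommon_entries(text):
    """Lines that no ignore pattern matches: the hourly report logcheck would send."""
    return [ln for ln in text.splitlines()
            if ln and not any(p.search(ln) for p in IGNORE_PATTERNS)]


def log_gaps(text, max_gap_minutes=60, year=2001):
    """(start, end) pairs where consecutive entries are further apart than the
    threshold. A host that normally logs every hour and goes silent is either
    down or has had its logging interfered with; either way it deserves a look."""
    stamps = [p[0] for p in (parse(ln, year) for ln in text.splitlines()) if p]
    return [(a, b) for a, b in zip(stamps, stamps[1:])
            if (b - a).total_seconds() > max_gap_minutes * 60]
```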


