
List:       incidents
Subject:    Re: security incident
From:       Fernando Ultremare <jamez () SEKURE ! ORG>
Date:       1999-07-08 19:50:33

Hello,

>There was a lot of finger and sshd activity in the logs from those hosts,
>so that was primarily what we looked at. We never did determine how they
>exploited ssh, but it seemed to be the point of entry..


Considering that sshd doesn't have a hole that lets hackers break in without an
account, there are two possibilities:

First, the hacker was trying to probe accounts on your box; maybe he has a
passwd file or some information about the users on your system.

Second, if you start a large number of connections to sshd and don't send
the necessary information (I think this bug was reported on bugtraq),
the daemon won't close the connections. Because of this, the same number of
sshd processes will be started and they won't be killed, driving up the CPU
usage. Maybe the hacker was trying a DoS attack on your box.

If you can, find more information, like a core file or the users that the
hacker tried to use (are you running a tcp logger?). I think it will help us.

>>Did you contact the remote sites to alert them of the intrusions? How
>>did they respond?
>
>Well, the problem was that we were concerned that the intruder _was_ the
>administrator of the remote site. The level and breadth of access they had
>to a multi-server network would either indicate that they ran it, or had
>complete control of it. To tell the truth, there was an administrative
>decision to fix it, and bury it. We did not get a chance to investigate
>fully. The server had to be patched and cleaned up, then put back in
>operation ASAP. They figured if we could effectively lock them out then
>there was no point in going after them.
>
>We (our department) have been trying to bring security issues to the table,
>but it has been a difficult task. The one good thing that has arisen from
>that incident is that the administration has given us more funding for
>security issues. For example, I'm getting a paid trip to Las Vegas in a few
>days for defcon.. :)
>
>I know this has been said before, but I'll say it again. The problem with
>doing security work, is that no one knows you are doing anything until
>someone breaks through your security. So you are either accomplishing
>nothing, or you have failed.. it's a difficult position to be in.
>
>Hale
>


---
Sekure SDI
Brazilian Information Security Team
http://www.sekure.org
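The two hypotheses in the reply above (a source opening many sshd connections that never reach authentication, and a source walking through a list of usernames) both leave a footprint in the sshd syslog output that a "tcp logger" or the daemon's own logging would have captured. The following script is an added example, not code from the thread or from Sekure SDI: it parses a constructed set of OpenSSH-style log lines (the message formats are approximations of OpenSSH's syslog output, and the host names and addresses are made up) and flags each source address that matches either pattern. The thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Constructed sample lines in roughly OpenSSH syslog style (not taken from
# the original incident). Source 192.0.2.10 opens five connections and never
# sends credentials; 198.51.100.7 tries several usernames on one connection;
# 203.0.113.4 is a normal successful login.
SAMPLE_LOG = """\
Jul  8 19:40:01 box sshd[1001]: Connection from 192.0.2.10 port 40001
Jul  8 19:40:02 box sshd[1002]: Connection from 192.0.2.10 port 40002
Jul  8 19:40:03 box sshd[1003]: Connection from 192.0.2.10 port 40003
Jul  8 19:40:04 box sshd[1004]: Connection from 192.0.2.10 port 40004
Jul  8 19:40:05 box sshd[1005]: Connection from 192.0.2.10 port 40005
Jul  8 19:41:01 box sshd[1001]: Timeout before authentication for 192.0.2.10
Jul  8 19:41:02 box sshd[1002]: Timeout before authentication for 192.0.2.10
Jul  8 19:42:00 box sshd[1010]: Connection from 198.51.100.7 port 50001
Jul  8 19:42:01 box sshd[1010]: Failed password for invalid user alice from 198.51.100.7 port 50001 ssh2
Jul  8 19:42:03 box sshd[1010]: Failed password for invalid user bob from 198.51.100.7 port 50001 ssh2
Jul  8 19:42:05 box sshd[1010]: Failed password for root from 198.51.100.7 port 50001 ssh2
Jul  8 19:43:00 box sshd[1020]: Connection from 203.0.113.4 port 60001
Jul  8 19:43:02 box sshd[1020]: Accepted password for fernando from 203.0.113.4 port 60001 ssh2
"""

# One sshd child process (pid) handles one connection, so the pid ties a
# "Connection from" line to the authentication lines that follow it.
CONN_RE = re.compile(r"sshd\[(\d+)\]: Connection from (\S+) port \d+")
AUTH_RE = re.compile(
    r"sshd\[(\d+)\]: (Accepted|Failed) \w+ for (?:invalid user )?(\S+) from (\S+)"
)


def parse_sshd_log(text):
    """Return per-source statistics: connection count, connections that never
    reached an authentication attempt ("stalled"), failed attempts, and the set
    of usernames tried. Lines that match neither pattern are ignored."""
    sessions = {}  # pid -> {"src": address, "auth": bool}; assumes no pid reuse in the window
    stats = defaultdict(lambda: {"connections": 0, "stalled": 0, "failed": 0, "users": set()})
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if m:
            pid, src = m.group(1), m.group(2)
            sessions[pid] = {"src": src, "auth": False}
            stats[src]["connections"] += 1
            continue
        m = AUTH_RE.search(line)
        if m:
            pid, result, user, src = m.groups()
            if pid in sessions:
                sessions[pid]["auth"] = True
            stats[src]["users"].add(user)
            if result == "Failed":
                stats[src]["failed"] += 1
    # A connection with no Accepted/Failed line is the half-open pattern the
    # reply describes: the client connected but never supplied credentials.
    for s in sessions.values():
        if not s["auth"]:
            stats[s["src"]]["stalled"] += 1
    return dict(stats)


def flag_sources(stats, stalled_threshold=4, user_threshold=3):
    """Map each suspicious source address to the list of reasons it was flagged.
    Thresholds are assumed values; tune them to the site's normal traffic."""
    findings = {}
    for src, st in stats.items():
        reasons = []
        if st["stalled"] >= stalled_threshold:
            reasons.append(
                "possible connection exhaustion: %d connections never reached authentication"
                % st["stalled"]
            )
        if len(st["users"]) >= user_threshold:
            reasons.append(
                "possible account probing: %d distinct usernames tried, %d failures"
                % (len(st["users"]), st["failed"])
            )
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for src, reasons in flag_sources(parse_sshd_log(SAMPLE_LOG)).items():
        for reason in reasons:
            print("%s: %s" % (src, reason))
```

Run against a real log, the "stalled" count is the number to watch for the process pile-up the reply describes, since each of those connections is an sshd child that is still alive until the daemon times it out; the username set answers the "which users did the hacker try" question without needing a core file.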

