
Re: [cobalt-users] Hacked?? Telnet Connected But Not Activated?



At 10:16 AM 4/19/01 -0400, you wrote:

>Are you sure they didn't just figure out your admin password and turn
>telnet back on ?

Never sure of anything, though it was turned off in the master GUI and
shows commented out in inetd.conf now..

>aside from that, they would have probably done something that let them
>replace inetd.conf ... telnet is fairly ill behaved if you try to run it
>as a user or standalone after inetd has started...

Hard to say if they did or not via the date of the file as I turn FTP
services on and off several times a day when not in use.. though FTP is
never used at anything above a user level... I do realize there are safer
methods of file transfer... just not there yet.. No password above user
level is ever sent unencoded (SSH for shell and SSL for GUI)

>The only time su postgres makes sense is initial setup when initializing
>the database, and when making new database users, i doubt the gui does it
>indirectly since it can do most things via the SQL interface...

Well that one turned out to be sort of a false alarm due to a sleep
deprived mind<g> Message below is what I saw and this is from a reboot and
init of the service.. 

Apr 18 05:11:53 www PAM_pwdb[370]: (su) session opened for user postgres by (uid=0)
Apr 18 05:11:53 www PAM_pwdb[370]: (su) session closed for user postgres

>did you ask rpm to check telnetd ? and postgres? 
>did you run 'last' on the off chance you caught the fellow before he
>cleaned it ?

I wiped last accidentally before looking at it myself during a reboot... not
sure how to check telnetd and postgres with the rpm process.. I do have a
security person scheduled to take a look at things though... 

>log/secure? for IP's that are unusual?

Nothing unusual there.. everything in sequence no bad guys.. Fairly easy to
check this log as the box is a "developers" box and no user accounts are
sold, I only host managed websites on it.. Very few log-ins other than my
own and the few clients who want domain named email accounts.

>time/date stamp on /etc/passwd, telnetd ? for that matter, anything in
>/etc that should be 'old' ;)

You mean old like me <g> or old like when they should be stamped.. no..
nothing "looks" out of the ordinary there.

>tried su postgres yourself to see if it gets you somewhere without a
>password?

No problem, got right in no password prompt (from su) thinking this part of
my concern was, indeed a wolf cry, as I was completely fatigued from an all
night session and grasping at straws.. (and all the coffee I could manage
to down!)

>bash_history for all the possible *user* accounts?

Did find / bash_history and did not see an instance of this file...

>chkrootkit to find interesting tools? (ps there is a new version with
>lion/adore worm checks now)

Either I'll do this or the security "expert" that I know will take a
look-see... 

>One good reason to su to postgres is to add/edit a nice user account
>without you seeing it ;)

Again, this part... *probably* false alarm on my part... 

>You are aware that portsentry does *NOTHING* for ports that are normally used,
>it only watches *unused* ports, and only if you tell it to...

Aware of this, have it watching a fair batch... but obviously not all are
monitored...  seems this program would be easy for a cracker to look at and
see what is default protected and assume they could go to the ones which
are not... not so good... side note: anybody ever publish a list here of
the minimum needed to be left open? 

>netstat should show 'closing' or fin_wait if the connection was just a
>connect attempt that failed, 'established' means they were actually
>connected, tho it doesn't mean they logged in, but if you didn't have
>telnet listening they shouldn't have got that far, however if you just
>disabled telnet access for users in the gui they can because all it does
>is disable shells, not telnet

My fervent hope is... this was a connect and not a log in... We tried
experimenting today with connect attempts with telnet still turned off,
from another computer... I was not able to even get any instance of closing,
waiting or anything as netstat runs are not quick enough to time it
correctly... It stands as a possibility that I just *happened* to run
netstat at the exact instant someone attempted a connect and netstat read
it at that moment in time.. I should have logged the result but ran it
again instantly when I saw the connect and it was gone... So in my
"grasping at straws" in the attempt to get a decent night's sleep (it's
already after 2:00AM here.. good luck) and based on not seeing *anything*
that looks "off" within the file system or anywhere on the machine.. (other
than my misguided focus on postgres last evening-morning, not realizing
that log-check and the GUI seem to use that service) I'm trying to convince
myself that all is well.. at least for now, until further, more educated
probing can be done.

>You didn't think it was gonna be easy investigating did you ? ;)

LOL... none of this is easy for an "artist" turned web host!! <g> We're
getting there though.. 

>If you want to truly be serious about figuring what happened take
>elmer@xxxxxxx's advice ;)

Oh yes.. plans are to see if we can discern that the machine was or was not
compromised and take appropriate action .. and then wrap it up "tighter
than a well digger's ass" !

>Think of it as job security ;lol , it will happen again, if not by the
>same way it did this time, then by some new and clever hack found in the
>future....make contingency plans for it...

If this were the job on a continuing basis.. the term "this job sucks"
would apply! <g> I know that no box can ever be totally secure.. I just
hate to think we're being "picked" ... yes there is lightning in the world
and yes, we can be struck by it any time.. but damn... once or twice is
enough.. or once a year or so.. but not every other month... that would get
old very quickly!

>I mean, think worst case anyhow, if you logged in and the hard drive blew
>up what would you have to do to fix it? this is not really any worse, just
>a little unsettling....you were 'violated' in a fashion, it's unnerving..

In all my years of abusing computers.. I've (knocking on wood) never had an
hd failure... that's  probably next... or maybe the plague? Locust? <g>

>Disclaimer: The spelling of words in this document may not reflect the
>current specified spelling in the websters new world dictionary.

I second that emotion and will not run my spchker!

Thanks for the handholding! I'm feeling much better now doctor... 
Wayne
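
The checks discussed in this thread (is telnet really commented out of
inetd.conf, who connected according to /var/log/secure, was the netstat
entry ESTABLISHED or just a half-closed connect attempt, did anyone su
to postgres other than root) can be scripted so they are run the same way
every time instead of by eye at 2:00AM. The helpers below are an added
example and are not from the list post or from the Cobalt software. They
read text on stdin so they can be exercised offline against the constructed
sample data embedded in the script; on a real box you would feed them the
actual /etc/inetd.conf, /var/log/secure and `netstat -an` output, and
verify the telnetd and postgres binaries themselves with
`rpm -V telnet-server postgresql` (the package names are assumed and vary by
distribution; `rpm -qf /usr/sbin/in.telnetd` tells you the right one). The
IP addresses and log lines are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Offline triage helpers for a
# possibly compromised inetd/telnet box. All sample inputs below are
# constructed; hostnames, IPs and PIDs are illustrative only.

# Constructed /etc/inetd.conf excerpt: telnet and rsh commented out, ftp live.
SAMPLE_INETD='# /etc/inetd.conf (constructed excerpt)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
#telnet stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d'

# Constructed /var/log/secure excerpt (tcp_wrappers "connect from" lines,
# an sshd login and a PAM su record like the one quoted in the thread).
SAMPLE_SECURE='Apr 18 05:11:53 www PAM_pwdb[370]: (su) session opened for user postgres by (uid=0)
Apr 18 05:12:07 www sshd[402]: Accepted password for wayne from 192.0.2.10 port 1025 ssh2
Apr 18 09:30:41 www in.ftpd[455]: connect from 192.0.2.10
Apr 18 23:41:02 www in.telnetd[517]: connect from 198.51.100.77
Apr 19 00:02:15 www PAM_pwdb[601]: (su) session opened for user postgres by wayne(uid=500)'

# Constructed `netstat -an` excerpt. Only the local port matters here.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.1:22            192.0.2.10:1025         ESTABLISHED
tcp        0      0 192.0.2.1:23            198.51.100.77:3301      ESTABLISHED
tcp        0      0 192.0.2.1:23            203.0.113.5:4410        FIN_WAIT2'

# Names of services inetd will actually start: every non-blank line that is
# not a comment. A leading "#" is the only thing that disables an entry.
inetd_active_services() {
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' | awk '{ print $1 }'
}

# Exit 0 if the named inetd service is live in the config read on stdin.
inetd_service_active() {
    inetd_active_services | grep -qx "$1"
}

# Print daemon and source IP for every tcp_wrappers "connect from" line
# whose IP is not in the comma-separated allowlist given as $1.
secure_foreign_connects() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /connect from/ { ip = $NF; if (!(ip in ok)) print $5, "from", ip }
    '
}

# su sessions that were NOT opened by root (uid=0). A reboot or the GUI
# doing "su postgres" shows up as uid=0; a user doing it is worth a look.
su_sessions_not_by_root() {
    grep '(su) session opened' | grep -v 'by (uid=0)'
}

# Peer address and TCP state for every connection on local port $1.
# ESTABLISHED means the three-way handshake completed with a listener;
# FIN_WAIT*/CLOSING/TIME_WAIT are connections on their way out.
tcp_conns_on_port() {
    awk -v port="$1" '
        $1 == "tcp" {
            n = split($4, l, ":")
            if (l[n] == port) print $5, $6
        }
    '
}

# Stand-alone run over the constructed samples.
if [ "${TRIAGE_DEMO:-1}" = 1 ]; then
    printf '%s\n' "$SAMPLE_INETD"   | inetd_active_services
    printf '%s\n' "$SAMPLE_SECURE"  | secure_foreign_connects 192.0.2.10
    printf '%s\n' "$SAMPLE_SECURE"  | su_sessions_not_by_root
    printf '%s\n' "$SAMPLE_NETSTAT" | tcp_conns_on_port 23
fi
```

On the sample data the script reports ftp and pop-3 as live, flags the
telnetd connect from 198.51.100.77, shows the su to postgres by uid 500, and
lists one ESTABLISHED and one FIN_WAIT2 connection on port 23. Feeding it
the real files is `inetd_active_services < /etc/inetd.conf` and
`netstat -an | tcp_conns_on_port 23`; note that a commented-out inetd.conf
line only takes effect after inetd is restarted or sent SIGHUP.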