Attack?
Jiri Polach
sprava at jh-inst.cas.cz
Monday November 23 20:55:43 CET 1998
I am asking for help from someone who knows the details of TCP/IP and the possible ways
of breaking into Linux from outside. Yesterday someone managed to remotely create their
own account on one of our Linux machines and did a fair amount of damage. It is RedHat
5.1 with kernel 2.1.122. From /var/log/messages I have pulled out the part which probably
relates to this attack (I am attaching it at the end; it is fairly long). I don't know
whether it contains all the important information; perhaps the attacker also managed to
mask something. Can you see in this output the way the attack happened? Can anything be
done against it?
Thanks,
Jiri Polach
/var/log/messages ---------------------------------------------------------
Nov 22 12:56:23 mountd[264]: Unauthorized access by NFS client 203.148.240.10.
Nov 22 12:56:23 syslogd: Cannot glue message parts together
Nov 22 12:56:23 mountd[264]: Blocked attempt of 203.148.240.10 to mount
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P
Nov 22 12:56:23
^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E
^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E
^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E
^H(-^E
Nov 22 12:57:39 PAM_pwdb[1081]: new password not acceptable
Nov 22 12:58:02 adduser[1083]: new group: name=bigkid, gid=1150
Nov 22 12:58:02 adduser[1083]: new user: name=bigkid, uid=1150, gid=1150, home=/home/bigkid, shell=/bin/bash
Nov 22 12:58:09 PAM_pwdb[1082]: (login) session opened for user bigkid by (uid=0)
Nov 22 12:58:09 login[1082]: LOGIN ON ttyp0 BY bigkid FROM dialup1-224.samart.co.th
Nov 22 12:05:04 syslog: unknown configuration item `CREATE_HOME'
Nov 22 13:07:49 PAM_pwdb[1586]: password for (soldan/506) changed by ((null)/0)
Nov 22 13:11:11 kernel: nfsiod uses obsolete (PF_INET,SOCK_PACKET)
Nov 22 13:11:11 kernel: eth0: Setting promiscuous mode.
Nov 22 13:11:11 kernel: device eth0 entered promiscuous mode
Nov 22 13:11:32 inetd[1902]: execv /usr/sbin/in.identd: No such file or directory
Nov 22 13:11:33 inetd[1906]: execv /usr/sbin/in.identd: No such file or directory
Nov 22 13:11:33 inetd[1907]: execv /usr/sbin/in.identd: No such file or directory
Nov 22 13:11:33 inetd[1908]: execv /usr/sbin/in.identd: No such file or directory
Nov 22 13:13:10 inetd[253]: auth/tcp server failing (looping), service terminated
Nov 22 13:13:10 inetd[4361]: execv /usr/sbin/in.identd: No such file or directory
Nov 22 12:13:28 syslog: gethostby*.getanswer: asked for "2.20.54.195.in-addr.arpa IN PTR", got type "CNAME"
Nov 22 12:13:28 syslog: gethostby*.getanswer: asked for "2.20.54.195.in-addr.arpa", got "2.EMS.20.54.195.in-addr.arpa"
Nov 22 13:17:10 fingerd[26682]: rejected @sarha.jh-inst.cas.cz
Nov 22 12:17:21 syslog: gethostby*.getanswer: asked for "4.46.250.158.in-addr.arpa IN PTR", got type "CNAME"
Nov 22 12:17:21 syslog: gethostby*.getanswer: asked for "4.46.250.158.in-addr.arpa", got "4.0/27.46.250.158.in-addr.arpa"
Nov 22 13:17:23 fingerd[31635]: rejected @sarha.jh-inst.cas.cz
Nov 22 12:17:49 syslog: gethostby*.getanswer: asked for "5.46.250.158.in-addr.arpa IN PTR", got type "CNAME"
Nov 22 12:17:49 syslog: gethostby*.getanswer: asked for "5.46.250.158.in-addr.arpa", got "5.0/27.46.250.158.in-addr.arpa"
Nov 22 12:17:49 syslog: gethostby*.getanswer: asked for "6.46.250.158.in-addr.arpa IN PTR", got type "CNAME"
Nov 22 12:17:49 syslog: gethostby*.getanswer: asked for "6.46.250.158.in-addr.arpa", got "6.0/27.46.250.158.in-addr.arpa"
Nov 22 12:19:32 syslog: gethostby*.getanswer: asked for "242.20.81.193.in-addr.arpa IN PTR", got type "CNAME"
Nov 22 12:19:32 syslog: gethostby*.getanswer: asked for "242.20.81.193.in-addr.arpa", got "242.224-255.20.81.193.in-addr.arpa"
Nov 22 12:19:36 syslog: gethostby*.getanswer: asked for "18.172.152.194.in-addr.arpa IN PTR", got type "CNAME"
Nov 22 12:19:36 syslog: gethostby*.getanswer: asked for "18.172.152.194.in-addr.arpa", got "18.16/28.172.152.194.IN-ADDR.ARPA"
Nov 22 12:19:36 last message repeated 6 times
Nov 22 12:19:50 syslog: gethostby*.getanswer: asked for "242.20.81.193.in-addr.arpa IN PTR", got type "CNAME"
Nov 22 12:19:50 syslog: gethostby*.getanswer: asked for "242.20.81.193.in-addr.arpa", got "242.224-255.20.81.193.in-addr.arpa"
Nov 22 12:19:54 syslog: gethostby*.getanswer: asked for "18.172.152.194.in-addr.arpa IN PTR", got type "CNAME"
Nov 22 12:19:54 syslog: gethostby*.getanswer: asked for "18.172.152.194.in-addr.arpa", got "18.16/28.172.152.194.IN-ADDR.ARPA"
Nov 22 12:19:54 last message repeated 6 times
Nov 22 13:20:21 telnetd[6140]: ttloop: read: Broken pipe
Nov 22 12:20:22 syslog: unknown configuration item `CREATE_HOME'
Nov 22 13:30:11 kernel: eth0: Setting promiscuous mode.
Nov 22 13:45:44 syslog: unknown configuration item `CREATE_HOME'
Nov 22 13:53:18 syslog: unknown configuration item `CREATE_HOME'
Nov 22 13:53:47 login[27992]: unable to cd to `(null)' for user `root'
Nov 22 13:54:05 syslog: unknown configuration item `CREATE_HOME'
-----------------------------------------------------------------------------
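A small triage script for syslog lines of the shape shown above, added here as an example; it is not part of the original post and not a RedHat or syslog tool. The sample lines are constructed after the excerpt (the run of 0x10 bytes stands in for the ^P junk mountd logged after "to mount"), and the rule set is an assumption about which events a defender reading such a log would want flagged: a padding-filled request to a daemon, an account being created, a password changed by uid 0 with no login name, and an interface entering promiscuous mode.

```python
import re

# Constructed sample modelled on the /var/log/messages excerpt in the post (not a real
# capture): the second mountd line carries a run of 0x10 bytes in place of the ^P^P^P...
# junk that the original log shows after "to mount".
SAMPLE_LOG = [
    "Nov 22 12:56:23 mountd[264]: Unauthorized access by NFS client 203.148.240.10.",
    "Nov 22 12:56:23 mountd[264]: Blocked attempt of 203.148.240.10 to mount " + "\x10" * 64,
    "Nov 22 12:58:02 adduser[1083]: new user: name=bigkid, uid=1150, gid=1150, home=/home/bigkid, shell=/bin/bash",
    "Nov 22 12:58:09 PAM_pwdb[1082]: (login) session opened for user bigkid by (uid=0)",
    "Nov 22 13:07:49 PAM_pwdb[1586]: password for (soldan/506) changed by ((null)/0)",
    "Nov 22 13:11:11 kernel: device eth0 entered promiscuous mode",
    "Nov 22 13:20:21 telnetd[6140]: ttloop: read: Broken pipe",
]

# Classic BSD syslog layout: "Mon DD HH:MM:SS program[pid]: message" (pid optional).
SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+?)(?:\[(\d+)\])?: (.*)$")
# Eight or more identical non-printable bytes in a row, raw or in ^X caret notation:
# a request that is mostly padding rather than a host or path name.
JUNK_RE = re.compile(r"([\x00-\x1f\x7f])\1{7,}|(\^[@-_])\2{7,}")

# (label, predicate over (program, message)); the rule set is this example's assumption.
RULES = [
    ("padding-filled request to mountd", lambda p, m: p == "mountd" and JUNK_RE.search(m) is not None),
    ("new account created", lambda p, m: p == "adduser" and m.startswith("new user:")),
    ("password changed by uid 0 with no login name", lambda p, m: p == "PAM_pwdb" and "changed by ((null)/0)" in m),
    ("interface put into promiscuous mode", lambda p, m: p == "kernel" and "promiscuous mode" in m),
]

def parse_line(line):
    """Split one syslog line into (timestamp, program, pid or None, message); None if it has no header."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts, prog, pid, msg = m.groups()
    return ts, prog, (int(pid) if pid else None), msg

def triage(lines):
    """Return [(timestamp, program, label)] for every line that trips a rule, in log order."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # header-less continuation such as a bare run of ^P characters
        ts, prog, _pid, msg = parsed
        for label, test in RULES:
            if test(prog, msg):
                findings.append((ts, prog, label))
    return findings

if __name__ == "__main__":
    for ts, prog, label in triage(SAMPLE_LOG):
        print(f"{ts}  {prog:<9} {label}")
```

Run against the real file, the same four rules would pick out the mountd line, the bigkid account, the soldan password change and the eth0 promiscuous-mode message; the lines that syslogd "could not glue together" have no header and are skipped, so the junk run itself must be read from the mountd line that precedes it.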
More information about the Linux mailing list