Attack?

Jiri Polach sprava at jh-inst.cas.cz
Monday November 23 20:55:43 CET 1998


I am asking for help from someone who knows the details of TCP/IP and the
possible ways of breaking into Linux from outside. Yesterday someone managed to
remotely create their own account on one of our Linux machines and did quite a
lot of damage. It is RedHat 5.1 with kernel 2.1.122.

From /var/log/messages I extracted the part that probably relates to this
attack (I attach it at the end; it is quite long). I do not know whether it
contains all the important information; the attacker may also have managed to
cover something up. Do you see in this listing how the attack happened? Can
anything be done against it?

Thanks,

Jiri Polach

/var/log/messages ---------------------------------------------------------

Nov 22 12:56:23 mountd[264]: Unauthorized access by NFS client 203.148.240.10. 
Nov 22 12:56:23 syslogd: Cannot glue message parts together
Nov 22 12:56:23 mountd[264]: Blocked attempt of 203.148.240.10 to mount 
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P
Nov 22 12:56:23 
^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E
^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E
^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E
^H(-^E 
Nov 22 12:57:39 PAM_pwdb[1081]: new password not acceptable
Nov 22 12:58:02 adduser[1083]: new group: name=bigkid, gid=1150 
Nov 22 12:58:02 adduser[1083]: new user: name=bigkid, uid=1150, gid=1150, 
home=/home/bigkid, shell=/bin/bash 
Nov 22 12:58:09 PAM_pwdb[1082]: (login) session opened for user bigkid by 
(uid=0)
Nov 22 12:58:09 login[1082]: LOGIN ON ttyp0 BY bigkid FROM 
dialup1-224.samart.co.th
Nov 22 12:05:04 syslog: unknown configuration item `CREATE_HOME'
Nov 22 13:07:49 PAM_pwdb[1586]: password for (soldan/506) changed by 
((null)/0)
Nov 22 13:11:11 kernel: nfsiod uses obsolete (PF_INET,SOCK_PACKET)
Nov 22 13:11:11 kernel: eth0: Setting promiscuous mode.
Nov 22 13:11:11 kernel: device eth0 entered promiscuous mode
Nov 22 13:11:32 inetd[1902]: execv /usr/sbin/in.identd: No such file or 
directory
Nov 22 13:11:33 inetd[1906]: execv /usr/sbin/in.identd: No such file or 
directory
Nov 22 13:11:33 inetd[1907]: execv /usr/sbin/in.identd: No such file or 
directory
Nov 22 13:11:33 inetd[1908]: execv /usr/sbin/in.identd: No such file or 
directory
Nov 22 13:13:10 inetd[253]: auth/tcp server failing (looping), service 
terminated 
Nov 22 13:13:10 inetd[4361]: execv /usr/sbin/in.identd: No such file or 
directory
Nov 22 12:13:28 syslog: gethostby*.getanswer: asked for 
"2.20.54.195.in-addr.arpa IN PTR", got type "CNAME"
Nov 22 12:13:28 syslog: gethostby*.getanswer: asked for 
"2.20.54.195.in-addr.arpa", got "2.EMS.20.54.195.in-addr.arpa"
Nov 22 13:17:10 fingerd[26682]: rejected @sarha.jh-inst.cas.cz 
Nov 22 12:17:21 syslog: gethostby*.getanswer: asked for 
"4.46.250.158.in-addr.arpa IN PTR", got type "CNAME"
Nov 22 12:17:21 syslog: gethostby*.getanswer: asked for 
"4.46.250.158.in-addr.arpa", got "4.0/27.46.250.158.in-addr.arpa"
Nov 22 13:17:23 fingerd[31635]: rejected @sarha.jh-inst.cas.cz 
Nov 22 12:17:49 syslog: gethostby*.getanswer: asked for 
"5.46.250.158.in-addr.arpa IN PTR", got type "CNAME"
Nov 22 12:17:49 syslog: gethostby*.getanswer: asked for 
"5.46.250.158.in-addr.arpa", got "5.0/27.46.250.158.in-addr.arpa"
Nov 22 12:17:49 syslog: gethostby*.getanswer: asked for 
"6.46.250.158.in-addr.arpa IN PTR", got type "CNAME"
Nov 22 12:17:49 syslog: gethostby*.getanswer: asked for 
"6.46.250.158.in-addr.arpa", got "6.0/27.46.250.158.in-addr.arpa"
Nov 22 12:19:32 syslog: gethostby*.getanswer: asked for 
"242.20.81.193.in-addr.arpa IN PTR", got type "CNAME"
Nov 22 12:19:32 syslog: gethostby*.getanswer: asked for 
"242.20.81.193.in-addr.arpa", got "242.224-255.20.81.193.in-addr.arpa"
Nov 22 12:19:36 syslog: gethostby*.getanswer: asked for 
"18.172.152.194.in-addr.arpa IN PTR", got type "CNAME"
Nov 22 12:19:36 syslog: gethostby*.getanswer: asked for 
"18.172.152.194.in-addr.arpa", got "18.16/28.172.152.194.IN-ADDR.ARPA"
Nov 22 12:19:36 last message repeated 6 times
Nov 22 12:19:50 syslog: gethostby*.getanswer: asked for 
"242.20.81.193.in-addr.arpa IN PTR", got type "CNAME"
Nov 22 12:19:50 syslog: gethostby*.getanswer: asked for 
"242.20.81.193.in-addr.arpa", got "242.224-255.20.81.193.in-addr.arpa"
Nov 22 12:19:54 syslog: gethostby*.getanswer: asked for 
"18.172.152.194.in-addr.arpa IN PTR", got type "CNAME"
Nov 22 12:19:54 syslog: gethostby*.getanswer: asked for 
"18.172.152.194.in-addr.arpa", got "18.16/28.172.152.194.IN-ADDR.ARPA"
Nov 22 12:19:54 last message repeated 6 times
Nov 22 13:20:21 telnetd[6140]: ttloop:  read: Broken pipe 
Nov 22 12:20:22 syslog: unknown configuration item `CREATE_HOME'
Nov 22 13:30:11 kernel: eth0: Setting promiscuous mode.
Nov 22 13:45:44 syslog: unknown configuration item `CREATE_HOME'
Nov 22 13:53:18 syslog: unknown configuration item `CREATE_HOME'
Nov 22 13:53:47 login[27992]: unable to cd to `(null)' for user `root' 
Nov 22 13:54:05 syslog: unknown configuration item `CREATE_HOME'

-----------------------------------------------------------------------------
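The excerpt above contains the sequence a defender would want to pick out of a syslog file: a rejected NFS mount request from an outside client, a mount path logged as a long run of control characters (binary data in a text field, which should be treated as a suspected overflow attempt against mountd), an account created by adduser shortly afterwards, a login to that new account from a remote dial-up host, a password change for another user performed by uid 0, and the network interface entering promiscuous mode. The following triage script is an added example and not part of the original post or of any Red Hat tool; it parses lines in the same BSD-syslog layout as the excerpt (no hostname field) and flags those indicators. The sample log embedded in it is constructed to mirror the post's entries; the client address, user name `intruder`, host `dialup.example.net` and user `alice` are placeholders, not values from the post.

```python
"""Triage rules for a /var/log/messages excerpt of the kind quoted in the post.

Added example, not the post's own code. The sample lines below are
constructed; the address, account and host names are placeholders.
"""
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "rule line")

# BSD-syslog line without a hostname field, as in the post's excerpt:
# "Nov 22 12:56:23 mountd[264]: Blocked attempt ..."
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<prog>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)
# Sixteen or more consecutive control characters, either raw (0x01-0x1f, tab
# excluded) or in the caret notation ("^P") that a pager or mail client shows.
CONTROL_RUN_RE = re.compile(r"(?:\^[A-Z]|[\x01-\x08\x0b-\x1f]){16,}")
LOGIN_RE = re.compile(r"LOGIN ON \S+ BY (?P<user>\S+) FROM (?P<host>\S+)")
NEW_USER_RE = re.compile(r"new user: name=(?P<user>[^,]+),")

# Constructed sample log (not the post's lines); values are placeholders.
SAMPLE_LOG = """\
Nov 22 12:56:23 mountd[264]: Unauthorized access by NFS client 192.0.2.10.
Nov 22 12:56:23 syslogd: Cannot glue message parts together
Nov 22 12:56:23 mountd[264]: Blocked attempt of 192.0.2.10 to mount ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
Nov 22 12:57:39 PAM_pwdb[1081]: new password not acceptable
Nov 22 12:58:02 adduser[1083]: new group: name=intruder, gid=1150
Nov 22 12:58:02 adduser[1083]: new user: name=intruder, uid=1150, gid=1150, home=/home/intruder, shell=/bin/bash
Nov 22 12:58:09 login[1082]: LOGIN ON ttyp0 BY intruder FROM dialup.example.net
Nov 22 13:07:49 PAM_pwdb[1586]: password for (alice/506) changed by ((null)/0)
Nov 22 13:11:11 kernel: eth0: Setting promiscuous mode.
Nov 22 13:11:11 kernel: device eth0 entered promiscuous mode
Nov 22 13:20:21 telnetd[6140]: ttloop:  read: Broken pipe
"""


def parse_line(line):
    """Return (timestamp, program, pid, message), or None for lines that are
    not syslog records (wrapped continuations, raw payload fragments)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("prog"), m.group("pid"), m.group("msg")


# Stateless rules: (name, predicate over (program, message)).
RULES = [
    ("nfs-unauthorized", lambda p, m: p == "mountd"
        and ("Unauthorized access" in m or "Blocked attempt" in m)),
    ("binary-garbage-in-log", lambda p, m: CONTROL_RUN_RE.search(m) is not None),
    ("new-account", lambda p, m: p == "adduser" and m.startswith("new user:")),
    ("sniffer-promisc", lambda p, m: p == "kernel" and "promiscuous mode" in m),
    ("password-changed-by-uid0", lambda p, m: p.startswith("PAM_")
        and "changed by ((null)/0)" in m),
]


def triage(log_text):
    """Apply RULES in file order, plus one stateful rule: a login by an
    account that this same log shows being created."""
    findings = []
    created = set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, prog, _, msg = parsed
        for name, pred in RULES:
            if pred(prog, msg):
                findings.append(Finding(name, line))
        if prog == "adduser":
            nu = NEW_USER_RE.search(msg)
            if nu:
                created.add(nu.group("user"))
        if prog == "login":
            lg = LOGIN_RE.search(msg)
            if lg and lg.group("user") in created:
                findings.append(Finding("login-as-new-account", line))
    return findings


def summarize(findings):
    """Count findings per rule."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:26} {f.line[:70]}")
    print(summarize(triage(SAMPLE_LOG)))
```

The script keeps file order rather than sorting by timestamp: in the post's excerpt the `syslog:` entries carry times an hour earlier than the adjacent daemon entries for the same period, so position in the file is the more reliable ordering. Lines that do not parse (the control-character continuation lines) are skipped by the parser, which is why the check for binary garbage is applied to the `mountd` record that carries the start of the run.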

