Jan 31 2002


                    LINUX NEWS
        Resources & Links From CramSession.com
            Thursday, January 31, 2002


TABLE OF CONTENTS

1) Sean’s Notes

2) Linux News

Loki Shuts Its Doors
Mandrake Releases 8.2 Beta
Red Hat Unveils Secure Enterprise Services
Another Word on Solaris for x86

3) Linux Resources

Fistful o' Links
Linux+ Study Tips
Using rndc to Administer BIND
BIND Upgrading Gotchas
Touching Up Scanned Images With the GIMP

4) App o’ the week



1) Sean’s Notes

A couple of weeks ago I posed a question to the Linux-General board, asking what you’d do if you thought your machine was cracked.

http://boards.cramsession.com/boards/vbm.asp?mE7750

One thing a script kiddie will do upon gaining entry to a system is install a Root Kit. The purpose of the kit is to gather information (mostly passwords) about the other users, clean up after the attack (logs), and to leave a back door.

Along with the back door is usually a replacement of some system binaries to hide the existence of the root kit itself. If you checked the process listing and saw “password_sniffer” running, you’d probably be a bit suspicious. Likewise, if the promiscuous flag on an ethernet card were set (meaning that the card is capturing all data on the LAN), that might set off a warning bell. To combat this, root kits install tainted versions of some system utilities that will return “cleaned-up” results.

So one day you log in, and something doesn’t seem right, but according to “ps”, everything is. What do you trust?

kvanhaaren was quick to note that /proc has a directory for each process id that’s running. The /proc directory is special, since the files don’t really exist on any disk. It’s a place that the kernel can report on anything from devices, to processes, to network activity. When you work with the files in that directory, you’re talking to the kernel.

One thing to do might be to compare the number of processes that ps reports to the number of directories in /proc that refer to processes:

ls /proc | egrep '^[0-9]+$' | wc -l

127

ps -ef | wc -l

127

The numbers may differ by one, since in the first case we’re causing three processes to be run, versus two in the second.

Since the numbers are the same, I should be able to assume that my copy of ps is reporting the proper processes.

Different numbers would mean that ps is hiding something from me. Now, my objective should be to quickly find out what pids are running, but not being shown by ps, so I can kill them off. Replacing /bin/ps may take too much time, or I might have already taken this machine off the network (which is probably a good idea).

The most direct way would be to dump a list of pids from each method into a file, and use “diff”.

cd /tmp/

ps -ef | awk '$2 ~ /[0-9]/ {print $2}' | sort -n > fromps

ls /proc | egrep '^[0-9]+$' | sort -n > fromproc

diff fromps fromproc

94,96c94,96
< 6565
< 6566
< 6567
---
> 6568
> 6569
> 6570

Here, I can see that three process IDs differ. Since the PIDs are consecutive, I know that they’re the PIDs of the commands I just ran, so no worries. What if I saw:

< 6565
< 6566
< 6567
---
> 21221
> 21222
> 21223
> 6568
> 6569
> 6570

I’d know that 21221 - 21223 are being hidden from me. /proc/21221/cmdline would tell me what the name of the process was. Repeat for the next two, then “kill -9” ‘em.
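The comparison above, written out as a small reusable script. This is an added example, not code from the newsletter: it snapshots the PIDs ps and /proc each report, prints the ones only /proc knows about, and reads /proc/PID/cmdline (falling back to the Name line of /proc/PID/status for kernel threads, whose cmdline is empty) for each. It assumes a Linux procfs mounted at /proc and a ps that accepts `-e -o pid=`; the function names are mine. The short-lived processes of the snapshot pipeline itself will normally show up in the output, just as the consecutive PIDs did above, so the interesting hits are the ones that are not consecutive with them and are still alive when you describe them.

```shell
#!/bin/sh
# Added example: compare the PIDs ps reports with the PIDs /proc lists.
# Assumes Linux procfs at /proc and a ps that accepts "-e -o pid=" (procps does).
# Function names (snapshot_pids, hidden_pids, describe_pid, check_live) are this example's own.

# snapshot_pids DIR: write DIR/fromps and DIR/fromproc, one PID per line,
# sorted with plain sort(1) so comm(1) can compare them.
snapshot_pids() {
    ps -e -o pid= | tr -d ' ' | sort > "$1/fromps"
    ls /proc | grep -E '^[0-9]+$' | sort > "$1/fromproc"
}

# hidden_pids FROMPS FROMPROC: print PIDs present in FROMPROC but absent from FROMPS.
# Both files must be sorted the way snapshot_pids sorts them. The snapshot pipeline's
# own processes usually appear here; anything else is a process ps is not showing.
hidden_pids() {
    comm -13 "$1" "$2"
}

# describe_pid PID: print the command line /proc knows for PID (argv is NUL-separated,
# so join it with spaces); fall back to the process name from /proc/PID/status.
describe_pid() {
    if [ -s "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
        echo
    elif [ -r "/proc/$1/status" ]; then
        sed -n 's/^Name:[[:space:]]*//p' "/proc/$1/status"
    else
        echo "(pid $1 already gone or unreadable)"
    fi
}

# check_live: run the whole comparison on this host and describe every PID ps hides.
check_live() {
    dir=$(mktemp -d)
    snapshot_pids "$dir"
    hidden_pids "$dir/fromps" "$dir/fromproc" | while read -r pid; do
        printf '%s: ' "$pid"
        describe_pid "$pid"
    done
    rm -rf "$dir"
}

# Run the live check only when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

Run it as `sh hidden.sh --live` on the suspect box. A clean result means ps and /proc agree, which is what you want to see, but it is one signal rather than proof: both views come from the same kernel, so the check only catches a replaced ps binary, not tampering below it.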

Two orders of business remain before you even think of getting back in business.

Remember the command lines you wrote down earlier? Try to find ‘em. If “linsniffer” was the name of one of the binaries, use find to locate it.

find / -name linsniffer -print

/dev/ida/.inet/linsniffer

As you can see, the rootkit is hidden in /dev/ida/.inet. Tar up those files for evidence, and then get rid of them.

Next thing to do is to preserve the logs. /var/log/messages, /var/log/maillog, and /var/log/secure must be saved. (If the attack happened a while ago, you might have rolled over the logs into something.N.gz). Any log you can find (samba, apache), save it. You’re going to want to try to find any signs of the attacker.

Your RPM database (if you use it) might still be intact. We might have taken a shortcut in the first step, but this is still no guarantee.

rpm -qf `which ps`

procps-2.0.6-5

rpm -V procps

S.5....T   /bin/ps

Once you’re back in action, carefully check what’s been changed:

rpm -Va

and replace any RPMs that look fishy.
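Reading a full `rpm -Va` listing by hand is tedious, since a lot of lines are harmless metadata changes or edited config files. The filter below is an added example (not from the newsletter or from the rpm project) that keeps only the entries worth reinstalling: it assumes rpm's verify line format, a flag string of `S M 5 D L U G T` (newer rpm versions add `P`) with `.` for unchanged and `?` for untestable, an optional one-letter attribute (`c` for config files), then the path, plus `missing` lines for files that are gone. The function name and output labels are mine.

```shell
# Added example: triage rpm -V / rpm -Va output, keeping only entries whose file
# contents changed. Assumes rpm's verify line format: a flag string of S M 5 D L U G T
# (newer rpm adds P), '.' for unchanged and '?' for untestable, an optional one-letter
# attribute (c = config file, d = documentation, ...), then the path; "missing" lines
# for files that are gone. Function name and output labels are this example's own.
rpm_verify_triage() {
    awk '
        # The path is the last field whether or not an attribute letter is present.
        function pathof() { return ($2 ~ /^[a-z]$/) ? $3 : $2 }
        function attrof() { return ($2 ~ /^[a-z]$/) ? $2 : "" }

        $1 == "missing" { print "MISSING " pathof(); next }

        # Only real flag strings: 8 or 9 characters drawn from the verify alphabet.
        $1 ~ /^[SM5DLUGTP.?]+$/ && length($1) >= 8 {
            if (index($1, "5") == 0) next           # checksum unchanged: metadata only
            if (attrof() == "c") next               # edited config files are expected
            print "CONTENT-CHANGED " pathof()
        }
    '
}

# Typical use on a suspect host:
#   rpm -Va | rpm_verify_triage
# Anything printed under /bin, /sbin, /usr/bin or /usr/sbin is a binary to reinstall
# from a trusted package. Note that rpm -Va run on the suspect host trusts that host's
# rpm binary and database, so its output is a signal, not proof.
```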

Being hacked by script kiddies isn’t the end of the world. As a good friend put it, it’s “a little wake up call for all of us to make sure our versions are current and machines properly locked down.” If it happens to you, turn it into a learning experience.

Some tools that might help you from becoming the victim of a script kiddie:

http://www.tripwire.org/ - Keeps an offline database of signatures on key binaries, such that you can quickly figure out what’s been changed.

http://www.psionic.com/abacus/logcheck - Periodically checks your system logs for suspicious activity, and mails the results to you.

http://www.thenewbiesarea.com/unix.shtml - A collection of script kiddie tools like root kits. I believe it’s important to know the tools that will be used against you, but be careful and responsible with these!

Long live the Penguin,

Sean mailto:swalberg@cramsession.com

P.S. - If you’ve sent me mail in the past couple of weeks and I didn’t get back to you, please resend. Some messages to my address were bouncing. Make sure to use @cramsession.com instead of the old @brainbuzz.com address. Thanks!


2) Linux News


Loki Shuts Its Doors

It was reported before that Loki Software had filed for bankruptcy protection, but the latest news is that they’re folding up for good. Loki ports popular games from Windows to Linux, and it’s a sad thing to see them go.

http://slashdot.org/article.pl?sid/01/24/032223&mode=thread


Mandrake Releases 8.2 Beta

For those of you that just have to be on the leading edge, Mandrake has made available a beta of their next release. It’s got the 2.4.17 kernel, and some new utilities. The screenshots of the DiskDrake application look interesting, proving to make file sharing as easy under Linux as it is with Windows, while still retaining the security and efficiency that brought you over in the first place.

http://www.linux-mandrake.com/en/82beta.php3


Red Hat Unveils Secure Enterprise Services

In conjunction with their Red Hat Network, which allows administrators to keep multiple machines up to date easily, Red Hat announced that they’re adding security services to the mix. I’m happy to see the company addressing the needs of the enterprise, since a managed security service has to be more efficient than having a bunch of people sitting around installing the latest Win2K hotfix.

http://www.redhat.com/about/presscenter/2002/press_linuxworld.html


Another Word on Solaris for x86

Newsforge.com interviewed a marketing guy from Sun about the news that they’ll be dropping the x86 port of Solaris. No good news for Solaris fans here, but the Open Source advocates in the crowd will like what this article has to say.

http://www.newsforge.com/article.pl?sid/01/28/1637218


3) Linux Resources


Fistful o' Links

Long time site member NovellDude passed along 20-odd Linux-related links guaranteed to keep you informed. There are news sites, distribution vendor sites, and even a handy place to pick up cheap CDs. Thanks, ND!

http://boards.cramsession.com/boards/vbm.asp?mF6665


Linux+ Study Tips

It’s no secret that the Linux+ exam is slightly slanted towards Red Hat, despite its claim of being vendor neutral. As with most exams, the content also lags current technology somewhat. If you’re using Red Hat 7.2 to prepare for this exam, then this posting from the author of a Linux+ book will certainly interest you, as it points out where your system will be different from what’s expected on the exam.

http://boards.cramsession.com/boards/vbm.asp?mF8888


Using rndc to Administer BIND

rndc is a great utility to manage BIND servers, as it lets you remotely reload zones, or get debugging information. This article walks through the setup and use of this utility, including how to properly control its use.

http://www.netadmintools.com/article.php?sid%


BIND Upgrading Gotchas

I wish I knew about this one when I made the change to BIND 9. To say there are some behavioral differences between v8 and v9 would be an understatement. This page lists nine common problems people encounter (and solutions, of course).

http://sysadmin.oreilly.com/news/dnsandbind_0401.html


Touching Up Scanned Images With the GIMP

I must be cursed. Not only do I take bad pictures, but whenever I scan them in they look even worse. Am I worried? No! This article taught me the fine art of touching up photos with everyone’s favourite image editor, the GIMP.

http://www.geocities.com/SiliconValley/Haven/5179/


4) App o’ the week

If you’ve got the task of managing multiple Unix firewalls, or you’re contemplating Unix as a firewall solution, look at this site. The Firewall Builder has a Checkpoint-like GUI, supports multiple firewalls, and can even push out new rules to iptables or ipfilter clients. It even supports all the different NATting rules, and the ability to add rules to protect the firewall itself. As if this isn’t good enough, it’s even got good documentation (including a tutorial!).

http://www.fwbuilder.org/


(C) 2002 BrainBuzz.com, Inc. All Rights Reserved.

