Re: Re: [SLUG] attacked!

From: Eben King (eben01@verizon.net)
Date: Fri Jun 16 2006 - 13:05:39 EDT


>From: Daniel Jarboe <daniel.jarboe@gmail.com>
>Date: Fri Jun 16 08:00:12 CDT 2006
>To: slug@nks.net
>Subject: Re: [SLUG] attacked!

>> First thing I did was stop Postfix. Turns out it was listening on all
>> interfaces, instead of just "lo". Fixed.
>>
>> Now, I need to figure out how I was broken into. I don't see any holes in
>> the firewall, and root login is disabled through ssh.
>
>How about eliminating the most likely possibility first. Have you
>determined that port 25 was not open in the firewall? And that your
>postfix is not configured as a relay?

I went to reinstall Postfix, and the init scripts are not replaced. E.g., /etc/init.d/postfix was nonexecutable (!) and still has these lines:

# Only runs when $local_maps does not already contain proxy:unix:passwd.byname
if [ "X$local_maps" = "X${local_maps#*proxy:unix:passwd.byname}" ]; then
    # Rewrite the second field of each /etc/passwd line to "x" and write the
    # result to the relative path etc/passwd (not back to /etc/passwd)
    sed 's/^\([^:]*\):[^:]*/\1:x/' /etc/passwd > etc/passwd
    chmod a+r etc/passwd
fi

I can't really decipher it, but I think the sed command is meant to remove
the asterisk from the password field in /etc/passwd, thus opening up
my system to all comers. I also think that since my system (and most systems
these days IIRC) use shadow passwords, /etc/passwd doesn't really matter. I
third think that the "< foo > foo" construct guarantees that the file in
question will get wiped out, but bash may have worked around that.

So, does anyone have a clean copy of this file? I've left postfix not running and checked /etc/{passwd,shadow} for unusual "features" and seen none. (The "no login" password entry is x not * anyhow.)

-- 
-eben    ebQenW1@EtaRmpTabYayU.rIr.OcoPm    home.tampabay.rr.com/hactar

My parents went to a planet where the inhabitants have no bilateral symmetry, and all I got was this lousy F-shirt.

----------------------------------------------------------------------- This list is provided as an unmoderated internet service by Networked Knowledge Systems (NKS). Views and opinions expressed in messages posted are those of the author and do not necessarily reflect the official policy or position of NKS or any of its employees.
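As an added example (not part of the thread, and not taken from any distribution's postfix init script), the following POSIX shell runs the exact sed expression from the quoted snippet over a few constructed passwd-style lines so its effect can be inspected without touching /etc/passwd. The user names, hashes and paths are made up for the demonstration. It also writes source and destination to two different paths in a temporary directory, as the snippet does, and counts the lines in each.

```shell
#!/bin/sh
# Added example, not from the original thread: exercise the sed expression
# quoted from /etc/init.d/postfix on constructed input only.

# Constructed sample passwd lines (hypothetical users, not from any real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:$6$saltsalt$hashhashhash:1000:1000:Alice:/home/alice:/bin/bash
bob::1001:1001:Bob:/home/bob:/bin/sh'

# Apply the sed expression from the init script to stdin.
# The pattern anchors at line start, captures everything up to the first
# colon (the user name) and then consumes the next field; the replacement
# writes the name back followed by ":x". Fields three onward are untouched.
scrub_passwd() {
    sed 's/^\([^:]*\):[^:]*/\1:x/'
}

# Print the second (password) field for the named user from passwd-style text.
# $1 = passwd-style text, $2 = user name
password_field() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '$1 == u { print $2 }'
}

# Print the seventh (shell) field for the named user, to confirm later
# fields survive the rewrite.
shell_field() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '$1 == u { print $7 }'
}

# Run the scrub over the constructed sample and return the result.
scrubbed_sample() {
    printf '%s\n' "$SAMPLE_PASSWD" | scrub_passwd
}

# Mirror the snippet's "src > dst" shape with two distinct paths inside a
# temporary directory and verify both files still hold all four lines.
copy_keeps_source() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_PASSWD" > "$dir/passwd"
    mkdir "$dir/etc"
    ( cd "$dir" && sed 's/^\([^:]*\):[^:]*/\1:x/' passwd > etc/passwd )
    src_lines=$(wc -l < "$dir/passwd" | tr -d ' ')
    dst_lines=$(wc -l < "$dir/etc/passwd" | tr -d ' ')
    rm -rf "$dir"
    [ "$src_lines" -eq 4 ] && [ "$dst_lines" -eq 4 ]
}

# Stand-alone run: show the before and after side by side.
printf 'before:\n%s\n\nafter:\n%s\n' "$SAMPLE_PASSWD" "$(scrubbed_sample)"
```

Running it shows every password field, whether it held "x", "*", a hash or nothing at all, coming out as "x", with the remaining fields unchanged, and the original file still intact alongside the rewritten copy.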



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:09:57 EDT