


Re: My Slack died - a cry for help!

From: <admin@ibq.pl>
Date: Mon Jun 09 2003 - 01:06:56 CEST

On Mon 9 June 2003 00:54, you wrote:

I recommend first looking through what a script does before you run it :)
The script adds localhost to hosts.allow and hosts.deny!
So you can forget about ssh (remotely) :-)
This script blocks all your ttys.
You can log in on one console only, and only sitting at the machine :)
CtrlAltDel is also SECURE.sh's doing.
No access to some programs may be caused by the SUID bits being removed from
some progs etc. etc. blah blah

heh, BEFORE YOU HIT ENTER, look at what it does :))

FATlacz

> Hello,
>
> Sorry for the overly long mail, but I really need expert help.
>
> My problems are, I suspect, related to the secure.sh script,
> which I ran on Sunday at noon (the Slackmore package, following the article at
>
> : http://hacking.pl/articl=
>
> "Securing")
>
> Strange, because from 12:00 until 22:00 everything worked as it should,
> and then I simply lost remote control of the router. It showed up as
> executables like wget and mc suddenly refusing to start, as if something
> had changed their permissions. After sshd was shut down I could no longer
> log in (access
>
> The machine, when I got to it during the night, did not respond to any
> commands, root would not accept the password, and it could not be
> restarted with CtrlAltDel either.
>
> After a manual reboot, LILO starts and the kernel boots without problems,
> but once it gets to INITTAB the console shows:
>
> - cannot execute /etc/rc.d/rc.S
> - cannot execute /etc/rc.d/rc.M
> - cannot execute /sbin/agetty
> - cannot execute /sbin/agetty (this line repeats many times)
>
> - then everything stops, it throws out a few more
> tasks for that runlevel, and that is it, it hangs.
>
> I booted Slack from the CD and mounted my hda2 partition.
> I checked that all the files are present; they are.
> In /rc.d everything seems to be OK. The files are in place and ls -l
> shows they have -rwxr-xr-x. I called a friend who runs Slack and he said
> it is the same on his box, so it should
>
> And it does not work :(((
>
> I also checked /etc/inittab and everything there is as before;
> the runlevel is 3 (I did not touch anything there).
>
> The logs look fine. Messages, syslog,
> would be suspicious. You can even see my attempts to get in through sshd
> with a wrong password. I do not know whether someone broke in, did some
> damage and cleaned up after themselves... All files and directories are
> in place. Logcheck has not sent anything to my email and portsentry
> did not report any scanning.
>
> I do not know what I broke. Apart from that script I did nothing else.
> Tomorrow is Monday, the users will switch on the net and
>
> Maybe one of you can suggest what else I should check. If I am facing
> a reinstall and reconfiguration I will cut myself... the worst part is
> the lost time.
>
> Below I am sending the script in question. Maybe one of you will notice
> something suspicious. I had earlier removed a few sections from it
> that I considered unnecessary and ran only what is below.
>
>
> Bartek
>
>
> ======================================================================
>
> #!/bin/sh
>
> # SECURE.sh performs the following tasks:
>
> # Puts in /etc/hosts.deny file the ALL: ALL@ALL entry, which denies all
> # exterior access to the machine.
>
> FILE="/etc/hosts.deny"
> if [ "`cat ${FILE} | grep 'ALL: ALL@ALL'`" = "" ]
> then
>     echo "Updating ${FILE} (ALL@ALL)."
>     if [ ! -e ${FILE}.old ] ; then cp -p ${FILE} ${FILE}.old ; fi
>     cat ${FILE} | egrep -v "# End of hosts.deny." > ${FILE}.tmp
>     echo "ALL: ALL@ALL" >> ${FILE}.tmp
>     echo "# End of hosts.deny." >> ${FILE}.tmp
>     mv ${FILE}.tmp ${FILE}
> fi
>
> # Puts in /etc/hosts.allow file the ALL: ALL@127.0.0.1 : ALLOW entry,
> # giving access to the resources of the local machine.
>
> FILE="/etc/hosts.allow"
> if [ "`cat ${FILE} | grep 'ALL: ALL@127.0.0.1'`" = "" ]
> then
>     echo "Updating ${FILE} (ALL@127.0.0.1)."
>     if [ ! -e ${FILE}.old ] ; then cp -p ${FILE} ${FILE}.old ; fi
>     cat ${FILE} | egrep -v "# End of hosts.allow." > ${FILE}.tmp
>     echo "ALL: ALL@127.0.0.1             : ALLOW" >> ${FILE}.tmp
>     echo "# End of hosts.allow." >> ${FILE}.tmp
>     mv ${FILE}.tmp ${FILE}
>     tcpdchk
> fi
>
> # Changes in /etc/host.conf file the order hosts, bind sequence into the
> # more secure order bind, hosts and adds the nospoof on sequence.
>
> FILE="/etc/host.conf"
> if [ "`cat ${FILE} | grep 'order hosts, bind'`" != "" ]
> then
>     echo "Updating ${FILE} (order, nospoof)."
>     if [ ! -e ${FILE}.old ] ; then cp -p ${FILE} ${FILE}.old ; fi
>     cat ${FILE} | \
>     sed 's/order hosts, bind/order bind, hosts/' > ${FILE}.tmp
>     echo "nospoof on" >> ${FILE}.tmp
>     mv ${FILE}.tmp ${FILE}
> fi
>
> # Blocks in /etc/securetty file the access for the root to all consoles
> # except /dev/tty1.
>
> FILE="/etc/securetty"
> if [ "`cat ${FILE} | egrep '^tty6'`" != "" ]
> then
>     echo "Updating ${FILE} (tty?)."
>     if [ ! -e ${FILE}.old ] ; then cp -p ${FILE} ${FILE}.old ; fi
>     cat ${FILE} | \
>     sed 's/^tty2/# tty2/' | \
>     sed 's/^tty3/# tty3/' | \
>     sed 's/^tty4/# tty4/' | \
>     sed 's/^tty5/# tty5/' | \
>     sed 's/^tty6/# tty6/' \
>     > ${FILE}.tmp
>     mv ${FILE}.tmp ${FILE}
> fi
>
> # Removes from /etc/group file the news and uucp groups superfluous in most
> # cases. It is equivalent to the groupdel news and groupdel uucp commands.
>
> FILE="/etc/group"
> if [ "`cat ${FILE} | egrep '^news:'`" != "" ]
> then
>     echo "Updating ${FILE} (groups)."
>     if [ ! -e ${FILE}.old ] ; then cp -p ${FILE} ${FILE}.old ; fi
>     cat ${FILE} | \
>     egrep -v '^news:' | \
>     egrep -v '^uucp:' \
>     > ${FILE}.tmp
>     mv ${FILE}.tmp ${FILE}
>     # groupdel news
>     # groupdel uucp
> fi
>
> # Removes from /etc/passwd file the news, uucp, operator, sync, and shutdown
> # users. It is equivalent to the sequence of userdel commands
> # taking the appropriate parameters.
>
> FILE="/etc/passwd"
> if [ "`cat ${FILE} | egrep '^news:'`" != "" ]
> then
>     echo "Updating ${FILE} (users)."
>     if [ ! -e ${FILE}.old ] ; then cp -p ${FILE} ${FILE}.old ; fi
>     cat ${FILE} | \
>     egrep -v '^news:' | \
>     egrep -v '^uucp:' | \
>     egrep -v '^operator:' | \
>     egrep -v '^sync:' | \
>     egrep -v '^shutdown:' \
>     > ${FILE}.tmp
>     mv ${FILE}.tmp ${FILE}
>     # userdel sync
>     # userdel shutdown
>     # userdel news
>     # userdel uucp
>     # userdel operator
> fi
>
> # Performs the parallel actions with reference to the /etc/shadow file.
>
> FILE="/etc/shadow"
> if [ "`cat ${FILE} | egrep '^news:'`" != "" ]
> then
>     echo "Updating ${FILE} (users)."
>     if [ ! -e ${FILE}.old ] ; then cp -p ${FILE} ${FILE}.old ; fi
>     cat ${FILE} | \
>     egrep -v '^news:' | \
>     egrep -v '^uucp:' | \
>     egrep -v '^operator:' | \
>     egrep -v '^sync:' | \
>     egrep -v '^shutdown:' \
>     > ${FILE}.tmp
>     mv ${FILE}.tmp ${FILE}
>     # userdel sync
>     # userdel shutdown
>     # userdel news
>     # userdel uucp
>     # userdel operator
> fi
>
>
> # Takes away from all the scripts in /etc/rc.d the permission for
> # reading or executing them by the group or by other users.
>
> DIRECTORY="/etc/rc.d/"
> if [ "`ls -l ${DIRECTORY}* | grep \"\-rwxr\-xr\-x\"`" != "" ]
> then
>     echo "Updating ${DIRECTORY}* (g-rx,o-rx)."
>     chmod g-rx,o-rx ${DIRECTORY}*
> fi
>
>
> # Tests a few dozen trouble programs and takes the SUID bit away from
> # them. It stores the information about those modifications in the log
> # file.
>
> TEST="no"
> LOG_NOSUID="0.nosuid.`hostname`"
>
> > ${LOG_NOSUID}
>
> echo >> ${LOG_NOSUID}
> echo "Removed SUID or SGID:" >> ${LOG_NOSUID}
> echo >> ${LOG_NOSUID}
> echo "Removed SUID:" >> ${LOG_NOSUID}
> for FILE in /usr/bin/at /usr/bin/crontab /usr/bin/fdmount /usr/bin/chage \
>     /usr/bin/chfn /usr/bin/chsh /usr/bin/expiry /usr/bin/gpasswd /usr/bin/newgrp \
>     /usr/bin/passwd /usr/bin/rcp /usr/bin/rlogin /usr/bin/rsh \
>     /usr/bin/traceroute /usr/X11R6/bin/xterm /usr/libexec/pt_chown /bin/su \
>     /bin/mount /bin/umount /bin/ping /opt/kde/bin/kcheckpass \
>     /opt/kde/bin/konsole_grantpty /opt/kde/bin/kppp \
>     /usr/lib/news/bin/inndstart /usr/lib/news/bin/startinnfeed \
>     /usr/lib/news/bin/rnews \
>     /opt/kde/bin/fileshareset \
>     /usr/libexec/ssh-keysign /usr/X11R6/bin/xscreensaver \
>     /usr/X11R6/bin/xcardinfo /usr/X11R6/bin/wmtune /usr/local/bin/thotswap \
>     /sbin/cardctl /usr/X11R6/bin/xlock
> do
>     if [ -e ${FILE} ]
>     then
>         # The original test on this line was lost in transmission;
>         # checking the SUID bit directly with -u reproduces its intent.
>         if [ -u ${FILE} ]
>         then
>             if [ "${TEST}" = "no" ]
>             then
>                 echo "Removing some SUID and SGID attributes."
>                 TEST="yes"
>             fi
>             echo "Chmoding ${FILE} (u-s)."
>             chmod u-s ${FILE}
>         fi
>         ls -l ${FILE} | cut -b -35,57- >> ${LOG_NOSUID}
>     fi
> done
>
> # Does the similar action with reference to a second list of programs,
> # taking SUID and SGID bits away from them.
>
> echo >> ${LOG_NOSUID}
> echo "Removed SUID and SGID:" >> ${LOG_NOSUID}
> for FILE in /usr/bin/cu /usr/bin/uux /usr/bin/uucp /usr/bin/uuname \
>     /usr/bin/uustat /usr/lib/uucp/uuchk /usr/lib/uucp/uuxqt /usr/lib/uucp/uucico \
>     /usr/lib/uucp/uuconv /usr/lib/uucp/uusched \
>     /usr/X11R6/bin/wmapm
> do
>     if [ -e ${FILE} ]
>     then
>         # Original test lost in transmission; -u / -g check the SUID and
>         # SGID bits directly.
>         if [ -u ${FILE} -o -g ${FILE} ]
>         then
>             echo "Chmoding ${FILE} (u-s,g-s)."
>             chmod u-s,g-s ${FILE}
>         fi
>         ls -l ${FILE} | cut -b -36,57- >> ${LOG_NOSUID}
>     fi
> done
>
> # Puts in /etc/mail/sendmail.cf config file the lines
> # O PrivacyOptions=noexpn and O PrivacyOptions=novrfy. It prevents the
> # system from remote checking of the accounts.
>
> FILE="/etc/mail/sendmail.cf"
> if [ "`cat ${FILE} | grep \"authwarnings\"`" != "" ]
> then
>     TOTAL="`cat ${FILE} | grep -n \"\" | tail -n 1 | cut -d ":" -f -1`"
>     TOP="`cat ${FILE} | grep -n \"authwarnings\" | cut -d ":" -f -1`"
>     BOTTOM="`expr ${TOTAL} - ${TOP}`"
> fi
> # The -n "${TOP}" guard is added: without it, a sendmail.cf with no
> # authwarnings line would be truncated by head -n "".
> if [ -n "${TOP}" -a "`cat ${FILE} | grep \"PrivacyOptions=noexpn\"`" = "" ]
> then
>     echo "Upgrading ${FILE} (noexpn, novrfy)."
>     cat ${FILE} | head -n ${TOP} > ${FILE}.tmp
>     echo "O PrivacyOptions=noexpn" >> ${FILE}.tmp
>     echo "O PrivacyOptions=novrfy" >> ${FILE}.tmp
>     cat ${FILE} | tail -n ${BOTTOM} >> ${FILE}.tmp
>     mv ${FILE}.tmp ${FILE}
> fi

--
++++++++++++++++++++++++++++++++++++++++++++++++++++++
- [ Register Linux User #306725 | BLUG register member #0306 ]
- [ http://www.ibq.pl | tel: 604665016 | laczo@ibq.pl ]
++++++++++++++++++++++++++++++++++++++++++++++++++++++
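A recovery helper for the situation described in the thread, added here as an example (it is not part of the thread, of the Slackmore package or of SECURE.sh). SECURE.sh copies every file it rewrites to ${FILE}.old before editing it and runs chmod g-rx,o-rx on /etc/rc.d/*, so from a rescue CD with the root partition mounted under an assumed ROOT (default /mnt) the backups can be put back and the rc.d permissions reopened.

```sh
#!/bin/sh
# Added recovery helper, not part of the thread or of SECURE.sh.
# ROOT is an assumed parameter: the mount point of the root partition
# when booted from the rescue CD (Bartek mounted hda2).
ROOT="${ROOT:-/mnt}"

# Files SECURE.sh rewrites after saving a ${FILE}.old copy (list taken
# from the script; the sendmail.cf section makes no backup).
EDITED="etc/hosts.deny etc/hosts.allow etc/host.conf etc/securetty
        etc/group etc/passwd etc/shadow"

# Copy $1.old back over $1, keeping mode and timestamps (cp -p).
# Returns 1 when there is no backup, i.e. the script never touched $1.
restore_old() {
    [ -f "$1.old" ] || return 1
    cp -p "$1.old" "$1"
}

# Undo chmod g-rx,o-rx on /etc/rc.d/*: give group and others read back,
# and execute only where the owner still has it, so a deliberately
# disabled script (a 600 rc.sshd, say) does not come back executable.
reopen_rcd() {
    for s in "${ROOT}"/etc/rc.d/*; do
        [ -f "$s" ] || continue
        if [ -x "$s" ]; then chmod go+rx "$s"; else chmod go+r "$s"; fi
    done
}

# Restore every backed-up file, print the path of each one restored,
# then reopen the rc.d scripts.
restore_all() {
    for f in $EDITED; do
        if restore_old "${ROOT}/${f}"; then
            echo "$f"
        fi
    done
    reopen_rcd
}

# Usage from the rescue system:  ROOT=/mnt sh restore_secure.sh --run
if [ "${1:-}" = "--run" ]; then
    restore_all
fi
```

Files the script never backed up (hosts.allow on a box it had not edited, for instance) are left alone, and the printed list doubles as the record of what SECURE.sh actually changed.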


Received on Sat Feb 21 03:42:18 2004
This archive was generated by hypermail 2.1.8.