On Mon, 9 June 2003 00:54, you wrote:
I recommend first looking at what happens in the script before you run it :)
the script appends localhost to host.allow and host.deny!
so you can forget about ssh (remotely) :-)
this script blocks all your ttys
you can log in on one console only, and only sitting at the machine :)
ctrlaltdel is also SECURE.sh's doing
the lack of access to some programs may be caused by the SUID bits being removed from
some programs etc. etc. blah blah
heh, BEFORE YOU HIT ENTER take a look at what it is about :))
FATlacz
> Hello,
>
> sorry for the long letter but I really need expert help.
>
> My problems, as I suspect, are related to the secure.sh script,
> which I ran on Sunday at noon (the Slackmore package, according to the article from
>
> : http://hacking.pl/articl
>
> "Zabezpieczanie")
>
> It is strange, because from 12:00 until 22:00 everything worked as it should
> and then I simply lost remote control over the router. It showed
> itself in that suddenly executable programs like wget, mc stopped
> starting, as if something had changed their permissions. After sshd was closed,
> I could no longer log in (access
>
> When I got to the machine at night, it did not react to any
> commands, root did not accept the password, and it could not
> be restarted with CtrlAltDel either.
>
> After a manual reboot, Lilo starts, the kernel boots without problems,
> but once it gets to INITTAB the console shows:
>
> - cannot execute /etc/rc.d/rc.S
> - cannot execute /etc/rc.d/rc.M
> - cannot execute /sbin/agetty
> - cannot execute /sbin/agetty (this line repeats many times)
>
> - then everything stops, it throws out a few more
> tasks for this level and that is it, it hangs.
>
> I booted Slack from the CD and mounted my hda2 partition.
> I checked that all the files are present - they are.
> In /rc.d everything seems to be OK. The files are in place and ls -l
> shows that they have -rwxr-xr-x. I phoned a friend with Slack and he said
> that it is the same on his machine, so it should
>
> But it doesn't work :(((
>
> I also checked /etc/inittab and everything there is as before -
> the runlevel is 3 (I didn't touch anything here).
>
> Everything in the logs is OK. Messages, syslog,
> would be suspicious. You can even see my attempts to get in through sshd and the wrong
> password. I don't know whether someone broke in, did some damage and cleaned up after
> themselves... All files and directories are in place. Logcheck sent nothing
> to my email and portsentry did not report any
> scanning.
>
> I don't know what I messed up. Apart from this script I did nothing else.
> Tomorrow is Monday, the users will switch on the net and here
>
> Maybe one of you can suggest what else I should check. If
> I am in for a reinstall and reconfiguration I will lose it... the worst part is
> the lost time.
>
> Below I am sending the script in question. Maybe one of you will notice something
> suspicious. Earlier I removed a few sections from it that I considered
> unnecessary and ran only what is below.
>
>
> Bartek
>
>
> ===========================================================
>
> #!/bin/sh
>
> # SECURE.sh performs the following tasks:
>
> # Puts in /etc/hosts.deny file the ALL: ALL@ALL
> # exterior access to the machine.
>
> FILE="/etc/hosts.deny"
> if [ "`cat ${FILE} | grep 'ALL: ALL@ALL'`" == "" ]
> then
>     echo "Updating ${FILE} (ALL@ALL)."
>     if [ ! -e ${FILE}.old ] ; then cp -p ${FILE} ${FILE}.old ; fi
>     cat ${FILE} | egrep -v "# End of hosts.deny." > ${FILE}.tmp
>     echo "ALL: ALL@ALL" >> ${FILE}.tmp
>     echo "# End of hosts.deny." >> ${FILE}.tmp
>     mv ${FILE}.tmp ${FILE}
> fi
>
> # Puts in /etc/hosts.allow file the ALL: ALL@127.0.0.1 : ALLOW entry, giving
> # access to the resources of the local machine.
>
> FILE="/etc/hosts.allow"
> if [ "`cat ${FILE} | grep 'ALL: ALL@127.0.0.1'`" == "" ]
> then
>     echo "Updating ${FILE} (ALL@127.0.0.1)."
>     if [ ! -e ${FILE}.old ] ; then cp -p ${FILE} ${FILE}.old ; fi
>     cat ${FILE} | egrep -v "# End of hosts.allow." > ${FILE}.tmp
>     echo "ALL: ALL@127.0.0.1 : ALLOW" >> ${FILE}.tmp
>     echo "# End of hosts.allow.." >> ${FILE}.tmp
>     mv ${FILE}.tmp ${FILE}
>     tcpdchk
> fi
>
> # Changes in /etc/host.conf file the order hosts, bind sequence into the
> # more secure order bind, hosts and adds the nospoof on sequence.
>
> FILE="/etc/host.conf"
> if [ "`cat ${FILE} | grep 'order hosts, bind'`" != "" ]
> then
>     echo "Updating ${FILE} (order, nospoof)."
>     if [ ! -e ${FILE}.old ] ; then cp -p ${FILE} ${FILE}.old ; fi
>     cat ${FILE} | \
>         sed 's/order hosts, bind/order bind, hosts/' > ${FILE}.tmp
>     echo "nospoof on" >> ${FILE}.tmp
>     mv ${FILE}.tmp ${FILE}
> fi
>
> # Blocks in /etc/securetty file the access for the root to all consoles
> # except /dev/tty1.
>
> FILE="/etc/securetty"
> if [ "`cat ${FILE} | egrep '^tty6'`" != "" ]
> then
>     echo "Updating ${FILE} (tty?)."
>     if [ ! -e ${FILE}.old ] ; then cp -p ${FILE} ${FILE}.old ; fi
>     cat ${FILE} | \
>         sed 's/^tty2/# tty2/' | \
>         sed 's/^tty3/# tty3/' | \
>         sed 's/^tty4/# tty4/' | \
>         sed 's/^tty5/# tty5/' | \
>         sed 's/^tty6/# tty6/' \
>
>         > ${FILE}.tmp
>
>     mv ${FILE}.tmp ${FILE}
> fi
>
> # Removes from /etc/group file the news and uucp groups superfluous in most
> # cases. It is equivalent to give groupdel news and groupdel uucp commands.
>
> FILE="/etc/group"
> if [ "`cat ${FILE} | egrep '^news:'`" != "" ]
> then
>     echo "Updating ${FILE} (groups)."
>     if [ ! -e ${FILE}.old ] ; then cp -p ${FILE} ${FILE}.old ; fi
>     cat ${FILE} | \
>         egrep -v '^news:' | \
>         egrep -v '^uucp:' \
>
>         > ${FILE}.tmp
>
>     mv ${FILE}.tmp ${FILE}
>     # groupdel news
>     # groupdel uucp
> fi
>
> # Removes from /etc/passwd file news, uucp, operator, sync, and shutdown
> # users. It is equivalent to the sequence of
> # taking the appropriate parameters.
>
> FILE="/etc/passwd"
> if [ "`cat ${FILE} | egrep '^news:'`" != "" ]
> then
>     echo "Updating ${FILE} (users)."
>     if [ ! -e ${FILE}.old ] ; then cp -p ${FILE} ${FILE}.old ; fi
>     cat ${FILE} | \
>         egrep -v '^news:' | \
>         egrep -v '^uucp:' | \
>         egrep -v '^operator:' | \
>         egrep -v '^sync:' | \
>         egrep -v '^shutdown:' \
>
>         > ${FILE}.tmp
>
>     mv ${FILE}.tmp ${FILE}
>     # userdel sync
>     # userdel shutdown
>     # userdel news
>     # userdel uucp
>     # userdel operator
> fi
>
> # Performs the parallel actions with reference to /etc/shadow file.
>
> FILE="/etc/shadow"
> if [ "`cat ${FILE} | egrep '^news:'`" != "" ]
> then
>     echo "Updating ${FILE} (users)."
>     if [ ! -e ${FILE}.old ] ; then cp -p ${FILE} ${FILE}.old ; fi
>     cat ${FILE} | \
>         egrep -v '^news:' | \
>         egrep -v '^uucp:' | \
>         egrep -v '^operator:' | \
>         egrep -v '^sync:' | \
>         egrep -v '^shutdown:' \
>
>         > ${FILE}.tmp
>
>     mv ${FILE}.tmp ${FILE}
>     # userdel sync
>     # userdel shutdown
>     # userdel news
>     # userdel uucp
>     # userdel operator
> fi
>
>
> # Takes away from all the scripts from /etc/rc.d
> # reading or executing them by the group or by other users.
>
> DIRECTORY="/etc/rc.d/"
> if [ "`ls -l ${DIRECTORY}* | grep \"\-rwxr\-xr\-x\"`" != "" ]
> then
>     echo "Updating ${DIRECTORY}* (g-rx,o-rx)."
>     chmod g-rx,o-rx ${DIRECTORY}*
> fi
>
>
> # Tests a few dozen of trouble programs and takes the SUID bit away from
> # them. It stores the information about those modifications in the log
> # file.
>
> TEST="no"
> LOG_NOSUID="0.nosuid.`hostname`"
>
> > ${LOG_NOSUID}
>
> echo >> ${LOG_NOSUID}
> echo "Removed SUID or SGID:" >> ${LOG_NOSUID}
> echo >> ${LOG_NOSUID}
> echo "Removed SUID:" >> ${LOG_NOSUID}
> for FILE in /usr/bin/at /usr/bin/crontab /usr/bin/fdmount /usr/bin/chage \
>     /usr/bin/chfn /usr/bin/chsh /usr/bin/expiry /usr/bin/gpasswd /usr/bin/newgrp \
>     /usr/bin/passwd /usr/bin/rcp /usr/bin/rlogin /usr/bin/rsh \
>     /usr/bin/traceroute /usr/X11R6/bin/xterm /usr/libexec/pt_chown /bin/su \
>     /bin/mount /bin/umount /bin/ping /opt/kde/bin/kcheckpass \
>     /opt/kde/bin/konsole_grantpty /opt/kde/bin/kppp \
>     /usr/lib/news/bin/inndstart /usr/lib/news/bin/startinnfeed \
>     /usr/lib/news/bin/rnews \
>     /opt/kde/bin/fileshareset \
>     /usr/libexec/ssh-keysign /usr/X11R6/bin/xscreensaver \
>     /usr/X11R6/bin/xcardinfo /usr/X11R6/bin/wmtune /usr/local/bin/thotswap \
>     /sbin/cardctl /usr/X11R6/bin/xlock
> do
>     if [ -e ${FILE} ]
>     then
>         "" ]
>         then
>             if [ "${TEST}" == "no" ]
>             then
>                 echo "Removing some SUID and SGID attributes."
>                 TEST="yes"
>             fi
>             echo "Chmoding ${FILE} (u-s)."
>             chmod u-s ${FILE}
>         fi
>         ls -l ${FILE} | cut -b -35,57- >> ${LOG_NOSUID}
>     fi
> done
>
> # Does the similar action with reference to a
> # taking SUID and SGID bits away from them.
>
> echo >> ${LOG_NOSUID}
> echo "Removed SUID and SGID:" >> ${LOG_NOSUID}
> for FILE in /usr/bin/cu /usr/bin/uux /usr/bin/uucp /usr/bin/uuname \
>     /usr/bin/uustat /usr/lib/uucp/uuchk /usr/lib/uucp/uuxqt /usr/lib/uucp/uucico \
>     /usr/lib/uucp/uuconv /usr/lib/uucp/uusched \
>     /usr/X11R6/bin/wmapm
> do
>     if [ -e ${FILE} ]
>     then
>         "" ]
>         then
>             echo "Chmoding ${FILE} (u-s,g-s)."
>             chmod u-s,g-s ${FILE}
>         fi
>         ls -l ${FILE} | cut -b -36,57- >> ${LOG_NOSUID}
>     fi
> done
>
> # Puts in /etc/mail/sendmail.cf config file the
> # O PrivacyOptions=noexpn and O PrivacyOptions=novrfy. It prevents the
> # system from remote checking of the accounts.
>
> FILE="/etc/mail/sendmail.cf"
> if [ "`cat ${FILE} | grep \"authwarnings\"`" != "" ]
> then
>     TOTAL="`cat ${FILE} | grep -n \"\" | tail -n 1 | cut -d ":" -f -1`"
>     TOP="`cat ${FILE} | grep -n \"authwarnings\" | cut -d ":" -f -1`"
>     BOTTOM="`expr ${TOTAL} - ${TOP}`"
> fi
> if [ "`cat ${FILE} | grep \"PrivacyOptions=noexpn\"`" == "" ]
> then
>     echo "Upgrading ${FILE} (noexpn, novrfy)."
>     cat ${FILE} | head -n ${TOP} > ${FILE}.tmp
>     echo "O PrivacyOptions=noexpn" >> ${FILE}.tmp
>     echo "O PrivacyOptions=novrfy" >> ${FILE}.tmp
>     cat ${FILE} | tail -n ${BOTTOM} >> ${FILE}.tmp
>     mv ${FILE}.tmp ${FILE}
> fi
--
++++++++++++++++++++++++++++++++++++++++++++++++++++++
- [ Register Linux User #306725 | BLUG register member #0306]
- [ http://www.ibq.pl | tel: 604665016 | laczo@ibq.pl
++++++++++++++++++++++++++++++++++++++++++++++++++++++
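An added example (not code from this thread or from the Slackmore package): a safer form of the `cat FILE | egrep -v ... > FILE.tmp ; mv FILE.tmp FILE` pattern the quoted script applies to /etc/passwd, /etc/group and /etc/shadow, which refuses to install an empty or heavily shortened result and supports a dry run. The helper name `safe_filter` and the `DRY_RUN` variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread above: a safer form of the
#   cat FILE | egrep -v ... > FILE.tmp ; mv FILE.tmp FILE
# pattern SECURE.sh applies to /etc/passwd, /etc/group and /etc/shadow.
# If a line continuation breaks, that pattern can leave "> FILE.tmp" as a
# command of its own and install an empty file. This helper validates the
# result before installing it. Assumed names: safe_filter, DRY_RUN.

# safe_filter FILE MAX_DROPPED COMMAND [ARGS...]
#   Feeds FILE to COMMAND on stdin, keeps a FILE.old backup, and installs
#   the output only if it is non-empty and dropped at most MAX_DROPPED
#   lines. With DRY_RUN=yes it only prints the diff. Returns 1 on rejection.
safe_filter() {
    sf_file=$1; sf_max=$2; shift 2
    sf_tmp="${sf_file}.tmp.$$"
    # Copy first so the temp file inherits the original mode (e.g. 0600 on shadow).
    cp -p "$sf_file" "$sf_tmp" || return 1
    "$@" < "$sf_file" > "$sf_tmp" || { rm -f "$sf_tmp"; return 1; }
    sf_before=$(wc -l < "$sf_file")
    sf_after=$(wc -l < "$sf_tmp")
    sf_dropped=$((sf_before - sf_after))
    # An empty result or a large loss of lines is a broken filter, not hardening.
    if [ ! -s "$sf_tmp" ] || [ "$sf_dropped" -gt "$sf_max" ]; then
        echo "refusing to replace $sf_file: $sf_before -> $sf_after lines" >&2
        rm -f "$sf_tmp"
        return 1
    fi
    if [ "${DRY_RUN:-no}" = "yes" ]; then
        diff "$sf_file" "$sf_tmp" || :
        rm -f "$sf_tmp"
        return 0
    fi
    [ -e "${sf_file}.old" ] || cp -p "$sf_file" "${sf_file}.old"
    mv "$sf_tmp" "$sf_file"
}

# Example use, equivalent to the script's five-user removal from /etc/passwd:
#   DRY_RUN=yes safe_filter /etc/passwd 5 grep -Ev '^(news|uucp|operator|sync|shutdown):'
```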