Hello,
sorry for the long letter, but I really need expert help.
My problems are, I suspect, related to the secure.sh script,
which I ran on Sunday at noon (the Slackmore package, following the article
from: http://hacking.pl/articl "Zabezpieczanie" [Securing]).
The strange thing is that from 12:00 until 22:00 everything was fine,
and then I simply lost remote control over the router. It showed up
as executables like wget and mc suddenly refusing to start, as if
something had changed their permissions. After closing sshd,
I could no longer log in (access denied).
When I got to the machine during the night, it did not respond to any
commands, root would not accept the password, and it could not
be restarted with Ctrl-Alt-Del either.
After a manual reboot, LILO starts and the kernel boots without problems,
but on reaching INITTAB the console shows:
- cannot execute /etc/rc.d/rc.S
- cannot execute /etc/rc.d/rc.M
- cannot execute /sbin/agetty
- cannot execute /sbin/agetty (this line repeats many times)
- then everything stops; it prints some more info that these are all
the tasks for this level, and that's it, it hangs.
I booted Slack from the CD and mounted my hda2 partition.
I checked that all the files are present - they are.
In /rc.d everything seems to be OK. The files are in place and ls -l
shows they have -rwxr-xr-x. I called a friend who runs Slack and he said
his are the same, so it should work.
But it doesn't :(((
I also checked /etc/inittab and everything there is as before -
the runlevel is 3 (I didn't touch anything there).
The logs look fine. messages, syslog and debug show nothing that
would be suspicious. I can even see my attempts to get in via sshd
and the wrong password. I don't know whether someone broke in, did some
mischief and cleaned up after themselves... All files and directories
are in place. Logcheck sent nothing to my email and portsentry
did not report any scanning.
I don't know what I screwed up. Apart from this script I didn't do
anything else.
Tomorrow is Monday, the users will switch on the net, and here...
Maybe one of you can suggest what else I should check. If a reinstall
and reconfiguration awaits me, I'll cut myself... the worst thing
is the lost time.
Below I'm sending the script in question. Maybe one of you will spot
something suspicious. Beforehand I had removed several sections from it
that I considered unnecessary, and ran only what is below.
Bartek
======================= ========================== ==========
#!/bin/sh
# SECURE.sh performs the following tasks:
# Puts in /etc/hosts.deny file the ALL: ALL@ALL entry, for blocking all
# exterior access to the machine.
FILE="/etc/hosts.deny"
if [ "`cat ${FILE} | grep 'ALL: ALL@ALL'`" == "" ]
then
    echo "Updating ${FILE} (ALL@ALL)."
    if [ ! -e ${FILE}.old ] ; then cp -p ${FILE} ${FILE}.old ; fi
    cat ${FILE} | egrep -v "# End of hosts.deny." > ${FILE}.tmp
    echo "ALL: ALL@ALL" >> ${FILE}.tmp
    echo "# End of hosts.deny." >> ${FILE}.tmp
    mv ${FILE}.tmp ${FILE}
fi
# Puts in /etc/hosts.allow file the ALL: ALL@127.0.0.1 : ALLOW entry, giving
# access to the resources of the local machine.
FILE="/etc/hosts.allow"
if [ "`cat ${FILE} | grep 'ALL: ALL@127.0.0.1'`" == "" ]
then
    echo "Updating ${FILE} (ALL@127.0.0.1)."
    if [ ! -e ${FILE}.old ] ; then cp -p ${FILE} ${FILE}.old ; fi
    cat ${FILE} | egrep -v "# End of hosts.allow." > ${FILE}.tmp
    echo "ALL: ALL@127.0.0.1 : ALLOW" >> ${FILE}.tmp
    echo "# End of hosts.allow." >> ${FILE}.tmp
    mv ${FILE}.tmp ${FILE}
    tcpdchk
fi
# Changes in /etc/host.conf file the order hosts, bind sequence into the
# more secure order bind, hosts and adds the nospoof on sequence.
FILE="/etc/host.conf"
if [ "`cat ${FILE} | grep 'order hosts, bind'`" != "" ]
then
    echo "Updating ${FILE} (order, nospoof)."
    if [ ! -e ${FILE}.old ] ; then cp -p ${FILE} ${FILE}.old ; fi
    cat ${FILE} | \
        sed 's/order hosts, bind/order bind, hosts/' > ${FILE}.tmp
    echo "nospoof on" >> ${FILE}.tmp
    mv ${FILE}.tmp ${FILE}
fi
# Blocks in /etc/securetty file the access for the root to all consoles
# except /dev/tty1.
FILE="/etc/securetty"
if [ "`cat ${FILE} | egrep '^tty6'`" != "" ]
then
    echo "Updating ${FILE} (tty?)."
    if [ ! -e ${FILE}.old ] ; then cp -p ${FILE} ${FILE}.old ; fi
    cat ${FILE} | \
        sed 's/^tty2/# tty2/' | \
        sed 's/^tty3/# tty3/' | \
        sed 's/^tty4/# tty4/' | \
        sed 's/^tty5/# tty5/' | \
        sed 's/^tty6/# tty6/' \
        > ${FILE}.tmp
    mv ${FILE}.tmp ${FILE}
fi
# Removes from /etc/group file the news and uucp groups superfluous in most
# cases. It is equivalent to give groupdel news and groupdel uucp commands.
FILE="/etc/group"
if [ "`cat ${FILE} | egrep '^news:'`" != "" ]
then
    echo "Updating ${FILE} (groups)."
    if [ ! -e ${FILE}.old ] ; then cp -p ${FILE} ${FILE}.old ; fi
    cat ${FILE} | \
        egrep -v '^news:' | \
        egrep -v '^uucp:' \
        > ${FILE}.tmp
    mv ${FILE}.tmp ${FILE}
    # groupdel news
    # groupdel uucp
fi
# Removes from /etc/passwd file news, uucp, operator, sync, and shutdown
# users. It is equivalent to the sequence of
# taking the appropriate parameters.
FILE="/etc/passwd"
if [ "`cat ${FILE} | egrep '^news:'`" != "" ]
then
    echo "Updating ${FILE} (users)."
    if [ ! -e ${FILE}.old ] ; then cp -p ${FILE} ${FILE}.old ; fi
    cat ${FILE} | \
        egrep -v '^news:' | \
        egrep -v '^uucp:' | \
        egrep -v '^operator:' | \
        egrep -v '^sync:' | \
        egrep -v '^shutdown:' \
        > ${FILE}.tmp
    mv ${FILE}.tmp ${FILE}
    # userdel sync
    # userdel shutdown
    # userdel news
    # userdel uucp
    # userdel operator
fi
# Performs the parallel actions with reference to the /etc/shadow file.
FILE="/etc/shadow"
if [ "`cat ${FILE} | egrep '^news:'`" != "" ]
then
    echo "Updating ${FILE} (users)."
    if [ ! -e ${FILE}.old ] ; then cp -p ${FILE} ${FILE}.old ; fi
    cat ${FILE} | \
        egrep -v '^news:' | \
        egrep -v '^uucp:' | \
        egrep -v '^operator:' | \
        egrep -v '^sync:' | \
        egrep -v '^shutdown:' \
        > ${FILE}.tmp
    mv ${FILE}.tmp ${FILE}
    # userdel sync
    # userdel shutdown
    # userdel news
    # userdel uucp
    # userdel operator
fi
# Takes away from all the scripts from /etc/rc.d
# reading or executing them by the group or by other users.
# (Unlike the /etc edits above, no .old backup of the previous modes is kept here.)
DIRECTORY="/etc/rc.d/"
if [ "`ls -l ${DIRECTORY}* | grep \"\-rwxr\-xr\-x\"`" != "" ]
then
    echo "Updating ${DIRECTORY}* (g-rx,o-rx)."
    chmod g-rx,o-rx ${DIRECTORY}*
fi
# Tests a few dozen of trouble programs and takes the SUID bit away from
# them. It stores the information about those modifications in the log file.
TEST="no"
LOG_NOSUID="0.nosuid.`hostname`"
> ${LOG_NOSUID}
echo >> ${LOG_NOSUID}
echo "Removed SUID or SGID:" >> ${LOG_NOSUID}
echo >> ${LOG_NOSUID}
echo "Removed SUID:" >> ${LOG_NOSUID}
for FILE in /usr/bin/at /usr/bin/crontab /usr/bin/fdmount /usr/bin/chage \
    /usr/bin/chfn /usr/bin/chsh /usr/bin/expiry /usr/bin/gpasswd /usr/bin/newgrp \
    /usr/bin/passwd /usr/bin/rcp /usr/bin/rlogin /usr/bin/rsh \
    /usr/bin/traceroute /usr/X11R6/bin/xterm /usr/libexec/pt_chown /bin/su \
    /bin/mount /bin/umount /bin/ping /opt/kde/bin/kcheckpass \
    /opt/kde/bin/konsole_grantpty /opt/kde/bin/kppp \
    /usr/lib/news/bin/inndstart /usr/lib/news/bin/startinnfeed \
    /usr/lib/news/bin/rnews \
    /opt/kde/bin/fileshareset \
    /usr/libexec/ssh-keysign /usr/X11R6/bin/xscreensaver \
    /usr/X11R6/bin/xcardinfo /usr/X11R6/bin/wmtune /usr/local/bin/thotswap \
    /sbin/cardctl /usr/X11R6/bin/xlock
do
    if [ -e ${FILE} ]
    then
        if [ "`ls -l ${FILE} | egrep \"\-r.s.\-x\"`" != "" ]
        then
            if [ "${TEST}" == "no" ]
            then
                echo "Removing some SUID and SGID attributes."
                TEST="yes"
            fi
            echo "Chmoding ${FILE} (u-s)."
            chmod u-s ${FILE}
        fi
        ls -l ${FILE} | cut -b -35,57- >> ${LOG_NOSUID}
    fi
done
# Does the similar action with reference to a dozen or so of the programs,
# taking SUID and SGID bits away from them.
echo >> ${LOG_NOSUID}
echo "Removed SUID and SGID:" >> ${LOG_NOSUID}
for FILE in /usr/bin/cu /usr/bin/uux /usr/bin/uucp /usr/bin/uuname \
    /usr/bin/uustat /usr/lib/uucp/uuchk /usr/lib/uucp/uuxqt /usr/lib/uucp/uucico \
    /usr/lib/uucp/uuconv /usr/lib/uucp/uusched \
    /usr/X11R6/bin/wmapm
do
    if [ -e ${FILE} ]
    then
        if [ "`ls -l ${FILE} | egrep \"\-r.s.\-s\"`" != "" ]
        then
            echo "Chmoding ${FILE} (u-s,g-s)."
            chmod u-s,g-s ${FILE}
        fi
        ls -l ${FILE} | cut -b -36,57- >> ${LOG_NOSUID}
    fi
done
# Puts in /etc/mail/sendmail.cf config file the
# O PrivacyOptions=noexpn and O PrivacyOptions=novrfy. It prevents the
# system from remote checking of the accounts.
FILE="/etc/mail/sendmail.cf"
if [ "`cat ${FILE} | grep \"authwarnings\"`" != "" ]
then
    TOTAL="`cat ${FILE} | grep -n \"\" | tail -n 1 | cut -d ":" -f -1`"
    TOP="`cat ${FILE} | grep -n \"authwarnings\" | cut -d ":" -f -1`"
    BOTTOM="`expr ${TOTAL} - ${TOP}`"
fi
if [ "`cat ${FILE} | grep \"PrivacyOptions=noexpn\"`" == "" ]
then
    echo "Upgrading ${FILE} (noexpn, novrfy)."
    cat ${FILE} | head -n ${TOP} > ${FILE}.tmp
    echo "O PrivacyOptions=noexpn" >> ${FILE}.tmp
    echo "O PrivacyOptions=novrfy" >> ${FILE}.tmp
    cat ${FILE} | tail -n ${BOTTOM} >> ${FILE}.tmp
    mv ${FILE}.tmp ${FILE}
fi
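An added audit helper (example code, not the posted script and not part of the Slackmore package) for checking, from the rescue CD with the hda2 partition mounted, what secure.sh changed: it diffs each .old backup the script leaves against the live file, counts /etc/rc.d entries left owner-only by the chmod g-rx,o-rx step (which keeps no backup), and checks whether the hosts.deny/hosts.allow pair would refuse a remote client. The mount point, the helper's name and the client address 192.0.2.10 are assumptions; the tcp_wrappers check is a plain grep, not a full hosts_access(5) match.

```shell
#!/bin/sh
# audit_secure_sh.sh (hypothetical helper): ./audit_secure_sh.sh /mnt [client-ip]
# /mnt is the root of the hda2 partition mounted from the rescue CD.

# /etc files the posted script rewrites after saving a <file>.old copy.
SECURE_SH_FILES="etc/hosts.deny etc/hosts.allow etc/host.conf etc/securetty etc/group etc/passwd etc/shadow"

# Diff every .old backup against the live file (the diff text goes to stderr);
# prints the number of files that differ from their backup.
diff_backups() {
    root=$1; changed=0
    for f in $SECURE_SH_FILES; do
        [ -e "$root/$f.old" ] || continue
        if ! diff -u "$root/$f.old" "$root/$f" >&2; then
            changed=$((changed + 1))
        fi
    done
    echo "$changed"
}

# secure.sh runs "chmod g-rx,o-rx /etc/rc.d/*" without recording the old modes;
# prints how many entries in rc.d now carry owner-only rwx------ permissions.
count_rcd_owner_only() {
    root=$1; n=0
    for f in "$root"/etc/rc.d/*; do
        [ -e "$f" ] || continue
        case "$(ls -ld "$f" | cut -c1-10)" in
            ?rwx------) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# tcp_wrappers consults hosts.allow first, then hosts.deny: with "ALL: ALL@ALL"
# in hosts.deny, any client not listed in hosts.allow is refused by every
# wrapped service, sshd included. Returns 0 when $2 would be refused.
remote_refused() {
    root=$1; client=$2
    grep -qF 'ALL: ALL@ALL' "$root/etc/hosts.deny" 2>/dev/null || return 1
    grep -qF "ALL@$client" "$root/etc/hosts.allow" 2>/dev/null && return 1
    return 0
}

if [ -n "${1:-}" ]; then
    echo "files differing from their .old backup: $(diff_backups "$1")"
    echo "rc.d entries with owner-only permissions: $(count_rcd_owner_only "$1")"
    remote_refused "$1" "${2:-192.0.2.10}" && echo "hosts.deny refuses ${2:-192.0.2.10}"
fi
```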