


My Slack has died - a cry for help!

From: kobartek <kobartek@poczta.fm>
Date: Mon Jun 09 2003 - 00:54:15 CEST
Subject: [slacklist] My Slack has died - a cry for help!

Hi,

sorry for the overly long mail, but I really need expert help.

My problems are, I suspect, connected with the secure.sh script, which I
ran on Sunday at noon (the Slackmore package, following the article
"Zabezpieczanie" at: http://hacking.pl/articl )

It's strange, because from 12:00 until 22:00 everything
and then I simply lost remote control of the router. It showed up as
executables such as wget and mc suddenly refusing to start, as if something
had changed the permissions on them. After sshd was closed I could no
longer log in (access denied).

When I got to the box during the night it wasn't responding to any
commands, root wouldn't accept the password, and it couldn't be restarted
with Ctrl-Alt-Del either.

After a manual reboot LILO comes up and the kernel boots without problems,
but when it reaches INITTAB the console shows:

- cannot execute /etc/rc.d/rc.S
- cannot execute /etc/rc.d/rc.M
- cannot execute /sbin/agetty
- cannot execute /sbin/agetty (this line repeats many times)

- then everything stops; it prints some more info saying those were all the
tasks for this runlevel, and that's it, it hangs.

I booted Slack from the CD and mounted my hda2 partition.
I checked that all the files are present - they are.
In /rc.d everything seems to be OK. The files are in place and ls -l
shows them as -rwxr-xr-x. I phoned a friend who runs Slack and he said
it looks the same on his, so it ought to work.

But it doesn't :(((

I also checked /etc/inittab and everything there is as it was -
the runlevel is 3 (I haven't touched anything there).

The logs are all fine. messages, syslog and debug show nothing that would
be suspicious. You can even see my attempts to get in through sshd with
the wrong password. I don't know whether someone broke in, did some mischief
and cleaned up after themselves... All files and directories are in place.
Logcheck sent nothing to my e-mail and portsentry didn't report any
scanning.

I don't know what I messed up. Apart from that script I didn't do anything
else. Tomorrow is Monday, the users will switch on the net, and here

Maybe one of you can suggest what else I should check. If a reinstall and
reconfiguration awaits me I'll slit my wrists... the lost time is the
worst part.

Below I'm sending the script in question. Maybe one of you will notice
something suspicious. I had earlier removed a few sections from it that I
considered unnecessary and ran only what is below.


Bartek


============================================================

#!/bin/sh

# SECURE.sh performs the following tasks:

# Puts in /etc/hosts.deny file the ALL: ALL@ALL entry, for blocking all
# exterior access to the machine.
#
# Every section that rewrites a file first saves FILE.old (only once) and
# then builds the new content in FILE.tmp. FILE.tmp is created with cp -p
# before it is overwritten, so the mode and owner of FILE survive the mv;
# otherwise a rewritten /etc/shadow would get the umask default (0644).

FILE="/etc/hosts.deny"
if [ "`cat ${FILE} | grep 'ALL: ALL@ALL'`" = "" ]
then
    echo "Updating ${FILE} (ALL@ALL)."
    if [ ! -e ${FILE}.old ] ; then cp -p ${FILE} ${FILE}.old ; fi
    cp -p ${FILE} ${FILE}.tmp
    cat ${FILE} | egrep -v "# End of hosts.deny." > ${FILE}.tmp
    echo "ALL: ALL@ALL" >> ${FILE}.tmp
    echo "# End of hosts.deny." >> ${FILE}.tmp
    mv ${FILE}.tmp ${FILE}
fi

# Puts in /etc/hosts.allow file the ALL: ALL@127.0.0.1 : ALLOW entry, giving
# access to the resources of the local machine.

FILE="/etc/hosts.allow"
if [ "`cat ${FILE} | grep 'ALL: ALL@127.0.0.1'`" = "" ]
then
    echo "Updating ${FILE} (ALL@127.0.0.1)."
    if [ ! -e ${FILE}.old ] ; then cp -p ${FILE} ${FILE}.old ; fi
    cp -p ${FILE} ${FILE}.tmp
    cat ${FILE} | egrep -v "# End of hosts.allow." > ${FILE}.tmp
    echo "ALL: ALL@127.0.0.1             : ALLOW" >> ${FILE}.tmp
    echo "# End of hosts.allow." >> ${FILE}.tmp
    mv ${FILE}.tmp ${FILE}
    tcpdchk
fi

# Changes in /etc/host.conf file the order hosts, bind sequence into the
# more secure order bind, hosts and adds the nospoof on sequence.

FILE="/etc/host.conf"
if [ "`cat ${FILE} | grep 'order hosts, bind'`" != "" ]
then
    echo "Updating ${FILE} (order, nospoof)."
    if [ ! -e ${FILE}.old ] ; then cp -p ${FILE} ${FILE}.old ; fi
    cp -p ${FILE} ${FILE}.tmp
    cat ${FILE} | \
    sed 's/order hosts, bind/order bind, hosts/' > ${FILE}.tmp
    echo "nospoof on" >> ${FILE}.tmp
    mv ${FILE}.tmp ${FILE}
fi

# Blocks in /etc/securetty file the access for the root to all consoles
# except /dev/tty1.

FILE="/etc/securetty"
if [ "`cat ${FILE} | egrep '^tty6'`" != "" ]
then
    echo "Updating ${FILE} (tty?)."
    if [ ! -e ${FILE}.old ] ; then cp -p ${FILE} ${FILE}.old ; fi
    cp -p ${FILE} ${FILE}.tmp
    cat ${FILE} | \
    sed 's/^tty2/# tty2/' | \
    sed 's/^tty3/# tty3/' | \
    sed 's/^tty4/# tty4/' | \
    sed 's/^tty5/# tty5/' | \
    sed 's/^tty6/# tty6/' \
    > ${FILE}.tmp
    mv ${FILE}.tmp ${FILE}
fi

# Removes from /etc/group file the news and uucp groups superfluous in most
# cases. It is equivalent to give groupdel news and groupdel uucp commands.

FILE="/etc/group"
if [ "`cat ${FILE} | egrep '^news:'`" != "" ]
then
    echo "Updating ${FILE} (groups)."
    if [ ! -e ${FILE}.old ] ; then cp -p ${FILE} ${FILE}.old ; fi
    cp -p ${FILE} ${FILE}.tmp
    cat ${FILE} | \
    egrep -v '^news:' | \
    egrep -v '^uucp:' \
    > ${FILE}.tmp
    mv ${FILE}.tmp ${FILE}
    # groupdel news
    # groupdel uucp
fi

# Removes from /etc/passwd file news, uucp, operator, sync, and shutdown
# users. It is equivalent to the sequence of
# taking the appropriate parameters.

FILE="/etc/passwd"
if [ "`cat ${FILE} | egrep '^news:'`" != "" ]
then
    echo "Updating ${FILE} (users)."
    if [ ! -e ${FILE}.old ] ; then cp -p ${FILE} ${FILE}.old ; fi
    cp -p ${FILE} ${FILE}.tmp
    cat ${FILE} | \
    egrep -v '^news:' | \
    egrep -v '^uucp:' | \
    egrep -v '^operator:' | \
    egrep -v '^sync:' | \
    egrep -v '^shutdown:' \
    > ${FILE}.tmp
    mv ${FILE}.tmp ${FILE}
    # userdel sync
    # userdel shutdown
    # userdel news
    # userdel uucp
    # userdel operator
fi

# Performs the parallel actions with reference to /etc/shadow file.

FILE="/etc/shadow"
if [ "`cat ${FILE} | egrep '^news:'`" != "" ]
then
    echo "Updating ${FILE} (users)."
    if [ ! -e ${FILE}.old ] ; then cp -p ${FILE} ${FILE}.old ; fi
    cp -p ${FILE} ${FILE}.tmp
    cat ${FILE} | \
    egrep -v '^news:' | \
    egrep -v '^uucp:' | \
    egrep -v '^operator:' | \
    egrep -v '^sync:' | \
    egrep -v '^shutdown:' \
    > ${FILE}.tmp
    mv ${FILE}.tmp ${FILE}
    # userdel sync
    # userdel shutdown
    # userdel news
    # userdel uucp
    # userdel operator
fi


# Takes away from all the scripts from /etc/rc.d
# reading or executing them by the group or by other users.
# Only the group/other bits are cleared; the owner (root) keeps rwx.

DIRECTORY="/etc/rc.d/"
if [ "`ls -l ${DIRECTORY}* | grep \"\-rwxr\-xr\-x\"`" != "" ]
then
    echo "Updating ${DIRECTORY}* (g-rx,o-rx)."
    chmod g-rx,o-rx ${DIRECTORY}*
fi


# Tests a few dozen of trouble programs and takes the SUID bit away from
# them. It stores the information about those modifications in the log file.
# Note: without the SUID bit, ordinary users can no longer run su, passwd,
# ping or mount; only root can.

TEST="no"
LOG_NOSUID="0.nosuid.`hostname`"
> ${LOG_NOSUID}
echo >> ${LOG_NOSUID}
echo "Removed SUID or SGID:" >> ${LOG_NOSUID}
echo >> ${LOG_NOSUID}
echo "Removed SUID:" >> ${LOG_NOSUID}
for FILE in /usr/bin/at /usr/bin/crontab /usr/bin/fdmount /usr/bin/chage \
/usr/bin/chfn /usr/bin/chsh /usr/bin/expiry /usr/bin/gpasswd /usr/bin/newgrp \
/usr/bin/passwd /usr/bin/rcp /usr/bin/rlogin /usr/bin/rsh \
/usr/bin/traceroute /usr/X11R6/bin/xterm /usr/libexec/pt_chown /bin/su \
/bin/mount /bin/umount /bin/ping /opt/kde/bin/kcheckpass \
/opt/kde/bin/konsole_grantpty /opt/kde/bin/kppp \
/usr/lib/news/bin/inndstart /usr/lib/news/bin/startinnfeed \
/usr/lib/news/bin/rnews \
/opt/kde/bin/fileshareset \
/usr/libexec/ssh-keysign /usr/X11R6/bin/xscreensaver \
/usr/X11R6/bin/xcardinfo /usr/X11R6/bin/wmtune /usr/local/bin/thotswap \
/sbin/cardctl /usr/X11R6/bin/xlock
do
    if [ -e ${FILE} ]
    then
        if [ "`ls -l ${FILE} | egrep \"\-r.s.\-x\"`" != "" ]
        then
            if [ "${TEST}" = "no" ]
            then
                echo "Removing some SUID and SGID attributes."
                TEST="yes"
            fi
            echo "Chmoding ${FILE} (u-s)."
            chmod u-s ${FILE}
        fi
        ls -l ${FILE} | cut -b -35,57- >> ${LOG_NOSUID}
    fi
done

# Does the similar action with reference to a dozen or so of the programs,
# taking SUID and SGID bits away from them.

echo >> ${LOG_NOSUID}
echo "Removed SUID and SGID:" >> ${LOG_NOSUID}
for FILE in /usr/bin/cu /usr/bin/uux /usr/bin/uucp /usr/bin/uuname \
/usr/bin/uustat /usr/lib/uucp/uuchk /usr/lib/uucp/uuxqt /usr/lib/uucp/uucico \
/usr/lib/uucp/uuconv /usr/lib/uucp/uusched \
/usr/X11R6/bin/wmapm
do
    if [ -e ${FILE} ]
    then
        if [ "`ls -l ${FILE} | egrep \"\-r.s.\-s\"`" != "" ]
        then
            echo "Chmoding ${FILE} (u-s,g-s)."
            chmod u-s,g-s ${FILE}
        fi
        ls -l ${FILE} | cut -b -36,57- >> ${LOG_NOSUID}
    fi
done

# Puts in /etc/mail/sendmail.cf config file the
# O PrivacyOptions=noexpn and O PrivacyOptions=novrfy. It prevents the
# system from remote checking of the accounts.

FILE="/etc/mail/sendmail.cf"
TOP=""
if [ "`cat ${FILE} | grep \"authwarnings\"`" != "" ]
then
    TOTAL="`cat ${FILE} | grep -n \"\" | tail -n 1 | cut -d ":" -f -1`"
    TOP="`cat ${FILE} | grep -n \"authwarnings\" | cut -d ":" -f -1`"
    BOTTOM="`expr ${TOTAL} - ${TOP}`"
fi
# Insert only when the authwarnings line was found; with TOP empty the
# head/tail below would write a truncated sendmail.cf.
if [ "${TOP}" != "" ] && [ "`cat ${FILE} | grep \"PrivacyOptions=noexpn\"`" = "" ]
then
    echo "Upgrading ${FILE} (noexpn, novrfy)."
    cp -p ${FILE} ${FILE}.tmp
    cat ${FILE} | head -n ${TOP} > ${FILE}.tmp
    echo "O PrivacyOptions=noexpn" >> ${FILE}.tmp
    echo "O PrivacyOptions=novrfy" >> ${FILE}.tmp
    cat ${FILE} | tail -n ${BOTTOM} >> ${FILE}.tmp
    mv ${FILE}.tmp ${FILE}
fi

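A defender-side check to run from the rescue CD, added here as an example; it is not part of Bartek's post nor of the Slackmore package. It assumes the damaged partition (hda2 in the post) has been mounted somewhere such as /mnt and takes that mount point as its argument; the file name audit_secure.sh, the sample tree it builds when run without an argument, and the sample file contents are all constructed for the demonstration. It looks at the three kinds of thing the script above touches that matter at boot: the execute bits on /etc/rc.d/rc.*, the FILE.old backups secure.sh leaves behind (so each rewritten file can be compared with its original), and the programs init needs to bring up a console. sysvinit prints "cannot execute" whenever execve() of a program fails, whatever the reason, so a missing file, a cleared execute bit and a broken dynamic loader all look the same on the console; the audit therefore reports presence and execute bits separately.

```shell
#!/bin/sh
# Added example, not part of the original post or of the Slackmore package.
# Usage (hypothetical file name): mount /dev/hda2 /mnt; sh audit_secure.sh /mnt
# With no argument it runs against a small constructed tree instead.

# Does FILE carry any execute bit? Based on ls -l rather than test -x, because
# test -x answers for the user running the audit, while init runs as root and
# can execute a file that has any execute bit at all.
is_executable() {
    case "$(ls -ldL "$1" | cut -c2-10)" in
        *x*|*s*|*t*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_root ROOT: print one "FINDING: ..." line per problem and one
# "BACKUP: ..." line per FILE.old that secure.sh left behind and that
# differs from the live FILE. Always returns 0; callers count the lines.
audit_root() {
    root="${1%/}"

    # 1. inittab runs /etc/rc.d/rc.S, rc.M, ... directly, so they need an
    #    execute bit. secure.sh clears only g/o bits, so these should pass.
    for script in "$root"/etc/rc.d/rc.*; do
        [ -f "$script" ] || continue
        is_executable "$script" || echo "FINDING: no execute bit on ${script#"$root"}"
    done

    # 2. Every file secure.sh rewrote has a .old copy; list the ones that
    #    changed so they can be reviewed with diff and restored with cp -p.
    for old in "$root"/etc/*.old "$root"/etc/mail/*.old; do
        [ -f "$old" ] || continue
        live="${old%.old}"
        if [ -f "$live" ] && ! cmp -s "$old" "$live"; then
            echo "BACKUP: ${live#"$root"} differs from ${old#"$root"}"
        fi
    done

    # 3. Programs init needs for the console. A missing file and a file
    #    without execute bits both produce "cannot execute" at boot, so
    #    report them as two distinct findings.
    for bin in sbin/init sbin/agetty bin/sh bin/login; do
        f="$root/$bin"
        if [ ! -f "$f" ]; then
            echo "FINDING: /$bin is missing"
        elif ! is_executable "$f"; then
            echo "FINDING: no execute bit on /$bin"
        fi
    done
    return 0
}

if [ -n "${1:-}" ]; then
    audit_root "$1"
else
    # Constructed sample tree standing in for the mounted partition: rc.S
    # has lost its execute bits and hosts.deny was rewritten by secure.sh.
    demo=$(mktemp -d)
    mkdir -p "$demo/etc/rc.d" "$demo/sbin" "$demo/bin"
    printf '#!/bin/sh\n' > "$demo/etc/rc.d/rc.S"; chmod 644 "$demo/etc/rc.d/rc.S"
    printf '#!/bin/sh\n' > "$demo/etc/rc.d/rc.M"; chmod 755 "$demo/etc/rc.d/rc.M"
    printf 'ALL: ALL@ALL\n' > "$demo/etc/hosts.deny"
    printf '# empty hosts.deny\n' > "$demo/etc/hosts.deny.old"
    for b in sbin/init sbin/agetty bin/sh bin/login; do
        printf 'stub\n' > "$demo/$b"; chmod 755 "$demo/$b"
    done
    audit_root "$demo"   # prints the rc.S FINDING and the hosts.deny BACKUP line
    rm -rf "$demo"
fi
```

For each BACKUP line, `diff /mnt/etc/FILE.old /mnt/etc/FILE` shows exactly what the script changed, and `cp -p /mnt/etc/FILE.old /mnt/etc/FILE` puts the original back; doing that for hosts.deny and hosts.allow is what reopens remote logins through tcp wrappers once the machine boots again. Because the rc.d chmod in the script leaves the owner's execute bit in place, a clean result from check 1 narrows the "cannot execute" lines to the other two classes.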

Received on Sat Feb 21 03:42:19 2004
This archive was generated by hypermail 2.1.8.