Any experts here on intrusion postmortem?
Date: Thu, 18 Jun 2009 15:32:06 -0500
Message-ID: <df0ecb960906181332k775a33a4y6b4ffd346d5c778d@mail.gmail.com>
Subject: Any experts here on intrusion postmortem?
From: Kendric Beachey <kendric.beac...@gmail.com>
To: kulua-l <kulua-l@googlegroups.com>
My main linux box at home got hit by some sort of system cracker. Not a very good one, I think, or at least whatever he exploited wasn't as dangerous as it could have been.

I do not think he got root...he just found a testing account that had a password that was too easy to crack. He didn't (or couldn't) make much of an attempt to cover his tracks, as the tools I used to find and disable his stuff were top, ps, ls, crontab, kill and killall...usually the more dangerous crackers override those, from what I understand.

My guess on how he got in: I have AT&T U-Verse, including their residential gateway. I set its firewall up to let port 80 and port 22 point to my linux box, so I could ssh home from work, and so my wife could do some html/css experiments on it (she hasn't done that yet though). Sometimes the gateway seems to get a burr under its saddle and says "there is a router behind this router, do you want me to resolve the problem?" If you say yes, it puts one machine into "DMZplus" mode, which as far as I can tell sends ALL ports to that machine. Nice. My linux machine was DMZplus-ified when I went in to shut off ports 80 and 22...no telling how long it had been that way. So that doesn't narrow down what he could have exploited, but maybe points to how the doors all got unlocked.

As near as I can tell the main activity he was doing was portscanning, but what he might have done with the results, I don't know. After killing his account I shut the machine off. We had been having internet trouble across the board since the thunderstorm this weekend, and I'm wondering whether maybe this cracker had something to do with the trouble. It's still not 100% great though and we have a tech coming to our house this evening.

I'm thinking about burning the test account's home dir to a CD for inspection. I haven't deleted any of his files, only his crontab entry that spawned a new job every minute if it got killed. Would anyone on the list want a look at the files?

Beyond that...to get the machine back to a usable state...does anyone have any suggestions? It seems like it would be foolish to assume just killing that account would take care of the problem for good, but would that be sufficient to hobble along for a week or so until I can cp my own home dir elsewhere and reinstall? Or would it be safer to keep the machine off the network until I can get that done?
Kendric Beachey
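A small triage helper, added here as an example and not part of the original message, that applies the kind of checks Kendric did by hand with crontab and ps to a user's crontab: it flags every-minute entries like the respawning job he describes, @reboot entries, and programs launched from user-writable or hidden directories. The crontab text is a constructed sample; the account name and paths in it are made up.

```python
# Constructed sample user crontab, modelled on the every-minute respawn entry
# described in the post; the account name and paths are made up.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
* * * * * /home/testacct/.x/run.sh >/dev/null 2>&1
*/10 * * * * /home/testacct/scan.pl
@reboot /tmp/.svc/start
"""

SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")

def parse_entry(line):
    """Return (schedule, command) for one crontab line, or None for comments/blanks."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("@"):                    # @reboot, @hourly, ...
        tag, _, cmd = line.partition(" ")
        return tag, cmd.strip()
    fields = line.split(None, 5)                # five time fields + command
    return (" ".join(fields[:5]), fields[5]) if len(fields) == 6 else None

def reasons_for(schedule, cmd):
    """Heuristics a responder applies when triaging a compromised user's crontab."""
    reasons = []
    if schedule.split()[0] in ("*", "*/1"):
        reasons.append("fires every minute (respawn/watchdog pattern)")
    if schedule == "@reboot":
        reasons.append("re-launches at every boot")
    prog = (cmd.split() or [""])[0]             # first word is the program path
    if prog.startswith(SUSPECT_DIRS):
        reasons.append("program lives in a user-writable directory: " + prog)
    if "/." in prog:
        reasons.append("program path goes through a hidden directory")
    if ">/dev/null" in cmd.replace(" ", ""):
        reasons.append("output deliberately discarded")
    return reasons

def analyse_crontab(text):
    """Return [(entry, reasons)] for entries that trip at least one heuristic."""
    findings = []
    for line in text.splitlines():
        parsed = parse_entry(line)
        if parsed:
            reasons = reasons_for(*parsed)
            if reasons:
                findings.append((line.strip(), reasons))
    return findings
```

Run it over `crontab -l -u <account>` output for each account on the box, not just the one that was obviously abused, since the nightly backup-style entry is the only one in the sample that comes back clean.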