SUMMARY: How to catch a hacker...

From: Information Systems <thlis_at_bpc.co.nz>
Date: Fri, 14 Jun 1996 09:00:24 +1200

Thank you everyone for all your replies. Just on the side, yes, Gisborne has
the only airport in the world (at least the southern hemisphere) with a
railroad going right through the middle. The planes wait for the trains...

I have shut the system down to the outside world, changed a lot of
passwords, and done a huge amount of detective work but to no avail. I will
be attaching a printer to our service line before we switch it back on.

Here is the content of the replies.

I WROTE:

We are running an Alpha 2000 4/200 over a network running TCP/IP and NetBEUI.
The Digital Unix version is 3.32c.

The problem is this: I suspect that I have an intruder that has shown up in
the last week. I have one modem line in that is used for servicing and is
switched off and on as required. The first question is, can I attach a printer
to that modem or line to record the keystrokes that anyone over the modem
may be making?

Other than that, having only been in the game a couple of years, is there
anything else obvious I should look for in the system that may have been
modified or altered by an intruder?

I guess this is a fairly open question, just a few tips and pointers would
help. How have other managers dealt with security problems in the past?

Thanks in advance...


REPLIES REPLIES REPLIES


ONE:
The only thing I really have to say is you should use Kerberos to help
prevent some logins (it's better than nothing at all) and check your
syslogs. Also check for set-uid executables of things like csh, funny
time stamps on system files, that sort of thing.

TWO:
First start by turning the modem off! Next, mark everyone's account so that
they must change their passwords. If someone has hacked your system and the
only external access is via a dial-up async line then they got in through a
weak or already known password.

DISUSER all of your old accounts that are not used, and your PRIV'd accounts
like FIELD that are not necessary. DO NOT disable SYSTEM or you could get
yourself into a mess.

Your first suspect should be your own employees. Any recent layoffs or
firings, especially in your DP staff?

Make sure you have a good, clean backup of your system. The chances of a
virus are nil, but if they get in, it could be for destructive reasons.

THREE:

Your problem was addressed in the book "The Cuckoo's Egg" by
Clifford Stoll. Printers attached to modem lines were used
in that to catch a hacker.

On security in general, you should employ tcp-wrappers, use
a firewall, and report possible attacks to cert_at_cert.org.

FOUR:

It's fairly easy to create a "Y" cable to record serial port output to
a printer. In order to record non-echoed keyboard input, you'd need two
printers. Any good computer book store should have a book on serial
communications with a diagram in it. (Alternatively, a library would
probably have one too.)

You might want to do an archie or alta-vista search for a package called
tripwire. Tripwire may help you find out what files have been changed.

FIVE:
If the user is getting in through a particular account and you want to
gather a little info about what they are doing you could try the following.

Find out what shell the breached account is using, i.e. /bin/csh, /bin/ksh
etc.

Go into the home directory of this account and edit the appropriate .????rc
file, e.g. .cshrc, .kshrc etc.

Set the HISTORY environment variable to some huge number.

When the intruder gets in, take a look at the .history file in the breached
account to see what commands they executed.

SIX:
Check for modified system binaries, like telnetd, rlogind, rshd, /bin/login,
.rhosts files, possibly edited configuration files, NFS modifications,
YP/NIS modifications, new accounts added, activity on system accounts like
bin, daemon. And a 1000 more things...
This is just some of the things a cracker can modify. You should also
check for hidden directories where crackers sometimes hide pirated software.
Some directories I've seen have been named "..rd", ".login", ".cshrc", "...",
".cache", "..<space><space>", "..<tab>", "..^W^A^R^E^S" and some more...
You can check with the last command to get information on logins.
You should run your ftp daemon with the debug flag for a while to get some
more information on possible spreading of software.
Even though you don't see any cracker logged on he can still be lurking
in the shadows, read your mail etc, it all depends on how much privilege he
has on the system. Once in, it's not too hard to get root access...
I've been dealing with it on and off a number of times this year, the attacks
seem to be more and more frequent these days...
One thing you must take into consideration is if you want to catch the
cracker. If you do, keep the system open and log as much as you can.
Talk to the police, hopefully they have a department for computer crime.
Talk to the CERT (if you have anyone in New Zealand).
Consider installing the system from scratch if you want to close the cracker
out. Get the latest patches from Digital, install tcp_wrappers, disable all
unnecessary daemons like finger, disable all the old accounts and make
people sign a paper when they get their new account.
This paper can contain some legal text about the importance of
keeping a secure password, and that the account is personal. You should also
include a line that says that you can at any time shut them out of the system
if there are security problems with their account...
These are just basic steps to take.

You can check out the following URLs for more information:
ftp://ftp.win.tue.nl/pub/security/* Tcp_wrappers, logdaemon etc...
http://www.cert.org CERT-messages, general info...
http://bob.usuf2.usuhs.mil/security.html
http://ausg.dartmouth.edu/security.html

Good luck in your hunt!
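Reply SIX lists the odd directory names it has seen intruders use ("...", "..<space><space>", "..<tab>", control characters, and dotfile names like ".cshrc" turned into directories). The script below is an added example, not part of the original thread, that turns those patterns into a check you can run over a home directory tree; the sample home built by make_sample_home is constructed for the demo, and the dotfile-name list in the case statement is an assumption about which names should only ever be regular files.

```shell
#!/bin/sh
# Added example (not from the original thread): flag hidden directories
# whose names match the patterns reply SIX describes. The sample home
# directory built by make_sample_home is constructed for the demo.

# Print hidden directories under $1 that (a) carry the name of a well-known
# dotfile that should be a regular file, (b) consist only of dots, or
# (c) contain whitespace or control characters. Names containing a newline
# would be split by the read loop and are not handled.
odd_hidden_dirs() {
    find "$1" -type d -name '.*' -print | while IFS= read -r d; do
        base=${d##*/}
        case "$base" in
            .|..) continue ;;                       # the search root itself
            .login|.cshrc|.kshrc|.profile|.rhosts|.forward)
                printf '%s\n' "$d"; continue ;;     # dotfile name used as a directory
        esac
        if [ -z "$(printf '%s' "$base" | tr -d '.')" ]; then
            printf '%s\n' "$d"; continue            # "...", "....": only dots
        fi
        if printf '%s' "$base" | grep -q '[[:space:][:cntrl:]]'; then
            printf '%s\n' "$d"                      # "..  ", "..<tab>", "..^W"
        fi
    done | sort
}

# Constructed sample home directory: one harmless dotdir and four odd ones.
make_sample_home() {
    h="$1"
    mkdir -p "$h/.cache" "$h/.cshrc" "$h/..." "$h/..  " "$h/..$(printf '\027')"
}

# Stand-alone demo: build the sample tree, list findings, clean up.
demo_odd_hidden_dirs() {
    t=$(mktemp -d "${TMPDIR:-/tmp}/hunt.XXXXXX")
    make_sample_home "$t/home/bob"
    odd_hidden_dirs "$t" | cat -v        # cat -v makes control characters visible
    rm -rf "$t"
}

demo_odd_hidden_dirs
```

Run it as `sh hunt-dirs.sh` for the demo, or call `odd_hidden_dirs /home | cat -v` on a real tree. The `cat -v` matters: a name like `..^W` prints as `..` on a terminal, which is exactly why such names go unnoticed in a plain `ls -a`.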

SEVEN:

I would get the book Practical Unix & Internet Security published
by O'Reilly Press, ISBN 1-56592-148-8; this book is most likely the best
info around.

I would change all passwords to root, field and other accounts.
Check logs
get tripwire and install
get a modem with dial back capabilities
put a password on the terminal server port that the modem is attached to (I
assume you are using terminal servers)
find all suid and sgid files on the system, check and use as a benchmark - check
the files periodically.
find out who has .rhosts files in their directory - what is your policy on
.rhosts files?
Are you using anonymous ftp - if so is it set correctly?
check the hosts.equiv file for proper settings


Just a few thoughts.
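Replies ONE and SEVEN both suggest taking a benchmark of the setuid/setgid files and rechecking it periodically, and SEVEN adds the .rhosts and hosts.equiv checks. The following script is an added example, not code from the original thread, that does both against a directory tree: it records a sorted baseline of privileged files (mode, uid, gid, size, path, with dates left out so that the comparison is stable), reports what has appeared or disappeared since, and flags trust entries that use the "+" wildcard. It assumes the home directories live under `$ROOT/home`; the sample system built by make_sample_root is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original thread): a baseline-and-compare check
# for setuid/setgid files plus an audit of .rhosts and hosts.equiv trust
# entries. The tree under make_sample_root is constructed for the demo, and
# the home directories are assumed to live under $ROOT/home.

# One line per setuid/setgid regular file under $1: mode, uid, gid, size, path.
# Dates are deliberately left out so that the baseline compares cleanly.
suid_list() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec sh -c '
        for f; do
            ls -ldn -- "$f" | awk -v f="$f" "{ print \$1, \$3, \$4, \$5, f }"
        done' sh {} + 2>/dev/null | sort
}

# Save the current list to a baseline file ($2); run this on a known-clean system.
suid_baseline() { suid_list "$1" > "$2"; }

# Entries present now but not in the baseline: new or altered privileged files.
suid_new()  { suid_list "$1" | comm -13 "$2" -; }

# Entries in the baseline that are now missing or changed.
suid_gone() { suid_list "$1" | comm -23 "$2" -; }

# Report hosts.equiv and .rhosts lines whose host or user field is the "+"
# wildcard, i.e. trust extended to every host or every user.
trust_audit() {
    root="$1"
    for f in "$root/etc/hosts.equiv" "$root"/home/*/.rhosts; do
        [ -f "$f" ] || continue
        grep -v '^[[:space:]]*#' -- "$f" \
            | awk -v f="$f" '$1 == "+" || $2 == "+" { print f ": " $0 }'
    done
}

# Constructed sample system: one legitimate setuid binary, a clean
# hosts.equiv, one wildcard .rhosts and one host-specific .rhosts.
make_sample_root() {
    r="$1"
    mkdir -p "$r/bin" "$r/etc" "$r/home/alice" "$r/home/bob"
    printf '#!/bin/sh\n' > "$r/bin/passwd"; chmod 4755 "$r/bin/passwd"
    printf '#!/bin/sh\n' > "$r/bin/ls";     chmod 755  "$r/bin/ls"
    printf 'trusted.example.nz\n' > "$r/etc/hosts.equiv"
    printf '+\n' > "$r/home/alice/.rhosts"
    printf 'workstation alice\n' > "$r/home/bob/.rhosts"
}

# Stand-alone demo: take a baseline, simulate the kind of change a later
# check should catch (a hidden setuid file in a home directory), and show
# what the comparison and the trust audit report.
demo_suid_audit() {
    t=$(mktemp -d "${TMPDIR:-/tmp}/hunt.XXXXXX")
    make_sample_root "$t"
    suid_baseline "$t" "$t/suid.baseline"
    printf '#!/bin/sh\n' > "$t/home/bob/.sh"; chmod 4755 "$t/home/bob/.sh"
    echo "new or changed setuid/setgid files:"; suid_new "$t" "$t/suid.baseline"
    echo "wildcard trust entries:";             trust_audit "$t"
    rm -rf "$t"
}

demo_suid_audit
```

On a real system take the baseline with `suid_baseline / /var/adm/suid.baseline` while the machine is known clean, keep that file somewhere the intruder cannot reach (removable media or a printed copy, in the spirit of the thread), and run `suid_new` and `suid_gone` from cron. Any line from `trust_audit` with a bare "+" means rlogin/rsh will accept that user from any host, which is the kind of standing access an intruder leaves behind after the password is changed.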

EIGHT:

If you are willing to work with the wiring on your communication cables....
Just attach the transmit and signal ground pins from the RS-232 connectors
to the receive and ground pins on your RS-232 printer. A breakout box
works well for this. Stan

--------------------------------------------------------------------------------------
Ian Apperley
Systems Administrator
Tairawhiti Healthcare Ltd
Gisborne - The California of the South, check us out on the Web...
           http://www.bpc.co.nz/
New Zealand
--------------------------------------------------------------------------------------
Received on Thu Jun 13 1996 - 23:19:32 NZST

This archive was generated by hypermail 2.4.0 : Wed Nov 08 2023 - 11:53:46 NZDT