John T. Hoffoss wrote:
> On Sun, 21 Nov 2004 21:30:00 -0600, Ryan O'Rourke <tclug at ryanorourke.org> wrote:
> 
>>Mike Miller wrote:
>>
>>>I keep copies of ls and ps binaries on my system so that I can use them
>>>if I think I've been cracked.
>>
>>I don't understand what good that does if your system has been rooted
>>though. Why can't an attacker just change those saved binaries as well?
> 
> An attacker could. I would pull down binary copies from a known-good
> source, or use knoppix, etc. as you have.

I'm even more confused now since I've been doing a little 
investigating. As noted in a previous post, I've booted to Knoppix and 
mounted the primary drive. I get the same "Input/output error" when 
trying to ls that psfind script in /usr/local/bin that I got when I 
was booted to the suspected compromised system.
How could that be if Knoppix's ls is pristine? Could these be 
legitimate I/O errors - possibly a bad hard drive, or a failing mobo?
I also am still not seeing any data on the secondary drive. In fact, 
it won't even mount. It just spits out that standard "wrong filesystem 
type blah, blah" error when trying:
mount -w -t ext3 /dev/hdb1 /mnt/hdb1

>>Now the question is - how do I go about figuring out how it was done?
>>[...]
> 
> This is very often difficult to do [...] Check
> things like file atimes and mtimes to see what files have been created
> or modified recently. You can also research what rootkit was used, and
> check out what other things that rootkit could have modified. You
> could also try to 'honeypot' the system, and stick an in-line sniffer
> in there to monitor system accesses.

I'll do some googling. Thanks for these suggestions.

>>I'm kind of suspecting that one of my Windows users may be at fault
>>here. Is it possible that one of them may have been compromised first
>>and then the attacker used a password or key found in WinSCP to
>>compromise my system? [...] 
> 
> What was the open port?

22 - SSH. I have about a half dozen friends across the country who I 
give SCP access to. They all use WinSCP and a few of them have pretty 
questionable security know-how.
On my side I was using two different brands of routers and the 
built-in Fedora Core 1 firewall. I must confess that I hadn't updated 
my Fedora box in several months... in the midst of a move, wanted to 
upgrade anyway, not enough time, la la la. But there haven't been any 
remote kernel or SSH vulns in the past 6 months, have there? I'm 
pretty sure there weren't any for either router.
Yes, I know that a router that is simply doing port forwarding is NOT 
an extremely effective line of defense, but I figured the router 
coupled with the Fedora firewall would suffice to keep the kiddies at 
bay from the OutsideWorld.

> Regardless, I would say that yes, a compromised Windows system is very
> commonly the source of an attack.

So, am I correct in assuming that it wouldn't be extremely difficult 
to compromise a Windows box and use keys or saved sessions from WinSCP 
to gain access to my Linux box? I don't know enough about WinSCP to 
know how feasible this scenario is.

-- Ryan
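One way to carry out the mtime check John suggests from the Knoppix side, as an added example that is not part of the thread: with the suspect disk mounted (the mount point /mnt/hda1 is an assumption), list files whose contents changed in the last N days, optionally restricted to the directories an intruder usually touches.

```shell
#!/bin/sh
# Added example, not code from the thread. Run from a live CD with the
# suspect root filesystem mounted; /mnt/hda1 below is an assumed mount point.

# recent_files ROOT DAYS
# Print regular files under ROOT modified less than DAYS*24h ago.
# -xdev keeps find on that one filesystem, so it will not wander into
# /proc, the secondary drive, or anything else mounted underneath.
recent_files() {
    root=$1
    days=$2
    find "$root" -xdev -type f -mtime "-$days" -print | sort
}

# recent_in_dirs ROOT DAYS DIR...
# Same check, limited to directories (given relative to ROOT) where a
# rootkit typically drops or replaces files: binaries, libraries, init scripts.
recent_in_dirs() {
    root=$1
    days=$2
    shift 2
    for d in "$@"; do
        if [ -d "$root/$d" ]; then
            recent_files "$root/$d" "$days"
        fi
    done
}

# Stand-alone run against the mounted Fedora root (assumed mount point).
if [ "${1:-}" = "--run" ]; then
    recent_in_dirs /mnt/hda1 30 bin sbin usr/bin usr/sbin usr/local/bin lib etc
fi
```

Mount the drive with `-o ro,noatime` rather than `-w` before running this, otherwise the inspection itself rewrites the atimes you want to look at. An mtime can be reset by whoever replaced a file, so treat a clean listing as a hint, not proof.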

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
Help beta test TCLUG's potential new home: http://plone.mn-linux.org
Got pictures for TCLUG? Beta test http://plone.mn-linux.org/gallery
tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list