Solaris security (was Re: Locked out on Sun)

From: Kirk Marat <kirk_marat_at_umanitoba.ca>
Date: Thu, 15 Apr 2004 14:46:49 -0500

Continuing a thread that seems to have been developing on this group,
we too have had some recent security problems on Solaris 9 systems
(Inova 600 and a data station).

The problems first started when users discovered that they couldn't log
into the CDE desktop. Rebooting solved that problem, but it was then
discovered that the VNMRJ locator wasn't working due to the postgres_daemon
not starting. After consultation with Glenn Sullivan at Varian, it was determined
that this was due to a failure of the start-up script in rc3.d, but we hadn't the
foggiest idea why.

After poking around the system for a while, I discovered the installation of
the SunBack-A (also known as SunOS/Rootkit-A) rootkit. So, we had
been hacked! How the hackers actually got in, I really don't know, and we were
reasonably up to date on patches. In fact, I think we had all security patches
released by Sun installed. This rootkit replaces a number of system binaries (ps, ls,
etc.) with versions that hide the hackers' activities, and in our case it appears that
they were using our system to probe other systems for rpc buffer overflow
vulnerabilities. They also added other accounts with root or daemon
access rights. They were not all that efficient at wiping the logs, however,
as the lastlog showed a number of logins to these new accounts from a
couple of IP addresses in Romania, and an attempt to send email to a Yahoo
account.

We have taken the following actions:

- Complete re-install of the OS on both computers.

- Activation of Sun's built-in tcp_wrapper implementation. Note that the
 generic (non-Sun) tcp_wrapper program doesn't seem to handle IPv6 protocol,
 and requires editing of inetd.conf. Note also that you have to include
 the console IP addresses 10.0.0... etc. in hosts.allow, or the console won't boot.
 Complete replacement of inetd with ssh and sftp wasn't considered as it would
 complicate the rather frequent console re-boots. I guess removal of everything but
 tftp from inetd.conf might be a solution.

- Removal of unnecessary services (e.g. finger) from inetd.conf

- Adding the following lines to /etc/system to help stop some buffer overflow
 problems (as suggested by our Comp. Services people):

* Begin non-executable stack (do not edit)
set noexec_user_stack = 1
set noexec_user_stack_log = 1
* End non-executable stack (do not edit)

- Installation of the giant patch bundle released April 8 (one week
 following our hack).

- We are strongly considering hardware firewalls for the labs, although
 we are being strongly discouraged from doing so by the local network administrators.
 Any feedback on the relative merits, ease of set-up, etc. of the
 different types would be appreciated.

For further information on these rootkits just google SunBack and solaris.

For information on similar problems at Stanford:
 http://securecomputing.stanford.edu/alerts/multiple-unix-6apr2004.html

Cheers!
-Kirk

Kirk Marat, Ph. D., NMR Facility Manager
Dept. of Chemistry
University of Manitoba
Winnipeg, MB, R3T 2N2, CANADA
ph. (204) 474-6259 FAX: (204) 474-7608
kirk_marat_at_umanitoba.ca

ALL SPAM forwarded to Spam Cop
Received on Thu Apr 15 2004 - 14:07:58 MST
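An added example, not part of Kirk's post: a small POSIX shell audit that checks copies of the configuration files for the hardening steps the post describes (the two noexec_user_stack settings in /etc/system, no unwanted services such as finger left in inetd.conf, and Sun's built-in TCP wrappers turned on). The sample files are constructed inline so it runs offline; on a real Solaris 9 box you would point the functions at /etc/system, /etc/inet/inetd.conf and /etc/default/inetd. The ENABLE_TCPWRAPPERS=YES check is an assumption about how Solaris 9 enables its wrapper support; the post itself does not name that key.

```shell
#!/bin/sh
# Added example: audit the hardening settings described in the post.
# All sample files below are constructed here, not copied from any real system.

WORK=$(mktemp -d)

# Constructed /etc/system fragment, matching the lines the post adds.
cat > "$WORK/system" <<'EOF'
* Begin non-executable stack (do not edit)
set noexec_user_stack = 1
set noexec_user_stack_log = 1
* End non-executable stack (do not edit)
EOF

# Constructed inetd.conf in the weak state: finger and telnet still enabled.
cat > "$WORK/inetd.conf.weak" <<'EOF'
ftp     stream  tcp6    nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/in.telnetd    in.telnetd
finger  stream  tcp6    nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
tftp    dgram   udp6    wait    root    /usr/sbin/in.tftpd      in.tftpd -s /tftpboot
EOF

# Same file after the post's remediation: everything but tftp removed or commented out.
cat > "$WORK/inetd.conf.hardened" <<'EOF'
#finger  stream  tcp6    nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
tftp    dgram   udp6    wait    root    /usr/sbin/in.tftpd      in.tftpd -s /tftpboot
EOF

# Constructed /etc/default/inetd with the wrapper switch on (assumed key name).
cat > "$WORK/default.inetd" <<'EOF'
# ENABLE_TCPWRAPPERS=NO is the shipped default
ENABLE_TCPWRAPPERS=YES
EOF

# Returns 0 when both noexec_user_stack settings are present and set to 1.
check_noexec_stack() {
  grep -Eq '^[[:space:]]*set[[:space:]]+noexec_user_stack[[:space:]]*=[[:space:]]*1' "$1" &&
  grep -Eq '^[[:space:]]*set[[:space:]]+noexec_user_stack_log[[:space:]]*=[[:space:]]*1' "$1"
}

# Prints the service names of all enabled (non-comment, non-blank) inetd.conf entries.
list_inetd_services() {
  grep -Ev '^[[:space:]]*(#|$)' "$1" | awk '{print $1}'
}

# Returns 0 when none of the named services ($2...) is still enabled in inetd.conf $1.
check_inetd_unwanted() {
  f=$1; shift
  for svc in "$@"; do
    if list_inetd_services "$f" | grep -qx "$svc"; then
      echo "WARNING: $svc still enabled in $f"
      return 1
    fi
  done
  return 0
}

# Returns 0 when Sun's built-in TCP wrappers are switched on (assumed key, see lead-in).
check_tcpwrappers_enabled() {
  grep -Eq '^[[:space:]]*ENABLE_TCPWRAPPERS=YES' "$1"
}

# Stand-alone run: report each check against the constructed files.
check_noexec_stack "$WORK/system"            && echo "noexec_user_stack: ok"
check_tcpwrappers_enabled "$WORK/default.inetd" && echo "tcp wrappers: ok"
check_inetd_unwanted "$WORK/inetd.conf.weak" finger telnet     || echo "weak inetd.conf: not ok"
check_inetd_unwanted "$WORK/inetd.conf.hardened" finger telnet && echo "hardened inetd.conf: ok"
```

The inetd.conf check works on the first field only, so commented-out entries are ignored and a service is flagged regardless of whether it is the tcp or tcp6 variant, which is what you want when auditing a console that has to keep tftp but nothing else.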
