[Leaplist] Server break-in attempt through NAGIOS user
John Simpson
jms1 at jms1.net
Fri Sep 7 01:06:51 EDT 2007
On 2007-09-06, at 1716, David Simmons wrote:
>
> Just was able to catch a 'break in attempt' on one
> of my webservers
>
> It was from the RIPE network in
> Amsterdam....IP address was 86.126.41.177
RIPE is the overall regional authority which assigns large blocks of
IP addresses to the large network operators in Europe and parts of
Africa. that IP address is actually in Romania.
> they were logging in through the NAGIOS user
why does the nagios user have a valid password to begin with? i
normally "lock" users like this, by editing /etc/shadow and changing
one character of their encrypted password to a character which is not
a possible output from the crypt() or MD5 hashing operation, and
which is also not recognized as "special" by the system's scripts.
valid output from crypt() is the set containing upper- and lower-case
letters, digits, ".", and "/". output from the MD5 hashing function
is the same set, with "$" added to it. and many systems recognize "*"
and "!" as "special" characters which serve as flags for different
things (usually "*" means "password is stored in NIS", and "!" means
"account is locked".)
so i normally replace the first character of the encrypted password
with a "%" character. it makes the account so that there IS no valid
password for it, without the OS scripts thinking the account is
"locked" or that it should be consulting a probably-non-existent NIS
server.
> Just a word of caution to double-check those servers....
always good advice.
that, along with "watch your logs", and running a port-scanner
against your server every so often, just to make sure nothing shows
up which shouldn't be there. most "root kits" modify the "netstat"
and "lsof" binaries so that certain sockets aren't shown, so if nmap
finds something listening which "netstat -an" or "lsof -nPi" don't
show you, you have fairly strong grounds to suspect you've been rooted.
----------------------------------------------------------------
| John M. Simpson --- KG4ZOW --- Programmer At Large |
| http://www.jms1.net/ <jms1 at jms1.net> |
----------------------------------------------------------------
| http://video.google.com/videoplay?docid=-1656880303867390173 |
----------------------------------------------------------------
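As an added example (not part of John's mail or any project's code), a small Python checker that classifies the password field of /etc/shadow entries the way John describes: the crypt()/MD5 output alphabet versus the "!"/"*" flag characters versus a character that can never be produced. It generalizes to the later $id$ hash families (SHA-256 $5$, SHA-512 $6$, bcrypt $2b$, yescrypt $y$), which use the same alphabet plus "$", and also flags an empty field, which is worse than a valid hash. The shadow content and its hashes below are constructed placeholders.

```python
import re

# Alphabet a crypt(3) result can contain: the traditional [A-Za-z0-9./]
# set plus "$", which the $id$salt$hash families ($1$, $5$, $6$, $2b$, $y$)
# use as a separator. A field holding any other character (e.g. "%") can
# never equal the hash of a typed password, so no password is valid.
HASH_ALPHABET = re.compile(r"[A-Za-z0-9./$]+")

def classify_shadow_field(field: str) -> str:
    """Classify the second (password) field of one /etc/shadow line."""
    if field == "":
        return "empty"        # no password at all: may allow login with none
    if field[0] in "!*":
        return "locked"       # flag chars: locked / NIS-managed per the mail
    if HASH_ALPHABET.fullmatch(field):
        return "hashed"       # well-formed hash: a password can authenticate
    return "invalid"          # contains a char crypt() never emits: no valid pw

def disable_field(field: str) -> str:
    """Apply the mail's trick: replace the first char with '%' (idempotent)."""
    if field[:1] in ("!", "*", "%"):
        return field
    return "%" + field[1:]

def audit_shadow(shadow_text: str, service_accounts: set) -> list:
    """Return (user, status) for service accounts that can still log in."""
    findings = []
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        user, field = parts[0], parts[1]
        status = classify_shadow_field(field)
        if user in service_accounts and status in ("hashed", "empty"):
            findings.append((user, status))
    return findings

# Constructed sample shadow file; the hash strings are placeholders.
SAMPLE_SHADOW = """\
root:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJ./:13000:0:99999:7:::
nagios:$1$abcdefgh$ijklmnopqrstuvwxyz0123456:13000:0:99999:7:::
apache:*:13000:0:99999:7:::
postgres:!$6$zzzzzzzz$lockedplaceholderhash:13000:0:99999:7:::
backup:%1$abcdefgh$ijklmnopqrstuvwxyz0123456:13000:0:99999:7:::
guest::13000:0:99999:7:::
"""
SERVICE_ACCOUNTS = {"nagios", "apache", "postgres", "backup", "guest"}

if __name__ == "__main__":
    for user, status in audit_shadow(SAMPLE_SHADOW, SERVICE_ACCOUNTS):
        print(f"{user}: password field is {status}; login still possible")
```

Run it against a copy of the real file as root; `passwd -l` / `usermod -L` prepend "!" instead, which is the "locked" case John is avoiding.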