mkdir 123
If it doesn't work, your system is probably infected. You can also filter output from tcpdump for signs of suspicious behavior -- and the Linux.com article gives a command line recipe for that.
This is just me not knowing, no other reason.
Dan
Normally, you can create directories with names that start with a numeral in standard Unix shells. Systems on which key binaries have been replaced in accordance with the specific class of infection to which I refer in the article apparently exhibit differing behavior.
My guess is that one of the replaced binaries is mkdir, and that it is not a perfectly crafted replacement. Most programming languages do not allow certain types of entities (constants and variables, in particular) to be created with names that start with numeral characters. It is likely that the manner in which the replacement binary counterfeits the general functionality of the original relies on behavior that, in its source language, is thusly limited.
It may even be the case that the replacement file in question isn't even a binary. It may be a source file executed by an interpreter.
I can only really speculate as to the causes of this sort of anomalous behavior, however, as I have not personally discovered such an infection and experimented with it.
I read that last night and went... hu??? But, now that you explained that... It makes sense... And I did verify that I could create a numeric directory before I asked that question.
Dan
What's your suggestion about large Unix servers (e.g. Sun, AIX) that only support 8 character passwords? This limit is documented in the "passwd" man pages for the respective servers.
SunOS 5.9: "Only the first eight characters are significant"
AIX 5.2: "The passwd command uses only the first eight characters of your password for local and NIS passwords."
In many cases, significant password length is configurable -- and the specifics of configuration can vary from system to system. For instance, in HP-UX 11, password length is set by PASS_MAX in , and on Debian GNU/Linux you can change that with the command `dpkg-reconfigure passwd`.
A limit to eight significant characters sounds like the behavior you get with crypt passwords, which is pretty common among Unix systems designed to an older standard. Look into options on your SunOS and AIX systems for "upgrading" your password hashing algorithm to a strong cryptographic algorithm like AES/Rijndael, Blowfish, or Twofish, or replacing crypt() with bigcrypt() at least (same thing, just with longer key lengths -- though the behavior of crypt itself is pretty sketchy for security purposes, regardless of the key length it allows).
I'm not directly familiar with either SunOS or AIX, unfortunately. For more specifics, hopefully someone with direct experience with one or both will chime in with some more authoritative answers.
I've asked around amongst some of my friends with different proprietary UNIX experience than me. The answer seems to be that you need to patch them to use shadow passwords -- which, apparently, they don't by default.
Also . . . I mentioned using AES/Rijndael, Blowfish, or Twofish. I should also mention that even MD5 for passwords would be better than plain crypt for passwords, and would allow for passwords of a significant length greater than eight characters. It's just not as strong an algorithm as the others I've mentioned, so if you can go with something stronger than MD5 you should do so, but if MD5 is the best the system will support you should go with MD5.
From my very limited look at Sun's Solaris, version 10, they actually changed the password system to enable longer passwords.
Look into moving the systems to newer versions of the software.
SunOS [ properly called Solaris now ] newest version has been updated to use stronger passwords.
newer versions also make it much easier for the department to maintain the software. You don't have to backport patches.
SunOS didn't become Solaris so much as get replaced by it.
Bill Joy, who packaged up the first BSD Unix distribution (and invented vi), went on to co-found Sun Microsystems. He helped create the original SunOS, which was essentially the first proprietary BSD Unix. Marketed under the name SunOS 5.0, however, was a SysV Unix system that later came to be known as Solaris.
As such, Solaris and classic SunOS are somewhat incompatible codebases with differing system defaults (between the BSD and SysV lines of Unix evolution). Of course, Jack reports using SunOS 5.9, so upgrade to Solaris is the right answer in this case (assuming upgrade is possible here) -- I just decided to be pedantic.
Alas, I haven't used Solaris enough to be able to give any specific advice on password configuration. Hopefully Jack finds some of what I offered in other posts helpful.
Here is how it works: SunOS is (still) the name of the kernel that is now part of the larger package known as Solaris Operating Environment. Kinda like XNU is the name of the kernel of the larger package known as Mac OS X, or even WindowsNT 5.1 being the kernel of Windows XP.
SunOS is the operating system brand family of which Solaris is a member. It's not the kernel. The kernel is the Solaris kernel. The OS brand itself is distinct from the OS family. Taken as an analogy to a real-life family of humans, one might call the Solaris OS an adopted child of the SunOS family, as it is not much related to the preceding generations of the SunOS family "genetically".
While XNU is the name of the NeXT generations of that kernel family, Darwin is the name of the more recent MacOS X generations. The relationship between the names SunOS and Solaris is similar to that between the names XNU and Darwin, except that Darwin is an actual "genetic" descendant of XNU rather than a red-headed stepchild, and XNU is a more appropriate branding term for the MacOS X kernel than SunOS is for the Solaris OS these days.
NT 5.1 is the name of the architecture, which includes but is not limited to (or synonymous with) the kernel. The kernel has no brand name other than "the Windows NT kernel".
I'm just getting pedantic now, though.
OK, so I did overstate just how low level the name SunOS stretches, but nonetheless, Solaris was just a new marketing term for SunOS. What it meant was SunOS + OpenWindows + CDE + Java = Solaris. Please run "uname -sr" on any Solaris machine and you will surely get "SunOS 5.xx". SunOS is still how the system (kernel + shells + utils) is known at Sun, Solaris is the final package for the market. Note that OpenSolaris is not Solaris, but it is SunOS kernel. The BSD to SysV transition (the "genetics" that you referred to) took place before they came up with Solaris branding. Again, Solaris is just another one of Sun's marketing names (I won't be surprised if they re-brand it SolarSystemX one day...).
As for Darwin and XNU, here is how that works:
Mach microkernel
|
V
XNU hybrid kernel (Mach + BSD)
|
V
Darwin OS (XNU + open source shells and utilities)
|
V
Mac OS X (Darwin OS + Apple's proprietary GUI and frameworks)
As for Windows - I'll take the 5th, and I shouldn't have mentioned it at all, as I have little knowledge in that area.
"Solaris was just a new marketing term for SunOS. What it meant was SunOS + OpenWindows + CDE + Java = Solaris."
No. SunOS, up to version 5, was a BSD Unix derivative. After version 5, when Sun started calling it Solaris, it was a System V Unix derivative. SysV and BSD are entirely separate codebases, thanks to AT&T's attempt to make any competing Unix system illegal in the late '80s.
"Please run 'uname -sr' on any Solaris machine and you will surely get 'SunOS 5.xx'."
SunOS is like the name "Windows" now -- there's "Windows" and there's "Windows NT", the latter of which is part of the former's family of OSes. "Windows NT" the OS is not just "Windows" the OS, though. The family relationship is a corporate one, not strictly a technological one. Solaris is the OS, with a relationship to SunOS via revenue streams rather than technological evolution.
"The BSD to SysV transition (the 'genetics' that you referred to) took place before they came up with Solaris branding."
Wrong. The Solaris name was applied with the release of the first SVR5 release of a SysV Unix from Sun, which in terms of the SunOS family qualified as SunOS 5.0. At that time, Sun Microsystems called the new release "Solaris 2" and named the micro-releases leading up to that point "Solaris 1". As soon as Sun's SysV Unix became a product, it was called Solaris.
"Again, Solaris is just another one of Sun's marketing names"
Every OS name is, to some extent, a "marketing name". What does that prove?
"As for Darwin and XNU, here is how that works:"
You'd better cite your sources, because they differ from mine. There is, as far as I'm aware, a Darwin kernel that is part of the core Darwin OS, which is used as the foundation for MacOS X.
Seems as if using AppArmor would avoid all this mess. openSUSE and SLES servers ship with a basic Apache template.
It's not difficult to avoid this mess. Something as simple as using SSH when doing remote management would probably avoid all this mess.
I use denyhosts http://denyhosts.sourceforge.net
A simple Python tool which adds ips to /etc/hosts.deny after too many bad passwords.
A second advantage of this type of tool is that you can warn other admins when their servers are compromised.
Install it and watch the logfiles, you'll be surprised at how often your machines are attacked.
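The denyhosts approach described in the post above, reduced to its core, as an added example that is not denyhosts's own code: parse sshd log lines, count failed-password attempts per source address, and emit entries in the daemon: client syntax of /etc/hosts.deny once an address crosses a threshold. The sample log lines, the threshold of 3 and the allowlist are constructed assumptions, not values from the page.

```python
import re
from collections import Counter

# Constructed sample sshd log lines (syslog style); the addresses are
# documentation ranges, not real attackers.
SAMPLE_AUTH_LOG = """\
Mar  3 04:12:01 web1 sshd[2041]: Failed password for root from 192.0.2.10 port 51234 ssh2
Mar  3 04:12:03 web1 sshd[2041]: Failed password for root from 192.0.2.10 port 51234 ssh2
Mar  3 04:12:05 web1 sshd[2043]: Failed password for invalid user admin from 192.0.2.10 port 51240 ssh2
Mar  3 04:12:06 web1 sshd[2045]: Failed password for invalid user oracle from 192.0.2.10 port 51244 ssh2
Mar  3 04:12:09 web1 sshd[2050]: Accepted publickey for dan from 198.51.100.7 port 40022 ssh2
Mar  3 04:13:11 web1 sshd[2052]: Failed password for dan from 198.51.100.7 port 40030 ssh2
Mar  3 04:13:14 web1 sshd[2052]: Accepted password for dan from 198.51.100.7 port 40030 ssh2
Mar  3 04:15:40 web1 sshd[2060]: Failed password for invalid user test from 203.0.113.9 port 33001 ssh2
Mar  3 04:15:41 web1 sshd[2061]: Failed password for invalid user test from 203.0.113.9 port 33002 ssh2
Mar  3 04:15:42 web1 sshd[2062]: Failed password for invalid user test from 203.0.113.9 port 33003 ssh2
"""

# Matches both "Failed password for USER from IP" and the
# "invalid user" variant that sshd logs for unknown account names.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def count_failures(log_text):
    """Return a Counter of failed-password attempts per source IP."""
    failures = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")] += 1
    return failures


def hosts_to_deny(log_text, threshold=3, allowlist=()):
    """Sorted list of IPs with at least `threshold` failures, minus allowlisted ones.

    The allowlist keeps a mistyped password from a management host (198.51.100.7
    above) from locking out the admin; a single failure followed by success is
    normal, three or more without success is the pattern worth blocking."""
    failures = count_failures(log_text)
    return sorted(ip for ip, n in failures.items()
                  if n >= threshold and ip not in allowlist)


def hosts_deny_lines(ips, daemon="sshd"):
    """Format entries the way TCP wrappers expects them in /etc/hosts.deny."""
    return [f"{daemon}: {ip}" for ip in ips]


if __name__ == "__main__":
    for entry in hosts_deny_lines(hosts_to_deny(SAMPLE_AUTH_LOG)):
        print(entry)
```

Run against the constructed log it prints entries for 192.0.2.10 (four failures) and 203.0.113.9 (three), and skips 198.51.100.7, whose one failure was followed by a successful login.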
Also, don't run regular FTP, or if you are, plan on phasing it out. (I'm in this situation with my server.) If they're sniffing passwords, FTP might be one way they're building a password dictionary.
Don't use your root or user account passwords as your ftp account passwords - and if possible don't allow ftp for user accounts.
I'm guessing that most Linux hosts don't use telnet or rsh, and do use ssh, so getting a remote shell is secure. BUT, they are probably running unsecured FTP for their customers, and they might also be using FTP themselves... perhaps with the root password. OR, they are using sudo and their user passwords, but, they are also not being careful, and using their user passwords as FTP passwords.
In any event, the attackers can try all the usernames and passwords to try and get in over SSH.
Because of this thread, I installed denyhosts from one of SuSE's repositories, the one called utilities: It immediately pulled 30 ip addresses that had tried to log into my home server. This is a must have utility.
I couldn't have posted the reply in the proper thread location as apparently: "You have reached your maximum message level." Anyways...
Well dude, I doubt that you're all that interested in my sources as you seem to be pretty sure in your "incorrect" and "uh...no" conclusions.
Good day.
P.S. Thanks for the mkdir 123 tip, I do appreciate it, honestly.
I'm always interested in sources -- and always willing to admit error when I find evidence of it. I'm pretty sure of my position, but that doesn't mean my position can't change.
I'm glad you got some value from the article with regard to testing for webserver infection.