Koozali.org: home of the SME Server

sshell

Aaron Greenwood

sshell
« on: June 12, 2001, 07:30:16 PM »
I am worried that my server / gateway may have been comprimised. First I noticed port 113 auth and port 6667 irc both open to the outside, listening at 0.0.0.0:113 and 0.0.0.0:6667 .

Then I notice in /etc/passwd points root and users to a shell /bin/sshell  insted of /bin/bash. What is sshell ?
I would appricate any feedback
Thank you

Justin

Re: sshell
« Reply #1 on: June 12, 2001, 07:34:15 PM »
Which version of e-smith are you running?

Justin

Aaron Greenwood

Re: sshell
« Reply #2 on: June 12, 2001, 07:53:23 PM »
sorry I'm running version 4.1.1 I did a fresh install about 5 weeks ago. I havent installed nay additional software exept Apache mp3 and trafshow.

Aaron Greenwood

Re: sshell
« Reply #3 on: June 12, 2001, 07:55:42 PM »
my mistake. it is version 4.1.2 sorry again

Justin

Re: sshell
« Reply #4 on: June 12, 2001, 08:00:24 PM »
Please send an email to security@e-smith.com to be on the safe side.

You are absolutely correct that some things look suspicious but I wouldn't jump to any conclusions yet.

They are usually quite good at monitoring these lists but send an email to the security team just to be sure.

Thanks,

Justin

Ross Laver

Re: sshell
« Reply #5 on: June 13, 2001, 05:27:39 PM »
>They are usually quite good at monitoring these lists but send an email to the security team just to be sure.

Indeed. If you believe your server has been compromised, you definitely should _not_  post your suspicions in a public forum. Please see:

http://forums.contribs.org/index.php?topic=1880.msg6258#msg6258

Luke Drumm

Re: sshell
« Reply #6 on: June 14, 2001, 02:16:59 PM »
Just out of interest, What is sshell? And is it normal for a 4.1.2 system to have a listener on port 113?

(As my system shows a similar setup).

Regards,
Luke

Luke Drumm

Re: sshell
« Reply #7 on: June 14, 2001, 02:20:18 PM »
Scrub that bit about sshell as I've just... err... 'tested' it. :)

Are there any man pages available for it? (eg. Can we configure the message it returns etc...)

Regards,
Luke

John Lewis

Re: sshell
« Reply #8 on: June 14, 2001, 08:21:59 PM »
Read this, and it will tell you exactly what has happened to your system.

http://grc.com/dos/grcdos.htm

Very, VERY, interesting.

-JL

Justin

Re: sshell
« Reply #9 on: June 14, 2001, 08:46:58 PM »
John Lewis wrote:
>
> Read this, and it will tell you exactly what has happened to
> your system.
>
> http://grc.com/dos/grcdos.htm

Be careful what you read, Steve can tell a good story but there are certain ambiguous claims made. However this is not the forum for this discussion.

Justin

Re: sshell
« Reply #10 on: June 15, 2001, 01:46:40 AM »
Aaron Greenwood wrote:
>
> I am worried that my server / gateway may have been
> comprimised. First I noticed port 113 auth and port 6667 irc
> both open to the outside, listening at 0.0.0.0:113 and
> 0.0.0.0:6667 .
>
> Then I notice in /etc/passwd points root and users to a shell
> /bin/sshell  insted of /bin/bash. What is sshell ?
> I would appricate any feedback
> Thank you

Are you using any battery backup software - specifically APC?

Justin.

Aaron Greenwood

Re: sshell
« Reply #11 on: June 15, 2001, 11:05:17 PM »
No APC software installed. I have discovered the following.
1. a fresh install of E-smith server has xinetd listeninng on port :113 (auth)
2. I had installed Portsentry which was listening on port :6667 (IRC) I dont know why that port should show as open and listaning to the outside, but it did, and Portsentry was the culprit.
3. sshell is what you get when you try to log on remotly as a regular user when this feature is disabled.

I was very alarmed after reading about the DOS attacks on grc.com. Long and short of it, he found a Trojan that listens on port :113 and :6667. when I saw this on my own machine I got concerned. Thats when I looked into my machine and was not sure if what I was finding was normal or not, so I posted it here for feedback.
I did e-mail security@e-smith.com, and they are looking into it. The reason I posted it first is beacuse I thought the answer might be simply explained as normal .
I have since read allot about Linux hacks and found out that if you have been compromized, you can not trust the output of your own commands, like ls, top, and netstat, as they can be replaced or modified by an intruder.
I hope I have not coused any one any alarm, in the futur I will be much more carefull about what I post in this forum. I may just be being parranoid.
Thanks for all or the response
Aaron

Shad L. Lords

Re: sshell
« Reply #12 on: June 16, 2001, 01:06:10 AM »
If you have installed portsentry then it will open all ports that it is watching.  It needs to do this in order to monitor them.  If you try telneting to them then will accept the connection then immediately close it and deny the attacking IP (if you have it set up that way).  

The one thing that I have noticed about getting portsentry working with e-smith is that you have to manually open up the ports below 1023 that you want to monitor or else it doesn't work on those ports.

-Shad

Kirrily Robert

Re: sshell
« Reply #13 on: June 20, 2001, 11:06:56 PM »
Aaron Greenwood wrote:

> Then I notice in /etc/passwd points root and users to a shell
> /bin/sshell  insted of /bin/bash. What is sshell ?
> I would appricate any feedback
> Thank you

This is the default shell installed by e-smith.  It's the thing that prints out the message to users who try to log into the server when they don't have a real shell:

------------------------------------------------------------
e-smith server and gateway
------------------------------------------------------------

Standard user login services have been disabled.

You may access e-smith server and gateway services such as POP
and SMTP using virtual private networking or port forwarding.

Type "end" and press ENTER to terminate this connection:




It's perfectly normal.

The port 6667 ... are you sure that's not just the default e-smith install making sure your users can use IRC from behind the server?

K.