Thanx for the replies so far.

Christian Hammers wrote:

Try "nmap" to see which services are reachable from the network.

Port       State       Service
22/tcp     open        ssh
80/tcp     open        http
443/tcp    open        https

from within the campus network adds:

Port       State       Service
21/tcp     open        ftp
139/tcp    open        netbios-ssn

Rich Puhek wrote:

NOTE: Ok, firewalled at the network border, but could poorly-secured
internal windows machines have been used as a springboard for an
attack?
The same goes for the below services, are you sure that all the
machines and people on the same side of the firewall are completely
trustworthy? This is a big hole if you're only firewalling at the
border of your campus network, and have a wide variety of machines
out there...

It's likely that there are numerous compromised systems within the campus, unfortunately. They could have used one of those, that's possible. That means they must have exploited sshd, apache, apache-ssl, proftpd or samba.


bind9 is open to a local 172.20-network (student housing), so is also a candidate... Can't rule it out, but I can't imagine I would be the only one having problems...

mysql is only open to three of my other servers.
snmpd is only open to my monitoring server

Was anyone else logged in at the time? Perhaps one of your admins had
a weak or compromised password?

Nope. No one was logged in at that time. The few logins in the logfile are accounted for.


Alan James wrote:
Maybe they brute forced the root password ? Do you have
"PermitRootLogin yes" in sshd_config ?

No, I didn't at that moment. But there's no sign of a successful root login. Not in ps aux, not in netstat and no ssh traffic other than my own session in tcpdump. I guess a brute-force would show up in the ssh logfiles. Only thing there is four times "Did not receive identification string".

You say that you have apache and php4 installed. Are you running any
php applications that may have been compromised ? Although I'd expect
those to leave the attacker with access to www-data rather than root.

Thought of that myself. Checked the apache logfiles and went through the
scripts... I don't have any 'candidates' besides Horde-2.1/Imp-3.1 and squirrelmail-1.4.0. But then there's still the www-data -> root question...


regards,

Thijs Welman
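The thread above turns on what an sshd brute-force attempt would look like in the logs compared with a few bare "Did not receive identification string" probes. The following script is an added example for this discussion, not something from the thread or from Thijs's own logs: it parses sshd syslog lines in the usual OpenSSH format, counts connection probes and failed passwords per source address, and flags sources that fail repeatedly or that log in as root by password right after failing. The log excerpt is constructed, and the threshold of five failures is an assumed value for illustration.

```python
"""Added example (not from the original thread): summarise sshd log lines to
tell a password brute-force apart from a handful of bare connection probes.

The log lines below are constructed samples in OpenSSH syslog format; the
failure threshold is an assumed value, not a standard one.
"""
import re
from collections import Counter, defaultdict

# Constructed sample auth.log excerpt (sshd messages only).
SAMPLE_LOG = """\
Jul  3 02:14:07 host sshd[4411]: Did not receive identification string from 10.0.0.9
Jul  3 02:14:09 host sshd[4412]: Did not receive identification string from 10.0.0.9
Jul  3 02:31:55 host sshd[4520]: Accepted publickey for thijs from 192.0.2.10 port 51022 ssh2
Jul  3 03:02:11 host sshd[4601]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jul  3 03:02:12 host sshd[4601]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jul  3 03:02:13 host sshd[4603]: Failed password for invalid user admin from 198.51.100.7 port 40003 ssh2
Jul  3 03:02:14 host sshd[4604]: Failed password for root from 198.51.100.7 port 40004 ssh2
Jul  3 03:02:15 host sshd[4605]: Failed password for root from 198.51.100.7 port 40005 ssh2
Jul  3 03:02:16 host sshd[4606]: Failed password for root from 198.51.100.7 port 40006 ssh2
Jul  3 03:05:40 host sshd[4610]: Accepted password for root from 198.51.100.7 port 40010 ssh2
Jul  3 04:10:01 host sshd[4700]: Did not receive identification string from 172.20.5.5
"""

# A probe that connected but never sent an SSH version banner (scanner, banner grab).
NO_IDENT_RE = re.compile(r"sshd\[\d+\]: Did not receive identification string from (\S+)")
# A real authentication attempt that failed; "invalid user" means the account does not exist.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
# A successful login, with the authentication method used.
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")

BRUTE_FORCE_THRESHOLD = 5  # assumed value for this example


def summarise_sshd(lines):
    """Return probes, failed logins per source address and accepted logins."""
    no_ident = Counter()                 # source ip -> probes without a banner
    failed = Counter()                   # source ip -> failed password attempts
    failed_users = defaultdict(Counter)  # source ip -> {username: failures}
    accepted = []
    for line in lines:
        m = NO_IDENT_RE.search(line)
        if m:
            no_ident[m.group(1)] += 1
            continue
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failed[ip] += 1
            failed_users[ip][user] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            accepted.append({"method": method, "user": user, "ip": ip})
    return {
        "no_ident": dict(no_ident),
        "failed": dict(failed),
        "failed_users": {ip: dict(c) for ip, c in failed_users.items()},
        "accepted": accepted,
    }


def find_suspicious(summary, threshold=BRUTE_FORCE_THRESHOLD):
    """Flag sources with repeated failures, and a root password login from a
    source that had just been failing (a guessed password, not a quiet exploit)."""
    findings = []
    for ip, n in summary["failed"].items():
        if n >= threshold:
            findings.append(f"{ip}: {n} failed passwords (brute force?)")
    for a in summary["accepted"]:
        if a["user"] == "root" and a["method"] == "password" and a["ip"] in summary["failed"]:
            findings.append(f"{a['ip']}: root password login after failures")
    return findings


if __name__ == "__main__":
    summary = summarise_sshd(SAMPLE_LOG.splitlines())
    print("probes without banner:", summary["no_ident"])
    print("failed passwords:", summary["failed"])
    for finding in find_suspicious(summary):
        print("SUSPICIOUS:", finding)
```

Run against the real log, a handful of "Did not receive identification string" lines with no "Failed password" entries behind them looks like scanning rather than password guessing, which is the distinction the reply above is drawing; a genuine brute-force leaves a dense run of failures from one source, and a successful guess ends that run with an "Accepted password" from the same address.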

