Hi,
Yes, I should have RTFM ... I just read the description, and did emerge distcc ;)

> I'm sorry your machine got compromised.
> As Alexandre said, since distcc is basically a remote shell, once
> people are allowed to open a connection they can do pretty much
> whatever they want inside that userid.

Now at least I've learnt something.

> I have updated this to make it more clear:
> http://distcc.samba.org/security.html
> Do you think that text is OK, or should more be said?

Well, that's clear ;)

Yes, from what he has done, he (she?) was planning on setting up a warez ftp server. But since it's a router with about 1Gb free space he wouldn't have gotten far.

> Google finds this attack code
> http://www.metasploit.com/projects/Framework/modules/exploits/distcc_exec.pm
> You can see it is more a matter of malice than genius.

He just tried a ptrace root exploit which failed and probably gave up, searching for another target.

> If they didn't get root on your machine then there may be a log

Yes, if only I had noticed it one day before ... Metalog's default is to keep logs for at most 86400 seconds ...

> message telling you the IP of the connection. You can use that to
> trace back to the attack and complain to their network and/or the
> police (not that they generally seem to care).

Yes, that would be a good idea IMHO. Or, if it bothers too many people, just put the private IP ranges in it by default.

> I'd like to make it safer by default; but the protocol probably needs to use plain TCP for performance. Here are some ideas. What do people here think?
> - Make --allow mandatory; you have to say which networks are trusted
> - Use a cleartext shared password; not much protection against local attackers but it might have helped in this case.

A good configuration was the correct solution.

Yes, if encryption/strong auth is wanted, ssh is the way to go, but of course that's a significant overhead.

> - Work on making SSH more useful, though it will probably never be really fast
> - Add weaker built-in encryption; this feels wrong
> - Encourage people to choose nonstandard ports

Mmh, I personally don't like moving standard apps away from their standard ports ...

> - Try to vet the command line; allow only particular commands. It's
> not enough to just say "only run gcc" because an attacker might try to
> send output to a file. This couldn't give total protection but it
> might help.

I think "deny by default" is a good choice because if the user wants to make it work with external networks, he has to read the doc and so he WILL be aware of what it's doing.
Sylvain
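The "deny by default, private ranges only" policy discussed above, as an added example that is not part of the thread or of distcc itself: a POSIX sh wrapper that refuses to build a distccd command line unless at least one --allow network is given, and only accepts networks that lie entirely inside the RFC 1918 private blocks. It assumes distccd accepts --daemon and --allow NET/PREFIX (the option named in the thread); the DISTCCD variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not distcc's own code: enforce "deny by default" on the
# host side by validating --allow networks before distccd is started.
# Assumption: distccd understands --daemon and --allow NET/PREFIX.

DISTCCD="${DISTCCD:-distccd}"   # binary to run (assumed name)

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer; fails on
# malformed input (wrong octet count, non-digits, octet > 255).
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_in_private NET/PREFIX -> 0 if the network is entirely inside
# 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16, otherwise 1.
# A prefix shorter than the private block (e.g. 0.0.0.0/0) is refused.
cidr_in_private() {
    net=${1%/*}; prefix=${1#*/}
    [ "$net" != "$1" ] || return 1          # no "/" at all
    case $prefix in ''|*[!0-9]*) return 1;; esac
    [ "$prefix" -le 32 ] || return 1
    n=$(ip_to_int "$net") || return 1
    for block in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        b=$(ip_to_int "${block%/*}")
        bp=${block#*/}
        [ "$prefix" -ge "$bp" ] || continue
        # mask with the top bp bits set, kept within 32 bits
        mask=$(( (4294967295 << (32 - bp)) & 4294967295 ))
        [ $(( n & mask )) -eq $(( b & mask )) ] && return 0
    done
    return 1
}

# distccd_cmd [NET/PREFIX ...] -> prints the command line to start the
# daemon, or fails without output if no allow list is given or any
# network is not private.
distccd_cmd() {
    [ $# -gt 0 ] || { echo "refusing to start: no --allow given" >&2; return 1; }
    cmd="$DISTCCD --daemon"
    for cidr in "$@"; do
        cidr_in_private "$cidr" || { echo "refusing $cidr: not a private range" >&2; return 1; }
        cmd="$cmd --allow $cidr"
    done
    echo "$cmd"
}

# Usage: eval "$(distccd_cmd 192.168.1.0/24)" starts the daemon for the
# LAN only; distccd_cmd with no arguments or with 0.0.0.0/0 fails.
```

The wrapper only guards the allow list; it does nothing about the cleartext protocol itself, so, as the thread notes, ssh remains the answer where authentication or encryption is required.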
__ distcc mailing list http://distcc.samba.org/
To unsubscribe or change options: http://lists.samba.org/mailman/listinfo/distcc