Re: another kernel vulnerability

2004-01-05 Thread Thijs Welman
Hi,

Ricardo Kustner wrote:

> Yeah I just finished updating my first server of many ;-)
> BTW even though not all mirrors are updated yet, you can get a patch from
> www.kernel.org -- that would probably be a better place to get the patch
> from.

This issue has been fixed in the 2.4.24 version (2004-01-05 13:55 UTC)

Changelog:
http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.24
regards,

Thijs Welman

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Debian Stable server hacked

2003-08-14 Thread Thijs Welman
Hi,

Last Sunday, August 3rd 2003, one of my servers was hacked, which I, by
coincidence, was able to catch 'in progress'.
My log analyzer showed four 'Did not receive identification string from
w.x.y.z' log entries from sshd. This happens all the time and I certainly
don't check all of them out, but I happened to do so this time.
I noticed suspicious network connections with netstat [1]. Shortly
thereafter I noticed I had two init processes and multiple syslogd
processes. I killed the syslogd processes immediately, as the
network traffic appeared to be IRC traffic. Then I practically sealed the
machine from outside with my firewall, allowing me to do some further
research.

I found the following:
- The extra init process was somehow spawned, but the original binary
seems to have been deleted [2].
- All base system programs were OK, including init and syslogd. MD5s
matched.
- In / there was rpm-4.0.4.i386.tar.gz. I found that the content
was installed. It matches the archive on ftp.rpm.org (md5).
- I didn't find any other out-of-the-ordinary files.
- chkrootkit didn't find anything but the extra init process running.

I'm puzzled about how they managed to get those processes running (as
root). There are no local accounts, other than some accounts for the
sysadmins. Does anyone have any idea how they might have done this?
Anyone seen similar hacks recently? I'd sure like to solve this problem,
but at this moment I wouldn't know how, so suggestions are more than
welcome.

Unfortunately I don't have the resources to get an IDS system up and
running...
regards and tia,

Thijs Welman
Delft University of Technology
the Netherlands
-
[0] My server is running Debian stable with:
- linux-2.4.21-ac4 custom compiled kernel without LKM-support
- sshd
- apache
- apache-ssl
- php4
- smbd/nmbd (firewalled at the university network border)
- postfix (not accessible from outside)
- bind9 (not accessible from outside)
- mysql (firewalled)
- proftpd (firewalled)
- snmpd (firewalled)
- amanda-client from inetd (firewalled)
All packages are unmodified releases from Debian stable and, yes, I do
update packages from security.debian.org as soon as there are any updates. :)
[1] netstat -anp at that time:
tcp     0      0 MYIP:36789  IP#1:21     ESTABLISHED 12642/wget
tcp  1448      0 MYIP:36790  IP#1:20     ESTABLISHED 12642/wget
tcp     0      0 MYIP:44367  IP#2:60666  ESTABLISHED 10051/syslogd
tcp     0      0 MYIP:33397  IP#2:60666  ESTABLISHED 10051/syslogd
tcp     0     80 MYIP:53731  IP#3:59780  ESTABLISHED 10764/init
Note: I found out 'init' and 'syslogd' were 'extra' processes. My
normal init and syslogd were running normally (seemed untouched).
[2] lsof output:
init  1 root  cwd   DIR  3,3    4096      2 /
init  1 root  rtd   DIR  3,3    4096      2 /
init  1 root  txt   REG  3,3   27844 312195 /sbin/init
init  1 root  mem   REG  3,3   90210 179291 /lib/ld-2.2.5.so
init  1 root  mem   REG  3,3 1153784 179294 /lib/libc-2.2.5.so
init  1 root  10u  FIFO  3,3          49116 /dev/initctl
init  9 root  cwd   DIR  3,3    4096      2 /
init  9 root  rtd   DIR  3,3    4096      2 /
init  9 root  txt   REG  3,3   29304 312205 /sbin/init (deleted)
init  9 root   0u   CHR  1,3          49079 /dev/null
init  9 root   1u   CHR  1,3          49079 /dev/null
init  9 root   2u   CHR  1,3          49079 /dev/null
init  9 root   3u   CHR  1,2          49078 /dev/kmem
init  9 root   4u  sock  0,0             19 can't identify protocol
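
The lsof output above shows three things a defender can check for without an IDS: a second 'init' that is not PID 1, an executable that was unlinked after the process started ("(deleted)"), and a process holding /dev/kmem open. The script below is an added example, not tooling from this thread; it reads /proc on a modern Linux (the Proc, suspicious, collect and report names are assumptions) and must run as root to see every process.

```python
#!/usr/bin/env python3
"""Flag processes showing the signs seen in the thread's lsof/netstat output."""
import os
from dataclasses import dataclass, field

# Daemons of which one well-known instance is expected: 'init' must be PID 1.
SINGLETON_DAEMONS = {"init": 1}

@dataclass
class Proc:
    pid: int
    comm: str                       # name as shown by ps / /proc/<pid>/comm
    exe: str                        # target of the /proc/<pid>/exe symlink
    open_files: list = field(default_factory=list)   # targets of /proc/<pid>/fd/*

def suspicious(p: Proc) -> list:
    """Return the reasons a process resembles the rogue 'init' from the thread."""
    reasons = []
    if p.exe.endswith(" (deleted)"):
        reasons.append("executable was unlinked while running")
    if "/dev/kmem" in p.open_files or "/dev/mem" in p.open_files:
        reasons.append("holds a kernel memory device open")
    expected = SINGLETON_DAEMONS.get(p.comm)
    if expected is not None and p.pid != expected:
        reasons.append(f"'{p.comm}' running as PID {p.pid}, expected PID {expected}")
    return reasons

def collect() -> list:
    """Read every visible process from /proc (Linux only)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            comm = open(f"/proc/{pid}/comm").read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
            fd_dir = f"/proc/{pid}/fd"
            files = [os.readlink(f"{fd_dir}/{fd}") for fd in os.listdir(fd_dir)]
        except OSError:
            continue            # process exited, or not ours to inspect
        procs.append(Proc(pid, comm, exe, files))
    return procs

def report(procs) -> dict:
    """Map PID -> list of reasons, only for processes that raised at least one."""
    return {p.pid: r for p in procs if (r := suspicious(p))}

if __name__ == "__main__":
    for pid, why in sorted(report(collect()).items()):
        print(pid, "; ".join(why))
```

A clean machine prints nothing; on the thread's box it would have listed PID 9 with all three reasons.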


Re: Debian Stable server hacked

2003-08-08 Thread Thijs Welman
Thanx for the replies so far.

Christian Hammers wrote:

> Try nmap to see which services are reachable from the network.

Port     State  Service
22/tcp   open   ssh
80/tcp   open   http
443/tcp  open   https

from within the campus network adds:

Port     State  Service
21/tcp   open   ftp
139/tcp  open   netbios-ssn

Rich Puhek wrote:

> NOTE: Ok, firewalled at the network border, but could poorly-secured
> internal windows machines have been used as a springboard for an
> attack?
> The same goes for the below services, are you sure that all the
> machines and people on the same side of the firewall are completely
> trustworthy? This is a big hole if you're only firewalling at the
> border of your campus network, and have a wide variety of machines
> out there...

It's likely that there are numerous compromised systems within the
campus, unfortunately. They could have used one of those, that's
possible. That means they must have exploited sshd, apache, apache-ssl,
proftpd or samba.

bind9 is open to a local 172.20-network (student housing), so is also a
candidate... Can't rule it out, but I can't imagine I would be the only
one having problems...

mysql is only open to three of my other servers.
snmpd is only open to my monitoring server.

> Was anyone else logged in at the time? Perhaps one of your admins had
> a weak or compromised password?

Nope. No one was logged in at that time. The few logins in the logfile
are accounted for.

Alan James wrote:

> Maybe they brute forced the root password ? Do you have
> PermitRootLogin yes in sshd_config ?

No, I didn't at that moment. But there's no sign of a successful root
login. Not in ps aux, not in netstat and no ssh traffic other than my
own session in tcpdump. I guess a brute-force would show up in the ssh
logfiles. Only thing there is four times 'Did not receive identification
string'.

> You say that you have apache and php4 installed. Are you running any
> php applications that may have been compromised ? Although I'd expect
> those to leave the attacker with access to www-data rather than root.

Thought of that myself. Checked the apache logfiles and went through the
scripts... I don't have any 'candidates' besides Horde-2.1/Imp-3.1 and
squirrelmail-1.4.0. But then there's still the www-data - root question...

regards,

Thijs Welman



Re: Debian Stable server hacked

2003-08-07 Thread Thijs Welman
Hi,

Matt Zimmerman wrote:

> If you don't also subscribe to debian-security-announce, then you are
> missing important things like kernel updates.  There are several local root
> exploits in the stock woody kernel which have been fixed by security updates
> that would not be installed automatically.  You cannot rely on apt alone to
> secure your system.

Thanks. I forgot to mention that I am subscribed to
debian-security-announce as well (of course ;)). As far as the kernel
updates are concerned: I use my own kernel. At this moment that's 2.4.21
with Alan Cox' patches (ac4). Could be there's an exploit in that
kernel version. Maybe I should consider going back to a
debian-package kernel...

Anyone any comment on or experience with debian vs custom kernels?

-- Thijs


