Re: [luau] RH 9 server hacked -- what went wrong?

2003-08-26 Thread yuser

On 26 Aug 2003 at 12:04, Mark Pettit wrote:


> There is no consumer-level product that will do that.

I know, that was my wishlist!!  It would be nice though.  I will look 
into the Linksys.
 
>  However, Linux
> iptables can do most, if not all, of what you are asking for.  And
> they can be set up for relatively cheap; $100 or less if you buy a
> used computer on ebay.
> 
I personally use either my SMC or my Linux floppy based Freesco 
router at home (old but works well on a DX2/66 32MB ram), I've also 
tried several other more up to date firewall distros on various 
hardware with very good results.  I've done quite a few small 
networks as side jobs and I feel more comfortable from a call back 
potential, leaving them with a self contained home router (+wireless) 
than a headless Pentium that looks like the boogeyman to them.


Re: [luau] RH 9 server hacked -- what went wrong?

2003-08-26 Thread Keith
* Yuser <[EMAIL PROTECTED]> [26/08/2003 1717EDT]:
> On Fri, 22 Aug 2003, Keith wrote:
> 
> > Firewalls are your friend.  These days they are so cheap, even for home
> > use, that there is no reason not to have one.  It is in your best
> > interest to have one, set up an inbound default policy of DENY for at
> > least all privileged ports and only open up those that you absolutely
> > need.  Then, if you get hacked, it would be easier to determine the
> > vulnerable service.
> > 
> 
> Good advice but do you know of any of the cheaper home units (SMC, 
> Netgear, Siemens, Dlink, Linksys etc..) that can actually be configured 
> with default DENY?  

Hrmm.  Actually I do not know of any of these cheaper home units that'd
do what you want.  I personally use a dedicated linux box for this sort
of thing.  :)  It is about as versatile as you can get with a firewall.
If you cannot do it with ip{chains,tables} you probably cannot do it.
You can build yourself a nice linux firewall with nothing more than a
floppy and/or CD and a i{3,4}86 with no hdd and 64MB RAM, complete with
detailed logging and reporting capabilities.  OK you probably won't have
a nice web interface for configuration but such things are mostly
cosmetic anyway.

HOSEF should have a workshop about linux firewalls if one hasn't been
done already. :)

Maybe you'd consider buying a brick?  Check out
http://www.openbrick.org/ but note that the page might be closed at the
moment because they are protesting software patents (like the vim
people and many others).

Here is a pic of the brick:
http://www.linuxdevices.com/files/misc/openbrick.jpg
Note these things are pricey; if you really need a cheap solution then a
brick is not the answer for you.

Alternatively, considering that Cisco acquired Linksys not too long ago,
you should see a few decent home-use firewalls coming out from them,
hopefully minus the buggy history of IOS...


Regards,
krjw.
-- 
Keith R. John Warno  [k r j w  at  optonline dot net]
"It's your money. You paid for it."
   -- George "Dubuhyuh" Bush, LaCrosse, Wis., Oct. 18, 2000


Re: [luau] RH 9 server hacked -- what went wrong?

2003-08-26 Thread Mark Pettit
>Good advice but do you know of any of the cheaper home units (SMC, 
>Netgear, Siemens, Dlink, Linksys etc..) that can actually be configured 
>with default DENY?  

Yes.  The Linksys routers are default deny.  You must specifically say
what ports are allowed in.

>Every one I have seen is default allow and you block from there.  You can 
>block various things like IRC and SMTP but you have to do it manually.  I 
>have a few floppy linux routers that I mess with that are default DENY 
>but they each have disadvantages too.   
>A cheap self contained router/firewall that had the 
>ability to default deny, block by IP and range, block by DNS name, and 
>block by time period would be great.  While I'm dreaming, I'd also like 
>the ability of limiting the services forwarding function to specific IPs 
>instead of the firewall blindly forwarding selected ports over to another 
>machine, like now I forward ssh port 22 to my Linux machine but have to 
>maintain specific rules on that machine of where I can connect from, same 
>with port 80 to a second machine.

There is no consumer-level product that will do that.  However, Linux
iptables can do most, if not all, of what you are asking for.  And
they can be set up for relatively cheap; $100 or less if you buy a
used computer on ebay.

-- 
Mark K. Pettit
[EMAIL PROTECTED]


Re: [luau] RH 9 server hacked -- what went wrong?

2003-08-26 Thread Yuser
On Fri, 22 Aug 2003, Keith wrote:

> Firewalls are your friend.  These days they are so cheap, even for home
> use, that there is no reason not to have one.  It is in your best
> interest to have one, set up an inbound default policy of DENY for at
> least all privileged ports and only open up those that you absolutely
> need.  Then, if you get hacked, it would be easier to determine the
> vulnerable service.
> 

Good advice but do you know of any of the cheaper home units (SMC, 
Netgear, Siemens, Dlink, Linksys etc..) that can actually be configured 
with default DENY?  
Every one I have seen is default allow and you block from there.  You can 
block various things like IRC and SMTP but you have to do it manually.  I 
have a few floppy linux routers that I mess with that are default DENY 
but they each have disadvantages too.   
A cheap self contained router/firewall that had the 
ability to default deny, block by IP and range, block by DNS name, and 
block by time period would be great.  While I'm dreaming, I'd also like 
the ability of limiting the services forwarding function to specific IPs 
instead of the firewall blindly forwarding selected ports over to another 
machine, like now I forward ssh port 22 to my Linux machine but have to 
maintain specific rules on that machine of where I can connect from, same 
with port 80 to a second machine.

Can anyone think of more :)  
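The wishlist above, as an added example that is not from the thread, done with iptables as Mark and Keith suggest: a script that prints an iptables-restore ruleset with inbound default DENY on both INPUT and FORWARD, rate-limited logging of whatever the policy is about to drop (so a later post-mortem can see what was probed), and port forwards for ssh and www where the ssh forward only accepts a named source range instead of forwarding blindly. The interface name, addresses and admin range are placeholder assumptions, not anything posted in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints an iptables-restore ruleset:
#  - INPUT and FORWARD default to DROP; only listed services get through
#  - inbound packets the policy is about to drop are logged (rate limited)
#  - ssh is forwarded to an inside host only from ADMIN_NET; www from anywhere
# Every name and address below is a placeholder assumption.
WAN_IF="${WAN_IF:-eth0}"                    # Internet-facing interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"        # inside network
SSH_HOST="${SSH_HOST:-192.168.1.10}"        # inside ssh server
WEB_HOST="${WEB_HOST:-192.168.1.20}"        # inside web server
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"    # where ssh may come from (TEST-NET-3)

# build_ruleset: write the complete ruleset to stdout
build_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# ssh is only rewritten when it comes from the admin range; other sources
# never reach $SSH_HOST because FORWARD below defaults to DROP
-A PREROUTING -i $WAN_IF -s $ADMIN_NET -p tcp --dport 22 -j DNAT --to-destination $SSH_HOST:22
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_HOST:80
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# traffic to the firewall itself: loopback, replies, the LAN, ssh from admins
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT ! -i $WAN_IF -s $LAN_NET -j ACCEPT
-A INPUT -i $WAN_IF -s $ADMIN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -i $WAN_IF -m limit --limit 10/min -j LOG --log-prefix "FW-IN-DROP: "
# forwarded traffic: replies, the two DNATed services, LAN going out
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN_IF -s $ADMIN_NET -d $SSH_HOST -p tcp --dport 22 -j ACCEPT
-A FORWARD -i $WAN_IF -d $WEB_HOST -p tcp --dport 80 -j ACCEPT
-A FORWARD ! -i $WAN_IF -s $LAN_NET -o $WAN_IF -j ACCEPT
-A FORWARD -i $WAN_IF -m limit --limit 10/min -j LOG --log-prefix "FW-FWD-DROP: "
COMMIT
EOF
}

# count_blind_forwards: number of DNAT rules with no source restriction,
# i.e. ports forwarded to the whole Internet. In this ruleset that is 1 (www).
count_blind_forwards() {
    build_ruleset | grep -- '-j DNAT' | grep -vc -- ' -s '
}

case "${1:-}" in
    show)  build_ruleset ;;
    apply) build_ruleset | iptables-restore && echo "ruleset loaded" ;;  # needs root
esac
```

Run it as `sh fw.sh show` to review the rules and `sh fw.sh apply` as root to load them. Blocking by DNS name and by time period are not shown: iptables resolves a host name only once, when the rule is loaded, so a name-based rule does not follow later DNS changes.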



RE: [luau] RH 9 server hacked -- what went wrong?

2003-08-23 Thread Jaymes Schooler
Definitely block port 445, both UDP and TCP; this port is a very common target
for machines running Samba, and unless you really need ftp from the outside
interface I would shut that one down also.

___
LUAU mailing list
[EMAIL PROTECTED]
http://videl.ics.hawaii.edu/mailman/listinfo/luau




Re: [luau] RH 9 server hacked -- what went wrong?

2003-08-22 Thread Keith
* Warren Togami <[EMAIL PROTECTED]> [22/08/2003 1850EDT]:
[...]
> > I like RH but they have a habit of enabling nearly every service by
> > default. 
> 
> Eh?  This has not been true for years now.

I stand corrected!  Although I believe a safer default is to have most
-- if not all -- services off rather than on (especially true for
network daemons).  RH install procedures could do better to prompt the
user verbosely as to which services he/she wishes their box to run.  I
don't believe any such attempt at this is made.  Then again I could be
wrong; I haven't done an RH install since 1996 or '97.  These days I do
post install configuration and hardening of RH boxes and custom distro
development.  :)

> > 98% of the time there is no need for this.  Another good
> > practice is, after installing and before plugging the cat5 into your
> > NIC, run through your default runlevel's rc directory and turn all
> > unnecessary services off with chkconfig.  Issue a
> > 
> > bash$ chkconfig --list | grep :on
> 
> Total agreement with using chkconfig to see your automatically started
> services and disable things which you don't need.

Indeed this is critical if anyone would like a secure box.  A box cannot
be hacked over the 'net if no connect() can be made.  :)

Aloha!
krjw.
-- 
Keith R. John Warno  [k r j w  at  optonline dot net]
The words stuck in  my mind\ Alive from what I've  learned\ I have to
seize the day
   -- Dream Theater, "A Change of Seasons"


RE: [luau] RH 9 server hacked -- what went wrong?

2003-08-22 Thread Rob Bootsma
Thanks, everyone, for sharing your comments.

No, this box was not firewalled, nor had I applied any security patches.
I had every intention of doing so, I just didn't realize I'd get hit so
quickly.  Like I said, it had only been up for a few days (and for most
of that time it was not even reachable from the Internet).

I admit, this box was pretty wide open.  Still, I'm curious to know
which exploit was used.  Here's the output of nmap.  (Sorry, Hoala, I
pulled this box off the Net as soon as I verified the hack.  I still
have the internal interface up).

Port       State   Service
21/tcp     open    ftp
22/tcp     open    ssh
25/tcp     open    smtp
53/tcp     open    domain
80/tcp     open    http
110/tcp    open    pop-3
111/tcp    open    sunrpc
139/tcp    open    netbios-ssn
143/tcp    open    imap2
443/tcp    open    https
445/tcp    open    microsoft-ds
783/tcp    open    hp-alarm-mgr
953/tcp    open    rndc
993/tcp    open    imaps
995/tcp    open    pop3s
1241/tcp   open    msg
1723/tcp   open    pptp
1/tcp      open    snet-sensor-mgmt

I'll take this as a painful but good learning experience.  Luckily there
was no data on the box yet.  If this had happened a week from now, I'd
be a lot worse off.

Rob




Re: [luau] RH 9 server hacked -- what went wrong?

2003-08-22 Thread Vince Hoang
On Fri, Aug 22, 2003 at 11:26:25AM -1000, Ho'ala Greevy wrote:
> chkconfig --list | grep 3:on
> 
> 
> will reveal better results.  Init3 is the run level you want to
> concentrate on.

Respectfully, I disagree. You want to reduce the running services
on all your runlevels. Most of the RH installations I have seen
boots at runlevel 5 and have GDM startup.

> Rob, would you mind sharing the IP of your cracked box before
> you blow it away? i'm sure at least one of us wouldn't mind
> running nessus against it :)

Not while IRC drones are running on it. Unless you like playing
with fire, do not keep a compromised system running. Swap out the
drive and reinstall.

Save nessus for the systems that you do not yet think are
compromised.

-Vince
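Vince's point that every runlevel matters, as an added example that is not from the thread: a script that reads `chkconfig --list` output, reports everything that is on in any runlevel (xinetd-managed services included) unless it is on an allow-list, and prints the `chkconfig ... off` commands for review. The allow-list and the sample chkconfig output are constructed for the demo, not captured from a real box.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits `chkconfig --list` output
# across ALL runlevels and prints the commands that switch off anything that
# is enabled somewhere but not on the allow-list.
ALLOWED="${ALLOWED:-sshd network syslog crond}"   # assumption: what we want running

# Constructed sample in the format chkconfig prints (not a real capture).
# Note smb is only on in runlevel 5, the one a default RH install boots into.
SAMPLE_CHKCONFIG='sshd       0:off 1:off 2:on  3:on  4:on  5:on  6:off
network    0:off 1:off 2:on  3:on  4:on  5:on  6:off
portmap    0:off 1:off 2:off 3:on  4:on  5:on  6:off
smb        0:off 1:off 2:off 3:off 4:off 5:on  6:off
vsftpd     0:off 1:off 2:off 3:off 4:off 5:off 6:off
xinetd based services:
        telnet: on
        rsync:  off'

# audit_services: stdin = chkconfig --list output. Prints "<svc> <levels-on>"
# (or "<svc> xinetd") for each enabled service not in $ALLOWED; exit 1 if any.
audit_services() {
    awk -v allowed=" $ALLOWED " '
        # SysV line: name 0:off 1:off 2:on 3:on 4:on 5:on 6:off
        NF == 8 && $2 ~ /^0:/ {
            on = ""
            for (i = 2; i <= NF; i++) {
                split($i, kv, ":")
                if (kv[2] == "on") on = on kv[1]
            }
            if (on != "" && index(allowed, " " $1 " ") == 0) {
                print $1, on; bad++
            }
            next
        }
        # xinetd line: "name: on"
        NF == 2 && $1 ~ /:$/ && $2 == "on" {
            name = substr($1, 1, length($1) - 1)
            if (index(allowed, " " name " ") == 0) {
                print name, "xinetd"; bad++
            }
        }
        END { exit (bad > 0) }'
}

# disable_commands: turn the audit into shell commands you can read before running
disable_commands() {
    audit_services | while read -r svc levels; do
        echo "chkconfig $svc off"
    done
}

case "${1:-}" in
    sample) printf '%s\n' "$SAMPLE_CHKCONFIG" | disable_commands ;;
    live)   chkconfig --list | disable_commands ;;
esac
```

`sh audit.sh sample` runs the built-in sample and `sh audit.sh live` runs against the real chkconfig output. On the sample, smb shows up as on only in runlevel 5, which a `grep 3:on` would never have listed.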


Re: [luau] RH 9 server hacked -- what went wrong?

2003-08-22 Thread Vince Hoang
On Fri, Aug 22, 2003 at 09:33:08AM -1000, Rob Bootsma wrote:
> So my question is, how did they get root? Well, I guess they
> used this rootkit, but how did they manage to install that?
> Where is the vulnerability? If anyone has any suggestions
> of what to look for before I wipe out this box, it would be
> greatly appreciated.

Without knowing more, I suspect you performed a full install,
disabled iptables, and did not verify that only minimal services
were running.

If you want to run forensics, set the HD aside and reinstall on
new media. Do not boot or mount the partitions read/write.

-Vince


Re: [luau] RH 9 server hacked -- what went wrong?

2003-08-22 Thread Ho'ala Greevy
chkconfig --list | grep 3:on


will reveal better results.  Init3 is the run level you want to
concentrate on.

Rob, would you mind sharing the IP of your cracked box before you blow it
away?  i'm sure at least one of us wouldn't mind running nessus against it
:)

-ho'ala

Keith said:
> Another good practice is, after installing and before plugging the cat5
> into your NIC, run through your default runlevel's rc directory and turn
> all unnecessary services off with chkconfig.  Issue a
>
>   bash$ chkconfig --list | grep :on
>
> to see what is enabled.  You'll see that there is a lot enabled by
> default, depending of course on what you've installed.







Re: [luau] RH 9 server hacked -- what went wrong?

2003-08-22 Thread Warren Togami
On Fri, 2003-08-22 at 10:27, Keith wrote:
> Firewalls are your friend.  These days they are so cheap, even for home
> use, that there is no reason not to have one.  It is in your best
> interest to have one, set up an inbound default policy of DENY for at
> least all privileged ports and only open up those that you absolutely
> need.  Then, if you get hacked, it would be easier to determine the
> vulnerable service.

If you use Red Hat Linux, it will give you an option to setup a
"firewall" during installation or you can use the firewall configuration
tool later to enable it to block ports.

> 
> I like RH but they have a habit of enabling nearly every service by
> default. 

Eh?  This has not been true for years now.

> 98% of the time there is no need for this.  Another good
> practice is, after installing and before plugging the cat5 into your
> NIC, run through your default runlevel's rc directory and turn all
> unnecessary services off with chkconfig.  Issue a
> 
>   bash$ chkconfig --list | grep :on

Total agreement with using chkconfig to see your automatically started
services and disable things which you don't need.

Warren



Re: [luau] RH 9 server hacked -- what went wrong?

2003-08-22 Thread Keith
* Rob Bootsma <[EMAIL PROTECTED]> [22/08/2003 1533EDT]:
> Hi all,

Aloha.

> I just recently set up a RH 9 sever (less than a week ago), and it has
> already been hacked.  I know I'm going to have to reinstall, but I was
> hoping to find out what vulnerability was exploited so it doesn't happen
> again next time.  I don't think any passwords were cracked.  They must
> have used some other known exploit.  But which one?

Firewalls are your friend.  These days they are so cheap, even for home
use, that there is no reason not to have one.  It is in your best
interest to have one, set up an inbound default policy of DENY for at
least all privileged ports and only open up those that you absolutely
need.  Then, if you get hacked, it would be easier to determine the
vulnerable service.

I like RH but they have a habit of enabling nearly every service by
default. 98% of the time there is no need for this.  Another good
practice is, after installing and before plugging the cat5 into your
NIC, run through your default runlevel's rc directory and turn all
unnecessary services off with chkconfig.  Issue a

bash$ chkconfig --list | grep :on

to see what is enabled.  You'll see that there is a lot enabled by
default, depending of course on what you've installed.

> Here's what I know.  It looks like they installed some sort of IRC
> relay.  It also seems that they tampered with sshd and samba.  Some of
> the packages from the rootkit they used include kool.tar.gz,
> psybnc.tar.gz, rkid.tar.gz, and smas.tgz (there may be others).  Does
> anyone know what these do?  Syslog was also tampered with (this was my
> first clue).  Chkrootkit shows ifconfig, login, and pstree as infected.

Both ssh and samba have troubled histories, although not nearly as bad
as something like sendmail.  :) Investigate the openssh and samba web
sites for security bulletins.  Re ssh: no matter what the circumstances,
you should *never* have protocol v1 enabled on your sshd.  Use 2 and 2
only.  v1 is broken.

Read up on the linux security howto.  Find a copy at
http://www.tldp.org/ .

> So my question is, how did they get root?  Well, I guess they used this
> rootkit, but how did they manage to install that?  Where is the
> vulnerability?  If anyone has any suggestions of what to look for before
> I wipe out this box, it would be greatly appreciated.

You might be able to find proof of the exploit and hence what was
exploited.  Look for file names with weird characters (might be proof of
a format string vulnerability, common to things like wu-ftpd).  Look
through whatever logs you have and look carefully.

In the future think about using something like Tripwire for intrusion
detection if you are really paranoid.  If you have programming skills
there are a number of interesting IDS methods you can whip up using
perl, cvs, and ssh.  (Linux Journal had an article or two not too long
ago...)


> Aloha,
> Rob


Regards,
krjw.
-- 
Keith R. John Warno  [k r j w  at  optonline dot net]
"It's your money. You paid for it."
   -- George "Dubuhyuh" Bush, LaCrosse, Wis., Oct. 18, 2000
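Keith's suggestions of Tripwire-style checking and of looking for odd file names, as an added example that is not from the thread: a minimal baseline tool in shell. make_baseline hashes every regular file under a directory into a list you keep off the box; check_baseline reports files that changed, disappeared or appeared since; find_odd_names lists paths containing bytes outside printable ASCII. The demo runs in a temporary directory with constructed files named after the binaries chkrootkit flagged; none of the paths are real system paths.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal Tripwire-style baseline
# plus a finder for file names with control characters. "demo" exercises it
# in a throw-away directory with constructed files.

# make_baseline DIR OUT: SHA-256 of every regular file under DIR, sorted by path
make_baseline() {
    find "$1" -type f -print0 | sort -z | xargs -0 -r sha256sum > "$2"
}

# in_list HASH PATH FILE: true if FILE contains exactly that hash/path pair
in_list() {
    awk -v h="$1" -v p="$2" '$1 == h && $2 == p { f = 1 } END { exit (f ? 0 : 1) }' "$3"
}

# check_baseline DIR BASELINE: print "changed|missing|added PATH" lines;
# exit 1 if anything differs from the baseline
check_baseline() {
    dir=$1; base=$2
    cur=$(mktemp) || return 2
    make_baseline "$dir" "$cur"
    rc=0
    while read -r hash path; do                 # baseline entries, now
        if [ ! -e "$path" ]; then
            echo "missing $path"; rc=1
        elif ! in_list "$hash" "$path" "$cur"; then
            echo "changed $path"; rc=1
        fi
    done < "$base"
    while read -r hash path; do                 # current entries not in baseline
        awk -v p="$path" '$2 == p { f = 1 } END { exit (f ? 0 : 1) }' "$base" \
            || { echo "added $path"; rc=1; }
    done < "$cur"
    rm -f "$cur"
    return $rc
}

# find_odd_names DIR: paths containing any byte outside printable ASCII
find_odd_names() {
    find "$1" -print | LC_ALL=C grep -a '[^ -~]'
}

# demo: baseline a clean tree, then simulate what the thread describes
demo() {
    d=$(mktemp -d) || return 2
    printf 'ifconfig v1\n' > "$d/ifconfig"
    printf 'pstree v1\n'   > "$d/pstree"
    make_baseline "$d" "$d.base"             # taken while the tree is clean
    printf 'trojan\n'      > "$d/ifconfig"   # binary replaced by a rootkit
    printf 'irc drone\n'   > "$d/.psybnc"    # file dropped by the intruder
    touch "$d/$(printf 'sh\001')"            # name carrying a control character
    rc=0
    check_baseline "$d" "$d.base" || rc=$?
    find_odd_names "$d" | sed 's/^/odd-name /'
    rm -rf "$d" "$d.base"
    return $rc
}

case "${1:-}" in
    demo)     demo ;;
    baseline) make_baseline "$2" "$3" ;;
    check)    check_baseline "$2" "$3" ;;
    odd)      find_odd_names "$2" ;;
esac
```

Take the baseline right after the install, before the cable goes in, and keep it on another host (checked into CVS over ssh, as Keith hints). Once a box is rooted, run the checks from a known-good rescue system against the suspect disk mounted read-only, not with the suspect system's own find and sha256sum, since the rootkit in this thread replaced exactly that kind of binary.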


RE: [luau] RH 9 server hacked -- what went wrong?

2003-08-22 Thread Jaymes Schooler
I recently had the same thing happen to one of my web servers.  They were
able to gain access through the news service, which I had inadvertently left
running at installation time.  Then they promoted the news user to uid 0 and
were able to gain access to root privileges.  They created a user called
system with uid 0 also.  My final option was to disconnect, remove the root
kits and change all passwords.  Also I set nologin for user news, secured
that service, and changed my firewall configuration to not allow ssh through
on the outside interface.  Right now the only services I am allowing to
pass on the outside interface are web, secure web, dns, smtp and pop3.  I
also have these services inspected at the router to ensure they go where
they're supposed to.

Also it didn't help that with the root kits installed they were e-mailing my
passwd, passwd-, shadow and shadow- files to what appeared to be some server
in California; further investigation indicated that those were arp spoofed,
so I really don't know where it went.  If you haven't done so, you should
also make a report to CERN.


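Jaymes's account of a second uid-0 user and of the news account having a login shell, as an added example that is not from the thread: two checks against a passwd file. extra_uid0 lists every account other than root whose uid is 0; service_with_shell lists service accounts whose shell is not one of the nologin shells. The passwd content is constructed to resemble what the post describes, and the list of service users is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread: check a passwd file for extra
# uid-0 accounts and for service accounts that have a real login shell.
SERVICE_USERS="${SERVICE_USERS:-news ftp apache named}"   # assumption
NOLOGIN_SHELLS="/sbin/nologin /usr/sbin/nologin /bin/false"

# Constructed passwd content modelled on the post (not a real /etc/passwd).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
news:x:9:13:news:/etc/news:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
system:x:0:0::/tmp:/bin/bash
rob:x:500:500:Rob:/home/rob:/bin/bash'

# extra_uid0 FILE: accounts other than root whose uid (field 3) is 0
extra_uid0() {
    awk -F: '$3 ~ /^0+$/ && $1 != "root" { print $1 }' "$1"
}

# service_with_shell FILE: service accounts whose shell is not a nologin shell,
# printed as name:shell
service_with_shell() {
    awk -F: -v users=" $SERVICE_USERS " -v nologin=" $NOLOGIN_SHELLS " '
        index(users, " " $1 " ") && !index(nologin, " " $7 " ") { print $1 ":" $7 }' "$1"
}

# audit_passwd FILE: run both checks; exit 1 if either found something
audit_passwd() {
    found=0
    for u in $(extra_uid0 "$1"); do echo "uid0 $u"; found=1; done
    for e in $(service_with_shell "$1"); do echo "shell $e"; found=1; done
    return $found
}

# demo: run the audit on the constructed sample
demo() {
    f=$(mktemp) || return 2
    printf '%s\n' "$SAMPLE_PASSWD" > "$f"
    rc=0
    audit_passwd "$f" || rc=$?
    rm -f "$f"
    return $rc
}

case "${1:-}" in
    demo) demo ;;
    live) audit_passwd /etc/passwd ;;
esac
```

Run it against a copy of /etc/passwd taken from the suspect disk mounted read-only, or `sh passwd-audit.sh live` on a system you still trust. A uid-0 hit means lock or remove that account; for a service user, `usermod -s /sbin/nologin news` restores the nologin shell Jaymes set.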


Re: [luau] RH 9 server hacked -- what went wrong?

2003-08-22 Thread R. Scott Belford
I have to wonder if, after installing the server, you made certain that 
you ran up2date or apt-get (if you installed apt) to update all the 
packages.  What services did you have running?  Was the machine 
firewalled?


--scott








[luau] RH 9 server hacked -- what went wrong?

2003-08-22 Thread Rob Bootsma
Hi all,

I just recently set up a RH 9 server (less than a week ago), and it has
already been hacked.  I know I'm going to have to reinstall, but I was
hoping to find out what vulnerability was exploited so it doesn't happen
again next time.  I don't think any passwords were cracked.  They must
have used some other known exploit.  But which one?

Here's what I know.  It looks like they installed some sort of IRC
relay.  It also seems that they tampered with sshd and samba.  Some of
the packages from the rootkit they used include kool.tar.gz,
psybnc.tar.gz, rkid.tar.gz, and smas.tgz (there may be others).  Does
anyone know what these do?  Syslog was also tampered with (this was my
first clue).  Chkrootkit shows ifconfig, login, and pstree as infected.

So my question is, how did they get root?  Well, I guess they used this
rootkit, but how did they manage to install that?  Where is the
vulnerability?  If anyone has any suggestions of what to look for before
I wipe out this box, it would be greatly appreciated.

Aloha,
Rob