
Uh-oh. Cracked already. I think...


Dear all,

Please accept my apologies for not lurking. I got my first server box of my
own at a hosting company last week, and I thought I had configured it well,
but it appears to be cracked already. :-( Well, I'm a real newbie, and so
I'm on a steep learning curve.

At least, I can't remember installing gnutella on it, yet nmap says it
runs there... So I'm seeking advice.

To address this first: it is the gnutella server that causes alarm, so is
there anything I could have done that would install gnutella but escape my
attention? I certainly never did apt-get install gnutella (I tried apt-get
remove gnutella yesterday, with no effect). Is it likely that, if I don't
know how it got there, it has been installed by a cracker?
I've tried to telnet to port 6346 but get no connection.

The story is that I installed Woody on three boxes, two workstations and
a server, starting at the beginning of May, using my old University
network and installing most of it over the network. I read most of the
"Securing Debian Manual". I disregarded most of the stuff that had to do
with people having physical access to the box; that shouldn't represent a
threat. I disabled everything that had to do with cleartext passwords. I
must admit that I left fingerd, and that I export some NFS things.

I have shadow passwords and MD5 passwords. I also have inetd. I didn't
really understand that much of the PAM stuff, but there aren't going to be
many users on this system, and all users will be able to perform the same
tasks. I tried to set the suggested PermitRootLogin for ssh to no, but ssh
gave me some message that I thought meant it didn't recognize it. Besides,
updating stuff would be hard, so I have sshed to the root account many
times. I compiled iptables into the kernel, but I haven't read up on how
to use it. I have also installed some of the harden packages.

Last night, I thought my system was running quite well, though I had
noticed gnutella running. I figured it was time to run nessus, so I did.
It seems to report many holes, some of which I guess would be
exploitable. I put the report at
<URL: http://www.astro.uio.no/~kjetikj/tmp/pooh-nessus-2002-22-05.html >

I first made sure that ~/.qpopper-options files wouldn't be read, so that's
taken care of. There are lots of complaints about OpenSSH there, and about
the SMTP server (Exim). So, what to do about these things...?

If it has been cracked, what should I do? I could run up to my hosts and
have them turn it off, I guess. But then what? I really have no clue what
happened, and while I could turn off some more services, it seems like the
biggest security problems are with ssh and smtp, that is, OpenSSH and
Exim, so would a clean reinstall help a lot?

Unfortunately, I can't report a break-in to the police. The computer crime
police here in Norway have a political agenda I despise, and I don't want
to give them any legitimacy.


-- 
Kjetil Kjernsmo
Recent astrophysics graduate                  Problems worthy of attack
University of Oslo, Norway            Prove their worth by hitting back
E-mail: kjetikj@astro.uio.no                                - Piet Hein
Homepage <URL:http://folk.uio.no/kjetikj/>
Webmaster@skepsis.no                            OpenPGP KeyID: 6A6A0BBC
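A practitioner reading the question above would first want to know what, if anything, is actually bound to port 6346 on the box. Without version detection, nmap labels a port by looking its number up in its services table, so "gnutella" on 6346 only means that port number answered; it says nothing about which program is behind it. The script below is an added example, not code from the original post or from Debian. It reads /proc/net/tcp and /proc/net/tcp6 directly (rather than trusting a netstat binary that a cracker may have replaced), maps a listening socket to the inode and then to the process holding it, and asks dpkg whether that program's binary belongs to any installed package. The sample /proc/net/tcp content and the function names are constructed for illustration; the lookup logic is the real kernel format, where the local port is the last four hex digits of local_address and state 0A means LISTEN.

```sh
#!/bin/sh
# Added example: locate the process behind a listening TCP port without
# relying on netstat. Assumes Linux with /proc mounted; the SAMPLE_TCP
# data below is constructed and is only used for offline testing.

# Port number to the 4-digit uppercase hex that /proc/net/tcp uses.
hex_port() {
    printf '%04X' "$1"
}

# Read /proc/net/tcp (or tcp6) content on stdin and print the socket inode
# of every socket in state 0A (LISTEN) bound to the given port.
listening_inodes() {
    want=$(hex_port "$1")
    awk -v want="$want" '
        NR > 1 {
            split($2, a, ":")                 # local_address = addr:port
            if (a[2] == want && $4 == "0A") print $10   # $10 is the inode
        }'
}

# Map a socket inode to the PID(s) whose fd table references it. Needs
# root to see other users' processes; unreadable entries are skipped.
pids_for_inode() {
    inode="$1"
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$inode]" ] || continue
        pid=${fd#/proc/}
        echo "${pid%%/*}"
    done | sort -u
}

# Constructed sample: sshd on port 22 (0x0016, inode 1234) and an unknown
# listener on 0.0.0.0:6346 (0x18CA, inode 12345) owned by uid 1001.
SAMPLE_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 00000000 100 0 0 10 0
   1: 00000000:18CA 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 12345 1 00000000 100 0 0 10 0'

# Full check against the live kernel tables: socket -> inode -> pid ->
# binary -> owning Debian package (if any).
audit_port() {
    port="$1"
    found=0
    for tbl in /proc/net/tcp /proc/net/tcp6; do
        [ -r "$tbl" ] || continue
        for inode in $(listening_inodes "$port" < "$tbl"); do
            found=1
            echo "port $port: listening socket inode $inode ($tbl)"
            pids=$(pids_for_inode "$inode")
            [ -n "$pids" ] || echo "  no process found (run as root; if still nothing, suspect a kernel-level rootkit)"
            for pid in $pids; do
                exe=$(readlink "/proc/$pid/exe" 2>/dev/null)
                echo "  pid $pid exe=${exe:-?} cmdline=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
                if [ -n "$exe" ] && command -v dpkg >/dev/null 2>&1; then
                    dpkg -S "${exe% (deleted)}" 2>/dev/null \
                        || echo "  ${exe} is not owned by any Debian package"
                fi
            done
        done
    done
    [ "$found" -eq 1 ] || echo "port $port: nothing listening in /proc/net/tcp or tcp6"
    return 0
}

# Usage: sh audit_port.sh 6346   (as root)
if [ -n "${1:-}" ]; then
    audit_port "$1"
fi
```

Run it as root with the suspicious port number as the argument. A binary that dpkg does not know about, that lives under /tmp or /dev, or whose exe link reads "(deleted)" is the kind of thing to treat as hostile. The caveat is that this only defeats a replaced userland tool; an attacker who has loaded a kernel module can hide sockets and processes from /proc as well, so an empty result on a box you already distrust is not proof of innocence, and the safe course is to examine the disk from a clean system and rebuild rather than to keep cleaning in place.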


