
RE: Uh-oh. Cracked allready. I think...

What to do?

If you really are cracked, wipe the system and start fresh, with recent
copies of ssh and exim.

If I had to make a bet between what is listed, I'd say it was ssh
exploited, because those have been floating around for quite a while.

- James

> -----Original Message-----
> From: Kjetil Kjernsmo [mailto:kjetil.kjernsmo@astro.uio.no] 
> Sent: Thursday, May 23, 2002 11:06 AM
> To: debian-security@lists.debian.org
> Subject: Uh-oh. Cracked allready. I think...
> Dear all,
> Please accept my apologies for not lurking. I got my first 
> own server box in server-hosting last week, and I thought I 
> configured it well, but it appears to be cracked already. 
> :-( Well, I'm a real newbie, and so I'm having a steep learning curve.
> At least I can't remember installing gnutella on it, yet, 
> nmap says it runs there... So I'm seeking advice. 
> To address this first: It is the gnutella server that causes 
> alarm, so is there anything I could have done that would 
> install gnutella but escape my attention? I certainly never 
> did apt-get install gnutella (I tried apt-get remove gnutella 
> yesterday, with no effect). Is it likely that if I don't know 
> how it got there, it has been installed by a cracker? I've tried 
> to telnet 6346 but get no connection.
> The story is that I installed Woody on three boxes, two 
> workstations, and a server, starting at the beginning of May, 
> using my old University network and installing most of it 
> from network. I read most of "Securing Debian Manual". I 
> disregarded most of the stuff that had to do with people 
> having physical access to the box, that shouldn't represent a 
> threat. I disabled everything that had to do with cleartext 
> passwords. I must admit that I left fingerd, and that I 
> export some NFS-things. 
> I have shadow passwords and MD5 passwords. I also have inetd. 
> I didn't really understand that much of the PAM stuff, but 
> there aren't going to be many users on this system, and all 
> users will be able to perform the same tasks. I tried to set 
> the suggested PermitRootLogin for ssh to no, but ssh gave me 
> some message that I thought meant it didn't recognize it. 
> Besides, updating stuff would be hard so I have sshed to the 
> root account many times. I compiled in IPtables in the 
> kernel, but I haven't read up on how to use it. I have also 
> installed some of the harden packages. 
> Last night, I thought my system was running quite well, 
> though I had noticed gnutella running. I figured it was time 
> to run nessus, so I did. 
> It seems to report many holes, some holes that I guess would 
> be exploitable. I put the report on 
> <URL: http://www.astro.uio.no/~kjetikj/tmp/pooh-nessus-2002-22-05.html >

I first made sure these ~/.qpopper-options wouldn't be read, so that's
taken care of. There are lots of complaints about OpenSSH there, and the
SMTP server (Exim). So, what to do about these things...?

If it has been cracked, what should I do? I could run up to my hosts and
have them turn it off, I guess. But then what? I have really no clue
what happened, and while I could turn off some more services, it seems
like the biggest security problems are with ssh and smtp, that is,
OpenSSH and Exim, so would a clean reinstall help a lot? 

Unfortunately, I can't report a break-in to the police. The computer
crime police here in Norway has a political agenda I despise, and I
don't want to give them any legitimacy. 


-- 
Kjetil Kjernsmo
Recent astrophysics graduate                  Problems worthy of attack
University of Oslo, Norway            Prove their worth by hitting back
E-mail: kjetikj@astro.uio.no                                - Piet Hein
Homepage <URL:http://folk.uio.no/kjetikj/>
Webmaster@skepsis.no                            OpenPGP KeyID: 6A6A0BBC



To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
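
The question raised in the thread (is something really listening on port 6346, and which program owns it?) can be answered from the host's own socket table. The following is an added example, not part of either message: it parses text in `/proc/net/tcp` layout, flags listeners outside an expected set, and maps a socket inode back to its process. The sample table, the `EXPECTED_PORTS` set and all function names are assumptions made for illustration.

```python
# Added example: find listening TCP ports in /proc/net/tcp-format text and
# flag any that are not expected. All sample data below is constructed.
import os

EXPECTED_PORTS = {22, 25}  # assumption: only sshd and the SMTP server should listen

# Constructed sample in /proc/net/tcp layout (st 0A = LISTEN, 01 = ESTABLISHED).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1 0 0
   1: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1305 1 0 0
   2: 00000000:18CA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4242 1 0 0
   3: 0A000005:0016 0A000009:C001 01 00000000:00000000 00:00000000 00000000     0        0 5000 1 0 0
"""

def listening_sockets(text):
    """Return sorted [(port, uid, inode)] for every socket in LISTEN state."""
    found = []
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 10 or f[3] != "0A":         # keep LISTEN entries only
            continue
        port = int(f[1].rsplit(":", 1)[1], 16)  # local port is stored as hex
        found.append((port, int(f[7]), int(f[9])))
    return sorted(found)

def unexpected(text, expected=EXPECTED_PORTS):
    """Listeners whose port is not in the expected set."""
    return [s for s in listening_sockets(text) if s[0] not in expected]

def owner_of(inode, proc="/proc"):
    """Return (pid, exe path) of the process holding a socket inode, or None."""
    target = "socket:[%d]" % inode
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid), os.readlink(os.path.join(proc, pid, "exe"))
        except OSError:                          # process exited or not readable
            continue
    return None

if __name__ == "__main__":
    for port, uid, inode in unexpected(SAMPLE):
        print("unexpected listener: port %d uid %d inode %d" % (port, uid, inode))
```

On a live system, pass the contents of `/proc/net/tcp` instead of `SAMPLE` and run as root so `owner_of` can read other processes' descriptors. If the host is already compromised, its kernel and tools may not report sockets honestly, so an empty result does not clear the machine.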
