[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Uh-oh. Cracked allready. I think...



Unfortunately, this reply will be a lot of 'should haves'. There's not
much you can do after the fact. 

On Thu, May 23, 2002 at 05:06:23PM +0200, Kjetil Kjernsmo wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
--snip--
> The story is that I installed Woody on three boxes, two workstations, and
> a server, starting at the beginning of may, using my old University
> network and installing most of it from network. I read most of "Securing
> Debian Manual". I disregarded most of the stuff that had to do with people
> having physical access to the box, that shouldn't represent a threat. I
> disabled everything that had to do with cleartext passwords. I must admit
> that I left fingerd, and that I export some NFS-things. 

Woody.... ahh woody. It's always been told to me (by someone who's even
on this list and on the debian security team) that 'Potato' should be
the only thing that's really trusted ("trusted") for security in Debian.
It's supposed to get security updates first. Arguments of the debian
release system aside, that's the general plan of debian it seems. You
shouldn't have used woody for a remote box. 

> 
> Last night, I thought my system was running quite well, though I had
> noticed gnutella running. I figured it was time to run nessus, so I did. 
> It seems to report many holes, some holes that I guess would be
> exploitable. I put the report on 
> <URL: http://www.astro.uio.no/~kjetikj/tmp/pooh-nessus-2002-22-05.html >
> 

Great. And how does this compare to the baseline nessus you ran before
you made the box totally public? Or didn't you run it to start with? 

> If it has been cracked, what should I do? I could run up to my hosts and
> have them turn it off, I guess. But then what? I have really no clue what
> happened, and while I could turn off some more services, it seems like the
> biggest security problems are with ssh and smtp, that is, OpenSSH and
> Exim, so would a clean reinstall help a lot? 

Try installing chkrootkit. I'm not sure if it's apt-getable. If it
isn't, install it from source. And even then, if you think it's been
cracked, it probably was. However, talk to all your users and see what
they say. I assume this is a 'friends access' type box. How well do you
know all these friends? Have you met them all IRL? 

If your box has been cracked, the only real solution is to reinstall it.
Have your host shut it off and ship it back, or go get it. Don't leave
it online. It will become a place where the crackers invite friends to
do things and a jumping off point for attacks to other networks. And you
might be held responsible by your provider. 


Test for root kits, if yes, reinstall it. Don't trust it until you do. 

> Unfortunately, I can't report a break-in to the police. The computer crime
> police here in Norway has a political agenda I despice, and I don't want
> to give them any legitimacy. 

Well, there's not much most police will do about this. Most police don't
know enough about this. (Some do! And nothing against them please, but
most police just ship out all computer crime to overloaded state crime
labs). 

> Recent astrophysics graduate                  Problems worthy of attack
> University of Oslo, Norway            Prove their worth by hitting back
> E-mail: kjetikj@astro.uio.no                                - Piet Hein
> Homepage <URL:http://folk.uio.no/kjetikj/>
> Webmaster@skepsis.no                            OpenPGP KeyID: 6A6A0BBC

Hey, debian security ain't rocket science, but a rocket science degree
can't hurt  :) 

> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (OSF1)
> Comment: For info see http://www.gnupg.org
> iD8DBQE87QV/lE/Gp2pqC7wRAnOwAKClkxaNInxG+/59Z+67CmyY6vzJyQCgmHl5
> dXGHMoenwxKHE2bQZQWI308=
> =VSU4
> -----END PGP SIGNATURE-----

Oh, and you'll want to revoke your PGP key if it was on this box, as you
can't trust your PGP keys anymore either. If you go around with this
same key and your private key was on a hacked box, that's bad. 


Best of luck.


j


-- 
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org



Reply to: