
Re: Advice Needed On Recent Rootings



On Sun, 2003-05-25 at 19:04, Jayson Vantuyl wrote:
> We've had a number of hacked boxen recently.  It appears a certain
> person (Romanian we think) is specifically targeting us and our
> customers (looks like he hit a machine and found connections from others
> in their logs, went from there).

> The part that bothers me is that all of these systems were updated to
> the newest versions on debian.security.org (if apt-get was doing its
> job) and firewalled down to just the ports we needed (22, 25, 53, 80).

Did those machines have kernels with the ptrace vulnerability?
Did they have interactive users logging in from less secure machines?

Recently, a friend of mine also had some compromised Debian machines,
attacked from Romania and elsewhere.  His personal machine was
successfully attacked twice:

We didn't make a careful analysis, but it is possible that a Samba
vulnerability was exploited for the first attack, since he had not made
security updates for a few months.

After that he made a fresh install and took proper care of updates from
debian.security.org, but... after a few days his machine was compromised
again; this time we believe the attack was performed through another
machine, running some Mandrake release which was lacking security
updates.  The main user of this Mandrake system is also a regular user
on my friend's machine, and somehow the intruder took advantage
of that to reach the Debian machine as that "normal" user.  The only known
vulnerability on my friend's machine at the time was... the kernel
with the ptrace vulnerability, which the intruder may have exploited
(in fact we found an exploit for that among the intruder's files in the
Mandrake machine).

Best regards
                   J Esteves
