Re: Advice Needed On Recent Rootings
One point I would make is to absolutely take the hacked boxes out of
service and _completely_ rebuild them. Fdisk and format the drives and
only run services which you want on them. The more extra stuff you put
in there, the more the chance of missing something. I would also
consider running iptables to make sure the ports you aren't watching are
blocked. (I have had excellent luck with gShield,
http://muse.linuxmafia.org). I have gShield set up to block most every
port, and have had a very very good experience with it.
Scan the boxes with nmap and nessus before putting them online (both
with and without the firewall rules in place). I gave a presentation on
it to my Linux user group called Reasonably Secure Builds, which is at
http://www.tux.org/~storm. The presentation is about 2 years old, but
still has some good information.
Specific port issues:
22 - There are no known exploits for OpenSSH to my knowledge. That said,
it is always possible that there is something in the latest version. To
be safe, if you can, avoid version 1 protocol at all costs. ssh v1 is
broken and vulnerable. Use only version 2 if you can.
25 - It is entirely possible this is how the attacker got in. If you can
avoid ftp (by using scp/sftp), do so. This will close 25% of your known
open ports. And anonymous ftp is especially vulnerable.
53 - BIND has been a source of vulnerabilities. Make sure you are
running the latest version of BIND. BIND 9.2.2 is probably fairly safe.
Avoid BIND 4 and if you have to use BIND 8, make sure it is the latest
(8.3.4). But if you are running BIND 8, you could probably upgrade to 9.
(this, of course, on the assumption that you are running BIND in the
first place. I can't speak to other name server packages.)
80 - make sure you are running the latest and greatest version of
Apache.
And remember, you can never prove you were _not_ 0wned, you can only
prove that you were.
HTH,
On Sun, 2003-05-25 at 14:04, Jayson Vantuyl wrote:
> We've had a number of hacked boxen recently. It appears a certain
> person (Romanian we think) is specifically targeting us and our
> customers (looks like he hit a machine and found connections from others
> in their logs, went from there).
>
> We have no idea how he's getting in, but we've got his rootkit fairly
> nailed down (he uses a few slightly different ones).
>
> We've caught a few systems as he was breaking in (we have
> .bash_history files and the site he downloads his rootkits from).
>
> The part that bothers me is that all of these systems were updated to
> the newest versions on debian.security.org (if apt-get was doing its
> job) and firewalled down to just the ports we needed (22, 25, 53, 80).
>
> My boss is thinking they might have some sort of crack for OpenSSH (only
> service I can say all of these have in common) and he's considering
> trying a switch to the nonfree one just to see if it helps.
>
> While I don't like this (OpenSSH is open and it should be that way), has
> anyone else had this kind of experience? Is there some big hack I
> should know about?
>
> I've checked CERT and the SANS list. Both of them were helpful, but
> most of the answers said "run the newest version of X", which I have
> assumed apt-get fixed (in stable at least). I mean, some versions were
> older, but I had heard most of them had backported fixes. Is this
> happening to anyone else?
>
> I'm at a complete loss as to how to explain this one, help would be
> appreciated. The only comforting thought is that I can't imagine Redhat
> would have done any better.
>
> Jayson Vantuyl
> Computing Edge, Inc.
--
--Brad
============================================================================
Bradley M. Alexander |
gTLD SysAdmin, Security Engineer | storm [at] tux.org
Debian/GNU Linux Developer | storm [at] debian.org
============================================================================
Key fingerprints:
DSA 0x54434E65: 37F6 BCA6 621D 920C E02E E3C8 73B2 C019 5443 4E65
RSA 0xC3BCBA91: 3F 0E 26 C1 90 14 AD 0A C8 9C F0 93 75 A0 01 34
============================================================================
Of all of the things I have lost, I think I miss my mind the most.
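Brad's suggestion to scan a rebuilt box before it goes back online, both with and without the firewall rules loaded, and to confirm that only the intended ports (22, 25, 53 and 80 in Jayson's case) answer, can be made a repeatable pre-deployment check. This is an added example, not code from the thread; it assumes a plain TCP connect test from a host that can reach the target, and the loopback listener is only a constructed fixture for exercising the check offline.

```python
import socket
from typing import Iterable, Set

# Ports the poster's firewall was meant to leave open.
EXPECTED_OPEN = {22, 25, 53, 80}


def tcp_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if a TCP connect to host:port succeeds, i.e. something answers there."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> Set[int]:
    """Connect-scan the given ports and return the set that accepted a connection."""
    return {p for p in ports if tcp_open(host, p, timeout)}


def exposure_report(observed: Set[int], expected: Set[int] = EXPECTED_OPEN) -> dict:
    """Compare what is reachable with what the firewall policy intends.
    'unexpected' = reachable but not allowlisted (rule gap or stray service);
    'missing'    = allowlisted but not answering (service down or over-blocked)."""
    return {
        "unexpected": sorted(observed - expected),
        "missing": sorted(expected - observed),
        "ok": observed == expected,
    }


def check_host(host: str, ports: Iterable[int],
               expected: Set[int] = EXPECTED_OPEN, timeout: float = 0.5) -> dict:
    """Scan `ports` on `host` and report deviations from the allowlist."""
    return exposure_report(scan(host, ports, timeout), expected)


def loopback_listener() -> tuple:
    """Constructed fixture: a throwaway listener on an ephemeral loopback port,
    standing in for a service, so the check can be run without a real network."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(5)
    return s, s.getsockname()[1]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    result = check_host(target, range(1, 1025))
    print(result)
    sys.exit(0 if result["ok"] else 1)
```

Run it once with the firewall rules loaded and once without, as the advice above says; a non-empty "unexpected" list in the unfirewalled run shows which services the rebuild still left listening.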