
Re: Debian Stable server hacked



Thanx for the replies so far.

Christian Hammers wrote:

Try "nmap" to see which services are reachable from the network.

Port       State       Service
22/tcp     open        ssh
80/tcp     open        http
443/tcp    open        https

from within the campus network adds:

Port       State       Service
21/tcp     open        ftp
139/tcp    open        netbios-ssn

Rich Puhek wrote:

NOTE: Ok, firewalled at the network border, but could poorly-secured
internal windows machines have been used as a springboard for an
attack?
The same goes for the below services, are you sure that all the
machines and people on the same side of the firewall are completely
trustworthy? This is a big hole if you're only firewalling at the
border of your campus network, and have a wide variety of machines
out there...

It's likely that there are numerous compromised systems within the campus, unfortunately. They could have used one of those, that's possible. That means they must have exploited sshd, apache, apache-ssl, proftpd or samba.

bind9 is open to a local 172.20-network (student housing), so is also a candidate... Can't rule it out, but I can't imagine I would be the only one having problems...

mysql is only open to three of my other servers.
snmpd is only open to my monitoring server

Was anyone else logged in at the time? Perhaps one of your admins had
a weak or compromised password?

Nope. No one was logged in at that time. The few logins in the logfile
are accounted for.


Alan James wrote:
Maybe they brute forced the root password ? Do you have
"PermitRootLogin yes" in sshd_config ?

No, I didn't at that moment. But there's no sign of a successful root
login. Not in ps aux, not in netstat and no ssh traffic other than my
own session in tcpdump. I guess a brute-force would show up in the ssh
logfiles. Only thing there is four times "Did not receive identification
string".

You say that you have apache and php4 installed. Are you running any
php applications that may have been compromised ? Although I'd expect
those to leave the attacker with access to www-data rather than root.

Thought of that myself. Checked the apache logfiles and went through the
scripts... I don't have any 'candidates' besides Horde-2.1/Imp-3.1 and squirrelmail-1.4.0. But then there's still the www-data -> root question...

regards,

Thijs Welman
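
The sshd log check discussed in the message above, as an added example that is not part of the original post: it separates "Did not receive identification string" probes from password brute-forcing per source address. The log lines, addresses and the threshold of 5 failures are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in classic syslog/OpenSSH format (not taken from the thread):
# four banner-less probes, six failed root logins, one ordinary login.
SAMPLE_LOG = "\n".join(
    [f"Aug  3 02:11:0{i} srv sshd[81{i}]: Did not receive identification "
     f"string from 192.0.2.10" for i in range(4)]
    + [f"Aug  3 02:14:3{i} srv sshd[82{i}]: Failed password for root "
       f"from 198.51.100.7 port 402{i} ssh2" for i in range(6)]
    + ["Aug  3 09:02:11 srv sshd[901]: Accepted password for admin "
       "from 203.0.113.5 port 1022 ssh2"]
)

PATTERNS = {
    # Client connected but never sent an SSH version banner (port scan, probe).
    "probe": re.compile(
        r"sshd\[\d+\]: Did not receive identification string from (?P<ip>\S+)"),
    # Older sshd logs "illegal user", newer ones "invalid user".
    "failed": re.compile(
        r"sshd\[\d+\]: Failed password for (?:(?:invalid|illegal) user )?"
        r"(?P<user>\S+) from (?P<ip>\S+)"),
    "accepted": re.compile(
        r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)"),
}

def summarize(log_text, threshold=5):
    """Return ({ip: (verdict, event_counts)}, [(user, ip) of accepted logins])."""
    counts = defaultdict(Counter)
    accepted = []
    for line in log_text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                counts[m["ip"]][kind] += 1
                if kind == "accepted":
                    accepted.append((m["user"], m["ip"]))
                break
    report = {}
    for ip, c in counts.items():
        if c["failed"] >= threshold:
            verdict = ("brute-force with accepted login" if c["accepted"]
                       else "brute-force")
        elif c["probe"] and not c["failed"] and not c["accepted"]:
            verdict = "probe only"
        else:
            verdict = "normal"
        report[ip] = (verdict, dict(c))
    return report, accepted
```

Logs on a host that has been rooted may have been edited, so a clean result here is only meaningful when run against a copy kept off the machine, such as a remote syslog server.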






