
Re: Advice Needed On Recent Rootings



On Tue, May 27, 2003 at 11:58:21PM -0500, Jayson Vantuyl wrote:
> He appears to modify the kernel image in memory via /dev/kmem (a
> next-generation LKM attack).  I've considered removing /dev/kmem (does
> anything use it?) but I don't know about any side effects (and it
> doesn't prevent him mknod'ing it).  It appears he actually has some sort

(link below helps here :)

> of kernel-level TTY logger *AND* a kernel-hack to hide files and
> processes.  The only comfort in this is that some of our kernels are
> apparently so exotic that his meddling crashes the machine during the
> break-in (instead of leaving a more compromised system).  In general,
> all of the rootkits are the same flavor (and seem unrelated to the LKM
> stuff).

> Uhhh, that's me.  Trust me when I say I'm as technical as it gets (short
> of the Gods like Linus).  It's not a single machine, it's a whole bunch
> of them.  It's not a password problem either.  He seems to have hacked
> multiple of them within an hour of each other (his rootkit files aren't
> very clever about covering up mtime).  I just can't tell how he got in.
> I've got some process accounting logs to go through, but they're ...
> verbose.

There are many ways of getting into the system. I was running the same
thing and got cracked. Now, grsecurity is the only way to fly :)

http://www.grsecurity.net

Go there, DL the patches and _use_ them. It's a real pain to set up
really tight ACLs, but then even root cannot do anything. So cracking
SSH or something might get him access to the box, but not access to
the entire machine.

Furthermore, if you need to run SSH, don't allow everyone to access
it - only allow access to it from known IP ranges. Why? Because
sshd has to be run SETUID and SETGID. Even with grsecurity this allows
the attacker to delete user data.

With something like sendmail or apache, it only needs to see a very
limited part of the file system, so even breaking these will not do
any real damage.

Also, grsecurity has stack randomization, etc... so buffer overflows
are a guessing game at best.

- Adam

PS. Any exploits against grsecurity? :)
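The "only allow SSH from known IP ranges" advice above, worked through as an added example; this is not code from Adam's post or from grsecurity. The address ranges are hypothetical placeholders (10.0.0.0/8 plus two documentation ranges), the CIDR match is done in plain POSIX shell arithmetic so the allowlist can be checked against addresses from a login log before it is deployed, and the iptables rules are only printed, not applied:

```shell
#!/bin/sh
# Added example (not from the original post): restrict sshd to known source
# ranges.  ALLOWED_SSH_RANGES is a hypothetical allowlist; replace it with
# the ranges your admins actually connect from.
ALLOWED_SSH_RANGES="10.0.0.0/8 192.0.2.0/24 203.0.113.5/32"

# ip_to_int "a.b.c.d" -> unsigned 32-bit integer (printed on stdout)
ip_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS -> exit 0 if IP lies inside NET/BITS, 1 otherwise
in_cidr() {
  ip=$(ip_to_int "$1")
  net=$(ip_to_int "${2%/*}")
  bits=${2#*/}
  # 4294967295 is 0xFFFFFFFF; the final AND keeps the mask in 32 bits
  # even when the shell does 64-bit arithmetic (bits=0 gives mask 0).
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# ssh_allowed IP -> exit 0 if IP is inside any allowlisted range
ssh_allowed() {
  for range in $ALLOWED_SSH_RANGES; do
    if in_cidr "$1" "$range"; then
      return 0
    fi
  done
  return 1
}

# ssh_allowlist_rules -> print iptables rules: ACCEPT each range on tcp/22,
# then DROP everything else that reaches tcp/22.  Printed, not executed,
# so the output can be reviewed before it is run as root.
ssh_allowlist_rules() {
  for range in $ALLOWED_SSH_RANGES; do
    printf 'iptables -A INPUT -p tcp --dport 22 -s %s -j ACCEPT\n' "$range"
  done
  printf 'iptables -A INPUT -p tcp --dport 22 -j DROP\n'
}

# Usage: check a source address against the allowlist, then print the rules.
if ssh_allowed 10.20.30.40; then
  echo "10.20.30.40: allowed"
else
  echo "10.20.30.40: blocked"
fi
ssh_allowlist_rules
```

The ACCEPT rules must come before the DROP rule, since iptables matches in order; putting the DROP first would lock out the allowlisted ranges too. Note that this only narrows who can reach sshd; it does nothing about an attacker who is already on the box, which is the case the grsecurity ACLs are meant for.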


