
Almost hacked!!! any ideas?


otheos
05-12-2001, 03:52 PM
I was cleaning up my Linux server today when I found in the mail queue a message that took the life out of me:


From: root <root>
To: huckit@china.com
Date: Sun, 6 May 2001 00:39:26 +0100
Subject:

EDIT: The contents of my /etc/passwd file and the output of ifconfig


Now, luckily my server cannot send outgoing mail, only local, which is why it got stuck in the queue.
Also I found I had left a # on my /etc/hosts.allow that essentially allowed everyone to telnet/rlogin/rexec/ftp to my box.

I have now fixed that, but I still wonder how he got in in the first place. I mean, you still need a password!!!

I looked at /var/log/messages and it seems it has been edited out; I cannot find anything from 11:45 to 1:15 that night.

Anywhere else I can look to find how he got in?

The box runs RH6.2 and I use a modem to connect, but I usually leave it on 24 hours on weekends (it's free).

Thanks.
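The poster's only lead is a hole in /var/log/messages between 11:45 and 1:15. Below is an added example (not from the thread) that does what he did by eye: parse syslog-style lines in file order and flag any silence much longer than the box's normal logging cadence, noting when the first line after the gap is a syslogd restart. The log lines are constructed, as is the hour-plus threshold (stock Red Hat's hourly cron run means a healthy box rarely goes that long without a line).

```python
"""Find suspicious silences in a syslog-style /var/log/messages.

Added example, not from the thread: a wiped or truncated log shows up as
a gap between consecutive timestamps far longer than the machine's normal
cadence, often followed by a syslogd restart when the daemon was killed
to edit its files. The sample lines below are constructed.
"""
from datetime import datetime, timedelta

# Constructed sample in the classic syslog format (no year field).
SAMPLE_LOG = """\
May  5 23:30:12 box kernel: eth0: link up
May  5 23:40:01 box CROND[411]: (root) CMD (run-parts /etc/cron.hourly)
May  5 23:44:58 box in.telnetd[620]: connect from 10.0.0.9
May  6 01:15:07 box syslogd 1.3-3: restart.
May  6 01:20:01 box CROND[700]: (root) CMD (run-parts /etc/cron.hourly)
May  6 02:01:01 box CROND[733]: (root) CMD (run-parts /etc/cron.hourly)
"""


def parse_syslog_time(line, year):
    """Timestamp of one syslog line; syslog omits the year so the caller supplies it."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def find_gaps(text, year, max_gap=timedelta(hours=1, minutes=10)):
    """Return (start, end, restart_seen) for every silence longer than max_gap.

    Lines are taken in file order. A timestamp that jumps backwards is
    treated as a New Year rollover. restart_seen is True when the first
    line after the gap is a syslogd restart message.
    """
    gaps = []
    prev = None
    for line in text.splitlines():
        try:
            ts = parse_syslog_time(line, year)
        except ValueError:
            continue  # continuation or garbage line without a timestamp
        if prev is not None:
            if ts < prev:
                year += 1
                ts = parse_syslog_time(line, year)
            if ts - prev > max_gap:
                gaps.append((prev, ts, "syslogd" in line and "restart" in line))
        prev = ts
    return gaps


if __name__ == "__main__":
    for start, end, restart in find_gaps(SAMPLE_LOG, 2001):
        print(f"gap of {end - start} from {start} to {end}"
              + (" (syslogd restarted right after)" if restart else ""))
```

Run against the constructed sample it reports one gap of 1:30:09 ending in a syslogd restart. A real investigation would run the same pass over every rotated copy and over the wtmp/lastlog records as well, since an attacker who edits messages often forgets those.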

randy48
05-12-2001, 04:15 PM
otheos, go to: http://www.hackerwacker.com and click on the link for a free trial port scan, it takes quite a while and is more thorough than the scan at GRC! This will let you know what ports are open, then you'll know what to fix!

As far as passwords... cracking most passwords is "kiddie-play"! For a secure password, use a combination of numbers, letters (lower case and caps combined), and other characters, at least 11 characters (always an odd number) long! And also, don't use words, names, or phrases! Here's an example: 4ngRwP*1%da There is NO "dictionary" that can crack this type of password!

bigdadday
05-12-2001, 06:16 PM
randy48
Are you sure of this? Have you tried cracking any codes lately? If not, I'm sure where there is a will there's a way. No, I cannot crack codes, just wondering if there is a foolproof code and if this is what you're saying. BD

randy48
05-12-2001, 06:28 PM
99.99999% of the script kiddies and idiots that get a kick out of hacking/cracking remote machines use programs that run a "dictionary" to find login/passwords! I'll admit that once-upon-a-time, under another alias, I used to play around and was fairly good (got a few temporary analyst jobs). Would a password like that be 100% crack proof? Nothing is! A password made up as I recommended would take approximately 15 hours to manually crack! Not many people are that dedicated! To the best of my knowledge, there aren't any "tools" around that could do it!

big_block_buick
05-12-2001, 07:05 PM
Very strange, I just went to the site randy suggested, and it says I have already had my trial scan, so I logged in under a different user name and it still wouldn't go; it says my IP address has already had its trial scan, and I've never been there before.

blind to truth
05-12-2001, 07:29 PM
They could have got it with a filedropper, but I doubt it. The most logical answer, besides cracking, is that the script kiddie who did this did it with a buffer overflow that exploited something you were running. Go search for exploits of your version of RHL and find a patch.

Mntsnow
05-12-2001, 08:38 PM
Otheos
If you would like, e-mail me your server IP and I will have my port sniffer give you a good going over, and then I can e-mail you back the results of your scans.

pbharris
05-12-2001, 08:49 PM
I make sure I have most ports closed and stay up to date. Also I use ssh. My Red Hat 6.2 box never got rooted (there were quite a few attempts though).
I also stayed up to date and made sure all my packages were updated about once a week (okay, there were a few times I would get lazy and it would be longer...).
Debian is nice for this; apt-get can automate all the updates. I think up2date (the Red Hat tool) can also, not sure if it came with 6.2 though...

psyklone
05-12-2001, 08:55 PM
Almost hacked? If someone is mailing out messages from 'root' (even if they're not getting sent due to system settings, they're still making it as far as your mail queue and that's good enough) and they were able to modify your /var/log/messages (something that only a superuser _should_ have read/write access for), then I'd say the chances are you probably were hacked, and even if you change your root password at this point it won't matter much, because I can almost guarantee that the first thing they did when the system was compromised was slap on a rootkit. That's not good news.

If I were you I'd back up your data (preferably no config files) and flatten that box. As soon as you reinstall, and before you plug the network cable in, install tripwire. I've run tests against this IDS time and time again and have yet to be disappointed. It will tell you what was added/removed/modified and when, and then give you specifics about what happened. www.tripwire.com ... and if you choose to do this and need any assistance writing a policy file I'd be happy to help.

If you want something that will act as more of a preventative than an 'after-the-fact' sorta thing (I recommend both, of course) check out LIDS ... www.lids.org. It essentially provides kernel level system protection.

cheers,

psyklone

otheos
05-13-2001, 01:42 AM
Thank you for your input!

Mntsnow YGM.

As for the almost, I was being sarcastic.

I'm downloading tripwire as I type this and will hopefully give it a try later this afternoon.

I'll let you know what I found.

Thanks again

CMonster
05-13-2001, 05:39 AM
I know the feeling well. We only have our system online (DSL) when we are actually using it, but in spite of this I got attacked a couple of months ago. I believe that I caught him while he was trying to install a rootkit. I think he went right through a hole in my ipchains created by a trojan in a utility called "Firestarter" that I downloaded from an untrusted source. However, the offending IP address was logged, and when I traced the address back it turned out to be an FTP archive at Sourceforge that contained, of all things, a rootkit and a password utility.

Not knowing the extent of the damage - I formatted.

Since then I have tightened security somewhat to say the least. I now use PM firewall as a config utility for ipchains, created new passwords, killed off unnecessary services, my hosts.deny file looks like "All:All," and of course I keep my packages a little more up to date.
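Both otheos's stray "#" in /etc/hosts.allow and CMonster's "ALL:ALL" in hosts.deny come down to how tcpd evaluates the two files. The following is an added example, not from the thread and not the tcp_wrappers source: a small simulator of the decision order documented in hosts_access(5), which is allow-file match grants, then deny-file match refuses, and if neither file matches the connection is allowed. It covers only the syntax used in the posts (ALL, exact addresses, "10.0.0." prefixes, net/mask and EXCEPT lists; hostname patterns are left out), and the two configuration files are constructed to show how commenting out the single deny rule opens every wrapped service.

```python
"""Replay tcp_wrappers (tcpd) access decisions from hosts.allow/hosts.deny.

Added example, not from the thread and not the tcpd source. Implements the
order from hosts_access(5): hosts.allow match -> allow, hosts.deny match
-> deny, no match anywhere -> ALLOW. Supported client patterns: ALL, exact
addresses, trailing-dot prefixes, net/mask, and EXCEPT lists. Hostnames
are out of scope. The configuration files below are constructed.
"""
import ipaddress


def _rules(text):
    """Yield logical rules; skip blank and '#' lines, join '\\' continuations."""
    pending = ""
    for raw in text.splitlines():
        if not pending and (not raw.strip() or raw.lstrip().startswith("#")):
            continue
        if raw.rstrip().endswith("\\"):
            pending += raw.rstrip()[:-1] + " "
            continue
        yield (pending + raw).strip()
        pending = ""


def _client_matches(pattern, ip):
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                 # network prefix such as "10.0.0."
        return str(ip).startswith(pattern)
    if "/" in pattern:                        # "net/mask" in dotted form
        return ip in ipaddress.ip_network(pattern, strict=False)
    return str(ip) == pattern                 # exact address


def _list_matches(field, matcher):
    """Evaluate a daemon or client list, honouring 'a b EXCEPT c d'."""
    tokens = field.replace(",", " ").split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (_list_matches(" ".join(tokens[:i]), matcher)
                and not _list_matches(" ".join(tokens[i + 1:]), matcher))
    return any(matcher(tok) for tok in tokens)


def _file_matches(text, daemon, ip):
    for rule in _rules(text):
        fields = rule.split(":")          # daemon_list : client_list [: command]
        if len(fields) < 2:
            continue
        if (_list_matches(fields[0], lambda d: d in ("ALL", daemon))
                and _list_matches(fields[1], lambda c: _client_matches(c, ip))):
            return True
    return False


def tcpd_decision(hosts_allow, hosts_deny, daemon, client_ip):
    """'allow' or 'deny' for daemon (e.g. 'in.telnetd') connecting from client_ip."""
    ip = ipaddress.ip_address(client_ip)
    if _file_matches(hosts_allow, daemon, ip):
        return "allow"
    if _file_matches(hosts_deny, daemon, ip):
        return "deny"
    return "allow"  # documented default: no match anywhere means access granted


# Constructed configs: the LAN gets every wrapped service, the 10.0.0.
# segment everything but telnet, and hosts.deny closes the door to the rest.
HOSTS_ALLOW = """\
# local networks only
ALL: 192.168.1.0/255.255.255.0
ALL EXCEPT in.telnetd: 10.0.0.
"""
HOSTS_DENY = "ALL: ALL\n"
# The same deny file after someone "temporarily" commented out its only rule.
HOSTS_DENY_COMMENTED = "#ALL: ALL\n"

if __name__ == "__main__":
    for deny in (HOSTS_DENY, HOSTS_DENY_COMMENTED):
        verdict = tcpd_decision(HOSTS_ALLOW, deny, "in.telnetd", "203.0.113.7")
        print(f"hosts.deny = {deny.strip()!r}: telnet from the Internet -> {verdict}")
```

The practical check this encodes is the one the poster learned the hard way: tcp_wrappers is deny-by-default only as long as the "ALL: ALL" line in hosts.deny is live, so after editing either file test an address that should be refused, not just one that should get in. Note too that tcpd only guards services started through it from inetd; anything listening on its own is untouched by these files.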

psyklone
05-13-2001, 08:42 AM
otheos ..

Just so you know, tripwire won't tell you anything about an attack unless it was installed prior to the attack. Basically what it does is build a checksum database of the files on your system that you want it to watch ... things like config files, boot files, etc. Once the database is in place and you run your policy against it, that's how it knows that files were added/deleted/modified.

cheers,

psyklone
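To make psyklone's point concrete, here is an added example (not from the thread and not tripwire's code) of the mechanism described: a baseline of file digests and permission bits taken while the tree is known good, and a later verify pass that diffs the current tree against it. The demo builds a throwaway temporary directory, baselines it, then simulates the kind of tampering discussed above (an extra UID-0 line in passwd, the deny rule deleted, a binary dropped in) and reports what changed. Because the baseline is computed from whatever is on disk at the time, a database built after the break-in certifies the attacker's versions, which is why it does nothing for this incident.

```python
"""Minimal file-integrity baseline in the spirit of tripwire.

Added example, not from the thread and not tripwire's own code. It keeps
a database of SHA-256 digests, sizes and mode bits for every regular file
under a root, then compares the live tree against that database to list
added, removed and modified paths. The tree used by demo() is a
constructed temporary directory, not real system files.
"""
import hashlib
import json
import os
import stat
import tempfile


def _digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (forward-slash relative path) to its properties."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets etc. would need their own handling
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            db[rel] = {"sha256": _digest(full),
                       "mode": oct(st.st_mode & 0o7777),
                       "size": st.st_size}
    return db


def verify(root, baseline):
    """Diff the live tree against a baseline; a mode change alone counts as modified."""
    current = build_baseline(root)
    both = set(current) & set(baseline)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(p for p in both if current[p] != baseline[p])}


def save_baseline(db, path):
    """Write the database; in practice this goes to read-only media the attacker cannot reach."""
    with open(path, "w") as f:
        json.dump(db, f, indent=1, sort_keys=True)


def demo():
    """Constructed tree: baseline it, tamper with it, return the verify report."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(os.path.join(etc, "hosts.deny"), "w") as f:
            f.write("ALL: ALL\n")
        baseline = build_baseline(root)
        save_baseline(baseline, os.path.join(root, "baseline.json"))

        # Simulated tampering: second UID-0 account, deny rule gone, dropped binary.
        with open(os.path.join(etc, "passwd"), "a") as f:
            f.write("toor:x:0:0::/:/bin/sh\n")
        os.remove(os.path.join(etc, "hosts.deny"))
        os.makedirs(os.path.join(root, "usr", "sbin"))
        with open(os.path.join(root, "usr", "sbin", "in.telnetd"), "wb") as f:
            f.write(b"\x7fELF not the real telnetd")
        return verify(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The report lists etc/passwd as modified, etc/hosts.deny as removed and usr/sbin/in.telnetd as added (baseline.json itself also shows up as added, since it was written after the baseline was taken, which is a reminder to keep the database outside the watched tree). The real tool adds a policy language, signed databases and inode/ownership tracking on top of this idea.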

Mntsnow
05-13-2001, 09:58 AM
O,

YGM back :)

otheos
05-14-2001, 09:23 AM
Thanks again for the input everyone.

Well, Sunday was a glorious day (not the usual stuff here in Wales), so I shut the thing down and went out sailing, great time! (no wonder you didn't hear from me Mntsnow :-)

Last night I took some time to wipe the system clean and install 6.2 fresh from the start (although I should have used 7.1, but 6.2 works so....), redid my tcp wrappers, and set the firewall to higher security. After all, it was a big hole in my hosts.allow file that allowed him/her access.

I did some tests and it looks safe, but you never know (so Mntsnow, I will be in contact once I have a static IP again.)

Thanks again and take care of your system's security.

RobRich
05-14-2001, 11:23 AM
Passwords? Why bother even trying to run a dictionary in order to brute force entry into a Linux box. A simple TCP/IP fragment exploit to create a machine code overrun to execute a custom assembly program works much more efficiently. In similar order, IPChains has so many security holes it is not even funny. But that is from my personal experience. ;)

Catch ya' later,
Robert Richmond

CMonster
05-14-2001, 01:10 PM
If you want the once-and-for-all about secure Linux check this out: http://www.nsa.gov/releases/selinux_01022001.html The infamous NSA has released a secure Linux under the GPL - that means including the source code, so no hidden NSA back-doors. If you really want to bullet proof your computer system you should give this a look.

"Both the President's National Coordinator for Security,
Infrastructure Protection, and Counter-Terrorism and the
President's Information Technology Advisory Committee have
recently called for increasing the federal government's role as both
user and contributor to open source software. "Open source
software plays an increasingly important role in federal IT systems.
I'm delighted the NSA's security experts are making this valuable
contribution to the open source community," said Jeffery Hunker,
Senior Director for Critical Infrastructure at the White House
National Security Council."


RobRich
05-14-2001, 01:33 PM
The NSA version incorporates several advanced options for increased security, but the base network layer is still the standard Linux TCP/IP implementation. Thus, this distribution can still be compromised with a moderate amount of effort. May I recommend alt.2600 for further research?

Linux is a great OS, but it is not the most secure solution I've seen. Perhaps one of the more complex to hack OSes I've seen is VMS. According to my research, gaining access is a limited issue, but VMS can be set to log all command operations to several hidden/encrypted files, even at the root user level.

Robert Richmond

CMonster
05-14-2001, 03:51 PM
VMS - ah yes, the mother of Windows NT

CMonster
05-14-2001, 03:57 PM
Windows security - just like we always suspected: "Last Thursday, Microsoft admitted its engineers planted a secret password in its software that could be used to gain illegitimate access to hundreds of thousands of Internet sites worldwide. Two security experts discovered the code, which was written during the dispute between Netscape and Microsoft over their versions of Internet-browser software.

While the software giant acknowledges that the function was "absolutely against our policy," it plans to alert customers as soon as possible with an e-mail bulletin and advisory published on its corporate Web site. The company is also asking customers to delete the computer file called "dvwssr.dll", which contains the offending code. It is installed on Microsoft's Internet-server software with FrontPage 98 extensions." http://smallbusiness.yahoo.com/entrepreneur.html?s=smallbiz/articles/20010514/microsoft_ackno
