[luau] RH 9 server hacked -- what went wrong?

Jaymes Schooler jimsch at ichgroup.com
Fri Aug 22 09:54:00 PDT 2003


I recently had the same thing happen to one of my web servers.  They were
able to gain access through the news service, which I had inadvertently left
running at installation time.  Then they promoted the news user to uid 0 and
were able to gain root privileges.  They also created a user called
"system" with uid 0.  My final option was to disconnect, remove the rootkits
and change all passwords.  I also set nologin for the user news, secured
that service, and changed my firewall configuration to not allow ssh through
on the outside interface.  Right now the only services I am allowing to
pass on the outside interface are web, secure web, dns, smtp and pop3.  I
also have these services inspected at the router to ensure they go where
they're supposed to.

Also, it didn't help that, with the rootkits installed, they were e-mailing my
passwd, passwd-, shadow and shadow- files to what appeared to be some server
in California.  Further investigation indicated that those were arp spoofed,
so I really don't know where it went.  If you haven't done so, you should
also make a report to CERN...

-----Original Message-----
From: luau-admin at videl.ics.hawaii.edu
[mailto:luau-admin at videl.ics.hawaii.edu]On Behalf Of Rob Bootsma
Sent: Friday, August 22, 2003 9:33 AM
To: luau at videl.ics.hawaii.edu
Subject: [luau] RH 9 server hacked -- what went wrong?


Hi all,

I just recently set up a RH 9 server (less than a week ago), and it has
already been hacked.  I know I'm going to have to reinstall, but I was
hoping to find out what vulnerability was exploited so it doesn't happen
again next time.  I don't think any passwords were cracked.  They must
have used some other known exploit.  But which one?

Here's what I know.  It looks like they installed some sort of IRC
relay.  It also seems that they tampered with sshd and samba.  Some of
the packages from the rootkit they used include kool.tar.gz,
psybnc.tar.gz, rkid.tar.gz, and smas.tgz (there may be others).  Does
anyone know what these do?  Syslog was also tampered with (this was my
first clue).  Chkrootkit shows ifconfig, login, and pstree as infected.

So my question is, how did they get root?  Well, I guess they used this
rootkit, but how did they manage to install that?  Where is the
vulnerability?  If anyone has any suggestions of what to look for before
I wipe out this box, it would be greatly appreciated.

Aloha,
Rob
_______________________________________________
LUAU mailing list
LUAU at videl.ics.hawaii.edu
http://videl.ics.hawaii.edu/mailman/listinfo/luau
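The following is an added example and is not code from either poster. It turns the two symptoms described in this thread (a second uid-0 account such as "system", and a service account like news that still has a login shell) into shell checks that work on any passwd-format file, so they can be run against a copy pulled off the compromised box as well as on a live system. The sample passwd lines are constructed for the example, the watched service-account list is an assumption, and the RPM package names used to verify the binaries chkrootkit flagged are the assumed RH 9 ones.

```shell
#!/bin/sh
# Added example, not code from the thread. Triage checks for the symptoms
# the posters describe: an extra uid-0 account and a service account that
# can still log in, plus an RPM verification of the flagged binaries.

# List every account with uid 0 whose name is not "root".
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# List watched service accounts whose shell is neither nologin nor /bin/false.
# The watched list is an assumption for this example; extend it as needed.
service_accounts_with_shell() {
    awk -F: '
        BEGIN {
            n = split("news daemon lp mail uucp games gopher ftp", svc, " ")
            for (i = 1; i <= n; i++) watch[svc[i]] = 1
        }
        ($1 in watch) && $7 !~ /nologin$/ && $7 != "/bin/false" {
            print $1 ":" $7
        }
    ' "$1"
}

# Verify the binaries chkrootkit flagged against the RPM database.
# Package names are assumed RH 9 ones: ifconfig is in net-tools, login in
# util-linux, pstree in psmisc. A rootkit can replace rpm itself, so treat
# a clean result as weak evidence and prefer running this from rescue media
# or against a mounted image of the disk.
verify_flagged_binaries() {
    rpm -V net-tools util-linux psmisc
}

# Constructed sample passwd modelled on the thread (not a real capture).
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
news:x:9:13:news:/etc/news:/bin/bash
system:x:0:0::/tmp:/bin/sh
rob:x:500:500:Rob:/home/rob:/bin/bash
EOF

echo "uid-0 accounts other than root:"
extra_uid0_accounts "$SAMPLE_PASSWD"         # prints: system
echo "service accounts with a login shell:"
service_accounts_with_shell "$SAMPLE_PASSWD" # prints: news:/bin/bash

# On a live box, run the same checks against the real file:
#   extra_uid0_accounts /etc/passwd
#   service_accounts_with_shell /etc/passwd
#   verify_flagged_binaries
```

The checks read only the passwd file, so they are safe to run against a file copied from the compromised host before the reinstall; any account they print is something to explain before trusting the rest of the box.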