[luau] RH 9 server hacked -- what went wrong?

Keith krjw at optonline.net
Fri Aug 22 10:26:01 PDT 2003


* Rob Bootsma <rbootsma at comtelhi.com> [22/08/2003 1533EDT]:
> Hi all,

Aloha.

> I just recently set up a RH 9 server (less than a week ago), and it has
> already been hacked.  I know I'm going to have to reinstall, but I was
> hoping to find out what vulnerability was exploited so it doesn't happen
> again next time.  I don't think any passwords were cracked.  They must
> have used some other known exploit.  But which one?

Firewalls are your friend.  These days they are so cheap, even for home
use, that there is no reason not to have one.  It is in your best
interest to have one, set up an inbound default policy of DENY for at
least all privileged ports and only open up those that you absolutely
need.  Then, if you get hacked, it would be easier to determine the
vulnerable service.

I like RH but they have a habit of enabling nearly every service by
default. 98% of the time there is no need for this.  Another good
practice is, after installing and before plugging the cat5 into your
NIC, run through your default runlevel's rc directory and turn all
unnecessary services off with chkconfig.  Issue a

	bash$ chkconfig --list | grep :on

to see what is enabled.  You'll see that there is a lot enabled by
default, depending of course on what you've installed.

> Here's what I know.  It looks like they installed some sort of IRC
> relay.  It also seems that they tampered with sshd and samba.  Some of
> the packages from the rootkit they used include kool.tar.gz,
> psybnc.tar.gz, rkid.tar.gz, and smas.tgz (there may be others).  Does
> anyone know what these do?  Syslog was also tampered with (this was my
> first clue).  Chkrootkit shows ifconfig, login, and pstree as infected.

Both ssh and samba have troubled histories, although not nearly as bad
as something like sendmail.  :) Investigate the openssh and samba web
sites for security bulletins.  re ssh: no matter what the circumstance,
you should *never* have protocol v1 enabled on your sshd.  Use 2 and 2
only.  v1 is broken.

Read up on the linux security howto.  Find a copy at
http://www.tldp.org/ .

> So my question is, how did they get root?  Well, I guess they used this
> rootkit, but how did they manage to install that?  Where is the
> vulnerability?  If anyone has any suggestions of what to look for before
> I wipe out this box, it would be greatly appreciated.

You might be able to find proof of the exploit and hence what was
exploited.  Look for file names with weird characters (might be proof of
a format string vulnerability, common to things like wu-ftpd).  Look
through whatever logs you have and look carefully.

In the future think about using something like Tripwire for intrusion
detection if you are really paranoid.  If you have programming skills
there are a number of interesting IDS methods you can whip up using
perl, cvs, and ssh.  (Linux Journal had an article or two not too long
ago...)


> Aloha,
> Rob


Regards,
krjw.
-- 
Keith R. John Warno                  [k r j w  at  optonline dot net]
"It's your money. You paid for it."
       -- George "Dubuhyuh" Bush, LaCrosse, Wis., Oct. 18, 2000
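An added example, not part of the thread above, that mechanizes the chkconfig
audit Keith describes: parse the `chkconfig --list` output, keep only the
services on an allowlist for the default runlevel, and emit the `chkconfig ...
off` commands for everything else (including enabled xinetd-managed services).
The listing and the allowlist (`sshd syslog network`, for an ssh-only box) are
constructed for the example and are assumptions, not from the original post.

```shell
#!/bin/sh
# Added example: audit a RH 9 style `chkconfig --list` listing against an
# allowlist and print the chkconfig commands that would turn the rest off.
# Nothing here touches the system; the output is a plan you can review.

# Constructed sample of `chkconfig --list` output (assumption: RH 9 format,
# SysV services first, then the "xinetd based services:" section).
SAMPLE_LIST='sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
smb             0:off   1:off   2:off   3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
nfs             0:off   1:off   2:off   3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        telnet: on
        finger: off'

# Services this box genuinely needs (assumption: an ssh-only server).
ALLOW="sshd syslog network"

# enabled_in_runlevel LEVEL LISTING
#   prints the SysV service names that are ":on" in runlevel LEVEL
enabled_in_runlevel() {
    printf '%s\n' "$2" | awk -v lvl="$1" '
        /xinetd based services/ { exit }   # SysV section is over
        /^[[:space:]]/          { next }   # defensive: skip indented lines
        { for (i = 2; i <= NF; i++) if ($i == (lvl ":on")) print $1 }'
}

# xinetd_enabled LISTING
#   prints the xinetd-managed service names that are "on"
xinetd_enabled() {
    printf '%s\n' "$1" | awk '
        /xinetd based services/ { inx = 1; next }
        inx && $2 == "on"       { sub(":", "", $1); print $1 }'
}

# not_allowed ALLOWLIST   (service names on stdin)
#   passes through only the names that are not in ALLOWLIST
not_allowed() {
    while read -r svc; do
        keep=0
        for a in $1; do
            [ "$svc" = "$a" ] && keep=1
        done
        if [ "$keep" -eq 0 ]; then printf '%s\n' "$svc"; fi
    done
}

# to_disable LEVEL LISTING ALLOWLIST -> SysV services to switch off
to_disable() {
    enabled_in_runlevel "$1" "$2" | not_allowed "$3"
}

# xinetd_to_disable LISTING ALLOWLIST -> xinetd services to switch off
xinetd_to_disable() {
    xinetd_enabled "$1" | not_allowed "$2"
}

# plan LEVEL LISTING ALLOWLIST -> the chkconfig commands, one per line
plan() {
    to_disable "$1" "$2" "$3" | while read -r svc; do
        printf 'chkconfig --level %s %s off\n' "$1" "$svc"
    done
    xinetd_to_disable "$2" "$3" | while read -r svc; do
        printf 'chkconfig %s off\n' "$svc"
    done
}

# Dry run against the constructed sample. On a real box, before the cable
# goes in:  LISTING=$(chkconfig --list); plan 3 "$LISTING" "$ALLOW" | sh
plan 3 "$SAMPLE_LIST" "$ALLOW"
```

Review the plan before piping it to sh; the allowlist is the only policy in the
script, so anything you forget to list (e.g. `crond`) will be switched off.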