[luau] RH 9 server hacked -- what went wrong?

Rob Bootsma rbootsma at comtelhi.com
Fri Aug 22 14:36:01 PDT 2003


Thanks, everyone, for sharing your comments.

No, this box was not firewalled, nor had I applied any security patches.
I had every intention of doing so, I just didn't realize I'd get hit so
quickly.  Like I said, it had only been up for a few days (and for most
of that time it was not even reachable from the Internet).

I admit, this box was pretty wide open.  Still, I'm curious to know
which exploit was used.  Here's the output of nmap.  (Sorry, Hoala, I
pulled this box off the Net as soon as I verified the hack.  I still
have the internal interface up).

Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
53/tcp     open        domain
80/tcp     open        http
110/tcp    open        pop-3
111/tcp    open        sunrpc
139/tcp    open        netbios-ssn
143/tcp    open        imap2
443/tcp    open        https
445/tcp    open        microsoft-ds
783/tcp    open        hp-alarm-mgr
953/tcp    open        rndc
993/tcp    open        imaps
995/tcp    open        pop3s
1241/tcp   open        msg
1723/tcp   open        pptp
10000/tcp  open        snet-sensor-mgmt

I'll take this as a painful but good learning experience.  Luckily there
was no data on the box yet.  If this had happened a week from now, I'd
be a lot worse off.

Rob

-----Original Message-----
From: luau-admin at videl.ics.hawaii.edu
[mailto:luau-admin at videl.ics.hawaii.edu] On Behalf Of Rob Bootsma
Sent: Friday, August 22, 2003 9:33 AM
To: luau at videl.ics.hawaii.edu
Subject: [luau] RH 9 server hacked -- what went wrong?

Hi all,

I just recently set up a RH 9 server (less than a week ago), and it has
already been hacked.  I know I'm going to have to reinstall, but I was
hoping to find out what vulnerability was exploited so it doesn't happen
again next time.  I don't think any passwords were cracked.  They must
have used some other known exploit.  But which one?

Here's what I know.  It looks like they installed some sort of IRC
relay.  It also seems that they tampered with sshd and samba.  Some of
the packages from the rootkit they used include kool.tar.gz,
psybnc.tar.gz, rkid.tar.gz, and smas.tgz (there may be others).  Does
anyone know what these do?  Syslog was also tampered with (this was my
first clue).  Chkrootkit shows ifconfig, login, and pstree as infected.

So my question is, how did they get root?  Well, I guess they used this
rootkit, but how did they manage to install that?  Where is the
vulnerability?  If anyone has any suggestions of what to look for before
I wipe out this box, it would be greatly appreciated.

Aloha,
Rob
_______________________________________________
LUAU mailing list
LUAU at videl.ics.hawaii.edu
http://videl.ics.hawaii.edu/mailman/listinfo/luau
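The two messages above describe the situation every first-time incident responder runs into: chkrootkit says ifconfig, login and pstree are trojaned, syslog has been edited, and the question is what else was touched before the box gets wiped. The following is an added example, not code from the original thread or from chkrootkit, showing the check a practitioner would want here: compare every system binary against a known-good hash manifest (the same idea as `rpm -V` on Red Hat, but independent of the host's RPM database, which an attacker with root can also edit) and report files that were modified, removed, or added in the watched directories. The scenario it runs is constructed: a tiny fake filesystem in a temporary directory, a manifest taken while it is clean, and then three binaries overwritten with their mtimes restored (rootkits routinely preserve timestamps, which is why `ls -l` is useless for this) plus one dropped tool. The file names echo what the post reports and are assumptions for illustration only.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Return the hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, rel_paths):
    """Hash the named files under root.  Returns {relative_path: sha256}.

    In real use this is built from install media or a clean reference host,
    never on the suspect box after the compromise.
    """
    return {rel: sha256_of(os.path.join(root, rel)) for rel in rel_paths}


def verify_tree(root, manifest, watched_dirs):
    """Compare the tree under root against the manifest.

    Returns {'modified': [...], 'missing': [...], 'unexpected': [...]} with
    relative paths.  'unexpected' lists files in watched_dirs that the
    manifest does not know about (dropped tools, backdoors).
    """
    modified, missing, unexpected = [], [], []
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            missing.append(rel)
        elif sha256_of(path) != expected:
            modified.append(rel)
    for d in watched_dirs:
        full = os.path.join(root, d)
        if not os.path.isdir(full):
            continue
        for name in sorted(os.listdir(full)):
            rel = os.path.join(d, name)
            if os.path.isfile(os.path.join(root, rel)) and rel not in manifest:
                unexpected.append(rel)
    return {"modified": sorted(modified),
            "missing": sorted(missing),
            "unexpected": sorted(unexpected)}


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: take a clean manifest, then simulate rootkit tampering."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-ins for real binaries; contents are arbitrary bytes.
        clean = {
            "sbin/ifconfig": b"clean ifconfig binary\n",
            "bin/login": b"clean login binary\n",
            "usr/bin/pstree": b"clean pstree binary\n",
            "usr/sbin/sshd": b"clean sshd binary\n",
        }
        for rel, data in clean.items():
            _write(root, rel, data)
        manifest = build_manifest(root, clean.keys())

        # Trojan the three binaries chkrootkit flagged in the post, restoring the
        # original timestamps so an mtime-based check would not notice.
        for rel in ("sbin/ifconfig", "bin/login", "usr/bin/pstree"):
            st = os.stat(os.path.join(root, rel))
            _write(root, rel, b"trojaned " + clean[rel])
            os.utime(os.path.join(root, rel), (st.st_atime, st.st_mtime))
        # Drop an extra tool into a watched directory (name is an assumption).
        _write(root, "usr/sbin/psybnc", b"dropped irc bouncer\n")

        return verify_tree(root, manifest, ["sbin", "bin", "usr/bin", "usr/sbin"])


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Run this from rescue media or with the suspect disk mounted read-only on a clean host, with the Python interpreter and the manifest coming from that clean system: on the box itself the trojaned login and ifconfig show that anything the live system executes or reports is suspect, and a kernel-level rootkit could hide files from the walk entirely. The comparison only catches what was changed on disk, so it answers "what was replaced", not "how did they get in"; for that, the unpatched services in the nmap list are the place to look.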