Regarding the sniffing....
I'm not a Linux guru, but I think he should also use SSL for the admin interface... In fact, the admin password for shell access and webadmin are the same... and if the hacker is sniffing port 80 then he will be able to manage his access.... through Telnet and even SSH...
Keep us informed :)
Take care,
Dave
----- Original Message -----
Sent: Monday, August 27, 2001 5:28 AM
Subject: Re: [cobalt-security] RaQ1 hacked
My gut instinct on this is that there is a sniffer somewhere between him and his server -- your advice to him to use SSH instead of telnet would solve that problem. He should also check his computer for worms/viruses, and check all of his other servers for interfaces running in promiscuous mode. He should also get in touch with his ISP and have them look for sniffers.
Hope this helps,
-Andrew
Hey guys,
There's another list member who's had his RaQ1 hacked twice now - within 18 hours of restoring it with all patches, putting the RaQ2 OS on it and getting it back online, it was hacked again. He'd like some advice. He's tried posting to the list but it won't come through for some reason, so I'm trying for him.
The first letter is the one he sent me, the second is some questions that I asked him to answer, so that y'all will have more info.
CarrieB
FIRST LETTER:
I had a RaQ1 running with all the software patches installed in the requested order from Cobalt and had Anon FTP running on one site. It got hacked into on 08/15/01 and I received an email from the server advising that there was a problem with crond, to restart the server. Not thinking, I went ahead and restarted it; it would not get past "Starting Up" on the LCD screen. We removed the drive and accessed it from a Linux PC and found that somebody had been in it and changed some files in the startup and had it referencing Intel-compiled files. Not knowing what other damage had been done, I used the RaQ1 OS restore disk and decided to update it to the RaQ2 software.
I did this and followed the instructions for installing the patches in the proper order, even the one that is out of order regarding RaQ1 hardware using RaQ2 software. Once all the patches were installed we put it back online and I uploaded the sites back to it. It went online on Wednesday 08/22/01 at 1336. On Thursday 08/23/01 at 0920 I again received an email from the server that there was a problem with crond, to restart the server. I have yet to do this.
Going through the log files, there is a large amount of information missing on late Wednesday night and early Thursday morning. Then at around 0840 there are several failed login attempts to telnet, then at around 0915-0920 there are several files that have been changed and/or created. I am still getting an email every 15 minutes saying cannot execute binary file "/bin/ps".
I have a lot of log files that just do not look right. Under one log file there is a startup "fork" message that is there when I first reloaded the software and another when it was shut down and reconnected to the network. Around 0925-0950 there are 7 entries of Startup "fork". From there on I am also seeing this message in the messages log:
  kernel: Swansea University Computer Society IPX 0.34 for NET3.035
  kernel: IPX Portions Copyright (c) 1995 Caldera, Inc.
  kernel: Appletalk 0.17 for Linux NET3.035
  modprobe: can't locate module binfmt-0
This message repeats itself at a random time frame, from 2 minutes apart to almost 9 minutes apart.
I don't know what to do. If it was a fresh load with all of the supposed security patches with NO Anon FTP running, how did they get in? They had less than 18 hours total to hit it.
If you can help or direct me I would appreciate it very much. I have all of the log files and corrupted/created files saved on my PC and compressed in zip format in case he comes back and tries to block me out or clean up the log files completely.
SECOND LETTER:
I appreciate your replying to my questions. I have had this server for about two and a half years, without any trouble. I am more of a DOS/Windows person than Linux, so most of the stuff you had me do below is kind of new. My main job is a police officer and I have the server and small business on the side for some stress relief (and it isn't relieving anything right now). We (me and one of our criminal investigators) have started tracking the user of the IP that logged into this server to try and get a name. Here in Virginia, computer hacking, if considered malicious, is a felony, and who knows what we might be able to find. I have below the questions you posted to me along with the answers I have for them. Seeing that he hit it again this morning, I am going to go through the logs again right now and see what I can find.
C - Do any of your users, besides you (admin), have telnet access?
P - Only me.

C - What funny stuff shows up when you do a "last | less" (no quotes) from the command line?
P - I can account for all except for:
  admin ttyp0 ust001 Thu Aug 23 0914-0922 (00:08)
  admin ttyp0 ust001 Sun Aug 26 0921-0926 (00:04)

C - Is there any funny stuff in /root/.bash_history? (Read this with pico.)
P - Read .bash_history in /root: 0 lines read.

C - Is there anything besides ftp and pop3 service uncommented in /etc/inetd.conf?
P - ftp, telnet, pop-3, imap are the only ones uncommented.

C - When you do a "top -c" from the command line, what strange processes do you see running?
P - The ones that show up running are: top -c, init, kflushd, kswapd, md_thread (twice), nfsiod (three), /usr/sbin/ht (three), /sbin/mgetty, update (bdfl, /sbin/kernel

C - You said you removed the hard drive, so I am hoping that you have this RaQ in your possession and it's not co-located somewhere.
P - It's co-located about 12 miles from me at my ISP. They have around 12 or 13 various RaQ products and have also had several of them hit in the last few weeks. It seems from what we have back-traced that the hits are coming from Canada (on mine) and they have also got hits from Europe. I do not feel that anyone at the local ISP is doing the hacking, as I know all of them and they have been business partners for several years. They have also requested our services for prosecuting hackers several times over the last couple of years.

C - Then before you put it back online, install: SSH (disable telnet after installing SSH and confirming that it works)
P - Exactly what is SSH, and how do you get to the command line with Telnet disabled?

C - PortSentry (www.psionic.com), Logcheck (www.psionic.com)
P - I have PortSentry and tried to install it on Friday night and could not get it to run. It compiled with no errors, installed with no errors, but would not run. Not sure what I may have done wrong; I thought I followed the simple instructions pretty closely. Guess not.

C - IPChains (can get an RPM of this just about anywhere), PMFirewall (to configure IPChains for you)
P - What does this do that the above two (PortSentry and SSH) do not?

C - TripWire (keep a copy of the TripWire database on a different machine or on CD; have TripWire run a database check every night to see what files, if any, have been changed and email you about them)
P - Also about this.

C - Take away shell access for all of your users besides yourself. There is no reason any of them need it, besides to hack or cause havoc. And that's more usernames/passwords out there floating around for someone to crack or find and get into sensitive parts of your machine.
P - No one else on the machine has any special access other than FrontPage access on a couple of sites; the other two sites I manage for the customers.

C - I wish I could be of more help, but without access to the machine I can't dig around and see how he came in. I'm also not nearly as much of a security expert as the guys on the security list. But I do know that BEFORE that machine goes online, it should be braced like a fortress, and IPChains is the only way you're going to be able to do that.
P - At this point I have spent considerably more than I anticipated on redoing the machine, and now I have to reload it again; at least I don't have to find the special network card and CD again.

C - If you like, I can try posting your question to the security list and see if it goes through?
P - If you would, please.
That's it! I've given him some instructions on how to install all of this stuff, answered his questions about IPChains, Tripwire, etc. His name is Patrick. As I have no experience with the RaQ1s and 2s, I'm hoping some of the gurus on the list can help him out. I'm not sure what little differences there are in using these programs on the MIPS vs. the Intel processor.
Carrie
_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security
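The repeating "cannot execute binary file /bin/ps" and binfmt errors Patrick reports are what a binary compiled for Intel produces on the RaQ's MIPS CPU, and his answer about /etc/inetd.conf is something the disk itself can confirm. As an added example that is not part of this thread, the POSIX shell script below is meant to be run from a rescue PC against the removed disk (as Patrick did): it reads each ELF header's e_machine field to flag binaries built for another architecture and lists the services still active in an inetd.conf. The mount paths in the comments and the fixture files it builds are constructed assumptions.

```shell
# Added example, not from the thread: inspect a RaQ disk mounted on a rescue PC
# (as Patrick did) for binaries built for the wrong CPU and for active inetd services.
# Print the ELF e_machine code (decimal) of a file, honouring the header's
# byte order (EI_DATA: 1 = little endian, 2 = big endian); fail if not ELF.
elf_machine() {
    f="$1"
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || return 1
    endian=$(od -An -tu1 -j5 -N1 "$f" | tr -d ' ')
    set -- $(od -An -tu1 -j18 -N2 "$f")
    [ $# -eq 2 ] || return 1
    if [ "$endian" = "2" ]; then echo $(( $1 * 256 + $2 )); else echo $(( $2 * 256 + $1 )); fi
}

# Report every ELF file under the given directories whose machine code is not
# EXPECTED (8 = EM_MIPS for a RaQ1/RaQ2; an Intel binary shows up as 3 = EM_386).
find_foreign_binaries() {
    expected="$1"; shift
    find "$@" -type f 2>/dev/null | while IFS= read -r f; do
        m=$(elf_machine "$f") || continue
        [ "$m" = "$expected" ] || echo "$f machine=$m"
    done
}

# Service names still active (not commented out) in an inetd.conf.
active_inetd_services() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF { print $1 }'
}

# Constructed fixture (not real RaQ files): 20-byte ELF headers are enough for
# the e_machine check, plus a small inetd.conf. Prints the directory created.
build_demo() {
    d=$(mktemp -d); mkdir -p "$d/bin"
    # MIPS, little endian, e_machine 8: what a native RaQ binary looks like
    printf '\177ELF\001\001\001\000\000\000\000\000\000\000\000\000\002\000\010\000' > "$d/bin/ls"
    # MIPS, big endian: the same machine code stored as 00 08
    printf '\177ELF\001\002\001\000\000\000\000\000\000\000\000\000\000\002\000\010' > "$d/bin/bemips"
    # i386: the kind of file that produces "cannot execute binary file" on MIPS
    printf '\177ELF\001\001\001\000\000\000\000\000\000\000\000\000\002\000\003\000' > "$d/bin/ps"
    printf '#!/bin/sh\necho not elf\n' > "$d/bin/script"
    printf '# comment\nftp stream tcp nowait root /usr/sbin/tcpd in.ftpd\ntelnet stream tcp nowait root /usr/sbin/tcpd in.telnetd\n#shell stream tcp nowait root /usr/sbin/tcpd in.rshd\npop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d\nimap stream tcp nowait root /usr/sbin/tcpd imapd\n' > "$d/inetd.conf"
    echo "$d"
}

# Stand-alone run on the fixture; on a real mount use e.g. /mnt/raq/bin /mnt/raq/sbin
demo=$(build_demo)
find_foreign_binaries 8 "$demo/bin"
active_inetd_services "$demo/inetd.conf"
rm -rf "$demo"
```

Any path the scan prints is a file the RaQ's MIPS kernel cannot run and therefore did not ship with; compare it against the restore media before trusting the rest of that directory.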