[lug] Fun with being hacked

D. Stimits stimits at idcomm.com
Tue Aug 14 13:07:03 MDT 2001 

"Keith.Herold" wrote:
> 
> Well, yeah, I sort of assumed that gdm was a little diversion.  I'm not
> using bind, but rpc is running (for nfs, right).  This machine isn't serving
> a printer, so it seems unlikely that the printer port was an issue.  We (the
> lab) don't have a firewall up, because no one wants to spend the week to a
> month necessary to get the thing going, but, since we get hacked every
> month, I think I might get a little more insistent.  Unfortunately, I don't
> have the previous configuration.  This is research box, but all of the code
> I write and the data are in at least three other machines so I typically
> don't worry about backing configurations up.  Next time I think I will run
> tripwire and put a firewall up on this machine alone.

rpc and nfs are huge risks if not perfectly maintained, I would guess
this is the source of entry/root kit. You don't necessarily have to set
up a *full* firewall to make packet filtering helpful. For example,
instead of closing off all things then opening up what you need (though
this is highly desirable), you could start by simply closing off rpc and
other vulnerable ports to non-local ip's. It's important to remember
that some programs, even if they are configured to not make service
available to certain ip's, can still parse input in order to make
decisions about what is allowed or not...if the weakness is in the
parsing itself, you still have an entry point. Windows IIS/ISAPI is a
big sample of that, it's a big wide open invitation to test everything
on the system. Linux does a much better job, but when a single entry
point is known, script kiddies will test for that particular opening in
an automated way, and not miss a single vulnerable machine. Having root
squash on nfs is a huge bonus on an unfirewalled machine, but blocking
packets before they hit is even better. You should always configure all
machines, including those behind a firewall, to have firewall
capabilities, since even setting up a logging rule is a great debugging
tool. And if something should happen, it is easy to quickly add rules,
compared to recompiling a kernel and rebooting.

> 
> As for the IP, I don't believe it is the originator, just because the same
> hole is being used from many different addresses.  When I came in to check
> it out, I found 8 copies of autotelnet running; the source code for the
> exploit says that the attack may take more than an hour, so I gather the
> punk ran a bunch of copies and thinks he/she will get on later to check it
> out.

Probably so. Or maybe the running programs are making reports over irc
or a newsgroup (irc is tcp/ip, you can use telnet if you understand the
irc codes, much like ftp being just another telnet client to hide some
of the raw codes of ftp).

> 
> My version of openssh is only a month or so old; in any case, it will be
> time to generate all new keys again.

My guess is that OpenSSH was not the entry point, but that it was
replaced with a trojan version after an nfs break. I would definitely
save any logs available, and after reinstall, add special logging and
blocking rules for the specific ip's (or better yet, their /24's since
likely the subnet of one attacker was scanned completely looking for
machines to break, and the breakins you see are from just one of a
series of broken machines on the /24). This would allow you to not
interfere with current operations while preparing for better protection.
And unless you have a need to open the ports for nfs/rpc, lpd, syslog,
dns/bind to the general public, firewall those to accept only the ip's
they depend on (dns is easy if you have an isp with 2 or 3 name servers,
then you only need to make it visible to those servers). You might also
want to block X11 ports to the outside world, unless you have someone
with a high bandwidth connection that actually does remote X11 display.

D. Stimits, stimits at idcomm.com

> 
> --Keith
> > -----Original Message-----
> > From: lug-admin at lug.boulder.co.us [mailto:lug-admin at lug.boulder.co.us]On
> > Behalf Of D. Stimits
> > Sent: Tuesday, August 14, 2001 11:05 AM
> > To: lug at lug.boulder.co.us
> > Subject: Re: [lug] Fun with being hacked
> >
> >
> > Knowing that the cracker was using gdm to hide doesn't say the attack
> > was actually through gdm originally. Making a system account the login
> > would tend to be less suspicious (in theory, not reality for gdm) than
> > some brand new account. Knowing how they got in would require knowing
> > exactly what ports were open and to whom. In this case, the original
> > crack might not even be from 161.184.79.143, though this is where it is
> > now being used from. Older versions of sshd had one weakness or another.
> > Opening bind, rpc, or the printer ports would also be a route in. Do you
> > have ipchains or other firewall running? Do you have the configuration
> > now, and better yet, also from before the crack?
> >
> > D. Stimits, stimits at idcomm.com
> >
> >
> > HEROLD wrote:
> > >
> > > So, I noticed an interesting message in my messages file this morning:
> > >
> > > Aug 12 04:43:14 pharynx sshd2[812]: connection from "161.184.79.143"
> > > Aug 12 04:43:20 pharynx sshd2[11628]: User gdm's local password
> > accepted.
> > > Aug 12 04:43:20 pharynx sshd2[11628]: Password authentication
> > for user gdm
> > > accepted.
> > > Aug 12 04:43:20 pharynx sshd2[11628]: User gdm, coming from
> > > s161-184-79-143.ab.hsia.telus.net, authenticated.
> > >
> > > Apparently this has been happening since around the 28th of July.
> > >
> > > I also found a package called "autotelnet" installed in
> > > /tmp/.../autotelnet, which is a hack designed to break into
> > telnetd using
> > > a buffer overflow (gives root shell of course).
> > >
> > > Of course, my next actions will be to reformat and reinstall RH7.1, and,
> > > once again, apply every RPM in existence.  The problem is that I am not
> > > running telnetd, and in fact	CResourceLocation* p_location = NULL;
 turned off all the services except sshd
> > > (openssh). I
> > > did a check on the telnet port and had the connection refused.  It seems
> > > to me that the autotelnet was installed afterwards, to probe and attack
> > > other machines.  I do not, however, have any idea of how they got in in
> > > the first place.
> > >
> > > Does gdm normally have a passwd?  there is a gdm listed in the user
> > > accounts, but I thought that was just so gnome could do it's thing?
> > > Should I password it next time?
> > >
> > > In general, since RH7.1 does not install the xwindows linuxconf, what's
> > > a quick way to find out what services are running on a machine?
> > >
> > > Thanks,
> > > Keith
> > >
> > > _______________________________________________
> > > Web Page:  http://lug.boulder.co.us
> > > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> > _______________________________________________
> > Web Page:  http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> 
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug

More information about the LUG mailing list