[lug] Hacked Debian server - was Problematic Debian server

George Sexton georges at mhsoftware.com
Fri Jul 16 09:08:24 MDT 2010


Here are my tips for hardening:

Disable Root Login on SSH

If you don't need widespread SSH login for accounts, create a group and only
allow that group to login via SSH.

Run SSH on a non-standard port. That cuts probing down immensely.

Create firewall rules that limit SSH probes. If you search the archives for
this list, you'll find a discussion. This can limit the number of tries per
bad guy to 3-4.

Configure automatic updates. For updates that won't install automatically,
install them on a weekly basis. OpenSUSE does this. I don't know about other
distros.

Check PHP web applications and ensure updates are applied. Subscribe to
appropriate newsletters.

Monitor server logs on a daily basis. Use something like logwatch to mail
them to you. This won't stop things, but it will help you find out faster.

The machine was probably hacked via a vulnerability in PHP. One way I've
seen this done is to grab /etc/shadow and then look up the passwords in a
hashed dictionary. Once they had that, they just logged in. Just because
what they did after the machine was compromised doesn't look like before
doesn't mean it wasn't PHP. You can sometimes see what they did by looking
at ~/.bash_history.

FWIW, here's a message thread from when I had a machine hacked using Webmin.
The thread contains info on what I found from looking at the machine.

http://archive.lug.boulder.co.us/Week-of-Mon-20070903/035231.html

I'm not aware that keys are considered less secure than passwords. Actually
the opposite from my understanding.


George Sexton

MH Software, Inc.

303 438-9585

www.mhsoftware.com

From: lug-bounces at lug.boulder.co.us [mailto:lug-bounces at lug.boulder.co.us]
On Behalf Of Gordon Golding
Sent: Thursday, July 15, 2010 1:42 PM
To: lug at lug.boulder.co.us
Subject: [lug] Hacked Debian server - was Problematic Debian server

Gateway PC (Vista dual boot with last October Debian install) was stalling
during reboot with a Nautilus error, the GUI wouldn't come up.

On July 12 - the main gateway router needed to be reset - a very rare
occurrence.
Also, many files in bin and sbin were replaced with a 543237 byte
executable.

So - for many "user" commands, like cat, ifconfig, route.. and ones run at
startup, like mount, fsck...
there were 3 files:

cat - 543237 bytes with old date
cat with name cat + string "wti6mjpJg3PyaTsCzq0s" July 12
cat with name cat + string "didn't write this one down" July 12

When you run cat (or anything), it runs normally, returns to command line.
Then after a pause, there is a message "tried to access /dev/mem between
2bf000->2c1000".

/root/.ssh was changed on July 12, also things like SSL libraries. Lots of
things were changed, maybe by an automatic update, but don't think that
matters at this point.

Actually it isn't my machine - I use Fedora and haven't used Debian. I'm
trying to do what I can to help out; they aren't heavy Linux people.
Biggest worry is: we get it back up, and someone just hacks it the same way.

At this point, I'm thinking: just bring it back up fresh, but I need advice
on securing it - or any other good advice ;-)

This machine was installed last October by someone not around any more, so
no idea how it was set up.

It runs:
Samba
Subversion
Apache2 - also running PHP
     (Pet peeve of mine - 1.5 years ago, lost several servers, very secure
     Fedora and RedHat and a Mac, and others - programmer opened up PHP
     includes and let hackers inside.)
ssh
The router is only open to those ports.
Machine is being reinstalled on fresh disk drive (keeping old drive for user
data).  Will get all newest updates.

What to do after this? When I saw a hack elsewhere through PHP, it looked
totally different - this looks like a stumbled rootkit.
Seen anything like this?

I used to use the CIS procedures as a guide for hardening Fedora, before
they fell behind the rapid releases.  What's a good resource for Debian
hardening?

Specific question:
This machine is accessed by users in Germany. The hacked machine was trying
to talk back to Germany.
This machine used keys for easy user access.
I've heard the argument that:
"Their machine gets hacked, now they are on your machine.  Always make a
user sign in with a strong password."

Just out of curiosity: is the main gateway router dying the same day these
files were changed just a coincidence?
I don't remember hearing before of a hacked server bringing down the gateway
router.

Thoughts?  Advice?

Gordon Golding
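The two signs Gordon reports above (many binaries replaced by executables of one identical size, and a command name present again with a random string appended) can be checked for on the old drive from a clean boot medium. The script below is an added example, not code from the thread; it assumes the appended suffix is alphanumeric and at least 16 characters long (generalising from the one suffix shown) and takes the directory to inspect as an argument.

```shell
#!/bin/sh
# Added example (not from the thread): flag two indicators described for the
# compromised box. Run from a clean boot medium against the mounted old drive,
# since a rootkit on the running system may hide its own files from ls/find.

# Print each file size in DIR shared by at least MIN regular files: "SIZE COUNT".
# Usage: size_clusters DIR [MIN]   (MIN defaults to 5)
size_clusters() {
    dir=$1
    min=${2:-5}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        wc -c < "$f"
    done | sort -n | uniq -c | awk -v min="$min" '$1 >= min { print $2, $1 }'
}

# For every file in DIR, report other files in DIR whose name is that file's
# name followed by 16 or more alphanumerics: "BASE -> BASEsuffix".
# Assumption: the suffix is alphanumeric and >= 16 chars (from the one example).
# Usage: suffixed_twins DIR
suffixed_twins() {
    dir=$1
    for base in "$dir"/*; do
        [ -f "$base" ] || continue
        b=${base##*/}
        for f in "$dir/$b"?*; do
            [ -f "$f" ] || continue
            suffix=${f##*/}
            suffix=${suffix#"$b"}
            # Skip suffixes containing anything but letters and digits
            # (".bak" is non-alphanumeric; "chsegv" in catchsegv is too short).
            case $suffix in *[!A-Za-z0-9]*) continue ;; esac
            [ "${#suffix}" -ge 16 ] && printf '%s -> %s\n' "$b" "${f##*/}"
        done
    done
}

# Usage on a mounted copy of the suspect system (constructed path):
#   sh check_bins.sh /mnt/old/bin 5
[ $# -gt 0 ] && { size_clusters "$1" "${2:-5}"; suffixed_twins "$1"; }
```

Any size shared by many unrelated commands, or any "cat -> catXXXX" pair, is worth comparing against the package manager's recorded checksums before trusting the drive's contents.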
