[lug] Fun with being hacked

D. Stimits stimits at idcomm.com
Tue Aug 14 13:13:17 MDT 2001


"Holshouser, David" wrote:
> 
> in a case like this (or any other case of hacking for that matter), is it
> sufficient to boot to the CD for the latest version of your distribution and
> do an upgrade, or is a format required?

It might be sufficient to detect specific package replacements if you
know exactly which packages to look at, but the versions on the CD are
not 100% current. I would guess a KRUD CD isn't too bad, but there is a
period of time before updates reach even a KRUD CD, and you are
vulnerable during that time. When I do this sort of thing, I will not
*ever* let my machine touch the Internet without a firewall. During the
time between original install and update through
ftp://updates.redhat.com, I summarily deny everything except for what is
necessary to dial in to my ISP, and the actual updates.redhat.com site.
An example of why it is important to be so paranoid is that immediately
after I dialed up to get my email I received a Code Red hit, which does
not require more than a few seconds to install (if you run Win/IIS), and
the time it takes to download one update would have allowed some
exploits to be installed 10 times over (if I didn't have a slow
connection, I'd suggest 100 times over).

D. Stimits, stimits at idcomm.com

> 
> > -----Original Message-----
> > From: Keith.Herold [mailto:herold at cslr.Colorado.EDU]
> > Sent: Tuesday, August 14, 2001 11:39 AM
> > To: lug at lug.boulder.co.us
> > Subject: RE: [lug] Fun with being hacked
> >
> >
> > Well, yeah, I sort of assumed that gdm was a little diversion.  I'm not
> > using bind, but rpc is running (for nfs, right).  This machine isn't
> > serving a printer, so it seems unlikely that the printer port was an
> > issue.  We (the lab) don't have a firewall up, because no one wants to
> > spend the week to a month necessary to get the thing going, but, since we
> > get hacked every month, I think I might get a little more insistent.
> > Unfortunately, I don't have the previous configuration.  This is a
> > research box, but all of the code I write and the data are on at least
> > three other machines, so I typically don't worry about backing
> > configurations up.  Next time I think I will run tripwire and put a
> > firewall up on this machine alone.
> >
> > As for the IP, I don't believe it is the originator, just because the
> > same hole is being used from many different addresses.  When I came in
> > to check it out, I found 8 copies of autotelnet running; the source code
> > for the exploit says that the attack may take more than an hour, so I
> > gather the punk ran a bunch of copies and thinks he/she will get on
> > later to check it out.
> >
> > My version of openssh is only a month or so old; in any case, it will be
> > time to generate all new keys again.
> >
> > --Keith
> > > -----Original Message-----
> > > From: lug-admin at lug.boulder.co.us
> > [mailto:lug-admin at lug.boulder.co.us]On
> > > Behalf Of D. Stimits
> > > Sent: Tuesday, August 14, 2001 11:05 AM
> > > To: lug at lug.boulder.co.us
> > > Subject: Re: [lug] Fun with being hacked
> > >
> > >
> > > Knowing that the cracker was using gdm to hide doesn't say the attack
> > > was actually through gdm originally. Making a system account the login
> > > would tend to be less suspicious (in theory, not reality for gdm) than
> > > some brand new account. Knowing how they got in would require knowing
> > > exactly what ports were open and to whom. In this case, the original
> > > crack might not even be from 161.184.79.143, though this is where it is
> > > now being used from. Older versions of sshd had one weakness or another.
> > > Opening bind, rpc, or the printer ports would also be a route in. Do you
> > > have ipchains or other firewall running? Do you have the configuration
> > > now, and better yet, also from before the crack?
> > >
> > > D. Stimits, stimits at idcomm.com
> > >
> > >
> > > HEROLD wrote:
> > > >
> > > > So, I noticed an interesting message in my messages file this morning:
> > > >
> > > > Aug 12 04:43:14 pharynx sshd2[812]: connection from "161.184.79.143"
> > > > Aug 12 04:43:20 pharynx sshd2[11628]: User gdm's local password accepted.
> > > > Aug 12 04:43:20 pharynx sshd2[11628]: Password authentication for user gdm accepted.
> > > > Aug 12 04:43:20 pharynx sshd2[11628]: User gdm, coming from s161-184-79-143.ab.hsia.telus.net, authenticated.
> > > >
> > > > Apparently this has been happening since around the 28th of July.
> > > >
> > > > I also found a package called "autotelnet" installed in
> > > > /tmp/.../autotelnet, which is a hack designed to break into telnetd
> > > > using a buffer overflow (gives root shell of course).
> > > >
> > > > Of course, my next actions will be to reformat and reinstall RH7.1,
> > > > and, once again, apply every RPM in existence.  The problem is that I
> > > > am not running telnetd, and in fact turned off all the services except
> > > > sshd (openssh).  I did a check on the telnet port and had the
> > > > connection refused.  It seems to me that the autotelnet was installed
> > > > afterwards, to probe and attack other machines.  I do not, however,
> > > > have any idea of how they got in in the first place.
> > > >
> > > > Does gdm normally have a passwd?  There is a gdm listed in the user
> > > > accounts, but I thought that was just so gnome could do its thing?
> > > > Should I password it next time?
> > > >
> > > > In general, since RH7.1 does not install the xwindows linuxconf,
> > > > what's a quick way to find out what services are running on a machine?
> > > >
> > > > Thanks,
> > > > Keith
> > > >
> > > > _______________________________________________
> > > > Web Page:  http://lug.boulder.co.us
> > > > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
