[lug] Hacked Debian server - was Problematic Debian server

Bear Giles bgiles at coyotesong.com
Fri Jul 16 10:00:47 MDT 2010


Another thing to consider is rssh (restricted shell allowing scp, sftp, 
cvs, svn, rsync and rdist).  Few non-admin users require more than that 
on remote systems.

(It should go without saying that it would be better to use an encrypted 
svn: connection instead of doing svn via a ssh shell, but that may not 
always be possible.)

Bear


On 07/16/2010 09:08 AM, George Sexton wrote:
>
> Here are my tips for hardening:
>
> Disable Root Login on SSH
>
> If you don't need widespread SSH login for accounts, create a group 
> and only allow that group to login via SSH.
>
> Run SSH on a non-standard port. That cuts probing down immensely.
>
> Create firewall rules that limit SSH probes. If you search the 
> archives for this list, you'll find a discussion. This can limit the 
> number of tries per bad guy to 3-4.
>
> Configure automatic updates. For updates that won't install 
> automatically, install them on a weekly basis. OpenSUSE does this. I 
> don't know about other distros.
>
> Check PHP web applications and ensure updates are applied. Subscribe 
> to appropriate newsletters.
>
> Monitor server logs on a daily basis. Use something like logwatch to 
> mail them to you. This won't stop things, but it will help you find 
> out faster.
>
> The machine was probably hacked via a vulnerability in PHP. One way 
> I've seen this done is to grab /etc/shadow and then look up the 
> passwords in a hashed dictionary. Once they had that, they just logged 
> in. Just because what they did after the machine was compromised 
> doesn't look like before doesn't mean it wasn't PHP. You can sometimes 
> see what they did by looking at ~/.bash_history.
>
> FWIW, here's a message thread from when I had a machine hacked using 
> Webmin. The thread contains info on what I found from looking at the 
> machine.
>
> http://archive.lug.boulder.co.us/Week-of-Mon-20070903/035231.html
>
> I'm not aware that keys are considered less secure than passwords. 
> Actually the opposite from my understanding.
>
> George Sexton
>
> MH Software, Inc.
>
> 303 438-9585
>
> www.mhsoftware.com
>
> *From:* lug-bounces at lug.boulder.co.us 
> [mailto:lug-bounces at lug.boulder.co.us] *On Behalf Of *Gordon Golding
> *Sent:* Thursday, July 15, 2010 1:42 PM
> *To:* lug at lug.boulder.co.us
> *Subject:* [lug] Hacked Debian server - was Problematic Debian server
>
> Gateway PC (Vista dual boot with last October Debian install) was 
> stalling during reboot with a Nautilus error, the GUI wouldn't come up.
>
> On July 12 - the main gateway router needed to be reset - a very rare 
> occurrence.
> Also, many files in bin and sbin were replaced with a 543237 byte 
> executable.
>
> So - for many "user" commands, like cat, ifconfig, route.. and ones 
> run at startup, like mount, fsck...
> there were 3 files:
>
> cat - 543237 bytes with old date
> cat with name cat + string "wti6mjpJg3PyaTsCzq0s" July 12
> cat with name cat + string "didn't write this one down" July 12
>
> When you run cat (or anything), it runs normally, returns to command 
> line.  Then after a pause, there is a message "tried to access /dev/mem 
> between 2bf000->2c1000"
>
> /root/.ssh was changed on july 12, also things like ssl libraries.  
> Lots of things were changed, maybe by an automatic update, but don't 
> think that matters at this point.
>
> Actually it isn't my machine - I use Fedora and haven't used Debian.   
> I'm trying to do what I can to help out, they aren't heavy Linux people.
> Biggest worry is: we get it back up, and someone just hacks it the 
> same way.
>
> At this point, I'm thinking: just bring it back up fresh, but need 
> advice on securing it - or any other good advice  ;-)
>
> This machine was installed last October by someone not around any 
> more, so no idea how it was set up.
>
> It runs:
> Samba
> Subversion
> Apache2 - also running PHP
>      Pet peeve of mine - 1.5 years ago, lost several servers, very 
> secure Fedora and RedHat and a Mac, and others - programmer opened
>      up PHP includes and let hackers inside.
> ssh
> The router is only open to those ports.
> Machine is being reinstalled on fresh disk drive (keeping old drive 
> for user data).  Will get all newest updates.
>
> What to do after this?  When I saw a hack elsewhere through PHP, it 
> looked totally different - this looks like a stumbled root kit.
> Seen anything like this?
>
> I used to use the CIS procedures as a guide for hardening Fedora, 
> before they fell behind the rapid releases.  What's a good resource 
> for Debian hardening?
>
> Specific question:
> This machine is accessed by users in Germany. The hacked machine was 
> trying to talk back to Germany.
> This machine used keys for easy user access.
> I've heard the argument that:
> "Their machine gets hacked, now they are on your machine.  Always make 
> a user sign in with a strong password."
>
> Just out of curiosity:  Is the main gateway router dying the same day 
> these files were changed just a coincidence?
> I don't remember hearing before of a hacked server bringing down the 
> gateway router.
>
> Thoughts?  Advice?
>
> Gordon Golding
>
>

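The SSH points in George's list and the "many commands replaced by one same-size executable, originals kept under name + random string" symptom in Gordon's report are both easy to check mechanically. The script below is an added example, not code from the thread or from any of its posters. It audits a constructed sshd_config for the settings George recommends (root login off, an AllowGroups restriction, a non-default port, key-only login) and then triages a constructed bin directory for the two things Gordon saw. The two sshd_config samples, the 543237-byte stand-in files and the random-suffix file name are constructed inputs; the first-match reading of sshd_config keywords follows the sshd_config man page, and `debsums` / `dpkg --verify` are named as the authoritative integrity check on a Debian host.

```shell
#!/bin/sh
# Added example, not code from the thread: (1) audit an sshd_config against
# the SSH points George listed, (2) triage a bin directory for the symptom
# Gordon described (many commands replaced by one same-size executable,
# originals kept under "name + random string"). All inputs are constructed.
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed config resembling a stock install (assumption, not a real file).
cat > "$WORK/sshd_config.weak" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# no AllowGroups line at all
EOF

# Constructed hardened counterpart.
cat > "$WORK/sshd_config.hard" <<'EOF'
Port 2222
PermitRootLogin no
AllowGroups sshusers
PasswordAuthentication no
EOF

# Effective value of one sshd_config keyword. sshd uses the FIRST occurrence,
# keywords are case-insensitive, comments and blank lines are ignored. Match
# blocks and the "Key=value" spelling are not handled here (simplification).
ssh_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Print one line per weak setting; prints nothing for a hardened file.
audit_sshd() {
    cfg="$1"
    [ "$(ssh_opt "$cfg" PermitRootLogin)" = "no" ] \
        || echo "FINDING: PermitRootLogin is not 'no'"
    [ -n "$(ssh_opt "$cfg" AllowGroups)" ] \
        || echo "FINDING: no AllowGroups restriction"
    port="$(ssh_opt "$cfg" Port)"
    [ -n "$port" ] && [ "$port" != "22" ] \
        || echo "FINDING: sshd listens on the default port 22"
    [ "$(ssh_opt "$cfg" PasswordAuthentication)" = "no" ] \
        || echo "FINDING: password logins still allowed (prefer keys)"
    return 0
}

# Constructed /bin look-alike: three commands share one 543237-byte body
# (the size Gordon reported); 'ls' is untouched; the real cat was kept
# under a random-suffix name.
mkdir "$WORK/bin"
head -c 543237 /dev/zero > "$WORK/bin/cat"
cp "$WORK/bin/cat" "$WORK/bin/mount"
cp "$WORK/bin/cat" "$WORK/bin/ifconfig"
printf 'original cat binary (constructed stand-in)\n' > "$WORK/bin/catwti6mjpJg3PyaTsCzq0s"
printf 'untouched ls (constructed stand-in)\n' > "$WORK/bin/ls"

# Sizes shared by more than one file in a directory, with the file names.
# First-look triage only: on a real Debian host the authoritative check is
# `debsums` or `dpkg --verify`, run with tools booted from clean media.
same_size_groups() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(wc -c < "$f")" "$(basename "$f")"
    done | sort -n | awk '
        { names[$1] = names[$1] " " $2; count[$1]++ }
        END { for (s in count) if (count[s] > 1) print s ":" names[s] }
    '
}

# File names that are another file's name plus a suffix: the renamed
# originals. Expect benign hits on a real system (ls/lsblk), so treat
# this as a lead, not a verdict.
renamed_originals() {
    for f in "$1"/*; do
        for g in "$1"/*; do
            [ "$f" != "$g" ] || continue
            case "$(basename "$f")" in
                "$(basename "$g")"?*) echo "$(basename "$f") -> copy of $(basename "$g")" ;;
            esac
        done
    done
}

echo "== weak config ==";        audit_sshd "$WORK/sshd_config.weak"
echo "== hardened config ==";    audit_sshd "$WORK/sshd_config.hard"
echo "== same-size files ==";    same_size_groups "$WORK/bin"
echo "== renamed originals =="; renamed_originals "$WORK/bin"
```

To use it on a real box, point `audit_sshd` at /etc/ssh/sshd_config and the two triage functions at /bin and /sbin. Keep in mind the caveat Gordon's own report implies: on a compromised host `awk`, `wc` and `sort` may themselves be among the replaced binaries, so results from a script run on the live system are only a hint, and the trustworthy comparison is the package checksums read from clean media.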