[lug] Hacked Debian server - was Problematic Debian server
Bear Giles
bgiles at coyotesong.com
Fri Jul 16 10:00:47 MDT 2010
Another thing to consider is rssh (restricted shell allowing scp, sftp,
cvs, svn, rsync and rdist). Few non-admin users require more than that
on remote systems.
(It should go without saying that it would be better to use an encrypted
svn: connection instead of doing svn via a ssh shell, but that may not
always be possible.)
Bear
On 07/16/2010 09:08 AM, George Sexton wrote:
>
> Here are my tips for hardening:
>
> Disable Root Login on SSH
>
> If you don't need widespread SSH login for accounts, create a group
> and only allow that group to login via SSH.
>
> Run SSH on a non-standard port. That cuts probing down immensely.
>
> Create firewall rules that limit SSH probes. If you search the
> archives for this list, you'll find a discussion. This can limit the
> number of tries per bad guy to 3-4.
>
> Configure automatic updates. For updates that won't install
> automatically, install them on a weekly basis. OpenSUSE does this. I
> don't know about other distros.
>
> Check PHP web applications and ensure updates are applied. Subscribe
> to appropriate newsletters.
>
> Monitor server logs on a daily basis. Use something like logwatch to
> mail them to you. This won't stop things, but it will help you find
> out faster.
>
> The machine was probably hacked via a vulnerability in PHP. One way
> I've seen this done is to grab /etc/shadow and then look up the
> passwords in a hashed dictionary. Once they had that, they just logged
> in. Just because what they did after the machine was compromised
> doesn't look like before doesn't mean it wasn't PHP. You can sometimes
> see what they did by looking at ~/.bash_history.
>
> FWIW, here's a message thread from when I had a machine hacked using
> Webmin. The thread contains info on what I found from looking at the
> machine.
>
> http://archive.lug.boulder.co.us/Week-of-Mon-20070903/035231.html
>
> I'm not aware that keys are considered less secure than passwords.
> Actually the opposite from my understanding.
>
> George Sexton
>
> MH Software, Inc.
>
> 303 438-9585
>
> www.mhsoftware.com
>
> *From:* lug-bounces at lug.boulder.co.us
> [mailto:lug-bounces at lug.boulder.co.us] *On Behalf Of *Gordon Golding
> *Sent:* Thursday, July 15, 2010 1:42 PM
> *To:* lug at lug.boulder.co.us
> *Subject:* [lug] Hacked Debian server - was Problematic Debian server
>
> Gateway PC (Vista dual boot with last October Debian install) was
> stalling during reboot with a Nautilus error, the GUI wouldn't come up.
>
> On July 12 - the main gateway router needed to be reset - a very rare
> occurrence.
> Also, many files in bin and sbin were replaced with a 543237 byte
> executable.
>
> So - for many "user" commands, like cat, ifconfig, route... and ones
> run at startup, like mount, fsck...
> there were 3 files:
>
> cat - 543237 bytes with old date
> cat with name cat + string "wti6mjpJg3PyaTsCzq0s" July 12
> cat with name cat + string "didn't write this one down" July 12
>
> When you run cat (or anything), it runs normally, returns to command
> line. Then after a pause, there is a message "tried to access /dev/mem
> between 2bf000->2c1000".
>
> /root/.ssh was changed on july 12, also things like ssl libraries.
> Lots of things were changed, maybe by an automatic update, but don't
> think that matters at this point.
>
> Actually, it isn't my machine - I use Fedora and haven't used Debian.
> I'm trying to do what I can to help out, they aren't heavy Linux people.
> Biggest worry is - we get it back up, and someone just hacks it the
> same way.
>
> At this point, I'm thinking: just bring it back up fresh, but need
> advice on securing it - or any other good advice ;-)
>
> This machine was installed last October by someone not around any
> more, so no idea how it was set up.
>
> It runs:
> Samba
> Subversion
> Apache2 - also running PHP
> Pet peeve of mine - 1.5 years ago, lost several servers, very
> secure Fedora and RedHat and a Mac, and others - programmer opened
> up PHP includes and let hackers inside.
> ssh
> The router is only open to those ports.
> Machine is being reinstalled on fresh disk drive (keeping old drive
> for user data). Will get all newest updates.
>
> What to do after this? When I saw a hack elsewhere through PHP, it
> looked totally different - this looks like a stumbled root kit.
> Seen anything like this?
>
> I used to use the CIS procedures as a guide for hardening Fedora,
> before they fell behind the rapid releases. What's a good resource
> for Debian hardening?
>
> Specific question:
> This machine is accessed by users in Germany. The hacked machine was
> trying to talk back to Germany.
> This machine used keys for easy user access.
> I've heard the argument that:
> "Their machine gets hacked, now they are on your machine. Always make
> a user sign in with a strong password."
>
> Just out of curiosity: Is the main gateway router dying the same day
> these files were changed just a coincidence?
> I don't remember hearing before of a hacked server bringing down the
> gateway router.
>
> Thoughts? Advice?
>
> Gordon Golding
>
>
> _______________________________________________
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
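Gordon's observation above (binaries in bin and sbin silently replaced, plus extra copies carrying a random suffix) is exactly what a package-integrity check against Debian's dpkg manifests catches. The script below is an added illustration, not code from anyone in this thread: it verifies bin and sbin against the `var/lib/dpkg/info/*.md5sums` files the way debsums does, and separately lists files that no package claims. The filesystem it scans is constructed in a temp directory; on a real machine you would point `audit()` at the old drive mounted from a trusted boot, since the rootkit can subvert the running system's own tools.

```python
import hashlib
import tempfile
from pathlib import Path

def load_manifest(root):
    """Collect '<md5>  <relative path>' entries from var/lib/dpkg/info/*.md5sums."""
    manifest = {}
    for f in (Path(root) / "var/lib/dpkg/info").glob("*.md5sums"):
        for line in f.read_text().splitlines():
            digest, _, rel = line.partition("  ")  # dpkg uses two spaces, no leading slash
            if rel:
                manifest[rel] = digest
    return manifest

def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit(root, dirs=("bin", "sbin")):
    """Return (modified, unowned): owned files whose digest changed, files no package claims."""
    manifest = load_manifest(root)
    modified, unowned = [], []
    for d in dirs:
        for entry in sorted((Path(root) / d).iterdir()):
            rel = f"{d}/{entry.name}"
            if rel not in manifest:
                unowned.append(rel)          # e.g. a stashed copy with a random suffix
            elif md5_of(entry) != manifest[rel]:
                modified.append(rel)         # e.g. a trojaned cat
    return modified, unowned

def build_sample_root():
    """Constructed fake root (not a real system): one replaced binary, one suffixed copy."""
    root = Path(tempfile.mkdtemp())
    for d in ("bin", "sbin", "var/lib/dpkg/info"):
        (root / d).mkdir(parents=True)
    genuine = {"bin/cat": b"#!/bin/sh\necho genuine cat\n",
               "bin/ls": b"#!/bin/sh\necho genuine ls\n",
               "sbin/ifconfig": b"#!/bin/sh\necho genuine ifconfig\n"}
    lines = [f"{hashlib.md5(data).hexdigest()}  {rel}" for rel, data in genuine.items()]
    (root / "var/lib/dpkg/info/sample-pkg.md5sums").write_text("\n".join(lines) + "\n")
    for rel, data in genuine.items():
        (root / rel).write_bytes(data)
    (root / "bin/cat").write_bytes(b"#!/bin/sh\necho replaced cat\n")   # overwritten binary
    (root / "bin/catwti6mjpJg3PyaTsCzq0s").write_bytes(b"old cat")      # suffix as seen in the thread
    return str(root)
```

`audit(build_sample_root())` returns `(['bin/cat'], ['bin/catwti6mjpJg3PyaTsCzq0s'])`; the untouched ls and ifconfig are reported in neither list.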