[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [K12OSN] I got hacked.........



What Jim mentioned here is the first step. 

The second is find out HOW they got in.  Was it an out of date version of 
SSH?   Was SSH running as root (probably...)?  SSH can be set to turn at 
another user, which is much, much wiser.  It is even better to run inside a 
CHROOT jail (I believe I saw a tutorial on this somewhere on the web). 

It is NOT safe to just go and reinstall everything you had, as it will be 
compromised again and again and again. 

Other things that might help you: 

SNORT - www.snort.org - Lightweight Network Intrusion Detection.  I'm gonna put 
this on a separate box on my network and just let it watch.  This way, if a 
machine is compromised, we can know what happened and maybe even who did it. 

Tripwire - http://www.tripwire.org - I think someone else mentioned this, but 
here is the copy/paste from their FAQ: Tripwire is a tool that checks to see 
what has changed on your system. The program monitors key attributes of files 
that should not change, including binary signature, size, expected change of 
size, etc 

ipchains/iptables - If you are only using SSH from inside your network, why let 
it out for the public to attempt to access?  Use iptables to block any traffic 
not from your network destined to ssh on that machine.   

If this isn't a possibilty (need lots of ssh access from home/other places), I 
had the idea of an "ssh bastion."  This would be the one open ssh point to the 
outside world.  Nothing else running on it.  Fortify it to extremes and then 
from/to all your other servers, allow ssh only from the ssh bastion.   

Or if you enjoy having fun and learning new stuff, perhaps an out of band 
management solution (dial up modem in). 

Now I'm babbling. 

- James 

Quoting jam McQuil com: 

> Michael, 
> 
> Cleaning up after a break-in is very difficult.  They've 
> probably replaced many of the utilities that you are using 
> to look around.  Things like ps, netstat, ls, ifconfig, 
> lsmod and many more are probably NOT the original versions. 
> They replace them, to hide processes that may be running. 
> Those processes are probably logging your keystrokes 
> or sniffing your network and finding passwords. 
> 
> Time to buy another hard disk, and reload Linux on it. 
> 
> Then, take the disk that has the comprimized OS on it, and 
> mount that as an additional filesystem, so you can go looking 
> around and learn what they've done. 
> 
> Make sure you stay current with patches on the new disk, to 
> prevent another break-in. 
> 
> 
> Jim McQuillan 
> jam Ltsp org 
> 
> On Tue, 9 Apr 2002, Michael Cortes wrote: 
> 
> > It would appear that someone used SSH to get into my system.  I decided to 
> 
> > install sshd and stop telnet'ing because of the security risk, as soon as I 
> do 
> > it, someone got in. 
> > 
> > Anyhow, here is what I suspect so far: 
> > 
> > 1. when they got in, they created the user "cgi" 
> > 2. they added "unset HISTFILE" and "unset HISTSAVE" to the root's 
> > .bash_profile.  This casused root to not save the history so I couldn't see 
> 
> > what was run as root. 
> > 3. logging is not happening.  I have checked my log files and the last 
> entries 
> > are about the time I first detected the break in. 
> > 
> > So my questions are: 
> > 
> > Did I do right by deleting the cgi user?  Was this user necessary? 
> > How do I turn on logging back on?  I have no idea where to look. 
> > What is a good/quick way to tell which users have no password set? 
> > 
> > Thank you, 
> > 
> > 
> > 
> > 
> > Michael Cortes 
> > Fort LeBoeuf School District 
> > 34 East 9th Street 
> > PO Box 810 
> > Waterford PA 16411-0810 
> > 814.796.4795 
> > Fax1 814.796.3358 
> > Fax2 978-389-1258 
> > 
> > 
> > 
> > _______________________________________________ 
> > K12OSN mailing list 
> > K12OSN redhat com 
> > https://listman.redhat.com/mailman/listinfo/k12osn 
> > For more info see <http://www.k12os.org> 
> > 
> 
> -- 
> 
> 
> 
> _______________________________________________ 
> K12OSN mailing list 
> K12OSN redhat com 
> https://listman.redhat.com/mailman/listinfo/k12osn 
> For more info see <http://www.k12os.org> 
> 


- James 






[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]