[Techtalk] Server was broken into ... what good tools are there to probe vulnerabilities?

Raven, corporate courtesan raven at oneeyedcrow.net
Wed Nov 21 12:23:58 EST 2001


Heya --

Quoth Jen Wu (Tue, Nov 20, 2001 at 12:42:28AM -0800):
> I just discovered my server had been broken into. This happened a couple of
> weeks ago, actually ...

	Ugh.  Been there; I'm so sorry.

> I only discovered it now that I've been going over
> Web logs. I found requests for some files that I was sure I didn't put on my
> system (mafia.html and bedul.html). I looked around for other files, but
> these appear to be the only ones. Both are owned by root and set to read
> only. I assume this means they got root access?

	Yeah.  But in any break-in, until you know the exact extent of
the damage, assume you've been rooted and act accordingly.
 
> The system is a virtual dedicated server at Infinology. They claim their
> servers are secure, but I've found they're kind of a hokey operation and I'm
> not sure I trust them (I'm strongly considering just dumping them and moving
> everything to a box at home). It's also possible that something I installed
> has an exploit (PostNuke .64 would be the most likely candidate), but this
> is unlikely since they're all Web apps and the Web server is definitely not
> running as root.

	I am assuming that you have root on this server?  Real root, not
a jailed root as I know a lot of hosting places will give their
customers.  It will be a lot harder to check things out if you don't.  

> Can people suggest tools I can use to probe vulnerabilities of my system?
 
	Well, the first thing you need to do is (if possible) take a
bit-by-bit image of your system for forensic analysis, and run nmap or
some other portscanning program against your own system to see what
ports it's listening on.  Often hacked boxes will have a few unexpected
ports open.  Then reinstall from original source media and restore your
backups of data.  Don't trust any binaries -- they may have been
trojaned.  Also, chkrootkit (available at http://www.chkrootkit.org) is
good to tell whether your system shows signs of having a rootkit
installed on it, and which one.  It's not 100% accurate, but it is
helpful.

	You can use The Coroner's Toolkit for forensic analysis of your
image to try and figure out what happened and how to prevent it
happening again.  It's a great suite of tools, available at
http://www.porcupine.org/forensics/tct.html

	To try and secure your system after it's reinstalled, here are
some basic recommendations.

1)	Nmap your system and close any ports and shut off any services
that aren't necessary.  

2)	Download Tripwire (http://www.tripwire.org/downloads/index.php)
or some equivalent program to take an image of your system before it
goes online, so that you can track which files are modified at any given
point.  *Store the Tripwire database offline in a secure location.* Then
reboot your system to see what changes, so you know what to expect from
a normal reboot (and thus, what may not be worth freaking out over).  

3)	Subscribe to Bugtraq (among the mailing lists at
http://www.securityfocus.com/) and make sure you are assiduous about
patching any program you run that has a known vulnerability.  

4)	Disable any service that you run that has plain-text passwords
(telnet, FTP, things like that) if possible.  If not possible, run them
in a chrooted environment, Kerberized,  or make sure they have different
passwords than your actual shell accounts, so that hackers can't get a
user account just by sniffing.  Once they have a user account, it's
usually only a matter of time before they get root.

5)	Make sure that all your networked services (anything that's
listening on a port) are patched to the latest version.  These are the
real danger as far as remote exploits.  

6)	Enforce good passwords on your users, and educate them about
security.

7)	Set up a firewall, and external logging to another box.  That
way, if your system is compromised, you'll have a copy of the logs that
you can be reasonably sure haven't been edited.  Setting up an IDS would
be nice, too, but not as necessary.

	I'm sure that there are things that I've forgotten, but that's a
start, anyways.

Cheers,
Raven

"I'm eating stealth cheese that may or may not be immortal?"
  -- Danielle, on pizza and perpetuity
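Step 2 of Raven's list (baseline the box with Tripwire before it goes online, store the database offline, then reboot and learn what a normal reboot changes) is the part most worth seeing in working code. The following is an added example, not part of the original post and not Tripwire's own code or database format: a minimal file-integrity baseline that records size, permission bits and SHA-256 for every regular file under a directory, and a comparison that reports what was added, removed or modified. The directory tree and the changes made in `demo()` are constructed for illustration; the `mafia.html` name only mirrors the file Jen found in her web logs.

```python
"""Minimal file-integrity baseline in the spirit of Tripwire (constructed example).

Not Tripwire and not the mailing-list post's code: it hashes every regular
file under a root, keeps size/mode/sha256 per file, and later classifies the
differences so that a known-good change (a reboot, a package upgrade) can be
told apart from an unexpected one.  The baseline JSON must be kept offline or
on read-only media, exactly as the post advises; a baseline an intruder can
rewrite proves nothing.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root) -> dict:
    """Return {relative posix path: {size, mode, sha256}} for regular files under root.

    Symlinks are skipped on purpose: following them would let a planted link
    pull files from outside the tree into the database."""
    root = Path(root)
    db = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        db[p.relative_to(root).as_posix()] = {
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode),  # permission bits only (setuid included)
            "sha256": _sha256(p),
        }
    return db


def save_baseline(db: dict, path) -> None:
    Path(path).write_text(json.dumps(db, indent=1, sort_keys=True))


def load_baseline(path) -> dict:
    return json.loads(Path(path).read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences: added, removed, and modified (with which attributes differ)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        diffs = [k for k in ("size", "mode", "sha256")
                 if baseline[rel][k] != current[rel][k]]
        if diffs:
            modified[rel] = diffs
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Build a tiny constructed tree, baseline it, alter it, and return the report."""
    root = Path(tempfile.mkdtemp(prefix="baseline-demo-"))
    try:
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        os.chmod(root / "etc" / "passwd", 0o644)  # pin the mode so the later change is visible
        (root / "etc" / "motd").write_text("welcome\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF-stand-in")  # constructed, not a real binary

        baseline = build_baseline(root)
        save_baseline(baseline, root / "baseline.json")   # in real use: copy this offline
        saved = load_baseline(root / "baseline.json")

        # Constructed post-baseline changes of the kinds the post warns about:
        # a replaced binary, a dropped web file, a deleted file, a permission change.
        (root / "bin" / "ls").write_bytes(b"\x7fELF-stand-in-trojaned")
        (root / "etc" / "mafia.html").write_text("<html></html>\n")
        (root / "etc" / "motd").unlink()
        os.chmod(root / "etc" / "passwd", 0o600)

        current = build_baseline(root)
        del current["baseline.json"]  # the database itself is not part of the tree under watch
        return compare(saved, current)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run against a freshly installed system, the useful workflow is: `build_baseline("/")` before the box is networked, `save_baseline` to removable media, reboot, baseline again and `compare`, then record the paths that legitimately change on every boot (logs, pid files, mount tables) so they can be excluded from future alarms. Anything outside that expected set, especially a changed hash on a file under `/bin`, `/sbin` or `/lib`, is what step 2 exists to catch.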



