[Techtalk] Server was broken into ... what good tools are there to probe vulnerabilities?

jennyw jennyw at dangerousideas.com
Wed Nov 21 10:42:50 EST 2001 

Thanks for all the suggestions, Raven! I tried downloading nmap ... there
are more things than I'd want opened up, but I suspect that this is just the
stuff that the hosting company decided to leave open.

It was actually kind of weird that the hackers got into the site and added
html files to two sites without actually defacing either.  Makes me think
they didn't quite finish the job.

Of course, you're probably right, I should try to check everything.
Unfortunately, this is a virtual server provided by a hosting company that
is none too responsive when it comes to support calls. They haven't
contacted me since I sent them an e-mail about this Sunday night. I may ask
them to reset the system since it really is just configured as a Web server.
Knowing them, they'll want to charge me a setup fee ... Ugh. I hate
Infinology. Unfortunately they were the only hosting company I could find
that I could host a DNS server and unlimited virtual domains at without
having to pay >$100/month. If anyone knows of alternatives, I'd love to hear
about them!

I'm still curious as to how the hackers got into my system. There was one
user with a weak password (I had set it up for testing and then forgot to
delete it -- bad Jen!), so it's possible that they got in that way.  But how
does one gain root access once one logins with a non-root account?

Thanks!

Jen


----- Original Message -----
From: Raven, corporate courtesan <raven at oneeyedcrow.net>
To: <techtalk at linuxchix.org>
Sent: Wednesday, November 21, 2001 8:23 AM
Subject: Re: [Techtalk] Server was broken into ... what good tools are there
to probe vulnerabilities?


> Heya --
>
> Quoth Jen Wu (Tue, Nov 20, 2001 at 12:42:28AM -0800):
> > I just discovered my server had been broken into. This happened a couple
of
> > weeks ago, actually ...
>
> Ugh.  Been there; I'm so sorry.
>
> > I only discovered it now that I've been going over
> > Web logs. I found requests for some files that I was sure I didn't put
on my
> > system (mafia.html and bedul.html). I looked around for other files, but
> > these appear to be the only ones. Both are owned by root and set to read
> > only. I assume this means they got root access?
>
> Yeah.  But in any break-in, until you know the exact extent of
> the damage, assume you've been rooted and act accordingly.
>
> > The system is a virtual dedicated server at Infinology. They claim their
> > servers are secure, but I've found they're kind of a hokey operation and
I'm
> > not sure I trust them (I'm strongly considering just dumping them and
moving
> > everything to a box at home). It's also possible that something I
installed
> > has an exploit (PostNuke .64 would be the most likely candidate), but
this
> > is unlikely since they're all Web apps and the Web server is definitely
not
> > running as root.
>
> I am assuming that you have root on this server?  Real root, not
> a jailed root as I know a lot of hosting places will give their
> customers.  It will be a lot harder to check things out if you don't.
>
> > Can people suggest tools I can use to probe vulnerabilities of my
system?
>
> Well, the first thing you need to do is (if possible) take a
> bit-by-bit image of your system for forensic analysis, and run nmap or
> some other portscanning program against your own system to see what
> ports it's listening on.  Often hacked boxes will have a few unexpected
> ports open.  Then reinstall from original source media and restore your
> backups of data.  Don't trust any binaries -- they may have been
> trojaned.  Also, chkrootkit (available at http://www.chkrootkit.org) is
> good to tell whether your system shows signs of having a rootkit
> installed on it, and which one.  It's not 100% accurate, but it is
> helpful.
>
> You can use The Coroner's Toolkit for forensic analysis of your
> image to try and figure out what happened and how to prevent it
> happening again.  It's a great suite of tools, available at
> http://www.porcupine.org/forensics/tct.html
>
> To try and secure your system after it's reinstalled, here are
> some basic recommendations.
>
> 1) Nmap your system and close any ports and shut off any services
> that aren't necessary.
>
> 2) Download Tripwire (http://www.tripwire.org/downloads/index.php)
> or some equivalent program to take an image of your system before it
> goes online, so that you can track which files are modified at any given
> point.  *Store the Tripwire database offline in a secure location.* Then
> reboot your system to see what changes, so you know what to expect from
> a normal reboot (and thus, what may not be worth freaking out over).
>
> 3) Subscribe to Bugtraq (among the mailing lists at
> http://www.securityfocus.com/) and make sure you are assiduous about
> patching any program you run that has a known vulnerability.
>
> 4) Disable any service that you run that has plain-text passwords
> (telnet, FTP, things like that) if possible.  If not possible, run them
> in a chrooted environment, Kerberized,  or make sure they have different
> passwords than your actual shell accounts, so that hackers can't get a
> user account just by sniffing.  Once they have a user account, it's
> usually only a matter of time before they get root.
>
> 5) Make sure that all your networked services (anything that's
> listening on a port) are patched to the latest version.  These are the
> real danger as far as remote exploits.
>
> 6) Enforce good passwords on your users, and educate them about
> security.
>
> 7) Set up a firewall, and external logging to another box.  That
> way, if your system is compromised, you'll have a copy of the logs that
> you can be reasonably sure haven't been edited.  Setting up an IDS would
> be nice, too, but not as necessary.
>
> I'm sure that there are things that I've forgotten, but that's a
> start, anyways.
>
> Cheers,
> Raven
>
> "I'm eating stealth cheese that may or may not be immortal?"
>   -- Danielle, on pizza and perpetuity
>
> _______________________________________________
> Techtalk mailing list
> Techtalk at linuxchix.org
> http://www.linuxchix.org/mailman/listinfo/techtalk
>
>
>

More information about the Techtalk mailing list