[Techtalk] Server was broken into ... what good tools are there to probe vulnerabilities?

Raven, corporate courtesan raven at oneeyedcrow.net
Wed Nov 21 14:35:58 EST 2001


Heya --

Quoth jennyw (Wed, Nov 21, 2001 at 09:42:50AM -0800):
> Thanks for all the suggestions, Raven! I tried downloading nmap ... there
> are more things than I'd want opened up, but I suspect that this is just the
> stuff that the hosting company decided to leave open.

	If you're not in control of that, you're going to have a hard
time keeping the system secure.  You need to be able to close ports,
etc.  The rpc services in particular are on by default under many
distros, and are relatively easily hacked if not set up well.  There are
exploits for the ntp daemon (time synching).  There was a recent thread
on Bugtraq about the BSD telnet daemon (almost all modern Unix telnets
are based off it, including Linux ones) having a huge hole in it.  If
the sysadmin who does control what ports the system is listening on
isn't really on the ball, you can get hacked.

	When nmapping a system, always do it from another external
system.  That way (as long as your external system is trusted) you know
you're getting the real output.  Nmap has some other useful options you
may want to check out as well as the basic portscan -- read the man page
for details.  OS fingerprinting, etc -- exactly the sorts of things that
hackers do when determining how to attack your system.
 
> It was actually kind of weird that the hackers got into the site and added
> html files to two sites without actually defacing either.  Makes me think
> they didn't quite finish the job.

	Many hackers, once they get into a system, want to stay under
the radar of the sysadmin and keep the system.  It's not unknown for
them to fix other security holes, just so they can keep "their" system.
Not all hackers are into defacement.

	(Also, the obligatory but useless hacker/cracker/script-kiddie
distinction.  Reference the Jargon File.  Right.)
 
> Of course, you're probably right, I should try to check everything.
> Unfortunately, this is a virtual server provided by a hosting company that
> is none too responsive when it comes to support calls.

	Then there's probably not a lot you can do, other than move or
start hosting your boxes yourself.

> I may ask
> them to reset the system since it really is just configured as a Web server.

	If they don't fix whatever hole the bad guys used to get into
your system, that won't do any good.  The bad guys will just use that
same exploit again.  They need to fix their security and find and plug
their hole.

> I'm still curious as to how the hackers got into my system. There was one
> user with a weak password (I had set it up for testing and then forgot to
> delete it -- bad Jen!), so it's possible that they got in that way.  But how
> does one gain root access once one logs in with a non-root account?
 
	Buffer overflows in any program that runs as root but takes user
input... badly coded webforms that do the same... things where you can
give it a username like 

[29 rows of XXXXXXXXXXXXXXXXXXXXXXXXXX]
rm -rf /

are bad.  Check the Bugtraq archives for specific examples.  Or google
search for "local root exploits".  (Given the new terrorism laws we have
in the US, I'm not going to get into "how to hack".)  But there are lots
of script kiddies out there using prefabricated kits that try all sorts
of exploits until they find one that works.  And then once they have a
root prompt, it's relatively easy to install a rootkit or trojan a
daemon or add some new users with privileges so that they can get back
in whenever they want.

	For a good overview of Linux security, check out a book called,
"Hacking Linux Exposed".  It's very thorough and helpful to the
security-conscious sysadmin.

Cheers,
Raven
 
"I'm eating stealth cheese that may or may not be immortal?"
  -- Danielle, on pizza and perpetuity
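As an added illustration of the advice above (scan from a separate, trusted box and then actually look at what is open), here is a small audit script; it is not part of the original message or of nmap itself. It parses nmap's grepable output format (`-oG`), compares the open ports against an allowlist of what a plain web server should expose, and reports anything extra (such as the telnet, rpc and ntp services the reply mentions) plus anything expected that is not answering. The scan output embedded below is a constructed sample, and the allowlist and host address are assumptions for the example.

```python
import re
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample of nmap -oG ("grepable") output for one host, as it
# would come from running nmap on an external, trusted machine.  The host
# address and the service list are invented for this example.
SAMPLE_NMAP_GREPABLE = (
    "# Nmap scan initiated (constructed sample) as: nmap -sS -sU -oG - 192.0.2.10\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, "
    "80/open/tcp//http///, 111/open/tcp//rpcbind///, 123/open/udp//ntp///, "
    "443/closed/tcp//https///\tIgnored State: filtered (994)\n"
    "# Nmap done (constructed sample) -- 1 IP address (1 host up) scanned\n"
)

# Assumed policy for a box that is "just configured as a Web server":
# ssh for administration, http and https for the sites.  (port, protocol).
WEB_SERVER_ALLOWLIST: Set[Tuple[int, str]] = {(22, "tcp"), (80, "tcp"), (443, "tcp")}


class PortEntry(NamedTuple):
    port: int
    proto: str
    state: str
    service: str


# The Ports: field runs from "Ports:" up to the next tab-separated field.
_PORT_FIELD = re.compile(r"Ports:\s*([^\t]+)")


def parse_grepable(text: str) -> List[PortEntry]:
    """Extract every port entry from the Host: lines of nmap -oG output."""
    entries: List[PortEntry] = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        m = _PORT_FIELD.search(line)
        if not m:
            continue  # e.g. the "Status: Up" line carries no port list
        for item in m.group(1).split(", "):
            # Each entry is port/state/protocol/owner/service/rpcinfo/version/
            fields = item.split("/")
            if len(fields) < 5:
                continue  # malformed entry; skip rather than crash the audit
            entries.append(PortEntry(int(fields[0]), fields[2], fields[1], fields[4]))
    return entries


def audit(text: str, allowlist: Set[Tuple[int, str]]) -> Dict[str, list]:
    """Compare open ports seen by the external scan against the allowlist.

    Returns the open ports that policy does not permit ("unexpected") and the
    permitted ports that the scan did not find open ("missing").
    """
    open_ports = [e for e in parse_grepable(text) if e.state == "open"]
    seen = {(e.port, e.proto) for e in open_ports}
    unexpected = [e for e in open_ports if (e.port, e.proto) not in allowlist]
    missing = sorted(allowlist - seen)
    return {"unexpected": unexpected, "missing": missing}


if __name__ == "__main__":
    result = audit(SAMPLE_NMAP_GREPABLE, WEB_SERVER_ALLOWLIST)
    for e in result["unexpected"]:
        print(f"UNEXPECTED  {e.port}/{e.proto} ({e.service}) is open -- close it or justify it")
    for port, proto in result["missing"]:
        print(f"MISSING     {port}/{proto} is in policy but not open from outside")
```

Run it against `nmap -oG - <host>` output saved from the external machine; every line marked UNEXPECTED is a service that either needs to be shut off or explicitly added to the allowlist with a reason. Because the data comes from the external scan rather than from the possibly-compromised host's own `netstat`, a rootkit that hides listeners locally cannot hide them here.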
