>> One plan I think is rather valuable is to simply run the server and watch it
>> very carefully.
That would make it a honey pot in production. I would advise more active measures (if you have access/control/contact over the network/firewalls).
Ron
________________________________
From: kclug-bounces(a)kclug.org on behalf of Jonathan Hutchins
Sent: Fri 2/25/2005 5:19 PM
To: kclug(a)kclug.org
Subject: Re: Server Saga
On Friday 25 February 2005 03:56 pm, Brian Densmore wrote:
> since you apparently had already been hacked prior to the
> reinstall (evidenced by the rm -rf /), I would wager that
> your reload from the image you have here is already rooted.
Nope. Checked that. The image was several weeks old, and while an exploit
may have been planted, then used at a later date, I think this is unlikely.
Any traces of the actual cause of the file disappearance were lost with the
restore. (Personally, I am a bit suspicious that the primary client may have
screwed something up.)
Having made a full restore and run for most of a week, hardware failure
doesn't look likely, and the S.M.A.R.T. utils I subsequently installed don't
indicate it.
> Of course it could also be that the cracker is watching the
> system and actively rooting it, so that when you re-installed
> whatever method was previously used to crack the system was
> used again in short order.
That is a distinct possibility - not exactly short order, but we may be on his
list of easy marks. Then again, while there is a certain amusement to be had
in simply destroying a system, it's not the way most people spend a lot of
their time. I suppose one of the clients on the server could have annoyed
someone sufficiently to motivate a repeated attack.
> So, in either case I think a little research is in order to determine
> how to keep this particular bad guy out.
Um, yes. I believe that's implied in my earlier query. In particular, there
is the kernel update, and I will be looking for further ways to tighten CGI
security, as well as looking for other clues.
One plan I think is rather valuable is to simply run the server and watch it
very carefully.
_______________________________________________
Kclug mailing list
Kclug(a)kclug.org
http://kclug.org/mailman/listinfo/kclug
See details below... FYI: the Return-path: seems to be randomized and
set for various high profile domains (Google/ibm...)
==============
From - Sat Feb 26 23:10:17 2005
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-path: <wdmayujifg(a)google.com>
Envelope-to: hanasaki(a)hanaden.com
Delivery-date: Sat, 26 Feb 2005 23:10:15 -0600
Received: from user-12hci8q.cable.mindspring.com ([69.22.73.26]
helo=google.com)
by cognition.home.hanaden.com with smtp (Exim 4.44)
id 1D5Ggj-0007Wk-9A
for hanasaki(a)hanaden.com; Sat, 26 Feb 2005 23:10:14 -0600
From: WAMU Bank <alert(a)wamu.com <yqtnsqvhvk(a)ebay.com>
To: hanasaki <hanasaki(a)hanaden.com>
X-Priority: 3
X-MSMail-Priority: Normal
Reply-To: WAMU Bank <alert(a)wamu.com <yqtnsqvhvk(a)ebay.com>
mime-version: 1.0
content-type: multipart/mixed;
boundary="qzsoft_directmail_seperator"
X-SA-Exim-Connect-IP: 69.22.73.26
X-SA-Exim-Mail-From: wdmayujifg(a)google.com
Subject: Important Security Issue: Bank Account Alert (details inside)
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on
cognition.home.hanaden.com
X-Spam-Level: ***
X-Spam-Status: No, score=3.3 required=6.7 tests=ALL_TRUSTED,FAKEDWORD_ZERO,
MIME_BASE64_TEXT,MISSING_DATE,MISSING_MIMEOLE,PRIORITY_NO_NAME,
RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL autolearn=no
version=3.0.2
X-SA-Exim-Version: 4.2 (built Tue, 25 Jan 2005 19:36:50 +0100)
X-SA-Exim-Scanned: Yes (on cognition.home.hanaden.com)
--qzsoft_directmail_seperator
Content-Type: text/plain;
charset="DEFAULT"
Content-Transfer-Encoding: base64
--qzsoft_directmail_seperator--
==========
Important Security Issue
Dear Wamu Member,
We recently determined that a different computer has logged into your
Online Banking
account, and multiple password failures were present before the logons.
We now need you to re-confirm your account information to us. If this is
not completed
within 24h , we will be forced to suspend your account as it may have
been comrpomised.
We thank you for your cooperation in this matter.
http://members.aol.com/wamubankalert/viewnow.html
Thank you for your promt attention to this matter. Please understand
that this is a security
measure meant to help protect you and your account.
We apologize for any inconvenience.
If you choose to ignore our request you leave us no choice but to
temporarily suspend your
account.
Thank you for using WAMU! The WAMU Team
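The headers quoted above carry the usual forgery tells: an envelope sender at google.com, a visible From: at wamu.com, a Reply-To: at ebay.com, and a relay whose reverse name is a cable-modem host but which announces itself as HELO google.com, all scored below the local SpamAssassin threshold. The following script is an added example, not something from the thread or from any of its posters; it parses a constructed copy of those headers (the archive's "(a)" munging reversed to "@", the malformed double-address From:/Reply-To: lines reduced to one address each, the base64 body omitted) and reports each inconsistency. Header names and the regular expression for Exim's Received: format are assumptions about this one sample, not a general parser.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample modelled on the phishing headers quoted in the thread.
# Addresses are de-munged, the double-address From:/Reply-To: lines are
# simplified to one address each, and the base64 body is a placeholder.
SAMPLE = """Return-Path: <wdmayujifg@google.com>
Received: from user-12hci8q.cable.mindspring.com ([69.22.73.26]
\thelo=google.com)
\tby cognition.home.hanaden.com with smtp (Exim 4.44)
\tid 1D5Ggj-0007Wk-9A
\tfor hanasaki@hanaden.com; Sat, 26 Feb 2005 23:10:14 -0600
From: WAMU Bank <alert@wamu.com>
Reply-To: WAMU Bank <yqtnsqvhvk@ebay.com>
To: hanasaki <hanasaki@hanaden.com>
Subject: Important Security Issue: Bank Account Alert (details inside)
X-Spam-Status: No, score=3.3 required=6.7 tests=ALL_TRUSTED,FAKEDWORD_ZERO

(base64 body omitted)
"""

# Exim-style first hop: "from <rdns> ([<ip>] helo=<claimed name>)"
RECEIVED_RE = re.compile(r"from (\S+) \(\[([\d.]+)\] helo=(\S+)\)")
SCORE_RE = re.compile(r"score=([\d.]+) required=([\d.]+)")


def domain_of(header_value):
    """Lower-cased domain of the address in a From:/Reply-To:/Return-Path: header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def parse_first_hop(received):
    """Return (reverse_dns, ip, helo) from a folded Received: header, or None."""
    flat = re.sub(r"\s+", " ", received or "")  # unfold continuation lines
    m = RECEIVED_RE.search(flat)
    return m.groups() if m else None


def analyze(raw):
    """Flag the envelope/header inconsistencies typical of forged mail."""
    msg = email.message_from_string(raw)
    from_dom = domain_of(msg["From"])
    findings = {
        # envelope sender domain differs from the visible From: domain
        "return_path_mismatch": domain_of(msg["Return-Path"]) != from_dom,
        # replies would land at a third domain, not the claimed sender
        "reply_to_mismatch": domain_of(msg["Reply-To"]) != from_dom,
        "helo_mismatch": False,
        "first_hop": None,
        "spam_score_below_threshold": False,
    }
    hop = parse_first_hop(msg["Received"])
    if hop:
        rdns, _ip, helo = hop
        findings["first_hop"] = hop
        # reverse DNS of the relay does not belong to the HELO domain it claims
        findings["helo_mismatch"] = not rdns.lower().endswith(helo.lower())
    m = SCORE_RE.search(msg.get("X-Spam-Status", ""))
    if m:
        score, required = float(m.group(1)), float(m.group(2))
        # the filter fired several tests but the site threshold let it through
        findings["spam_score_below_threshold"] = score < required
    return findings


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

Each check on its own is weak (mailing lists and legitimate bulk senders also have Return-Path/From mismatches), which is why the page's SpamAssassin score of 3.3 stayed under the 6.7 threshold; the combination of all three address-domain mismatches with a HELO that contradicts reverse DNS is what makes this sample worth quarantining.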
First, I don't know much about the business relationship, so this is all speculation. But I do see opportunity for $$, justified (pardon my politics) by fear, uncertainty and doubt about security. After all, they were hacked, files missing, and down for over a day. Who knows what else, forensics was not performed, only recovery.
You said you manage the site. I presume you get paid. They didn't pay you enough to keep current with software versions. Their bad. But that is tempered by the understanding they had when they entrusted the site to you, do you 'own' the security? Did you give them assurances? Or was it overlooked and now a problem.
If you have time (if you don't, subcontract it), figure out what needs to be done to update the box to current standards, including the web pages/apps (if you do those, or even if not) and send them a total estimate. They will 'negotiate', but mostly they need to understand: _this_must_be_done_ to prevent recurrence. They will pay if the website draws business to them (read: $$$$). Temper this suggestion by how important is it to them.
I see money in your future with a serious reason for doing so [security]. Please include a monthly fee to stay current on software/apps (15-20% maintenance). You will take care of them better if they pay as a monthly customer, your relationship will be more important both ways.
If you are doing it for a co-worker/friend/family or such, then I wouldn't be so harsh. But for arms length business arrangements, I'd say cha-ching. And it would be money well spent (on both sides).
Ron
________________________________
From: kclug-bounces(a)kclug.org on behalf of Jonathan Hutchins
Sent: Fri 2/25/2005 5:42 PM
To: kclug(a)kclug.org
Subject: Re: Server Saga
On Friday 25 February 2005 05:22 pm, Geoffrion, Ron P [ITS] wrote:
>> One plan I think is rather valuable is to simply run the server and
>> watch it very carefully.
> That would make it a honey pot in production. I would advise more active
> measures (if you have access/control/contact over the
> network/firewalls).
I'm open to suggestions; I certainly didn't imply that was the _only_ thing
I'd be doing. I do need to maintain the server in production; I do not
control the firewalls but they are well managed.
Well, I'm no expert, but...
since you apparently had already been hacked prior to the
reinstall (evidenced by the rm -rf /), I would wager that
your reload from the image you have here is already rooted.
Of course it could also be that the cracker is watching the
system and actively rooting it, so that when you re-installed
whatever method was previously used to crack the system was
used again in short order. So, in either case I think a little
research is in order to determine how to keep this particular bad
guy out.
> -----Original Message-----
> From: Jonathan Hutchins
>
> ... I reformatted the filesystem and restored an image
> I had here via
> rsync. By the next morning when someone was available to put
> it back on-line
> the restore had completed.
>
> We got the system up and running again, and I restored
> configuration changes
> while the client restored HTML. By lunchtime everything was
> back in good
> shape.
>
>
> I haven't done much with it since, but as I was getting ready
> to reboot after
> a kernel update this morning, I did a 'ps ax' and saw something called
> "rootedoor" running.
> (http://vil.mcafeesecurity.com/vil/content/v_128116.htm
> for info on rootedoor.) I went ahead with the reboot and it
> vanished, leaving
> no apparent trace. I immediately started checking for suspicious and
> modified files.
>
Did you finally restore from backup or something? I didn't hear how you got it back up. You said it was in AZ or someplace far away. Just curious what got you to the point you could talk to the machine. These kind of stories are like trashy novels for geeks.
Brian Kelsay
>>> Jonathan Hutchins <> 02/25/05 01:50PM >>>
I found a trojan running on my server today - rootedoor
(http://vil.mcafeesecurity.com/vil/content/v_128116.htm).
Couldn't find much information about it on the web. If you know anything
specific about it (not general speculation on rootkits, trojans, etc.), I
would appreciate you sharing it with the list.
I detected it running as one of the last two processes listed by 'ps ax' just
before a reboot to install a new kernel; the reboot seems to have eliminated
all traces of it from the system.
I found a number of missing or corrupt Perl modules on the system, but that
may not be related, it's an old system and I've had some Perl issues before.
This _is_ the system that suddenly lost all its files Sunday night, so it
could have been hacked before.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi All,
~ The server seems to be running fine now. The only thing left to fix
is the Feb archives. The HTML seems to be borked, but all of the
archives are still there. We should have that back soon. Please, let
us know if there's something on the site that's not working.
Chris
- --
I digitally sign my emails. If you see an attachment with .asc, then
that means your email client doesn't support PGP digital signatures.
http://www.gnupg.org/(en)/documentation/faqs.html#q1.1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFCHMA5E5xXU3JS1mQRAlvLAKCKm3DmnycVJPpCxJD2cbzU3JA9SwCgqc2K
aItRO7W3TvVi+gsYJZKqZYA=
=Yj5s
-----END PGP SIGNATURE-----
Just noticed that Yahoo uses QMail from this failure notice. I sent something to a bogus address so I can put real addresses in BCC only. With the number of users they have, qmail must be pretty tough.
Hi. This is the qmail-send program at yahoo.com.
I'm afraid I wasn't able to deliver your message to the following
addresses.
This is a permanent error; I've given up. Sorry it didn't work out.
Brian Kelsay
test, by Charles, Joshua Micah (UMKC-Student), 22 Feb '05
That is exactly what I was thinking after this thread started yesterday. Although I'm not a programmer I am getting into some scripting. I use Wise scripting at work for some things and it is pretty customized to the way you build an .msi, but I suppose like any scripting language it could be used for more than it was originally designed. Anyway, I'm using WiseScript to build an installer for a program called Rational Development Studio and Rational has Perl 5.6.1 as a component that Websphere developers can use.
Point being that, as far as I know, Perl works the same on a Winders box as it does on a *nix box. There is that trouble with file paths having the "/" going the wrong direction on Winders, but I'm sure there is a decent workaround in Perl. If I could just read Perl I might understand, but Perl looks to me like some secret code.
So, please someone turn Mono/.Net into something positive that is truly multi-platform, multi-language, etc. Don't just give the whole thing lip service and compromise on functionality and principles. That is why I will wait and see before I install either Mono or .Net, unless I absolutely have to.
Brian Kelsay
>>> "Brian Densmore" <> 02/16/05 04:56PM >>>
One more thing. I am all for using mono to embrace .Net
and c#. I believe we should take this opportunity to
"embrace and extend" .net and c#. We should add features to
.net and to c# to make it better, faster and more useful for
the world at large. We should make these features available via
GPL. What better way to take away Microsoft market share than by
using their own tactics against them. Plus if we add features
we can be sure they really do work in cross-browser/platforms,
and they are the features that we really want and are useful.