Hacked systems and the law
Jonathan Hutchins
hutchins at tarcanfel.org
Tue Apr 22 15:47:48 CDT 2003
Quoting Bradley Miller <bradmiller at dslonramp.com>:
> My fear is it was a telnet session or perhaps a sniff of traffic at my new
> server's location. RAQ4 boxes are shipped with ... a GUI to get
> into the system.
My bet would be on the GUI, possibly a known back door or admin password. The
GUI _should_ be running over SSL; if not, it's probably the weakness. Telnet
servers are hackable, but mostly, as you said, by sniffing.
Sniffing an entire ISP would be quite a project though - lots of data to find
a new system at the time the admin's logging in. One would suspect an inside
job if it were a sniff attack. You might also go prowling the newsgroups for
the specific combination of packages that were installed. And sort through
your logs to see if you can figure out precisely what was done through what
interface.
> What am I doing to fix it? Simple -- both of these machines are going
> away in a matter of a week or so ...
You should make sure that you have telnet disabled; telnet should of course
not allow root to log in, nor should SSH, which must run v.2 not v.1, and you
should make sure that if the GUI is still active it only runs over SSL. If
you haven't found and secured the vulnerability, you'll be hacked again (if
you haven't already).
I've been trying to recall where I saw this excellent article on recovery -
sysadmin, Linux Mag, or Linux Journal in the past year. You need some basic
tools on secure media, you need checksums on critical programs (login, ls,
bash).
Tripwire's a great idea - scans critical files for changes in checksum, which
gives you notification that you've been hacked as well as a roadmap to recover
what was changed. It is, however, a real PITA to set up - you have to weed
through the default configuration eliminating all the stuff your server
doesn't have or that you know can change daily without a problem.
RH6.2 is a valid and securable platform. The GUI RAQ4 supplies may not be,
but you should be able to (and should immediately) secure the boxes as they
are.
This is an example of something security professionals try to hammer home
again and again: assuming that a default installation is secure without
investigating the specific settings is foolish, whether the installation is
Linux, Microsoft, or any other OS. Unless you have someone's name on the line
saying "this system is secure from intrusion", you should assume you have an
open system and take positive action to secure it.
I figure any system I didn't secure myself is essentially a honeypot.
---------------------------------------------------
This mail sent through tarcanfel's horde/imp system
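The checksum-on-critical-binaries idea from the post above (login, ls, bash, and what Tripwire automates) in a minimal form, as an added example that is not part of the original message or of Tripwire itself. It records a SHA-256 digest, size and permission bits for a list of files, then reports which entries changed, went missing or appeared. The file list and the scenario in `demo()` are constructed in a temporary directory; on a real host the list would name the actual binaries and the baseline would be kept on read-only media, as the post recommends for recovery tools.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical file list for the constructed demo; a real baseline would
# name the audited host's own binaries (the post mentions login, ls, bash).
CRITICAL_FILES = ["bin/login", "bin/ls", "bin/bash"]


def sha256_file(path):
    """Hash a file in chunks so large binaries never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, relpaths):
    """Record digest, size and permission bits per file; a missing file is None.

    The mode is kept as well as the digest so that a permission change
    (e.g. a newly set setuid bit) is flagged even if the bytes are identical.
    """
    baseline = {}
    for rel in relpaths:
        p = Path(root) / rel
        if not p.is_file():
            baseline[rel] = None
            continue
        st = p.stat()
        baseline[rel] = {
            "sha256": sha256_file(p),
            "size": st.st_size,
            "mode": st.st_mode & 0o7777,
        }
    return baseline


def compare(baseline, current):
    """Diff two baselines into changed / missing / added / unchanged lists."""
    report = {"changed": [], "missing": [], "added": [], "unchanged": []}
    for rel, old in baseline.items():
        new = current.get(rel)
        if old is None and new is None:
            report["unchanged"].append(rel)   # absent both times: nothing to report
        elif old is None:
            report["added"].append(rel)       # file appeared since the baseline
        elif new is None:
            report["missing"].append(rel)     # file deleted since the baseline
        elif old != new:
            report["changed"].append(rel)     # digest, size or mode differs
        else:
            report["unchanged"].append(rel)
    return report


def demo():
    """Constructed scenario: baseline three stand-in files, then alter one
    and remove another, exactly the kind of change an integrity check exists
    to surface after a compromise."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        for rel in CRITICAL_FILES:
            (root / rel).write_bytes(b"original contents of " + rel.encode())
        baseline = build_baseline(root, CRITICAL_FILES)

        # Simulate what a later scan should detect: one file's contents
        # replaced, one file gone.
        (root / "bin/ls").write_bytes(b"replaced contents")
        (root / "bin/login").unlink()

        current = build_baseline(root, CRITICAL_FILES)
        return compare(baseline, current)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category}: {files}")
```

The baseline only proves anything if it was taken before the intrusion and stored where the intruder could not rewrite it; a baseline kept on the compromised disk can simply be regenerated to match the replaced binaries. That is also why the post's advice to keep a known-good `ls`, `bash` and checksum tool on secure media matters: the scanner itself must be trusted before its report can be.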