[TriLUG] Have I been compromised?

Andrew Perrin clists at perrin.socsci.unc.edu
Thu May 23 15:29:59 EDT 2002


Much of what Ed Hill said, I echo; my Debian machine has been on the net
for a year or so with, as far as I can tell, no security violations. (I
know, the OP was about RedHat, but why not expand the
discussion?)  However, I don't agree with the idea that only systems with
valuable information ought to be considered targets. A story to back up my
claim:

A few years ago I worked for a small department at the University of
California, Berkeley, as a system administrator (Solaris, Linux, NT). We
managed the network in the department's building, but we also had to
manage a few labs of NT computers elsewhere on campus. What we eventually
did was to put an old Sparc box in each of these labs to act essentially
as an SMB router; it ran only Samba and default Solaris stuff, and
collected browse lists for the labs and routed server requests to our main
Samba server. It was a very neat, clean solution, since it meant we rarely
had to get up and go to these remote labs.

Unfortunately, someone cracked these machines (using the sadmind
vulnerability) and gained root access to them. In themselves, these
machines were useless. But they were used by the intruders for two things:
1.) to sniff plaintext passwords on the subnet; and
2.) to launch DoS attacks elsewhere.

We definitely heard about it when this started. Moral of the story: a
vanilla machine on a capable network is a target, regardless of its
contents or use.

ap

----------------------------------------------------------------------
Andrew J Perrin - http://www.unc.edu/~aperrin
Assistant Professor of Sociology, U of North Carolina, Chapel Hill
clists at perrin.socsci.unc.edu * andrew_perrin (at) unc.edu
