[TriLUG] invisible directories...

Ryan Leathers ryan.leathers at globalknowledge.com
Tue Apr 22 11:52:28 EDT 2003


Agreed,

Samba is the likely approach given your description.  I also lean toward
Jon's thinking that this was the work of a script kiddie.  Any hacker
with skills wouldn't do the things described, namely, bombarding the
compromised target with port scans and changing multiple binaries.
Instead, the skilled hacker would keep the footprint of change small and
the suspicious traffic scarce.  Once access is gained the plan is to
escalate privs then expand influence to other systems.  Waving a big
flag (as in this case) is sooooo script kiddie.

Out of curiosity I took a look at RH9 default vsftp configs to see if
using defaults alone presented any weaknesses - nothing alarming to me.
  
On Tue, 2003-04-22 at 10:24, Jon Carnes wrote:
> I'm guessing that they got in via Samba.  There was a recent exploit
> that was advertised and if they didn't update their samba then it would
> be easy for a script kiddie to auto-scan and implant a root kit.
> 
> One easy way of testing your machines is to do regular scans of your
> exposed network with nmap.  Simply store the tests in a file and then do
> a diff against each new scan.  Mail the diffs to your admin group.
> 
> Standard root kits will open some bizarre ports on your box and those
> will show up immediately.  Subtler root kits have your box check into an
> IRC channel on a regular basis and look for commands dropped off by
> their "master".  The moral: block any and *all* ports that your server
> does not use, both incoming and outgoing.  The root kit will then be
> forced to drop your firewall in order to work, and then your server will
> show up like a lit Christmas tree at midnight on your network scan. 
> 
> Couple that with running a compare against known good binaries every ten
> minutes and you'll be fairly safe (or at least you'll know when you've
> been hacked).
> 
> Good Luck - Jon Carnes
> 
> On Tue, 2003-04-22 at 01:39, Jeffery Painter wrote:
> > well, it was standard rh 8.0 install. vsftp was the ftp program running, 
> > samba, apache, ssh, and tomcat were the only other networked apps running.
> > 
> > unfortunately the box is on a client's network and I don't have control 
> > over their firewall... i locked down every other service. installed the 
> > usual redhat errata fixes (i grabbed them from kickstart.linux.ncsu.edu) 
> > so i think i was in the clear there.
> > 
> > in essence, i think i did everything a reasonable admin would do... it 
> > wasn't until i installed portsentry that i started noticing the box was 
> > getting bombarded with port scans. and i don't know if i will ever know 
> > the exact way they found their way in... i discovered a hacked ssh running 
> > and several of the binaries were replaced as mentioned.. luckily all my 
> > data was intact and i've moved development to another box until i can 
> > reinstall from scratch.
> > 
> > someone was damned persistent is all i can say :)
> > 
> > thanks for the pointers everyone though. makes me glad I run a backup 
> > every hour :) just call me paranoid with good reason.
> > 
> > 
> > Jeff Painter
> > painter at kiasoft.com
> > 
> 
> 
> _______________________________________________
> TriLUG mailing list
>     http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ:
>     http://www.trilug.org/faq/TriLUG-faq.html
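The "scan, store, diff, mail" routine Jon describes above, written out as an added example by the editor (it is not code from anyone in this thread). It assumes nmap and a working `mail` command are on the PATH, that scans are kept under `$SCAN_DIR`, and that `$ADMIN_MAIL` and `$TARGETS` are placeholders you replace with your own alias and your own exposed range. The sample scan output at the bottom is constructed, not a real scan, so the delta logic can be exercised without running nmap.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): keep a baseline nmap greppable
# (-oG) scan of your own hosts, diff each new scan against it, mail the delta.
# Assumptions/placeholders: nmap and mail on PATH, $SCAN_DIR, $ADMIN_MAIL, $TARGETS.

SCAN_DIR="${SCAN_DIR:-/var/lib/portwatch}"
ADMIN_MAIL="${ADMIN_MAIL:-admins@example.invalid}"
TARGETS="${TARGETS:-192.0.2.0/24}"     # your own exposed range, placeholder

# Reduce an nmap -oG file to sorted "host port/proto state service" lines.
# Host order, timing and banner noise vary between runs; without this step
# every scan would look "changed" and the mails would be ignored.
normalize_scan() {
    awk -F '\t' '
        /^Host:/ {
            host = $1
            sub(/^Host: /, "", host); sub(/ .*/, "", host)
            for (c = 2; c <= NF; c++) {
                if ($c !~ /^Ports: /) continue
                ports = $c; sub(/^Ports: /, "", ports)
                n = split(ports, p, ", ")
                for (i = 1; i <= n; i++) {
                    # each entry: port/state/proto/owner/service/rpc/version
                    split(p[i], f, "/")
                    printf "%s %s/%s %s %s\n", host, f[1], f[3], f[2], f[5]
                }
            }
        }' "$1" | sort
}

# Print what changed between two -oG files: "+ ..." for ports that appeared,
# "- ..." for ports that vanished. Prints nothing when the scans agree.
scan_delta() {
    b=$(mktemp) || return 1
    n=$(mktemp) || return 1
    normalize_scan "$1" > "$b"
    normalize_scan "$2" > "$n"
    comm -13 "$b" "$n" | sed 's/^/+ /'      # only in the new scan
    comm -23 "$b" "$n" | sed 's/^/- /'      # only in the baseline
    rm -f "$b" "$n"
}

# One scheduled run: scan, compare with the stored baseline, mail any delta,
# then promote the new scan to baseline. Meant to be called from cron.
watch_once() {
    mkdir -p "$SCAN_DIR"
    new="$SCAN_DIR/scan.$(date +%Y%m%d%H%M).gnmap"
    nmap -oG "$new" "$TARGETS" > /dev/null || return 1
    if [ -f "$SCAN_DIR/baseline.gnmap" ]; then
        delta=$(scan_delta "$SCAN_DIR/baseline.gnmap" "$new")
        if [ -n "$delta" ]; then
            printf 'Port changes on %s since last scan:\n\n%s\n' "$TARGETS" "$delta" \
                | mail -s "portwatch: change detected" "$ADMIN_MAIL"
        fi
    fi
    cp "$new" "$SCAN_DIR/baseline.gnmap"
}

# Constructed sample -oG lines (not a real scan): between the two runs the
# host stopped listening on 139 and started listening on 31337.
SAMPLE_BASE=$(mktemp)
SAMPLE_NEW=$(mktemp)
printf 'Host: 192.0.2.10 (devbox)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 139/open/tcp//netbios-ssn///\tIgnored State: closed (1598)\n' > "$SAMPLE_BASE"
printf 'Host: 192.0.2.10 (devbox)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 31337/open/tcp//Elite///\tIgnored State: closed (1598)\n' > "$SAMPLE_NEW"

scan_delta "$SAMPLE_BASE" "$SAMPLE_NEW"
```

Run `watch_once` from cron at whatever interval suits you; the first run only establishes the baseline, and from then on you get mail only when a port opens or closes. Jon's second suggestion, comparing binaries against known-good copies, fits the same store-and-diff pattern: record `sha256sum` output for the binaries once onto read-only media and run `sha256sum -c` against that list on the same schedule.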
