Help with the hackers....
Shannon Petry
Honored Contributor

Help with the hackers....

I am having a world of trouble with RH linux and hackers.
It started about 3 weeks ago. I got hacked into. The system was immediately wiped, disk formatted, etc...
Well, on Sunday I was hacked again. Last time I had NFS running, and found out the hard way that rpc.statd has many problems in Linux. Also, I was allowing ICMP through my router. Since the first hack,
I have removed ICMP from the router, removed all NFS, all NIS, etc. The only things running were LPD, FTPD, HTTPD and telnetd. This is RH7. I also found at least weekly all patches for security, and see what it got me?

Anyway, I am so used to SunOS and HP-UX being secure that I am really stumped as to how the dirtbags are getting in?

Input from pros is greatly appreciated!

Regards,
Shannon
Microsoft. When do you want a virus today?
Mike McKinlay
Honored Contributor

Re: Help with the hackers....

Check out "The Newbies Area" hacking webpage at

http://www.thenewbiesarea.f2s.com/texts.html

Another location suggested EEPROM on a network card could be hacked to provide continued access even after a formatted drive and reinstalled OS ... if possible, yuck!
"Hope springs eternal."
Shannon Petry
Honored Contributor

Re: Help with the hackers....

Unfortunately, this info is pretty basic. As mentioned, I have looked at the rpc.statd program, and disabled it.

I also tested statdx against RH7 and could not get the root shell. I also tested some of the exploits I found for my version of wu-ftpd. Again, none of them work...

This is why I need some more advanced explanation of how the butt-plugs are getting in...


Shannon
Microsoft. When do you want a virus today?
AJ Hettema
Occasional Advisor

Re: Help with the hackers....

As far as I know all the big distros have problems with security. They are not POSIX compliant and don't keep up with the FHS. That's the main reason. There's also the problem that they try to make Linux open for users who don't know anything of UNIX operating systems. Try www.linuxfromscratch.org. This is a page which lets you set up your own Linux box, and in the end you'll know what your box is doing and what software is running on it. It's also POSIX and FHS compliant.
Believe me! The secret of reaping the greatest fruitfulness and the greatest enjoyment of life is to live dangerously.
Mike McKinlay
Honored Contributor

Re: Help with the hackers....

Is there really a need to allow LPD and TELNETD ports open to the Internet? You don't mention SMTP ... what about that service?

If you're running a fairly simple website, you should only have 21, 80, and 443 (if you're using SSL) inbound open. Leaving telnet open to the Internet is just begging for people to try to force their way in.

I note the 6.x RedHat had a management plug-in called Piranha that had a backdoor password implemented if you "install all" of the product. Would have thought that had been resolved with the 7.x release, but you never know.
"Hope springs eternal."

Re: Help with the hackers....


1. Disable all services you don't need in:
/etc/rc.d/rc3.d, /etc/rc.d/rc5.d
/etc/inetd.conf

2. Deny access to services you don't need from the Internet:
/etc/hosts.allow, /etc/hosts.deny

3. See:
/etc/hosts.equiv, /root/.rhosts

4. Use ipchains to close all ports you don't need. Open only the ports and protocols you REALLY NEED.
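The four steps above as a small audit script, added here as an example and not code from any poster in the thread. It assumes an RH7-style layout (/etc/inetd.conf, /etc/rc.d/rcN.d, hosts.equiv, /root/.rhosts) and builds a constructed sample tree under mktemp so it runs offline; the ipchains rules are printed for review, not applied.

```shell
# Every function takes a root directory ($1) so it can be pointed at "/" on the box
# or at a copied tree; make_sample_root builds a constructed RH7-style tree to try it on.

# Step 1a: services still enabled in inetd.conf (non-blank lines that are not commented out).
enabled_inetd() {
    grep -v '^[[:space:]]*#' "$1/etc/inetd.conf" | awk 'NF { print $1 }'
}

# Step 1b: services started at runlevels 3 and 5 (S* entries in rc3.d and rc5.d, de-duplicated).
enabled_rc() {
    for d in "$1/etc/rc.d/rc3.d" "$1/etc/rc.d/rc5.d"; do
        ls "$d" 2>/dev/null | grep '^S' | sed 's/^S[0-9]*//'
    done | sort -u
}

# Step 3: trust files that let rsh/rlogin skip password authentication; only non-empty ones count.
trust_files() {
    for f in "$1/etc/hosts.equiv" "$1/root/.rhosts"; do
        [ -s "$f" ] && echo "$f"
    done
    return 0
}

# Step 4: default-deny input chain that admits only loopback and FTP/HTTP/HTTPS (the ports
# the thread says a simple web host needs). Printed so they can be reviewed before running.
ipchains_rules() {
    echo "ipchains -P input DENY"
    echo "ipchains -A input -i lo -j ACCEPT"
    for p in 21 80 443; do
        echo "ipchains -A input -p tcp -d 0.0.0.0/0 $p -j ACCEPT"
    done
}

# Constructed sample: ftp commented out, telnet and rlogin live, lpd/httpd/nfs started at boot,
# and a wide-open hosts.equiv ("+ +") that trusts every host and user.
make_sample_root() {
    r=$(mktemp -d)
    mkdir -p "$r/etc/rc.d/rc3.d" "$r/etc/rc.d/rc5.d" "$r/root"
    printf '#ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a\n' > "$r/etc/inetd.conf"
    printf 'telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd\n' >> "$r/etc/inetd.conf"
    printf 'login stream tcp nowait root /usr/sbin/tcpd in.rlogind\n' >> "$r/etc/inetd.conf"
    : > "$r/etc/rc.d/rc3.d/S60lpd"; : > "$r/etc/rc.d/rc3.d/S85httpd"
    : > "$r/etc/rc.d/rc5.d/S60lpd"; : > "$r/etc/rc.d/rc5.d/S60nfs"
    printf '+ +\n' > "$r/etc/hosts.equiv"
    echo "$r"
}

root=$(make_sample_root)
for check in enabled_inetd enabled_rc trust_files; do echo "== $check"; "$check" "$root"; done
echo "== ipchains_rules"; ipchains_rules
```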
Bill_6
Advisor

Re: Help with the hackers....

One of the quickest ways to secure the box would be to use Bastille on it, http://bastille-linux.sourceforge.net/ it's specifically designed to harden Red Hat installs.

The best way to help prevent problems is to find them first yourself, a few ways to do that are:

nmap http://www.insecure.org/nmap/
dsniff http://www.monkey.org/~dugsong/dsniff/
tcpdump http://ee.lbl.gov/

Unfortunately, intrusion detection is as much an art as it is a science, so there's really no quick way to learn it, regardless of what sales reps may tell you :-)

BTW, they're called crackers, not hackers; there IS a difference.

HTH
There's nothing fdisk can't fix
Steve Whitaker
New Member

Re: Help with the hackers....

A couple of clues may give you the reason for the hacks. The first thing I would check is root's .bash_history. This will show you what the hacker is doing, and will separate the experienced cracker from a script kiddie.

Also, make sure Anonymous FTP is turned off and/or the latest update for wu-ftpd is installed. For greater protection, you may want to invest in ProFTPD.

Install SSH and turn off telnet in inetd.conf...many telnet hacks out there.

Kill any r-anything BSD services. If you are on the Internet, you do not want these programs running.

Unfortunately, cheap bandwidth has made finding and cracking computers easier for kids who want to impress their friends by setting up IRC floods and DDoS attacks. Make sure you run NMAP on the machine and only have httpd and ssh running to the outside. Anything else, you will need to proceed with caution.

Good luck!

Steve
Albert E. Whale, CISSP
Honored Contributor

Re: Help with the hackers....

Shannon,

Just got hacked as well .... remove wuftp-2.6.0 from your server - this is the method of attack.

Hope that helps.
Sr. Systems Consultant @ ABS Computer Technology, Inc. http://www.abs-comptech.com/aewhale.html & http://www.ancegroup.com