LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 10-14-2004, 01:04 PM   #1
phatboyz
Member
 
Registered: Feb 2004
Location: Mooresville NC
Distribution: CentOS 4,Free BSD,
Posts: 358

Rep: Reputation: 30
FTP exploit?


I am running RH9, with proftp.

I left a dir open to the public to be written from by some of the users on my fourm. Somebody has created alot of dir and temp files and such. I have delated them and remove the public writing. Could they have done some type of exploit and go into my system?

I see no logins from /var/log/secure

Could they be spoofing this?

Should I run a chkrootkit? If so how? I have never done one. I have downloaded the chroot kit from chroot.org but I haven't untared it yet.

Last edited by phatboyz; 10-15-2004 at 08:39 AM.
 
Old 10-14-2004, 10:31 PM   #2
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422Reputation: 422Reputation: 422Reputation: 422Reputation: 422
Um, are you sure your not thinking of chkrootkit? Chroot is for keeping users in a directory, but if you think you've been compromised, you need to use something like chkrootkit. Download that and run it. While you're at it, you might want to use rkhunter as well. However you may have to face the fact that if your system has been compromised and you hadn't set up a way to detect it, you may not be able to really figure out if you've been compromised or not. Be sure to visit Unspawn's sticky thread at the top of the forum. He has a number of links on what to do if you think you've been compromised.

You also might look in the xferlog and see what is there, though if your system is compromised this may not be trustworthy. The same thing goes for /var/log/secure. Also have a look at the open ports you have with netstat or nmap, though again, if you've been compromised, these may not be reliable.

Finally, if you are going to allow users to upload files, you are absolutely want to run something like Aide or Tripwire to monitor your file integrity. Be sure to keep a copy of the database these create somewhere off your machine.
 
Old 10-15-2004, 01:50 AM   #3
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
A couple of things to add along with Hangdog42's good points:

Support for Redhat 9 has been discontinued and unless you are somehow manually updating, then there are a number of security vulnerabilities on your system. You might want to consider upgrading to a version of linux that is supported.

You can use the rpm -Va command to verify the integrity of the system packages to make sure that not have been altered/replaced.
 
Old 10-15-2004, 09:03 AM   #4
phatboyz
Member
 
Registered: Feb 2004
Location: Mooresville NC
Distribution: CentOS 4,Free BSD,
Posts: 358

Original Poster
Rep: Reputation: 30
Thanks, I ran chkrootkit last night and nothing was found. I check all my /var/log/secure -.1,.2,3 to see if someone had gotin over the last couple of days. So far everything looks good. My RH9 has all the updates the RH ever made for it. It may not be the newest version, but I dont think that there should be too many more holes in it. I have been checking out other versions of linux over the past months, I thought about fedora b/c I like the RPMS. Though I have found out that they don't always work so I have been compileing the tar files.

I run the following services on my machine and if you have a better OS that you think would be better let me know. I dont have to have a GUI, its rather nice though.

Samba,squid,sendmail (not configured),proftp,apache,

My system is a dual Intel P3 (667's i think)256ram and 80gig(7200)
Thats about it.

Why would some one create a bunch of temp files on my ftp server though. It looked like they were someones logs from sometype of scan. I should have took a screen print while I was deleting them. I have closed the anonomys writing so I guess this should stop. I think it was just a kid trying to run some scrips.

Here is a brief explnation of how I have things hooked up.

DSL Modem (disabled all services)--smothwall router (PPOE) on internal ip range of 9.17.19.95 then I have a netgear hub that my Xbox is hooked to and out of the hub also is a linksys wireless router that I have configured to use a static ip that it gets from the smoothe and out of the linksys (11.24.19.82) all my servers are on this address range. I have the smoothie forward ports to the linksys which inturn forwards them to the servers.

Just for kicks on the first network segment what if I put a old 486 running knoppix so if someone is browsing my network they will find this computer and stop there. They wouldn't know that there is another network segment right? Well if they hacked the smoothie and got the routes then they might find the other network. My passwords should be diffcult for someone to guess as it has both letters and nubmers and the letter are upper and lower case. I don't think that a password generator would guess it.

I have other family users that there dirs are on the server and not the windows boxes that they use. The passwords for those accounts are the same as their Sir name, but they are chrooted to their personal directory where I don't allow things to be exicuted.

After all this rambeling did I get anywhere?
 
Old 10-18-2004, 01:12 AM   #5
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
If the files are actually in /tmp or in some other directory that isn't writeable through ftp, then that suggests that they at least had user level access. If they simply dumped a bunch of files into the ftp dirs anonymously, then they may not have had any kind of direct access to the system. Allowing anonymous writes via ftp is a horrendously bad idea and you should really find some alternative method.

If the system has only been updated through the end of Redhat support, then there will likely have been a number of ways to exploit the system and gain root access. You should absolutely check the output of last -i for any abnormal logins and check /etc/passwd for any new users or users other than root with a UID of 0. Also check the system for any suid/sgid root files:

find / -perm 4000 -print
find / -perm 2000 -print

Also, check all the system logs for abnormal error messages (application errors, panics, seg faults, etc)
 
Old 10-18-2004, 01:56 PM   #6
phatboyz
Member
 
Registered: Feb 2004
Location: Mooresville NC
Distribution: CentOS 4,Free BSD,
Posts: 358

Original Poster
Rep: Reputation: 30
Thanks I'll start working on this.

Actually the files were in /home/ftp/tmp

I have it jailed to /home/ftp
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Pentesting with an exploit RIB-EYE Linux - Security 1 10-27-2005 05:24 PM
What exploit is this? Boss Hoss Linux - Security 6 06-11-2004 07:16 PM
EXPLOIT programmin darkseed2g3 Linux - Security 7 10-19-2003 10:31 AM
|more exploit Benamoz Linux - General 3 09-03-2003 05:59 AM
Serv-u v4.0 exploit??? pk21 Linux - Security 2 07-24-2002 05:01 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 12:55 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration