10-14-2004, 01:04 PM
#1
Member
Registered: Feb 2004
Location: Mooresville NC
Distribution: CentOS 4,Free BSD,
Posts: 358
FTP exploit?
I am running RH9, with proftp.
I left a dir open to the public to be written to by some of the users on my forum. Somebody has created a lot of dirs and temp files and such. I have deleted them and removed the public writing. Could they have done some type of exploit and got into my system?
I see no logins from /var/log/secure
Could they be spoofing this?
Should I run a chkrootkit? If so, how? I have never done one. I have downloaded the chroot kit from chroot.org but I haven't untarred it yet.
Last edited by phatboyz; 10-15-2004 at 08:39 AM.
10-14-2004, 10:31 PM
#2
LQ Veteran
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Um, are you sure you're not thinking of chkrootkit? Chroot is for keeping users in a directory, but if you think you've been compromised, you need to use something like chkrootkit. Download that and run it. While you're at it, you might want to use rkhunter as well. However, you may have to face the fact that if your system has been compromised and you hadn't set up a way to detect it, you may not be able to really figure out if you've been compromised or not. Be sure to visit Unspawn's sticky thread at the top of the forum. He has a number of links on what to do if you think you've been compromised.
You also might look in the xferlog and see what is there, though if your system is compromised this may not be trustworthy. The same thing goes for /var/log/secure. Also have a look at the open ports you have with netstat or nmap, though again, if you've been compromised, these may not be reliable.
Finally, if you are going to allow users to upload files, you absolutely want to run something like Aide or Tripwire to monitor your file integrity. Be sure to keep a copy of the database these create somewhere off your machine.
10-15-2004, 01:50 AM
#3
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
A couple of things to add along with Hangdog42's good points:
Support for Redhat 9 has been discontinued and unless you are somehow manually updating, then there are a number of security vulnerabilities on your system. You might want to consider upgrading to a version of linux that is supported.
You can use the rpm -Va command to verify the integrity of the system packages, to make sure that they have not been altered/replaced.
10-15-2004, 09:03 AM
#4
Member
Registered: Feb 2004
Location: Mooresville NC
Distribution: CentOS 4,Free BSD,
Posts: 358
Original Poster
Thanks, I ran chkrootkit last night and nothing was found. I checked all my /var/log/secure, .1, .2, .3 to see if someone had gotten in over the last couple of days. So far everything looks good. My RH9 has all the updates that RH ever made for it. It may not be the newest version, but I don't think that there should be too many more holes in it. I have been checking out other versions of linux over the past months; I thought about fedora b/c I like the RPMS. Though I have found out that they don't always work, so I have been compiling the tar files.
I run the following services on my machine, and if you have a better OS that you think would be better let me know. I don't have to have a GUI, it's rather nice though.
Samba, squid, sendmail (not configured), proftp, apache,
My system is a dual Intel P3 (667s I think), 256 RAM and 80 gig (7200).
That's about it.
Why would someone create a bunch of temp files on my ftp server though? It looked like they were someone's logs from some type of scan. I should have taken a screen print while I was deleting them. I have closed the anonymous writing so I guess this should stop. I think it was just a kid trying to run some scripts.
Here is a brief explanation of how I have things hooked up.
DSL Modem (disabled all services) -- Smoothwall router (PPPoE) on internal ip range of 9.17.19.95, then I have a netgear hub that my Xbox is hooked to, and out of the hub also is a linksys wireless router that I have configured to use a static ip that it gets from the smoothie, and out of the linksys (11.24.19.82) all my servers are on this address range. I have the smoothie forward ports to the linksys which in turn forwards them to the servers.
Just for kicks, on the first network segment what if I put an old 486 running knoppix, so if someone is browsing my network they will find this computer and stop there. They wouldn't know that there is another network segment, right? Well, if they hacked the smoothie and got the routes then they might find the other network. My passwords should be difficult for someone to guess as they have both letters and numbers and the letters are upper and lower case. I don't think that a password generator would guess it.
I have other family users whose dirs are on the server and not the windows boxes that they use. The passwords for those accounts are the same as their surname, but they are chrooted to their personal directory where I don't allow things to be executed.
After all this rambling did I get anywhere?
10-18-2004, 01:12 AM
#5
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
If the files are actually in /tmp or in some other directory that isn't writeable through ftp, then that suggests that they at least had user level access. If they simply dumped a bunch of files into the ftp dirs anonymously, then they may not have had any kind of direct access to the system. Allowing anonymous writes via ftp is a horrendously bad idea and you should really find some alternative method.
If the system has only been updated through the end of Redhat support, then there will likely have been a number of ways to exploit the system and gain root access. You should absolutely check the output of last -i for any abnormal logins and check /etc/passwd for any new users or users other than root with a UID of 0. Also check the system for any suid/sgid root files:
find / -type f -perm -4000 -print   # setuid files: "-perm -4000" = setuid bit set (plain "-perm 4000" only matches mode exactly 4000)
find / -type f -perm -2000 -print   # setgid files
Also, check all the system logs for abnormal error messages (application errors, panics, seg faults, etc).
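The checks in the post above scripted as a small triage report. This is an added example, not code from the thread; the function names, the optional path arguments (so it can run against copies of /etc/passwd and a mounted disk from the suspect box) and the duplicate-UID check are my own additions.

```shell
#!/bin/sh
# Added example, not from the thread: the host checks suggested in post #5
# (extra UID-0 accounts, setuid/setgid files) as shell functions. Each takes
# an optional path so it can be run on the live system or on copies of
# /etc/passwd and a mounted disk image taken from the suspect machine.

# Accounts with UID 0 that are not "root": any such entry is a backdoor login.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "${1:-/etc/passwd}"
}

# UIDs shared by more than one account name (another way to hide an extra
# login behind an existing user's identity). Output: "uid: name1 name2".
duplicate_uids() {
    awk -F: '{ n[$3]++; names[$3] = names[$3] " " $1 }
             END { for (u in n) if (n[u] > 1) print u ":" names[u] }' \
        "${1:-/etc/passwd}"
}

# Setuid/setgid regular files below a directory, one "ls -l" line each.
# "-perm -4000" tests whether the setuid bit is set at all; "-perm 4000" (as
# first written in the thread) only matches a file whose mode is exactly 4000.
# -xdev keeps find from descending into /proc, NFS mounts, etc.
suid_sgid_files() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -l {} \; 2>/dev/null
}

# Full report. Save the output off the machine and diff it on later runs,
# which is the same idea as the AIDE/Tripwire baseline mentioned in post #2.
triage_report() {
    echo "== UID 0 accounts other than root =="; uid0_accounts "$1"
    echo "== duplicate UIDs ==";                 duplicate_uids "$1"
    echo "== setuid/setgid files under ${2:-/} =="; suid_sgid_files "$2"
}

# Run the report only when invoked with "run", e.g.: sh triage.sh run
case "${1:-}" in
    run) triage_report /etc/passwd / ;;
esac
```

Run it from a known-good shell and binaries (e.g. a rescue CD) where possible, since on a rooted box find, awk and ls themselves may have been replaced.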
10-18-2004, 01:56 PM
#6
Member
Registered: Feb 2004
Location: Mooresville NC
Distribution: CentOS 4,Free BSD,
Posts: 358
Original Poster
Thanks I'll start working on this.
Actually the files were in /home/ftp/tmp
I have it jailed to /home/ftp