LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 12-13-2004, 04:40 AM   #1
gharvey
LQ Newbie
 
Registered: Dec 2004
Location: London, UK
Distribution: Ubuntu, Debian, CentOS
Posts: 26

Rep: Reputation: 15
Odd Windows installers appeared


Hi all,

I set up a Linux box yesterday and this morning it looks like it's compromised already! (I'm a noob so I'm sure I've left a few gates open - it's only for learning purposes and it's in a DMZ so I'm not that bothered, but I'd like to tie it down!)

In the root of the box some lovely new files have appeared - they can't do much because they're Win32 installers, but they've got there, which is worrying enough. Could be a worm perhaps?

The files are autorun.inf, install.exe, setup32.exe and update32.exe. I haven't deleted them yet in case one of my colleagues with access put them there for later use, but frankly I doubt it - it happened too early in the morning.

So, assuming it is something malicious and the box has been compromised, perhaps you guys can tell me where the hole is likely to be?

System is Fedora 3 running KDE. It's behind a D-Link wireless router with the firewall and DMZ capabilities enabled. The router's firewall is set to allow VNC, SSH, FTP, HTTP and MySQL connections through - it port forwards them to the IP of the Linux box in the DMZ.

On the Linux box the software firewall is on, also allowing all of the above as well as Samba.

Any major red lights flashing with anyone? Anyone want to grab me by the throat and shout "STUPID!!!!!" in my face?

All suggestions welcome...

Thanks,

G

Last edited by gharvey; 12-13-2004 at 04:43 AM.
 
Old 12-13-2004, 05:45 AM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
I would be highly suspicious of the Samba shares, though there have been some cross-platform HTTP vulnerabilities recently, and FTP would be a possibility as well if you are allowing anonymous FTP. However, Samba is a very likely source. How do you have the shares configured (what's the path, what's writeable)? If any of the PC Samba clients have antivirus software, run a scan to see if it turns anything up.

In general though, take a look at the file properties (owner, file creation time), the type of file (use the file command to make sure they are indeed Windows executables), and take a look at the system and Samba logs for any relevant messages around that time (errors, transfers, etc).
 
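Added example (not one of the posts in this thread): a small triage script for the checks suggested above, owner, timestamps and whether the file really is a DOS/Windows executable. It assumes GNU coreutils stat(1); the MZ check reads only the first two bytes, so it does not depend on file(1) being installed. The demo directory and its files are constructed here to mimic the poster's find.

```shell
#!/bin/sh
# Added example, not from the thread: first-look triage of files that
# appeared unexpectedly. Assumes GNU stat(1); the MZ check needs no file(1).

# Owner, group, mtime and ctime of one file. ext2/ext3 record no creation
# ("birth") time: ctime is the last inode change, which a chown or a copy
# also bumps, so read it as "last touched", not "created".
file_meta() {
    stat -c '%U:%G mtime=%y ctime=%z' "$1"
}

# True when the file starts with "MZ", the signature shared by DOS
# executables and Windows PE images.
is_mz_exe() {
    [ "$(head -c 2 "$1" 2>/dev/null)" = "MZ" ]
}

# One line per regular file in a directory: metadata, MZ verdict, and
# file(1)'s opinion when that tool is available.
triage_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if is_mz_exe "$f"; then kind="MZ-executable"; else kind="not-MZ"; fi
        extra=""
        command -v file >/dev/null 2>&1 && extra=$(file -b "$f")
        printf '%s\t%s\t%s\t%s\n' "$(file_meta "$f")" "$kind" "$f" "$extra"
    done
}

# Number of MZ executables in a directory: how many of the dropped files
# are real Windows binaries rather than text such as autorun.inf.
count_mz() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] && is_mz_exe "$f" && n=$((n + 1))
    done
    echo "$n"
}

# Demo on a constructed directory (fake MZ headers, not real malware).
demo_dir=$(mktemp -d)
printf 'MZ\220\003' > "$demo_dir/install.exe"
printf 'MZ\220\003' > "$demo_dir/setup32.exe"
printf '[autorun]\r\nopen=install.exe\r\n' > "$demo_dir/autorun.inf"
triage_dir "$demo_dir"
echo "MZ executables: $(count_mz "$demo_dir")"
rm -rf "$demo_dir"
```

Run it against the real directory with `triage_dir /` (or wherever the files landed) and compare the mtime column with the Samba and system logs for the same window; a file owned by root with an mtime in the small hours is the data point the later posts hinge on.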
Old 12-13-2004, 05:54 AM   #3
gharvey
LQ Newbie
 
Registered: Dec 2004
Location: London, UK
Distribution: Ubuntu, Debian, CentOS
Posts: 26

Original Poster
Rep: Reputation: 15
I have anonymous FTP running, but it doesn't seem to allow people past the pub directory. Is this insecure anyway? If so, I'll turn it off - I certainly don't need it.

I've set up Samba to allow one user access to the root of the system - read/write permissions vary though, as it's NOT the root user so can't do too much damage - the only access privileges above a normal "user" are full read/write to the Apache html folder, which is currently empty anyway.

Also, though the software firewall is configured to allow Samba through, the router's firewall is not, so it should block anyone trying to use those ports, no?

Whereabouts are the Samba logs usually?

Thanks a lot for this, btw!

G
 
Old 12-13-2004, 06:09 AM   #4
gharvey
LQ Newbie
 
Registered: Dec 2004
Location: London, UK
Distribution: Ubuntu, Debian, CentOS
Posts: 26

Original Poster
Rep: Reputation: 15
Ok - checked the files... They belong to root!

On the plus side, they are genuine MS-DOS files so they can't do any harm.

But whatever did this was "logged in" as the root user it seems.
 
Old 12-13-2004, 06:34 AM   #5
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
Originally posted by gharvey
I have anonymous FTP running, but it doesn't seem to allow people past the pub directory. Is this insecure anyway? If so, I'll turn it off - I certainly don't need it.
Yes. Anonymous FTP is a security nightmare, so I'd avoid it unless it's absolutely necessary.

Quote:
I've set up Samba to allow one user access to the root of the system - read/write permissions vary though, as it's NOT the root user so can't do too much damage -
So a Samba share does have write access to / ?

Quote:
Also, though the software firewall is configured to allow Samba through, the router's firewall is not, so it should block anyone trying to use those ports, no?
If the router is actually firewalling and properly configured then it should filter that traffic, but I was thinking more along the lines of an infected Windows client writing to the Samba shares locally.

Quote:
Whereabouts are the Samba logs usually?
Usually /var/log/samba on Fedora systems.
 
Old 12-13-2004, 06:48 AM   #6
gharvey
LQ Newbie
 
Registered: Dec 2004
Location: London, UK
Distribution: Ubuntu, Debian, CentOS
Posts: 26

Original Poster
Rep: Reputation: 15
Thanks! ...

FTP: I'll kill that now then.

Samba: I'm not sure if it has write access to / - actually I don't think it does, but I can't check until I get home later. As for the Windows clients, there are two (small home network); both are behind the router firewall and outside the DMZ the Linux box is sitting in. They are both running WinXP Home SP2 with Windows Firewall active and anti-virus up to date (Norton). There is no port forwarding to either machine at all, so the router should keep them completely hidden from the outside world... SHOULD!

The only machines I can't vouch for are my two colleagues' machines, but they don't have Samba access anyway. I just tried to access my Samba share from here (on the off chance it let me in) and I'm relieved to say that it won't!

Logs are being opened now - VNC taking its good old time!

G
 
Old 12-13-2004, 07:15 AM   #7
gharvey
LQ Newbie
 
Registered: Dec 2004
Location: London, UK
Distribution: Ubuntu, Debian, CentOS
Posts: 26

Original Poster
Rep: Reputation: 15
Looking at the Samba logs - there are loads of log files - it seems to create a file per new IP/MAC address and log any activity for that address. I seem to have about 30 files! I would expect to see about 3, tops! All sorts of IP addresses.

The most common entries appear to be something like this:
Quote:
[2004/12/13 01:59:35, 0] smbd/service.c:make_connection(800)
[computer_name] (xxx.xxx.xxx.xxx) couldn't find service c$
[2004/12/13 01:59:35, 0] smbd/service.c:make_connection(800)
[computer_name] (xxx.xxx.xxx.xxx) couldn't find service c$
[2004/12/13 01:59:35, 0] smbd/service.c:make_connection(800)
[computer_name] (xxx.xxx.xxx.xxx) couldn't find service c$
[2004/12/13 01:59:35, 0] smbd/service.c:make_connection(800)
[computer_name] (xxx.xxx.xxx.xxx) couldn't find service c$
[2004/12/13 01:59:36, 0] smbd/service.c:make_connection(800)
[computer_name] (xxx.xxx.xxx.xxx) couldn't find service c$
Is this bad? I'm guessing it is... since these IPs shouldn't have access to Samba PERIOD!

[edit] Realised I'd done something really dumb - I initially posted the file info from Emacs mistakenly thinking it was the contents of the file! [/edit]

G

Last edited by gharvey; 12-13-2004 at 07:37 AM.
 
Old 12-13-2004, 08:00 AM   #8
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
If those IPs are unknown, that might be a concern. If I remember correctly, the default Samba config only logs critical messages, so a simple transfer may not be logged. But I would start by doing an ls -al in the Samba log dir and see which logs have dates that overlap with the creation of those files on the Linux box. A brief Google search of those file names appears to associate them with the Agobot/Gaobot worm, which has a nasty habit of disabling antivirus software and rewriting the hosts file to redirect traffic (like to update.microsoft.com or symantec.com) to localhost, which can prevent AV signature updates. So I would take a closer look at the Samba clients. Probably the most effective technique would be to download a CD-based Linux distro that has AV like clamav, boot each of the clients with the Linux CD-ROM, then update the virus defs and run a scan of the Windows drives.

JUST SAW YOUR EDIT:
Looks like a client scanning for the C$ share, which is a standard Windows file share (note that Agobot scans for open file shares e$, d$, c$, admin$, print$). Also note that Agobot does a rudimentary dictionary attack with a list of usernames and passwords.
 
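Added example (not one of the posts in this thread): the two log checks suggested above, done mechanically over Samba's per-client log files. It assumes POSIX sh, awk and find, one log file per client under the log directory as the poster describes, and the "couldn't find service" message format quoted above. The sample log files, hostnames and addresses are constructed for the demo; 203.0.113.0/24 is a documentation range standing in for an unknown Internet host.

```shell
#!/bin/sh
# Added example, not from the thread: mechanise the Samba log checks.
# Assumes POSIX sh/awk/find, one log file per client, the quoted format.

# 1. Which log files were written after the dropped files appeared?
#    (the "ls -al in the log dir and compare dates" step, with find)
logs_touched_since() {
    find "$1" -type f -newer "$2"
}

# 2. Tally "couldn't find service" attempts by client IP and share name.
#    Output: "ip share count", sorted, one line per pair. The IP is the
#    token in parentheses, the share is the last word on the line.
share_probe_summary() {
    cat "$1"/log.* 2>/dev/null | awk '
        /couldn.t find service/ {
            ip = $0; sub(/^.*\(/, "", ip); sub(/\).*$/, "", ip)
            svc = $NF
            n[ip " " svc]++
        }
        END { for (k in n) print k, n[k] }' | sort
}

# 3. Clients probing from outside RFC 1918 space and loopback. On a box
#    that should only ever see two LAN clients, anything listed here is a
#    stranger who reached port 139/445 through the DMZ.
external_probers() {
    share_probe_summary "$1" | awk '
        function private(ip,  o) {
            split(ip, o, ".")
            if (o[1] == 10 || o[1] == 127) return 1
            if (o[1] == 192 && o[2] == 168) return 1
            if (o[1] == 172 && o[2] >= 16 && o[2] <= 31) return 1
            return 0
        }
        !private($1) && !seen[$1]++ { print $1 }'
}

# Constructed sample logs in the thread's format (not real captures).
write_sample_logs() {
    cat > "$1/log.wks1" <<'EOF'
[2004/12/13 01:59:35, 0] smbd/service.c:make_connection(800)
  wks1 (192.168.0.5) couldn't find service c$
EOF
    cat > "$1/log.unknown" <<'EOF'
[2004/12/13 01:59:35, 0] smbd/service.c:make_connection(800)
  unknown (203.0.113.7) couldn't find service c$
[2004/12/13 01:59:35, 0] smbd/service.c:make_connection(800)
  unknown (203.0.113.7) couldn't find service d$
[2004/12/13 01:59:36, 0] smbd/service.c:make_connection(800)
  unknown (203.0.113.7) couldn't find service admin$
EOF
}

demo=$(mktemp -d)
write_sample_logs "$demo"
share_probe_summary "$demo"
echo "external probers: $(external_probers "$demo")"
rm -rf "$demo"
```

On a real box run `share_probe_summary /var/log/samba` and `logs_touched_since /var/log/samba /install.exe`; the first tells you who walked the c$/d$/admin$ list, the second which client logs were active while the files were being written. The private-range filter is only a first cut: an infected machine on the LAN would pass it, which is exactly the case raised in post #5.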
Old 12-13-2004, 08:29 AM   #9
gharvey
LQ Newbie
 
Registered: Dec 2004
Location: London, UK
Distribution: Ubuntu, Debian, CentOS
Posts: 26

Original Poster
Rep: Reputation: 15
Ok. Thanks for all your help! Both Windows machines are getting a thorough going over at the first available opportunity!

http://securityresponse.symantec.com...or.gaobot.html

In the meantime, I've taken the following steps:

1. Killed anonymous FTP
2. Set Samba to only allow my laptop to access it on the local IP address
3. Switched Samba from Share auth to User auth as recommended in an article I found - point 1e:
http://asia.cnet.com/builder/archite...9199519,00.htm
4. Disabled Guest access to Samba shares

One final question. What's the best anti-virus program for Linux at the moment. Would you recommend clamav?

Thanks,

G

Last edited by gharvey; 12-13-2004 at 08:33 AM.
 
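Added example (not one of the posts in this thread): an smb.conf audit for the settings the poster just changed (share-level auth, guest access, no host restriction) plus the writable-share-at-/ question raised in post #5. It assumes POSIX sh and awk and a Samba 3-era smb.conf; the option names are Samba's own, but the two sample configs are constructed here, with the "weak" one mirroring the setup described in the thread and the "hardened" one the equivalent after the four changes above.

```shell
#!/bin/sh
# Added example, not from the thread: flag the weak smb.conf settings
# discussed above. Assumes POSIX sh/awk; sample configs are constructed.

# Print one finding per line; print nothing for a clean config.
audit_smb_conf() {
    awk '
        BEGIN { sec = ""; hosts_allow = 0 }
        /^[ \t]*[#;]/ { next }                       # comments
        /^[ \t]*\[/ {                                # [section]
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            sec = tolower(s); next
        }
        /=/ {
            key = $0; sub(/=.*$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
            key = tolower(key); val = tolower(val)
            if (sec == "global") {
                if (key == "security" && val == "share")
                    print "global: security = share (no per-user accounts; use security = user)"
                if (key == "hosts allow") hosts_allow = 1
            } else if (sec != "") {
                if ((key == "guest ok" || key == "public") && val == "yes")
                    print sec ": guest ok = yes (anonymous access to the share)"
                if (key == "path") path[sec] = val
                if ((key == "writable" || key == "writeable" || key == "write ok") && val == "yes") rw[sec] = 1
                if (key == "read only" && val == "no") rw[sec] = 1
            }
        }
        END {
            if (!hosts_allow)
                print "global: no hosts allow (any client that reaches 139/445 may try to connect)"
            for (s in path) if (path[s] == "/" && rw[s]) print s ": writable share rooted at /"
        }' "$1"
}

# Finding count as a plain number (0 for a clean config).
count_findings() {
    audit_smb_conf "$1" | grep -c . || true
}

# Constructed before/after configs for the demo.
write_sample_confs() {
    cat > "$1/weak.conf" <<'EOF'
[global]
   workgroup = HOME
   security = share

[root]
   path = /
   writeable = yes
   guest ok = yes
EOF
    cat > "$1/hardened.conf" <<'EOF'
[global]
   workgroup = HOME
   security = user
   hosts allow = 192.168.0.10 127.
   hosts deny = ALL
   map to guest = Never

[html]
   path = /var/www/html
   valid users = gharvey
   writeable = yes
   guest ok = no
EOF
}

demo=$(mktemp -d)
write_sample_confs "$demo"
echo "weak.conf:";     audit_smb_conf "$demo/weak.conf"
echo "hardened.conf:"; audit_smb_conf "$demo/hardened.conf"
rm -rf "$demo"
```

Run `audit_smb_conf /etc/samba/smb.conf` after editing and again after any later change; `hosts allow` with a matching `hosts deny = ALL` is what actually limits the share to the laptop, and `security = user` plus `guest ok = no` closes the anonymous path the share-level setup left open. Neither replaces `testparm`, which checks the syntax Samba itself will accept.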
Old 12-13-2004, 01:36 PM   #10
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
There are several available: clamav, fprot, Kaspersky Lab, plus others. I've never done (or seen) a side-by-side comparison of all of them, so I can't really recommend any one in particular. Though I have used Kaspersky Lab and clamav and was pleased with both.
 
All times are GMT -5.