LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 09-22-2009, 11:14 AM   #16
abefroman
Senior Member
 
Registered: Feb 2004
Location: lost+found
Distribution: CentOS
Posts: 1,430

Rep: Reputation: 55

Quote:
Originally Posted by unSpawn View Post
OK. Regardless of services being free or not, what would services be worth anyway if offered by a host who has more important things to do then make sure integrity is maintained or restored? Would you feel secure using them?
Hell no, especially since he is saying he is not going to notify his customers at this point.
 
Old 09-22-2009, 02:02 PM   #17
Meson
Member
 
Registered: Oct 2007
Distribution: Arch x86_64
Posts: 606

Rep: Reputation: 67
I wasn't defending. Although his system status does say "Offline because of bugs."
 
Old 09-22-2009, 08:32 PM   #18
ShellPwn
LQ Newbie
 
Registered: Aug 2009
Posts: 12

Original Poster
Rep: Reputation: 0
I take the security of the server very seriously, let me assure you. But there is no point in re-installing the entire OS, putting back the same services and getting compromised again.

Quote:
Hell no, especially since he is saying he is not going to notify his customers at this point.
Why wouldn't I notify my users if I didn't think it was one of them? I can't scare away the attacker for now, that would be stupid. If I didn't suspect any of them, then it would be completely fine for me to notify them as a whole. Right now, a certain few users that I trust already know about the situation.

Please stop trying to tell me 'what' I should do, but rather, how I can find out how the attacker got in. If I really took 'that stance' on security, most people wouldn't even ask for help on a forum. Am I not being reasonable here? It is solely up to me to find out my method of mitigation, there is no one-way to solve a compromise, everyone's circumstances are different, I was just asking here for some information on a strange binary file. If you haven't seen it before, that's fine, you can reserve your judgement.

"Offline because of bugs."
That's just because of some PHP issues in that web application.

Last edited by ShellPwn; 09-22-2009 at 08:34 PM.
 
Old 09-22-2009, 08:47 PM   #19
abefroman
Senior Member
 
Registered: Feb 2004
Location: lost+found
Distribution: CentOS
Posts: 1,430

Rep: Reputation: 55
Sorry, I thought the user in question was freeshell, do you have a dedicated server with several usernames on it? Or are all your IRC people under the freeshell account?
 
Old 09-22-2009, 08:56 PM   #20
ShellPwn
LQ Newbie
 
Registered: Aug 2009
Posts: 12

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by abefroman View Post
Sorry, I thought the user in question was freeshell, do you have a dedicated server with several usernames on it? Or are all your IRC people under the freeshell account?
I wasn't talking to you specifically, but it's a VPS with several usernames on it.

People, try to understand where I'm coming from. I can't re-install the OS without knowing how the intruder got in. Nor would it be smart to go to a backup.
 
Old 09-22-2009, 09:15 PM   #21
abefroman
Senior Member
 
Registered: Feb 2004
Location: lost+found
Distribution: CentOS
Posts: 1,430

Rep: Reputation: 55
Quote:
Originally Posted by ShellPwn View Post
I wasn't talking to you specifically, but it's a VPS with several usernames on it.

People, try to understand where I'm coming from. I can't re-install the OS without knowing how the intruder got in. Nor would it be smart to go to a backup.
Well, if he got root access there's probably a problem at the OS level, or in one of the OS level packages you have installed, like something is out of date.

Or he has your root password.

Not doing anything is pretty stupid, like leaving the system compromised.

Sounds like you need to clean house with who you are hosting, especially if it's a free service.

And setup 1 IRC room per 1 linux user.
 
Old 09-23-2009, 09:53 AM   #22
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by ShellPwn View Post
People, try to understand where I'm coming from. I can't re-install the OS without knowing how the intruder got in. Nor would it be smart to go to a backup.
I think you in turn do not understand, I think I made it pretty clear in post #10, what and how we would like to see things reported back to be able to start to help you. Basically all we got back was some loose information plus "I have to run off now, so thanks for your help" which you would have to agree provides no starting point at all. As they say the ball is in your court...
 
Old 09-24-2009, 04:48 AM   #23
ShellPwn
LQ Newbie
 
Registered: Aug 2009
Posts: 12

Original Poster
Rep: Reputation: 0
I had to go to uni. I had no intention of being rude or seeming that way. I presented the information that you requested, OS and version along with the running services. Anyway, I've reinstalled the server with Fedora 10 (EOL in 2 or so months, but unfortunately, my provider doesn't have an OS template for Fedora 11), and hopefully I can track down the intruder this way. Obviously, I couldn't show all the server logs as some of the data is private and confidential. Feel free to mark this thread as closed.

Last edited by ShellPwn; 09-24-2009 at 04:50 AM.
 
Old 09-24-2009, 05:30 AM   #24
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by ShellPwn View Post
I had to go to uni. I had no intention of being rude or seeming that way. I presented the information that you requested, OS and version along with the running services.
OK, noted. No, you did not present all the needed information, but discussion is futile now. If you want to see what it should look like and how we'd like to help, check this forum for compromise threads I replied in.


Quote:
Originally Posted by ShellPwn View Post
Anyway, I've reinstalled the server with Fedora 10 (EOL in 2 or so months, but unfortunately, my provider doesn't have an OS template for Fedora 11),
Please make certain to install all updates, enable logging, properly harden the machine and restrict access where necessary.
* If you'd like help with hardening or a second opinion on what to do I suggest you create a new thread, list the application versions installed, post the results of running a remote nmap scan and a local GNU Tiger scan and post the measures you will take.


Quote:
Originally Posted by ShellPwn View Post
and hopefully I can track down the intruder this way.
Unless you have the knowledge to play such games I'd advise against it. Better invest time in keeping the machine secure.


Quote:
Originally Posted by ShellPwn View Post
Obviously, I couldn't show all the server logs as some of the data is private and confidential.
And that's why I sometimes invite people to contact me by email. That way discussing non-disclosure issues and facilitating bulk transfers could be one of the possibilities.


Quote:
Originally Posted by ShellPwn View Post
Feel free to mark this thread as closed.
On LQ we don't. As thread creator you are allowed to mark the thread as solved, which I just did for you.
 
Old 11-21-2009, 10:05 PM   #25
abefroman
Senior Member
 
Registered: Feb 2004
Location: lost+found
Distribution: CentOS
Posts: 1,430

Rep: Reputation: 55
Quote:
Originally Posted by unSpawn View Post
4. After you've answered those questions (do not install or delete anything) we'll move on to preparing backups for reference (not reuse) and investigate further using system authentication data (logrotated wtmp), IDS logs, filesystem integrity checkers, package manager (if good enough), all system, daemon and firewall logs, temp files, unusual (setuid root) files, user shell histories. When you report back include any information, hints, hunches or gut feelings you think would help. Please attach logs if possible, else please use BB code tags to preserve formatting and efficient reading. And please ask before doing things if you have any doubts.
Can you elaborate on this part? I know the guy didn't write back with the info, but if he had, what would the next steps be?

Quote:
Originally Posted by unSpawn View Post
2. As root account user list open files (\lsof -P -w -n), process (\ps ax -o ppid,pid,uid,cmd --sort=uid) and network data (\netstat -anpe) listings to a location where you do not overwrite data or pipe data through ssh.
And can you give the command to pipe data through ssh?
lsof | ssh ???

TIA

Last edited by abefroman; 11-21-2009 at 11:50 PM.
 
Old 11-23-2009, 08:19 PM   #26
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by abefroman View Post
Can you elaborate on this part? I know the guy didn't write back with the info, but if he had, what would the next steps be?
Prepare backups for reference. Investigate. With system authentication data I mean utmp, wtmp and changes in any auth databases; filesystem integrity checkers and package managers (when used with known good off-line backups of databases) are for separating changed from inert files and dividing files with known good checksums from "bad" ones; system, daemon and firewall logs often contain recon info and per-IP history you can trace back with, say, Logwatch; temp files, unusual (setuid root) files and user shell history files also help build timelines. What's missing from this picture? Volatile data that doesn't survive reboots (people often think just rebooting is a good thing), data that gets deleted deliberately in an attempt to thwart detection, data that only gets injected on the fly, data that is otherwise hidden. Strangely enough we're spotting rootkit infections again, albeit sporadically. To answer your question in short: checkpoint your data (so you know what changed after you saved it), gather data and process it.


Quote:
Originally Posted by abefroman View Post
And you can you give the command to pipe data through ssh?
Both will require root account access to run commands but Netcat probably would be easier. On the receiving host do 'nc -l -n 10000 2>&1 | tee /dev/shm/netcat.tee', then on the "victim", as root, run '( \lsof -P -w -n; \ps ax -o ppid,pid,uid,cmd --sort=uid; \netstat -anpe ) | nc receiving_host_ip 10000'. Note full path prepending / usage of backslashes depends on actual path usage and available aliases you would need to avoid.
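A script version of the netcat hand-off described in this reply, as an added example that is not unSpawn's own code: it wraps the three listings in labelled, timestamped sections, streams them to the listener without writing to the suspect host's disk, and hashes the captured file afterwards so later copies can be compared against that checkpoint. RECV_HOST, RECV_PORT and the function names are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not unSpawn's own script: capture volatile state on a
# suspect host the way the reply describes and stream it to a listener
# over netcat, then checkpoint the captured file by hash.
# RECV_HOST and RECV_PORT are placeholders you substitute.

# Run one tool and wrap its output in a labelled, timestamped section so
# the receiver can tell the listings apart. Tools are looked up by name;
# a known-good copy of each tool (own media, absolute path) is preferable
# on a compromised box, since the installed binaries may be trojaned.
section() {
    name=$1
    printf '=== %s (%s) ===\n' "$name" "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    if command -v "$name" >/dev/null 2>&1; then
        # Record a failing exit status instead of silently dropping it.
        "$@" 2>&1 || printf '(exit status %s)\n' "$?"
    else
        echo "(not available on this host)"
    fi
}

# The three listings from the reply: open files, processes, network state.
volatile_snapshot() {
    section lsof -P -w -n
    section ps ax -o ppid,pid,uid,cmd --sort=uid
    section netstat -anpe
}

# Suspect host side. Nothing is written to the suspect's disk; the listener
# side runs:  nc -l -n RECV_PORT 2>&1 | tee /dev/shm/netcat.tee
send_snapshot() {
    volatile_snapshot | nc "$1" "$2"
}

# Checkpoint: hash a captured file so later copies can be compared to it.
checkpoint() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Usage on the suspect host, as root, after the listener is up:
#   send_snapshot RECV_HOST RECV_PORT
# On the receiving host afterwards:
#   checkpoint /dev/shm/netcat.tee > netcat.tee.sha256
```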
 
Old 11-23-2009, 11:18 PM   #27
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 430

Rep: Reputation: 67
There are numerous hosting sites that get attacked on a regular basis. 2 days before Defcon this year someone hacked the hosting service that Dan Kaminsky and Kevin Mitnick were using to get to their info. The exploit used was over 6 months old.


There is certainly a need for good secure hosting!
 
Old 11-24-2009, 02:48 AM   #28
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by slimm609 View Post
There is certainly a need for good secure hosting!
Excellent point.
What causes people to choose bad hosting?
How could they recognize good hosting solutions?
 
Old 11-24-2009, 07:14 AM   #29
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
Quote:
Originally Posted by unSpawn View Post
Excellent point.
What causes people to choose bad hosting?
I think many people choose hosting based on pricing. They usually want cheap hosting. The saying, "you get what you pay for" applies, though. Those who choose bad hosting usually lack the experience in judging/researching for good hosting, too.

Quote:
Originally Posted by unSpawn View Post
How could they recognize good hosting solutions?
By researching the hosting company for negative trends. Personal and/or professional references help also.
 
Old 11-24-2009, 07:36 AM   #30
abefroman
Senior Member
 
Registered: Feb 2004
Location: lost+found
Distribution: CentOS
Posts: 1,430

Rep: Reputation: 55
Quote:
Originally Posted by unixfool View Post
I think many people choose hosting based on pricing. They usually want cheap hosting. The saying, "you get what you pay for" applies, though. Those who choose bad hosting usually lack the experience in judging/researching for good hosting, too.
What do you mean, how could you go wrong with unlimited disk space, unlimited bandwidth, etc. for only $3.95/mo, with a 50% off coupon and 6 months free? LOL

Honestly I think the majority of hosting companies out there are:
1. Resellers or dedicated server leasers who really have no idea how, or no time, to keep up with security

2. Trying to be ultra competitive by offering gimmicks like unlimited disk space (last time I checked no hard drive manufacturer was making an unlimited space hard drive), and they usually have something in the TOS that says you can only use it for HTML and pictures, and no more than x% can be for photos and multimedia.
 