LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 06-28-2004, 07:16 PM   #31
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69

And I will isntall tripwire, and harden my kernel (anyone know of any good tutorial for hardening redhat kernel?)
See the section of the security references thread on kernel hardening. You might also want to take a look at grsecurity. If you are going to use an RPM based distro, then you definitely should use an automatic update tool like up2date or YUM. Both will automagically keep your box updated with the most recent security patches. Remember to turn off un-necessary services, use encryption when feasible (ssh vs. telnet), and use a decent firewall. That should eliminate most of the garbage 'sploits that can be used to compromise poorly maintained systems.
 
Old 06-28-2004, 07:33 PM   #32
cpanelskindepot
Member
 
Registered: Jun 2004
Posts: 43

Original Poster
Rep: Reputation: 15
Thanks for that caveman!

Anyone who can think of stuff that I should do in addition to what caveman mentioned please tell me. I cant afford to let some Turkish script kiddies compromise my security and defaced my site with some Animated Turkish flag GIF and bad color combination and backgrounds. Hackers suck at design. Why don't we see more hackers deface sites and replacing em with nice flash templates? I will appreciate that!
 
Old 06-29-2004, 06:13 AM   #33
HadesThunder
Member
 
Registered: Mar 2004
Location: London
Distribution: Mandrake 9.1
Posts: 281

Rep: Reputation: 30
I did not know that advertising was not allowed in forums, will take that into account. Forgive my attempt at humour.
I think Tripwire is good if your experienced in Linux. But a router is a lot easier to set up and offers the same security. Plus if a cracker somehow manages to bring down the network. The router will ussually automatically detect most of your network settings, upon reinstall.
 
Old 06-29-2004, 06:14 AM   #34
HadesThunder
Member
 
Registered: Mar 2004
Location: London
Distribution: Mandrake 9.1
Posts: 281

Rep: Reputation: 30
Just to follow up. I suggest using tripwire aswell.
 
Old 06-29-2004, 03:37 PM   #35
v00d00101
Member
 
Registered: Jun 2003
Location: UK
Distribution: Fedora 8, Centos 5.1
Posts: 480

Rep: Reputation: 30
Quote:
Originally posted by cpanelskindepot
What if the /usr and /etc foders are "infected"?
If you make master copies right after a reinstallation of operating system and configuration of your services, why would you think they'd be infected. Unless you ran your box without any security at all, they should be ok.

Get a hardware firewall/router to put in between your box and the wan.
 
Old 06-29-2004, 05:23 PM   #36
cpanelskindepot
Member
 
Registered: Jun 2004
Posts: 43

Original Poster
Rep: Reputation: 15
And why is a hardware firewall better than software?
I was told the software firewall, APF, is more than enough.
 
Old 06-29-2004, 06:49 PM   #37
HadesThunder
Member
 
Registered: Mar 2004
Location: London
Distribution: Mandrake 9.1
Posts: 281

Rep: Reputation: 30
A router will make an efficient firewall for you, but as its hardware it will cost you rather than time. You can get the same results with software firewall, like TripWire, but unless you know what you are doing, you are likely to trip yourself up rather than the hacker. Hardware will cost your and software will cost you time, your choice.
 
Old 06-29-2004, 09:57 PM   #38
tekhead2
Member
 
Registered: Apr 2004
Distribution: slackware/FreeBSD/Vector
Posts: 291

Rep: Reputation: 52
A hardware firewall is better simply because the code is running usually in rom, in an embedded system that cant be changed. A software firewall is just that software, that can be changed, altered, and otherwise crash. By the way cpanelskindepot are you going to reinstall? I tired to take the easy route once and left a compromised system run, and just shored up my firewall, Well it didnt matter, most firewalls are stateful, and will let out any packet that is sent from within the trusted part of the network. Who's to say that they dont have some server/client connection being established via a trojan. If they did its gonna cruise right on through your firewall, even if you block the ip addresses. Yeah man I would reinstall , install some kinda IDS, namely snort, install tripwire, and setup a honeypot that looks alot like the old system they hacked. I bet money they are bouncing from proxy to proxy so bad that you will never find them. Heck you may even want to try a deadzone. just use a network bridge and change protocols on them you could go from TCP/IP then to IPX/SPX and then back to TCP/IP. That would make it go slower though if its a webserver but they couldnt even get to it then.

Last edited by tekhead2; 06-29-2004 at 09:59 PM.
 
Old 06-29-2004, 10:15 PM   #39
cpanelskindepot
Member
 
Registered: Jun 2004
Posts: 43

Original Poster
Rep: Reputation: 15
I managed to get a rollback from my backup on the 14th.....thats like 10 days before I got hacked.
WHen I did, I found some traces of the hacker's activity on the server.
So that guy had been trying for sometime before he defaced my site.
BUT the script I believe he used was not present.

I bet at this point some of you wanted to see the defaced site.
WARNING : THis is not going to be pretty.

http://www.alphaillusion.com/test/Mu...%20_______.htm

If you read the lines below,it said:If you want hack this server, please go to http://www.cpanelskindepot.com/~demo/.admin.php
Dear CpanelSkindepot del it quickly

I didn't see the .admin.php in the /home/demo/ directory so I suppose the have not figured out the admin.php by that time. I am just banking on this fact.
Anyway why did they lead me to the script they used to hack my site and were kind enough to advice me to delete it instead of saying "Your server is lame, we hacked in because your security sucks!!!!"
The only thing I can think of is they actually employed another way to hack in but try to lead me to the wrong script.
I might be thinking too much about all these conspiracy theories though.

I doubt those Turkish script kiddies bothered to find proxy. It is not as if theres Bill Gates bank account password in there. Yes I sell software on my site but my licensing server is somewhere else so they get nothing out of it.

By the way what is honeypot? what is deadzone?
I have no idea what these are as I am really a Linux newbie but they sound pretty good.
I will employ any tactics to get Bozos out of my server.

Quote:
Originally posted by tekhead2
A hardware firewall is better simply because the code is running usually in rom, in an embedded system that cant be changed. A software firewall is just that software, that can be changed, altered, and otherwise crash. By the way cpanelskindepot are you going to reinstall? I tired to take the easy route once and left a compromised system run, and just shored up my firewall, Well it didnt matter, most firewalls are stateful, and will let out any packet that is sent from within the trusted part of the network. Who's to say that they dont have some server/client connection being established via a trojan. If they did its gonna cruise right on through your firewall, even if you block the ip addresses. Yeah man I would reinstall , install some kinda IDS, namely snort, install tripwire, and setup a honeypot that looks alot like the old system they hacked. I bet money they are bouncing from proxy to proxy so bad that you will never find them. Heck you may even want to try a deadzone. just use a network bridge and change protocols on them you could go from TCP/IP then to IPX/SPX and then back to TCP/IP. That would make it go slower though if its a webserver but they couldnt even get to it then.
 
Old 06-30-2004, 01:46 AM   #40
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582
IMNSHO this thread has been going on too long, with too much advice. Not that I want to hold back any, but you should focus on system restoration, making sure the system is in working order and under your control, and hardening. Honeypots and such are fine, but won't do you no good as they will not enhance security.

Maybe start with these:
Did you update all software?
What services do you run?
What measures did you take to log access?
What measures did you take to shield access?
 
Old 06-30-2004, 01:53 AM   #41
cpanelskindepot
Member
 
Registered: Jun 2004
Posts: 43

Original Poster
Rep: Reputation: 15
1. Yes all updated
3. I rely on AWstats for log analysis.
4. So far I only used IPtables to block the whole of Turkey from accessing my site.

And I only need an advice on ONE THING now.

How can a hacker can compromise security and access other accounts in /home/ directory if he was ONLY given the permission to upload a phpMyshell file?
I hope by understanding this I will be able to learn from this mistake.

My server was restored from backup so I guess I am going to be OK.
And I hope others will learn from this too!

Quote:
Originally posted by unSpawn

Maybe start with these:
1.Did you update all software?
2.What services do you run?
3.What measures did you take to log access?
4.What measures did you take to shield access?
 
Old 06-30-2004, 05:57 AM   #42
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,286

Rep: Reputation: 62
What is a honeypot, chechout this site http://www.tracking-hackers.com/papers/honeypots.html
 
Old 06-30-2004, 06:01 AM   #43
cpanelskindepot
Member
 
Registered: Jun 2004
Posts: 43

Original Poster
Rep: Reputation: 15
That stuff is hurting my brain so bad....

Quote:
Originally posted by fotoguy
What is a honeypot, chechout this site http://www.tracking-hackers.com/papers/honeypots.html
 
Old 06-30-2004, 05:32 PM   #44
HadesThunder
Member
 
Registered: Mar 2004
Location: London
Distribution: Mandrake 9.1
Posts: 281

Rep: Reputation: 30
As suggested earlier. Go get yourself an decent router. Set it up and it will do most of the work that Tripwire and Honeypots can do for you. Backup your critical data, reinstall and study Tripwire and other security software, safe in the hands of the router, that will slap 90% of crackers.
 
Old 07-01-2004, 03:38 PM   #45
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582
2. What services do you run?
You don't know?


What measures did you take to log access?
3. I rely on AWstats for log analysis.

No, that's webstats only AFAIK. You need to watch syslog and (Chkrootkit, Rootkit Hunter, Tiger, server, IDS, filesystem integrity) application logs for anomalies, set yourself up with a remote email account you check regularly and have something like Logwatch report to you.


What measures did you take to shield access?
4. So far I only used IPtables to block the whole of Turkey from accessing my site.

Start by running everything (except high volume services like HTTP(S)) through LOG target rules. Logging rules major. It also helps you debug rules. On a public webserver the only "established, related" outbound connections are return traffic for the services you run. Initialising (that's SYN for TCP) outbound are DNS queries (TCP and UDP) for resolving and SMTP for sending email, so they need "established,related" inbound. Note some SMTP hosts require you to allow them access to "ident" service (or at least not DROPping them). The only initialising inbound you get are ident for SMTP, (SSH for your remote management caps if necessary (don't log in as root)), and the services you run (hopefully only HTTP(S)). If you're behind a shared firewall your colo ppl might be able to assist by only allowing traffic in and out for the services you need to run.


And I only need an advice on ONE THING now.How can a hacker can compromise security and access other accounts in /home/ directory if he was ONLY given the permission to upload a phpMyshell file? I hope by understanding this I will be able to learn from this mistake.
Upload and run more likely, eh? Remote shell access for unprivileged users in general is BAD NEWS. By allowing PHP to be a GUI for shell commands it's only making it easier. PHP's safe mode would have killed PHP.*shell exec's. Don't trust users to upload, make, modify and run binaries you haven't tested yourself. Don't allow users write access to public (tmp) dirs to create setuid (root) binaries. Don't allow users to execute anything outside the $PATH. Don't trust users (period)


Please read the LQ FAQ: Security references and forget about Honeypots. It ain't helping you secure your box, no matter who mentions it for whatever compelling reason (with all due respect etc, etc).
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Is my server hacked? kazjol Linux - Security 3 10-10-2004 12:09 PM
Server hacked php4u Linux - Security 1 07-05-2004 11:34 AM
server hacked!?!?! vittibaby Linux - Security 1 03-27-2004 12:31 PM
web server hacked. sarin Linux - Security 12 10-05-2002 03:51 PM
pacpac has hacked my server. Help! 360 Linux - Security 10 04-22-2002 03:35 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 05:25 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration