LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
07-17-2006, 12:20 AM #1 Bodyweb (LQ Newbie, Suse 10.1)

Suse 10.1 Hacked in 10 hours?!?

How is that possible?

I was hacked last week, so I decided to install everything again from scratch.

I copied over just the web (PHP files) and the mail server; all the rest was brand new and updated. 10 hours, and they got me again!!!!?
 
07-17-2006, 12:36 AM #2 gilead (Senior Member, Brisbane, Australia)
It sounds like whatever was vulnerable before was still vulnerable. Nobody will be able to answer how it was possible without some information on what went wrong though. Can you post the info that showed you that you'd been hacked?
 
07-17-2006, 01:16 AM #3 Gato Azul (Member)
I think that it's possible that your php files or mail server files were replaced or modified to give backdoor access to whoever's cracking into your system since those were just copied over from the old compromised system. Do you have any backups of the pre-compromised files that you can compare to the current ones to see if they've been modified? Also, what services are you running and what ports do you have open in your firewall?

When you reinstall, if you're running any extra services that you don't need, shut them off. Verify that the services that you do need are locked down as tight as possible while still providing the needed functionality. Also, you should install a program like aide and keep the database that it generates on a USB drive or floppy that's not connected to the system (so that the cracker can't modify that too). It might help you see which files have been modified if your system is broken into again. Something's obviously being left open for the attacker to exploit -- the question is whether it's a need for a tighter security policy on your system or an undiscovered exploit in one of SUSE's packages.
 
07-17-2006, 09:53 AM #4 Bodyweb (Original Poster)
What is running right now is web service, mail server and SSH+VNC to control the server.
Firewall open only on these ports.

The server is now badly compromised, root password changed, all files modified, but on the new server I'm not able to get mail working. I'm setting mailserver = /opt/local/kerio/sendmail -t -i in the PHP.ini but no mail is working.

My plan was to install a brand new OS and then try to close access to this guy, and do it again every time he was able to get inside.
 
07-17-2006, 10:55 AM #5 unSpawn (Moderator)
Quote:
Originally Posted by Bodyweb
What is running right now is web service, mail server and SSH+VNC to control the server.
Firewall open only on these ports.
Of which you only need ssh, the rest should be disabled.

Quote:
Originally Posted by Bodyweb
The server is now badly compromised, root password changed, all files modified, but on the new server I'm not able to get mail working. I'm setting mailserver = /opt/local/kerio/sendmail -t -i in the PHP.ini but no mail is working.
With all due respect, email is not your priority. Power off the box if it's local or let the colo people make a backup, reinstall the O.S. and have firewall rules set on hand-off so only your management IP (range) has access to it.

Quote:
Originally Posted by Bodyweb
My plan was to install a brand new OS and then try to close access to this guy, and do it again every time he was able to get inside.
Please read the other recent thread "Help! rootkit attempt on my box?" and hook into it here: http://www.linuxquestions.org/questi...33#post2337533. Read the three links, post your plan, discuss it and *then* proceed.
 
07-17-2006, 11:58 AM #6 Bodyweb (Original Poster)
Thanks very much.

Yep, I got your point, I'll do this this evening, but believe me, email is VERY important for me, I'm living with that, I have an ecommerce site that I can't stop.

Anyway, I contacted the guy. I'm trying to be friendly, weird, isn't it? He told me that every Linux has its own vulnerabilities and our machine has this easy way to gain access: http://phpadsnew.com/two/nucleus/index.php?itemid=45

Tonight I'll try to install the new server but I absolutely need my email working.
 
07-17-2006, 01:12 PM #7 unSpawn (Moderator)
Quote:
Originally Posted by Bodyweb
Yep, I got your point, I'll do this this evening, but believe me, email is VERY important for me, I'm living with that, I have an ecommerce site that I can't stop.
Then a fail-over box should come in handy, or if it's a really high specced box, maybe virtualisation. If you already have another box you could also use that as a mailserver by changing the MX records?

Quote:
Originally Posted by Bodyweb
Anyway, I contacted the guy. I'm trying to be friendly, weird, isn't it? He told me that every Linux has its own vulnerabilities and our machine has this easy way to gain access: http://phpadsnew.com/two/nucleus/index.php?itemid=45
Another XML-RPC victim. So you haven't kept the box up to date.

Quote:
Originally Posted by Bodyweb
Tonight I'll try to install the new server but I absolutely need my email working.
I somehow get the idea you're moving really fast with not enough reading, but OK, it's your money...

 
07-17-2006, 01:26 PM #8 Bodyweb (Original Poster)
You are right 100% in each point, I must be here (LQ.org) more often, and it will be like that !
 
07-17-2006, 06:11 PM #9 Bodyweb (Original Poster)
Ok, I'm installing a new system; the old one is completely gone, no longer able to run.

On the new one, is there a way to fix the host to allow only local connections for remote control?
Like ssh just from the local network, vnc only from the local network.
 
07-17-2006, 07:59 PM #10 Super7 (Member, Mandrake)
Quote:
Originally Posted by Bodyweb
Ok, I'm installing a new system, the old one is completely gone, not more able to run

On the new one is there a way to fix host just to allow local connections for remote control ?
Like ssh just from local network, vnc only from local network.

Yep, I would say there are a couple of ways. What I have been looking at to keep my network nice and safe is packet shaping. There is also hosts.allow and hosts.deny. You can configure shorewall to only allow local networks to connect to your box via selected ports as well.

I wouldn't take advice from me though I also recently got rootkit'd as well :P
 
07-17-2006, 08:14 PM #11 gilead (Senior Member, Brisbane, Australia)
Quote:
Originally Posted by Bodyweb
On the new one is there a way to fix host just to allow local connections for remote control ?
Like ssh just from local network, vnc only from local network.
Yes - ssh can be configured to listen on particular addresses/ports. Have a look at man sshd_config and search for ListenAddress for more info. Suse uses xinetd doesn't it? If so, you can run VNC from it and specify which interfaces to bind to - have a look at man xinetd.conf and search for interfaces (I think).

Also, have a look at man iptables or use google to find out how to restrict connections into the box. If you have a specific configuration in mind, there are plenty of people here who can help set it up with you.

I haven't finished reading through all of them yet myself, but take regular short walks through http://www.linuxquestions.org/questi...ad.php?t=45261. There's plenty of useful information in there.
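The ListenAddress and per-user restrictions discussed above, as an added example that is not part of the original posts: a small POSIX sh audit of an sshd_config file. It applies sshd's rule that the first occurrence of a keyword wins (so a hardened line appended below an earlier permissive one has no effect), checks every ListenAddress line because all of them take effect, and stops at the first Match block since only the global section is audited. The function names, the "keyword value" whitespace form, and the management address 10.1.1.2 used in the usage note are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings discussed in this thread.
# Not from the original posts; function names are hypothetical.
# Assumes the usual "Keyword value" form (not "Keyword=value").

# sshd_value FILE KEYWORD -> effective value of KEYWORD in the global section:
# comments stripped, keyword matched case-insensitively, FIRST occurrence wins
# (sshd semantics), nothing printed when unset.  Stops at the first Match block.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                              # drop comments
        tolower($1) == "match" { exit }                 # end of global section
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# audit_sshd FILE LAN_ADDR -> one finding per line on stdout,
# exit status = number of findings (0 means the three checks passed)
audit_sshd() {
    f=$1; lan=$2; n=0

    v=$(sshd_value "$f" PermitRootLogin)
    if [ "$v" != "no" ]; then
        echo "PermitRootLogin is '${v:-unset}' (the OpenSSH of the day defaulted to yes); set it to no and su/sudo from a normal account"
        n=$((n + 1))
    fi

    # every ListenAddress line binds a socket, so all of them must be the LAN address
    addrs=$(awk '{ sub(/#.*/, "") }
                 tolower($1) == "match" { exit }
                 NF >= 2 && tolower($1) == "listenaddress" { print $2 }' "$f")
    if [ -z "$addrs" ]; then
        echo "ListenAddress is unset, so sshd binds every interface; bind it to $lan"
        n=$((n + 1))
    else
        for a in $addrs; do
            [ "$a" = "$lan" ] || { echo "ListenAddress $a is not the management address $lan"; n=$((n + 1)); }
        done
    fi

    v=$(sshd_value "$f" AllowUsers)
    if [ -z "$v" ]; then
        echo "AllowUsers is unset; any account with a password may attempt to log in"
        n=$((n + 1))
    fi

    return $n
}
```

Run it as `audit_sshd /etc/ssh/sshd_config 10.1.1.2` after editing the file and before restarting sshd; a non-zero exit status with the findings printed tells you what to fix. Reading the file rather than asking the running daemon is deliberate: on a box you suspect, the daemon's answers are no more trustworthy than the binary that gives them.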
 
07-17-2006, 08:20 PM #12 unSpawn (Moderator)
Quote:
Originally Posted by Bodyweb
On the new one, is there a way to fix the host to allow only local connections for remote control?
Like ssh just from the local network, vnc only from the local network.

Something like
Code:
#!/bin/sh
# Temporary lockdown: only the LAN may open ssh (22) and VNC (5900);
# everything else, in and out, is logged and dropped.
IPT=/sbin/iptables      # check the binary location (which iptables / slocate iptables)
LAN="10.1.1.0/24"       # replace with your own management range

# Default deny in every direction
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# Loopback is always allowed
$IPT -A INPUT -i lo -j ACCEPT
# Traffic from the LAN is handled in its own chain
$IPT -N INPUT-LAN
$IPT -A INPUT -s $LAN -j INPUT-LAN
$IPT -A INPUT-LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT-LAN -p icmp --icmp-type any -j ACCEPT
$IPT -A INPUT-LAN -p udp -j ACCEPT
# New TCP connections from the LAN only to ssh and VNC
$IPT -A INPUT-LAN -m state --state NEW -m tcp -p tcp -m multiport --dports 22,5900 -j ACCEPT
# Anything not from the LAN is logged, then whatever is left is dropped
$IPT -A INPUT ! -s $LAN -j LOG --log-level info --log-prefix "LOG_in "
$IPT -A INPUT -j DROP

$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -d $LAN -j ACCEPT
$IPT -A OUTPUT ! -d $LAN -j LOG --log-level info --log-prefix "LOG_out "
$IPT -A OUTPUT -j DROP

exit 0
* Note you have to check your iptables binary location (which, slocate) and your LAN range. This is a temporary example and should not be mistaken for a complete ruleset. Also note you don't really have to have TCP/5900 open for VNC as you can tunnel about anything over ssh: "/usr/bin/ssh -L 5900:10.1.1.2:5900 -q -N -2 -4 10.1.1.2" and connect your vncviewer to localhost.

/etc/hosts.deny:
Code:
ALL: ALL
/etc/hosts.allow:
Code:
sshd: 127.0.0.1, 10.1.1.
vncserver: 127.0.0.1, 10.1.1.
I'm not sure about the name of the "vncserver" entry: replace with the name of the running VNC daemon.
 
07-17-2006, 08:37 PM #13 jschiwal (LQ Guru, SuSE AMD64)
You can have ssh allowed only on the local interface using the firewall setup.
Also edit your ssh configuration files to disallow root logins. Always log in as a regular user and su to root, or better yet, use sudo. Using sudo will log the commands you performed which may help with trouble shooting in the future.

If a small number of users are authorized to log in using ssh, then add those users to "AllowUsers"
Quote:
from: http://www.faqs.org/docs/securing/chap15sec122.html

Edit the sshd_config file, vi /etc/ssh/sshd_config and add/or change, if necessary, the following parameters:
Code:
# This is ssh server systemwide configuration file.

Port 22
ListenAddress 192.168.1.1
HostKey /etc/ssh/ssh_host_key
ServerKeyBits 1024
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin no                # <- first point mentioned above
IgnoreRhosts yes
IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding no
PrintMotd yes
SyslogFacility AUTH
LogLevel INFO
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
AllowUsers admin                  # <- second point mentioned above
This is an excerpt from a Red Hat oriented guide on the web. I marked the two points that I mentioned. There is a book on Securing Linux Servers that B&N sells that focuses on Red Hat and SuSE.

SuSE provides Aide (intrusion detection) and AppArmor (protects system files and applications from being altered). Also make a habit of reading the root system mail. It will provide a report if certain files are altered, or if permission settings have changed.

One advantage that you have is that you don't need or want a lot of the services and applications that a workstation user would have. The less installed the better. No X windows, no gcc, no kde, no gnome, etc. As a result, your server will have fewer files. This makes it possible to do things like produce a catalog of files/md5 hashes for the system directories, before going online. It would be work keeping such a list current after each security upgrade, however it might save you from a clean install in the future, due to incorrectly thinking that you are compromised when you aren't. If a rootkit scanner gives a false positive for example, going offline and booting up to a cdrom live disk which can verify that your system files haven't been altered may be quicker than re-installing. Also, a list of exactly which files were altered might help you diagnose where you need to plug a hole. ( You can use the rpm command to verify file integrity, however a hacker might have altered your rpm database. )

Actually, AppArmor performs the same thing as I am suggesting, if configured. You could instead produce a daily table of filename, size, dates, and permissions of your system files. You could use the find command to easily produce such a text database, and then compare it with a reference you initially produced and burned to cdrom. Such a catalog produced by the find command would be quicker than calculating md5sums for a large number of files. However for the /bin directory, it might be worth it. A root kit, or hacker might replace the "ps" command to hide their own processes; or the "ls" command to hide files in certain directories.

Also read through your own php or mysql code. If this is a LAMP server, and you use MySQL, be sure to read through the manual.pdf MySQL manual. There is a section on securing MySQL after installation. Also, it lists things to avoid in your web scripts, such as wrapping user entries inside single quotes, before it is sent to the mysql server. ( This is probably old hat for you. ) It is usually a good idea to have another person read through any code you write. To paraphrase Linus' Law: ``Given enough eyeballs, all bugs are shallow.'' ( Eric Raymond, The Cathedral and the Bazaar )

Besides the reading you have ahead of you, I would suggest keeping a notebook of everything that you do on the server. This might help you track and formalize security, backup and recovery procedures.

Good Luck.
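The file catalog jschiwal describes (find plus a hash per file, compared against a reference kept on read-only media), which is also the offline-database idea behind Gato Azul's aide suggestion in #3, as an added example that is not from the original posts. It uses sha256 rather than md5 and records mode, owner, group and size alongside the hash, so a permission change or a replaced binary of the same size is reported as well. It assumes GNU coreutils (sha256sum, stat -c) and POSIX awk; the function names and the paths in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: a minimal file-integrity catalog in plain sh.  Not from the
# original posts.  Assumes GNU coreutils (stat -c, sha256sum) and POSIX awk.
#
# Record format, one regular file per line, two TAB-separated fields:
#   <sha256> <octal mode> <uid> <gid> <size>  TAB  <path>
# Build the baseline before the box goes on line, copy it to media the server
# cannot write (CD-R, write-protected USB stick), and run the comparison from a
# live CD so a trojaned ps/ls/find on the host cannot hide what it changed.

# build_catalog DIR -> catalog of every regular file under DIR on stdout, sorted by path
build_catalog() {
    # A path containing a newline would break the one-line-per-file format;
    # none should exist under /bin, /sbin, /lib, /usr/bin or /etc on a sane system.
    find "$1" -type f -print | LC_ALL=C sort | while IFS= read -r path; do
        sum=$(sha256sum -- "$path" | cut -d' ' -f1)
        meta=$(stat -c '%a %u %g %s' -- "$path")     # mode uid gid size
        printf '%s %s\t%s\n' "$sum" "$meta" "$path"
    done
}

# compare_catalog BASELINE CURRENT -> prints ADDED / REMOVED / CHANGED lines,
# exit status 0 when the two catalogs agree, 1 otherwise
compare_catalog() {
    awk -F'\t' '
        FILENAME == ARGV[1] { base[$2] = $1; next }       # load the baseline
        {
            if (!($2 in base))       { print "ADDED   " $2; bad = 1 }
            else if (base[$2] != $1) { print "CHANGED " $2; bad = 1 }
            delete base[$2]
        }
        END {
            for (p in base) { print "REMOVED " p; bad = 1 }
            exit bad
        }
    ' "$1" "$2"
}

# Typical use (paths are examples):
#   build_catalog /bin > /mnt/stick/bin.catalog             # before going on line
#   build_catalog /bin > /tmp/bin.now
#   compare_catalog /mnt/stick/bin.catalog /tmp/bin.now     # after a scare, from a live CD
```

Hashing every file under /usr takes a while; a catalog of /bin, /sbin, /lib and /etc covers the binaries a rootkit replaces (ps, ls, netstat, login) and the configuration it edits, and is fast enough to rebuild after each security update so the baseline stays current.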
 
07-17-2006, 11:30 PM #14 jiml8 (Senior Member)
You can certainly secure a linux-based server sufficiently to face the internet, but if you find yourself short on time and long on need, then you can also put a home-appliance grade NAT firewall/router between your Linux server and the 'net. This moves the computer "one step" back from the internet and gives a LOT of security.

I have a Windows 2000 Pro server that I use in my ASP operation (have no choice, has to be a Windows server, for now anyway). I won't stick a Windows system on the 'net directly; it just isn't safe. So, I have this box sitting with a small router between it and the net, and only the ports I need are forwarded to the Win2K box.

I have a control utility that lets me remotely control my server app on the Win2K box, and my server app can do things like start/stop ftp servers and SSH servers on that box. So, I forward the SSH port on the router and leave the SSHD (cygwin) turned off on the server. When I need to work on the server, I use my control tool to have my server app start SSH and if necessary VNC, then I establish an SSH session (and if VNC, I tunnel it through SSH) to maintain the box.

Even though it is Windows, it hasn't been cracked. You could do something similar with a Linux server, which would have you up quickly while you figured out the issues associated with genuinely securing your server.
 
07-18-2006, 03:01 AM #15 Bodyweb (Original Poster)
Thank you for your time, I appreciate it and I need it.

I've been awake all night installing and configuring a new server. This one has the SSH and VNC services closed; the server is close to my desk, and tomorrow I'll open the services with access only from a machine in the network.
When I want to connect to the web server I'll connect first to the nearest server.

Now what they can do is just use Apache and PHP to gain access.

Btw, the MySQL is on another machine. I did it for better performance, but it seems useful also for security reasons.
 
  

