This is a discussion on My Redhat 9.0 was just hacked to death - help within the Linux Security forums, part of the System Security and Security Related category.
In comp.os.linux.security Jim Richardson <warlock@eskimo.com> suggested:
> On Mon, 16 Aug 2004 05:49:12 -0000,
> Michael Heiming <michael+USENET@www.heiming.de> wrote:
>> In comp.os.linux.security Jim Richardson <warlock@eskimo.com> suggested:
>>> On Sat, 14 Aug 2004 15:22:27 -0000,
>>> Michael Heiming <michael+USENET@www.heiming.de> wrote:
>>>> In comp.os.linux.security Stephan Goeldi <expires.1.9.04@usable.ch> suggested:
>>>>>> RH 9.0 is already outdated.
[..]
>>>> There are no more official patches from RH for those versions
>>>> since 31.12.2003, RH 9 support ended April? 2004. So unless you
>>>> did somehow manage to get or make your own new patches, they are
>>>> definitely outdated and you need to plan on upgrading.
[..]
> I run a legacy box, with RH7.3/FL. The kernel is home rolled, all else,
> is nicely patched thanks. What's the problem?

Fine, if you update everything on your own and that works for you.
There's no problem as already stated above.

--
Michael Heiming (GPG-Key ID: 0xEDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'

Thanks all for your valuable time that you put in to respond to my
question. I did some more research and found out how the break-in was
carried out.

First of all, this is a system that was meant to be behind a firewall,
but was placed on the public network to test a new service that was
having problems with NAT. Nearly all unwanted services were disabled.
SSH was enabled for remote access but was not restricted to a select
number of IP addresses.

They used password cracking software, broke the password and got in.

The weakness in the system was the password. It was an easy one to
crack with the simplest cracker you can get. Lesson re-learned: make
your passwords longer than 8 characters of alpha, numbers and, if
possible, use the ALT + NUM ASCII characters (like ALT + 251, which
prints √). Will that really work?

Ultimately, they used Tornkit to get back in
(http://www.f-secure.com/v-descs/torn.shtml) and they did get back a
few times within 4 hours, and I am not sure what they wanted to do. I
also managed to narrow down the attacker to 3 IP addresses and I think
within days we'll be able to identify the individual(s), who live
outside the American continent.

I thought I'd share this experience with you. Best wishes.

Michael Heiming <michael+USENET@www.heiming.de> wrote in message news:<ofu5v1-8br.ln1@news.heiming.de>...
> In comp.os.linux.security Jim Richardson <warlock@eskimo.com> suggested:
> > On Sat, 14 Aug 2004 15:22:27 -0000,
> > Michael Heiming <michael+USENET@www.heiming.de> wrote:
> >> In comp.os.linux.security Stephan Goeldi <expires.1.9.04@usable.ch> suggested:
> >>>> RH 9.0 is already outdated.
>
> >>> Oh so you are going to set up a new distribution on productive servers all
> >>> 6 months or so, because a new red hat version arrives?
> >>
> >> You did read the OP? "My new Redhat 9.0", sounds as if he just
> >> installed an outdated distro, which I wouldn't suggest.
> >>
> >> I'd recommend some enterprise version or some clone on a
> >> production server, with a usual lifetime of 5 years.
> >>
> >>> Come on. I even have Red Hat 7.3 and 8.0 servers, and they are definitely
> >>> NOT outdated if you update the software.
> >>
> >> There are no more official patches from RH for those versions
> >> since 31.12.2003, RH 9 support ended April? 2004. So unless you
> >> did somehow manage to get or make your own new patches, they are
> >> definitely outdated and you need to plan on upgrading.
> >
> > <http://www.fedoralegacy.org/>
>
> Now, you did look at the date of the latest updates for older RH
> distro or did you just post this URL others already pointed
> out.
>
> --
> Michael Heiming (GPG-Key ID: 0xEDD27B94)
> mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'

> First of all, this is a system that was meant to be behind a firewall,
> but was placed on the public network to test a new service with which
> was having problems with NAT. Nearly all unwanted services were
> disabled. SSH was enabled for remote access but was not restricted to
> a select number of IP addresses.
>
> They used password cracking software, broke the password and got in.
>
> The weakness in the system was the password. It was an easy one to
> crack with simplest cracker you can get.

I missed a couple of steps. How did they get your passwd file so that
they could run traditional cracking software? Or did they guess an
account/password pair, like test/test or guest/guest?

Why was your ssh setup allowing passwords? (as compared to requiring
that you have the public key on your server and verify that the user
calling in knows the private half of the pair)

--
The suespammers.org mail server is located in California. So are all my
other mailboxes. Please do not send unsolicited bulk e-mail or
unsolicited commercial e-mail to my suespammers.org address or any of my
other addresses. These are my opinions, not necessarily my employer's. I
hate spam.
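The reply above asks why sshd was accepting passwords at all. As an added example (not code from the thread or any poster), this POSIX shell snippet audits an sshd_config for the settings that let a guessable password be the only barrier to a login; the helper names are hypothetical and both sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config for the
# settings that let a guessable password be the only barrier to a login.
# Helper names are hypothetical; both sample configs are constructed.
# Limitation: only global keywords are read, "Match" blocks are ignored.

# Effective value of an sshd_config keyword. sshd takes the FIRST
# occurrence, so later duplicates are ignored; comments are stripped.
# $1 = config text, $2 = keyword (case-insensitive), $3 = value to
# report when the keyword is absent (the OpenSSH default, or 'unset').
sshd_option() {
    val=$(printf '%s\n' "$1" | sed 's/#.*//' | \
        awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
            'tolower($1) == k { print $2; exit }')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Returns 0 when logins are key-only, root cannot log in directly and an
# AllowUsers list exists; otherwise prints each finding and returns 1.
audit_sshd_config() {
    cfg=$1; rc=0
    if [ "$(sshd_option "$cfg" PasswordAuthentication yes)" != no ]; then
        echo "FINDING: password authentication enabled (online guessing possible)"; rc=1
    fi
    if [ "$(sshd_option "$cfg" PubkeyAuthentication yes)" != yes ]; then
        echo "FINDING: public-key authentication disabled"; rc=1
    fi
    if [ "$(sshd_option "$cfg" PermitRootLogin unset)" != no ]; then
        echo "FINDING: PermitRootLogin is not explicitly 'no'"; rc=1
    fi
    if [ -z "$(sshd_option "$cfg" AllowUsers '')" ]; then
        echo "FINDING: no AllowUsers list; every account is a login target"; rc=1
    fi
    return $rc
}

# Constructed sample: a stock-looking config with password logins left on
# (the commented-out line has no effect, so the default 'yes' applies).
WEAK_CFG='Protocol 2
#PasswordAuthentication no
PermitRootLogin yes'

# Constructed sample: the same host after the changes the reply suggests.
HARDENED_CFG='Protocol 2
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AllowUsers seena@192.0.2.10'

audit_sshd_config "$WEAK_CFG" || echo "weak config: FAIL"
audit_sshd_config "$HARDENED_CFG" && echo "hardened config: PASS"
```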
Seena wrote:
> Greetings,
>
> My new Redhat 9.0 box running Server stuff was hacked last night. I
> want to share with you the state of the system as I found it this
> morning, and hope that you can give me some ideas as to how it may
> have happened.
>
> The system was not protected by a firewall, well it should have been
> but that was my shortcoming.
>
> Until 10pm last night it was not compromised as I signed out of it. This
> morning it did not take SSH connections. I had to go physically to the
> system to check it out.
>
> In the console it was running GRUB. It would not boot as no kernel was
> found to load.
>
> I managed to get to the hard drive using the rescue disk. All
> partitions on the hard drive are gone, some new ones seem to have
> been created. In the /var directory only the states directory exists and
> the rest are gone.
>
> Strange enough, the box was still responding to PING. Now what did
> they do, how and who are the questions. I cannot find any log files
> except for some useless ones which belong to applications.
>
> Any ideas please?
>
> Thanks

I think most hackers who rooted a linux box would exploit it (use it as
a proxy etc), not kill it. Maybe that was the case and he destroyed the
install in hopes of erasing his tracks.

I've run a pretty insecure Red Hat 8 server for over a year and haven't
been hacked -- to my knowledge :-). eshk better check!