Re: [ossig] Linux Security
Hello Yeak,
Tuesday, February 24, 2004, 4:49:43 PM, you wrote:
YNS> Hi all,
YNS> I would like to share my recent experience about Linux Security issues.
YNS> 1. A number of Linux servers have been hacked and had backdoors
YNS> planted. The hackers came in by core-dumping Apache first, then gained
YNS> shell access as the "apache" user. Then they try a root exploit to gain
YNS> full access.
YNS> If root-exploitable, they will plant a backdoor and change many files in
YNS> the OS. The most obvious file is /etc/rc.d/rc.sysinit, which tries to run
YNS> their program (a hacked SSH that allows login without a password)
YNS> disguised as "ntpd", "smbd -D", ".pt" and so on. They will break your
YNS> "netstat", "ps", "lsof", "ls" and most of the basic utilities for
YNS> monitoring the services. I think all this comes with a package called
YNS> "toor" or some form of "toolkit" downloadable from underground sites.
YNS> Otherwise, they run their app as the apache user, most probably SSH port
YNS> forwarding to bypass the firewall and open up a persistent connection to
YNS> elsewhere. This way they can come back again next time if needed to
YNS> continue the root exploit, or remotely execute their program using your
YNS> server to do their work.
YNS> 2. I happen to only support Red Hat Linux products. I have no idea
YNS> about other distributions. The affected versions are 7.3, 8.0, and 9.
YNS> 3. To prevent that, the only solution I have found so far is to keep
YNS> updating the OS to the latest patches. However, as you know, Red Hat has
YNS> discontinued 7.3 and 8.0 updates, so there won't be any new updates to
YNS> address future Apache loopholes. Red Hat Linux 9 will not be getting any
YNS> more updates after 2004. Upgrades? Red Hat recommends changing to Red Hat
YNS> Enterprise Linux. Otherwise we have to compile our own programs from
YNS> sources (get the RHEL sources, study how they are made, and compile
YNS> yours).
YNS> 4. Number of servers hacked? To my knowledge, I have fixed around
YNS> 10 of them, including my own servers. Two servers I could not fix
YNS> because they do not use the Red Hat-compiled Apache. They compiled their
YNS> own Apache with Tomcat, MySQL, Microsoft SQL, and many other tools. But
YNS> the Apache version is at the level that has the bug.
YNS> 5. It is quite easy to check if a site has the loophole... Just check
YNS> the Apache header to determine the version and send the probe. Collect
YNS> all results and launch another robot to automate the work...
YNS> 6. Considering only 1% of the 31 million Apache servers in the world,
YNS> there are at least 300,000 servers under hackers' control.
YNS> I would like to know if anybody else is having this problem?
YNS> How to check if your server is compromised?
YNS> 1. ls -al /tmp <-- check for suspicious files owned by the "apache" user
YNS> 2. ls -al /var/tmp <-- same as above
YNS> 3. rpm -Vf `which lsof` <-- verify whether your files have been modified...
YNS> 4. rpm -Vf `which ps`
YNS> 5. rpm -Vf `which netstat`
YNS> 6. rpm -Va <-- watch the output and determine if those files are
YNS> supposed to be okay...
YNS> 7. rpm -Vf /sbin/* /bin/*
YNS> and so on...
YNS> Thanks.
A few preventions:
1) IDS, e.g. Snort
-- capture those activities
2) fw
-- disallow unwanted ports from being opened
3) try running Nessus or any security tool to check your own server for
vulnerabilities and threats before others get to it.
and so on... there are many other ways too, e.g. security policy,
etc...
--
Best regards,
kengheng
SQL DotCOM
http://www.mysql.cc
mailto:kengheng@mysql.cc
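The "how to check if your server is compromised" checklist that Yeak posted (rpm -Vf on lsof, ps and netstat, and looking for files in /tmp and /var/tmp owned by the apache user) has to be read by eye. As an added example that is not code from either message, the POSIX sh script below wraps those same checks: it classifies each line of `rpm -V` output (the flag string, the optional `c` config marker, and the `missing` form) and raises an alarm when a non-config file's size or digest differs or a packaged file is gone. The binary paths, the "apache" account name and the sample `rpm -V` lines in SAMPLE_RPM_V are assumptions and constructed data for offline demonstration, not taken from any real host.

```shell
#!/bin/sh
# Added example for the thread's compromise checklist; not code from the
# thread. Paths and the "apache" user are assumptions taken from the thread;
# SAMPLE_RPM_V is constructed so the classifier can be exercised offline.
set -f   # no pathname expansion: rpm -V lines are word-split below

# Binaries the thread says rootkits replace (paths assumed for Red Hat 7.3-9).
MONITOR_BINS="/bin/ls /bin/ps /bin/netstat /usr/sbin/lsof"

# Constructed `rpm -V` output: flag string, optional attribute letter
# (c = config file), path; or "missing" when a packaged file is gone.
SAMPLE_RPM_V='S.5....T  /bin/ps
S.5....T  /bin/netstat
.......T  /bin/ls
S.5....T  c /etc/ssh/sshd_config
missing   /usr/sbin/lsof
.........  /bin/cat'

# classify_verify_line LINE -> prints one verdict for one `rpm -V` line:
#   TROJANED  size (S) or digest (5) changed on a non-config file: replaced
#   MISSING   file deleted from the package's install set
#   CONFIG    a config file ('c') changed: usually an admin edit
#   ATTR      only mode/device/link/owner/group/mtime changed: investigate
#   OK        nothing rpm could detect
classify_verify_line() {
    set -- $1                          # word-split into: flags [attr] path
    [ "$1" = missing ] && { echo MISSING; return 0; }
    flags=$1
    attr=
    case "$2" in [cdglr]) attr=$2 ;; esac
    case "$flags" in
        *S*|*5*) [ "$attr" = c ] && echo CONFIG || echo TROJANED ;;
        *[MDLUGT]*) echo ATTR ;;
        *) echo OK ;;
    esac
}

# triage_verify_output: reads `rpm -V` output on stdin, prints "VERDICT path"
# per line and returns 1 (alarm) if any file was TROJANED or MISSING.
triage_verify_output() {
    alarm=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        verdict=$(classify_verify_line "$line")
        echo "$verdict ${line##* }"     # the path is the last field
        case "$verdict" in TROJANED|MISSING) alarm=1 ;; esac
    done
    return $alarm
}

# verify_installed_tools: live `rpm -Vf` over MONITOR_BINS (checks 3-5 and 7
# in the thread); returns the triage status, or 0 with a note when rpm is
# not present on this host.
verify_installed_tools() {
    command -v rpm >/dev/null 2>&1 || {
        echo "rpm not found; live check skipped" >&2; return 0; }
    for b in $MONITOR_BINS; do
        [ -e "$b" ] && rpm -Vf "$b"
    done 2>/dev/null | triage_verify_output
}

# find_webuser_files [USER]: checks 1-2 in the thread (ls -al /tmp and
# /var/tmp), narrowed to files owned by the web server account.
find_webuser_files() {
    user=${1:-apache}
    id "$user" >/dev/null 2>&1 || {
        echo "no user '$user' on this host; skipped" >&2; return 0; }
    find /tmp /var/tmp -xdev -user "$user" -ls 2>/dev/null
}

# Demonstration: the constructed sample first, then the live checks.
echo "== constructed rpm -V sample =="
printf '%s\n' "$SAMPLE_RPM_V" | triage_verify_output \
    || echo "ALARM: replaced or missing package files"
echo "== live checks =="
verify_installed_tools || echo "ALARM: replaced or missing monitoring binaries"
find_webuser_files apache
```

On the constructed sample the script reports /bin/ps and /bin/netstat as TROJANED, /usr/sbin/lsof as MISSING, the sshd_config edit as CONFIG and the mtime-only change on /bin/ls as ATTR. The thread itself notes that ls, ps, netstat and lsof are among the first binaries a rootkit replaces, and the same applies to rpm, find and the shell that run this script, so on a box you already suspect, run the checks from known-good binaries (rescue media or a trusted copy) and treat a clean result from the host's own tools as weak evidence.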