[TriLUG] invisible directories...

Jon Carnes jonc at nc.rr.com
Tue Apr 22 10:24:55 EDT 2003


I'm guessing that they got in via Samba.  There was a recent exploit
that was advertised and if they didn't update their samba then it would
be easy for a script kiddie to auto-scan and implant a root kit.

One easy way of testing your machines is to do regular scans of your
exposed network with nmap.  Simply store the tests in a file and then do
a diff against each new scan.  Mail the diffs to your admin group.

Standard root kits will open some bizarre ports on your box and those
will show up immediately.  Subtler root kits have your box check into an
IRC channel on a regular basis and look for commands dropped off by
their "master".  The moral: block any and *all* ports that your server
does not use, both incoming and outgoing.  The root kit will then be
forced to drop your firewall in order to work, and then your server will
show up like a lit Christmas tree at midnight on your network scan. 

Couple that with running a compare against known good binaries every ten
minutes and you'll be fairly safe (or at least you'll know when you've
been hacked).

Good Luck - Jon Carnes

On Tue, 2003-04-22 at 01:39, Jeffery Painter wrote:
> well, it was standard rh 8.0 install. vsftp was the ftp program running, 
> samba, apache, ssh, and tomcat were the only other networked apps running.
> 
> unfortunately the box is on a client's network and I don't have control 
> over their firewall... i locked down every other service. installed the 
> usual redhat errata fixes (i grabbed them from kickstart.linux.ncsu.edu) 
> so i think i was in the clear there.
> 
> in essence, i think i did everything a reasonable admin would do... it 
> wasn't until i installed portsentry that i started noticing the box was 
> getting bombarded with port scans. and i don't know if i will ever know 
> the exact way they found their way in... i discovered a hacked ssh running 
> and several of the binaries were replaced as mentioned.. luckily all my 
> data was intact and i've moved development to another box until i can 
> reinstall from scratch.
> 
> someone was damned persistent is all i can say :)
> 
> thanks for the pointers everyone though. makes me glad I run a backup 
> every hour :) just call me paranoid with good reason.
> 
> 
> Jeff Painter
> painter at kiasoft.com
> 
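The scan-store-diff routine and the known-good binary comparison Jon describes above, as an added example that is not code from the list post. It assumes nmap's grepable output (nmap -oG) and GNU sha256sum; the hosts, ports, hashes and the admin address are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original post. Reduces each nmap scan to its open
# ports, diffs it against a stored baseline, and separately verifies binaries
# against a manifest taken from a known-clean system.
# Assumes nmap -oG ("grepable") files and GNU sha256sum. The addresses, ports
# and hashes used here are constructed sample data, not real hosts.

# Reduce an nmap -oG file to sorted, unique "host port/proto" lines, open ports only.
normalize_scan() {
    awk '/^Host:/ && /Ports:/ {
        host = $2
        sub(/.*Ports: /, ""); sub(/\t.*/, "")    # keep only the port list
        n = split($0, entry, ", ")
        for (i = 1; i <= n; i++) {
            split(entry[i], f, "/")              # port/state/proto/...
            if (f[2] == "open") print host, f[1] "/" f[3]
        }
    }' "$1" | sort -u
}

# Print open ports present in the current scan but absent from the baseline.
# A rootkit listener, or a firewall that was dropped, shows up here.
new_open_ports() {
    base=$(mktemp) || return 1
    normalize_scan "$1" > "$base"
    normalize_scan "$2" | comm -13 "$base" -
    rm -f "$base"
}

# Verify binaries against a manifest made earlier on a clean system with
# "sha256sum /bin/ls /bin/ps /bin/netstat ... > manifest".
# Prints only mismatches; exit status is non-zero if any file changed.
check_binaries() {
    sha256sum --quiet -c "$1" 2>/dev/null
}

# Write two constructed scan results (baseline and current) into directory $1.
write_sample_scans() {
    printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 139/open/tcp//netbios-ssn///\tIgnored State: closed (998)\n' > "$1/baseline.gnmap"
    printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 139/open/tcp//netbios-ssn///, 31337/open/tcp//Elite///\tIgnored State: closed (997)\n' > "$1/current.gnmap"
}

# From cron, the real files come from "nmap -oG current.gnmap <your-network>"
# and the diff goes to the admin group (placeholder address):
#   new_open_ports baseline.gnmap current.gnmap | mail -s "new open ports" admins@example.com
```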
