[TriLUG] invisible directories...

Turnpike Man turnpike420 at yahoo.com
Tue Apr 22 11:20:14 EDT 2003


I was once hacked via proftpd pre10 something (RH 6.2 I think, about 2+ years
ago) and used to do IP half scans and others against lots of other
corporations, had to call in the Feds, etc., but fortunately I only got a lot
of phone calls and no damage reports from anyone who was hit, and unfortunately
the hacker could not be traced.  This is what I get for trusting someone to
set up the FTP after they assured me they would not allow anonymous access...
that won't happen again!

So besides all the scripts needed to compare binaries every 10 minutes
(something I'm still clueless about how to do)... presuming I have a good iptables
setup on my firewall, allowing only tcp ports 25, 80, and 995 NAT'd to an
internal box that has samba running on it, I would be right to say samba could
not have been exploited?  And VNC piped through ssh shouldn't be a problem
either, should it?  (I only turn this on when needed anyway.)  thanks!
David M.

--- Jon Carnes wrote:
> I'm guessing that they got in via Samba.  There was a recent exploit
> that was advertised and if they didn't update their samba then it would
> be easy for a script kiddie to auto-scan and implant a root kit.
> 
> One easy way of testing your machines is to do regular scans of your
> exposed network with nmap.  Simply store the tests in a file and then do
> a diff against each new scan.  Mail the diffs to your admin group.
> 
> Standard root kits will open some bizarre ports on your box and those
> will show up immediately.  Subtler root kits have your box check into an
> IRC channel on a regular basis and look for commands dropped off by
> their "master".  The moral: block any and *all* ports that your server
> does not use, both incoming and outgoing.  The root kit will then be
> forced to drop your firewall in order to work, and then your server will
> show up like a lit Christmas tree at midnight on your network scan. 
> 
> Couple that with running a compare against known good binaries every ten
> minutes and you'll be fairly safe (or at least you'll know when you've
> been hacked).
> 
> Good Luck - Jon Carnes
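
The "compare against known good binaries every ten minutes" check that Jon describes, written out as an added example (not code from the thread). It assumes GNU coreutils (sha256sum, mktemp) and awk, and that file paths under the watched directory contain no whitespace.

```sh
#!/bin/sh
# Added example (not from the thread): the "compare against known good
# binaries" check Jon describes, done with sha256sum. Assumes GNU coreutils
# and awk, and that paths under DIR contain no whitespace.
# Usage: make_baseline DIR BASELINE   (once, on a known-clean system; keep
#        the baseline off-box or on read-only media so a rootkit cannot
#        rewrite it), then check_baseline DIR BASELINE from cron.
export LC_ALL=C

# Write "hash  path" for every regular file under DIR to BASELINE.
make_baseline() {
    find "$1" -type f -exec sha256sum {} + > "$2"
}

# Hash DIR again and print one line per difference from BASELINE:
#   MODIFIED path   hash changed (a replaced binary)
#   ADDED    path   file not in the baseline (dropped tool, new library)
#   REMOVED  path   baseline file gone
# Returns 0 when nothing differs, 1 otherwise, so cron can mail the output.
check_baseline() {
    current=$(mktemp) || return 2
    find "$1" -type f -exec sha256sum {} + > "$current"
    report=$(awk '
        NR == FNR { base[$2] = $1; next }      # first file: baseline
                  { cur[$2]  = $1 }            # second file: current state
        END {
            for (p in base) if (!(p in cur))   print "REMOVED  " p
            for (p in cur) {
                if (!(p in base))              print "ADDED    " p
                else if (cur[p] != base[p])    print "MODIFIED " p
            }
        }' "$2" "$current" | sort)
    rm -f "$current"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

A cron entry such as `*/10 * * * * check.sh /usr/bin /var/lib/baseline.sha256` (wrapping the functions above) gives the ten-minute cadence from the thread, with cron mailing any non-empty output to the admin.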


