[TriLUG] invisible directories...

Corey Mutter mutterc at nc.rr.com
Tue Apr 22 13:07:59 EDT 2003


On Tue, Apr 22, 2003 at 01:39:51AM -0400, Jeffery Painter wrote:
> well, it was standard rh 8.0 install. vsftp was the ftp program running, 
> samba, apache, ssh, and tomcat were the only other networked apps running.
> 
> unfortunately the box is on a clients network and I don't have control 
> over their firewall... i locked down every other service. installed the 
> usual redhat errata fixes (i grabbed them from kickstart.linux.ncsu.edu) 
> so i think i was in the clear there.
> 
> in essence, i think i did everything a reasonable admin would do... it 
> wasn't until i installed portsentry that i started noticing the box was 
> getting bombarded with port scans. and i don't know if i will ever know 
> the exact way they found their way in... i discovered a hacked ssh running 
> and several of the binaries were replaced as mentioned.. luckily all my 
> data was intact and i've moved development to another box until i can 
> reinstall from scratch.
> 
> someone was damned persistent is all i can say :)
> 
> thanks for the pointers everyone though. makes me glad I run a backup 
> every hour :) just call me paranoid with good reason.
> 
> 
> Jeff Painter
> painter at kiasoft.com
> 

You do need to take off and nuke the disk from orbit - it's the only way
to be sure. Sounds like you've got that in-progress already, good.

The other standard advice (for after the reinstall) is to get rid of every
network service you can.

Also, if you have services that you want to serve internally but not 
externally, run iptables on that machine and block access to everything
from the outside (except for services you want to be visible externally).
You need another firewall at the network perimeter doing this (if you can
get it), but It Doesn't Hurt to do it again on the machine. If you have
a firewall blocking this stuff at the network perimeter, and a hit occurs
on your iptables rule, then the box knows there's been a penetration of the
firewall and can send up flares...

I would, generally, start with exposing nothing to the Internet, then
add as necessary. If you want to provide services like ftp to a select 
group of people, consider having them VPN in and access the services 
internally (VPNs are pretty paranoid). 

In my experience Tripwire is a pretty good file-based IDS. It's statically
linked, checksums itself, all databases and policy files (that tell it what
to scan) are cryptographically signed. You can specify different paranoia
levels for different files (from "is it present?" to "check the mtime, ctime,
size, four different checksums, permissions, ...") with fine-grained control.

Corey

[snip]
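The host-level iptables policy Corey describes above, written out as an added example (it is not a configuration from anyone in this thread). Everything specific is assumed: the LAN is 192.168.1.0/24, only ssh (22) and http (80) are meant to be visible from outside, and ftp/samba/tomcat (21, 139, 445, 8080) are LAN-only. The LOG rule on the LAN-only ports is the "flare": a hit there means a packet reached a port the perimeter firewall should have stopped. The leak_report function and the sample syslog lines it is fed are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed values: LAN range,
# port lists and interface names. Set IPT=echo to print the rules instead
# of loading them (no root needed), e.g.  IPT=echo host_firewall
IPT="${IPT:-iptables}"
LAN="${LAN:-192.168.1.0/24}"
PUBLIC_TCP="${PUBLIC_TCP:-22 80}"               # services the world may reach
INTERNAL_TCP="${INTERNAL_TCP:-21 139 445 8080}" # ftp, samba, tomcat: LAN-only
LEAK_PREFIX="PERIMETER-LEAK: "

host_firewall() {
    $IPT -F INPUT                        # flush first; policy goes to DROP last,
                                         # so an existing ssh session survives
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for p in $PUBLIC_TCP; do             # world-reachable services
        $IPT -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    for p in $INTERNAL_TCP; do           # LAN-only services
        $IPT -A INPUT -p tcp --dport "$p" -s "$LAN" -m state --state NEW -j ACCEPT
        # Any other new connection to a LAN-only port got past the perimeter
        # firewall (or claims to be from outside): log it, rate-limited, then
        # fall through to the final DROP.
        $IPT -A INPUT -p tcp --dport "$p" -m state --state NEW \
             -m limit --limit 5/min -j LOG --log-prefix "$LEAK_PREFIX"
    done
    $IPT -A INPUT -j DROP                # explicit final drop
    $IPT -P INPUT DROP                   # "expose nothing, then add as necessary"
}

# The flare: summarise PERIMETER-LEAK hits from a syslog file (or stdin) as
# "count source -> port", suitable for a cron job or logcheck rule.
leak_report() {   # usage: leak_report /var/log/messages   or   ... | leak_report
    grep -F -- "$LEAK_PREFIX" "$@" \
      | sed -n 's/.*SRC=\([0-9.]*\).*DPT=\([0-9]*\).*/\1 -> port \2/p' \
      | sort | uniq -c | sort -rn
}

# Constructed sample of what the kernel LOG target writes to syslog
# (addresses and timestamps made up for the example).
sample_log() {
    cat <<'EOF'
Apr 22 12:01:07 devbox kernel: PERIMETER-LEAK: IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.20 LEN=60 PROTO=TCP SPT=40123 DPT=445 SYN URGP=0
Apr 22 12:01:09 devbox kernel: PERIMETER-LEAK: IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.20 LEN=60 PROTO=TCP SPT=40124 DPT=139 SYN URGP=0
Apr 22 12:03:41 devbox sshd[812]: Accepted publickey for painter from 192.168.1.5 port 51022 ssh2
Apr 22 12:05:00 devbox kernel: PERIMETER-LEAK: IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.20 LEN=60 PROTO=TCP SPT=40130 DPT=445 SYN URGP=0
EOF
}
```

Review the ruleset with `IPT=echo host_firewall` before loading it for real, and `iptables -L INPUT -v -n` shows the packet counters on the LOG rules; `sample_log | leak_report` shows the report format on the constructed lines. The ordering matters: the ACCEPT for the LAN source comes before the LOG rule, so legitimate internal traffic never reaches the logger, and the policy is switched to DROP only after the ESTABLISHED rule is in place.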
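A minimal file-based integrity check in the spirit of the Tripwire description above, added here as an example; it is not Tripwire's code and does none of Tripwire's self-checking or signing. It records a baseline per file and reports additions, removals and changes, with a per-run "paranoia level" standing in for Tripwire's per-file settings: presence only, metadata (size, mode, mtime), or metadata plus a SHA-256 of the contents. It assumes GNU coreutils (stat -c, sha256sum, mktemp) and paths without a '|' character.

```shell
#!/bin/sh
# Added example, not Tripwire. Assumes GNU coreutils; paths may not contain '|'.
# FIM_LEVEL selects how much is recorded per file:
#   presence  - only that the path exists
#   meta      - size, permission bits and mtime
#   full      - meta plus SHA-256 of the contents (default)
FIM_LEVEL="${FIM_LEVEL:-full}"

fim_record() {    # one baseline line for file $1:   path|sha256|size mode mtime
    sum=""; meta=""
    case "$FIM_LEVEL" in
        full)     sum=$(sha256sum "$1" | cut -d' ' -f1)
                  meta=$(stat -c '%s %a %Y' "$1") ;;
        meta)     meta=$(stat -c '%s %a %Y' "$1") ;;
        presence) ;;
        *)        echo "fim: unknown FIM_LEVEL '$FIM_LEVEL'" >&2; return 2 ;;
    esac
    printf '%s|%s|%s\n' "$1" "$sum" "$meta"
}

fim_baseline() {  # usage: fim_baseline DIR > baseline.db
    find "$1" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        fim_record "$f"
    done
}

# usage: fim_check DIR baseline.db
# Prints one line per deviation (ADDED / CHANGED / MISSING); returns 1 if any.
# Both runs must use the same FIM_LEVEL, or every file shows as changed.
fim_check() {
    fim_tmp=$(mktemp) || return 2
    fim_baseline "$1" > "$fim_tmp"
    awk -F'|' '
        FILENAME == ARGV[1] { base[$1] = $0; next }          # load baseline
        {
            if (!($1 in base)) { print "ADDED    " $1; n++ }
            else {
                split(base[$1], b, "|")
                if (b[2] != $2)      { print "CHANGED  " $1 " (content)"; n++ }
                else if (b[3] != $3) { print "CHANGED  " $1 " (size/mode/mtime " b[3] " -> " $3 ")"; n++ }
                delete base[$1]                               # seen; whatever is left is missing
            }
        }
        END { for (p in base) { print "MISSING  " p; n++ }; exit n ? 1 : 0 }
    ' "$2" "$fim_tmp"
    fim_rc=$?
    rm -f "$fim_tmp"
    return $fim_rc
}
```

Keep the baseline somewhere the box cannot rewrite it (read-only media, or another host): an intruder who replaces ssh and the other binaries, as happened here, can regenerate a matching baseline just as easily, which is why Tripwire signs its database and policy and why the checking tool itself has to be trusted.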


