huh, wu-ftpd, why use that when you can "apt-get install proftpd" :)
/Oscar, www.bhood.nu

James Bourke wrote:
> Hi all,
>
> I've always been pretty careful about security but I made a mistake this weekend and I wanted to share it with everyone here.
>
> Over the weekend I configured a new server for my game hosting company. I went through the same basic process I always go through before installing the machine in the colocation facility. I lock everything down with very restrictive firewall settings and I disable everything that isn't absolutely necessary for running halflife mods.
>
> After testing the machine out for a day or two I got a bit lazy and decided to open up wu-ftp so I could use a regular ftp program to upload files.
>
> I had the port open for a few hours when someone hacked into the system using a wu-ftp vulnerability. They installed their own rootkit, overwriting the contents of about 60 files in the /bin directory. They created several "group 0" accounts and installed a few processes of their own.
>
> I was very lucky to catch this person. On any other day he could have gotten in entirely unnoticed, installed his software, and left my system in a state where he would be invisible to further inspection.
>
> I'll have to do a reinstall now. I've cleaned up all results of his break-in as best I can but it wouldn't be fair to my customers to risk their information. Reinstalling is really the only choice in this situation.
>
> Here is my advice, geared for linux users:
>
> 1. DO NOT RUN: ftp, irc, bind, pop, or any other unnecessary service on a gaming machine. Run sshd on the gaming server and put the other processes on another machine.
> 2. Run chkrootkit periodically to detect the presence of known rootkits.
> 3. Use ipchains or iptables to block everything you do not absolutely need.
> 4. Configure all users except yourself to run in a chrooted jail, if you aren't doing so already. Incidentally, I did this and it is part of what helped me catch him, as he had to edit /etc/ftpaccess to give himself privileges on the accounts he created. The hacker forgot to change /etc/ftpaccess back to the original. If he had, I may never have noticed any problems at all.
> 5. Install AIDE, a free program that makes it easy to know when someone has been on your system.
> 6. DO NOT RUN ANY HALFLIFE PROCESSES THAT ALERT THE WORLD ABOUT YOUR SERVERS UNTIL THE ABOVE STEPS ARE TAKEN. I believe that the hacker found out about my vulnerability by watching a program like gamespy for new servers. He happened to catch me while wu-ftp was running. This guy, and people like him, are probably looking at these server lists every day for new machines they can use.
> 7. Do not use the same root password on multiple machines. I have different passwords on my machines, which is a real blessing at a time like this. I don't have to worry that some trojan program has captured my password and will enable a hacker to get onto my other machines.
> 8. Remember that a hacker doesn't necessarily want to take your system down. In my case I have a dual AMD 1800+ machine with 1.2 Gig of memory and 200 Gig of HD space. This is an ideal server for halflife, but is also a great server for dealing in illegal child porn, bootleg videos, MP3s, etc. Hackers want to use your machine so they install rootkits that make it very hard to detect them. Next time I build a machine I'll use smaller drives so it won't be as tempting.
> 9. Is your server acting funny? Does ps work in a way you don't expect? Having trouble logging in sometimes? Has your machine become slow, is it using more bandwidth than you expect? Does your disk hover near capacity but you can't find the files that are causing the problem? Chances are you have been hacked.
> 10. If you think you have been compromised, don't trust ps, last, who, .bash_history, ls, etc. to tell you anything. Hackers leave their own versions of these files so that you can't see what they are doing. In my case the hacker used a version of ps that hid 3 processes from me.
>
> *IMPORTANT*
> If you are running wu-ftp and a halflife server I hate to break it to you but you should just assume you are compromised. It took just a few hours for my machine. Get paranoid but don't panic. The first thing you should do is install chkrootkit. It's free and easy to use and it will give you a good indication of whether you've been hit.
>
> I'd like to work with some other admins to create a security guide for game servers. If you are interested reply to this thread or email me at [EMAIL PROTECTED]
>
> Jim

_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please visit:
http://list.valvesoftware.com/mailman/listinfo/hlds_linux

