Many of you may already know about this, as I should have,
but those of you who didn't may appreciate this post. If
you're running an NFS server (especially if you're running
Red Hat 5.1) you'll want to pay attention.

I got hacked last night. I was on IRC, and a guy messaged me
and showed me my username and password at my ISP, which he'd 
gotten from my ppp config files. He also quoted to me from my
/var/log/messages file, showed me some of the entries in my
/etc/passwd file (which I confirmed were correct) and placed
an empty file in my home directory which was named "hello" and
owned by root.

He was able to get in by exploiting a hole in my NFS server.
I installed this server from the rpm that shipped with Red Hat
5.1, and the rpc.mountd in it is vulnerable to buffer
overflows. He was able to get rpc.mountd to execute commands
as root for him. He could have done anything he wanted, but I
was lucky. The guy was a true hacker, not a cracker, and as
such all he did (to my knowledge) was find the hole, prove to
me that he'd found it, and then tell me what it was so that I
could fix it.

This was my fault, folks. There is a CERT advisory on this 
package which I should have known about, but didn't. There is
also an update to the package at Red Hat's errata site that
fixes this bug. If you're using RH 5.1 and you're unsure what 
to do, do this:

First, check to see if you're running an NFS server. Do 
"ps aux | grep rpc". If you see that "rpc.mountd" and
"rpc.nfsd" are running, you've got an NFS server and if
you installed it from the 5.1 CD, you're vulnerable to this.

Next, decide if you need to be running an NFS server. If you 
don't, then kill off the "rpc.mountd" and "rpc.nfsd" processes
and run "rpm -e nfs-server" to uninstall the server. If you do
need to run NFS, go get the updated package and upgrade immediately.
Don't forget to kill and restart those processes after the upgrade,
or it will do you no good.

If you've never been hacked, and wonder what to do in the event:

Here's what I did in this case. First, as soon as I knew I was
being hacked (which I wouldn't have known if the hacker hadn't 
told me...I should have had something keeping an eye on that sort
of thing, if possible) I became root and did "touch /etc/nologin". 
If there is a file in /etc called nologin (which the above command
creates), Linux will not allow anyone to log in to the box at all,
not even locally. I didn't know if this guy had a password to my
system, and I wasn't taking any chances so the first step was to block
all logins. Once he told me how he'd gotten in, I immediately killed
off the process he'd exploited. Next, I disabled my eth0 interface to
block him from accessing anything behind the system he was already in.
I only have one other box, but I still wanted to keep him out of there.
Then I ran "tcpdump -i ppp0 | tee dump" to start logging all packets on
interface ppp0, which was my link to the Internet. At this point, he
was pretty much done anyway. I will spend probably all of this weekend
performing the last step, which is to completely wipe my hard drives
clean and reinstall everything from scratch. This would be a lot easier
if I had a tape backup, but I don't (another thing that's my fault and
only my fault). The reason for this is that I don't know how long this
guy had access to my box and I don't know what he may have done that he
didn't tell me about. He could have left behind a trojan, or opened up
a door so that when I'm connected to the Internet he can use my system
as a bouncing point from which to hack other systems, or anything else
I'm not even thinking of. My only option is to scratch it all and
reload.

For all of you who knew all of this, I'm surprised you're still
reading. :-) If anyone has anything to add to what I should have done
or could have done or should have been doing or should not have been
doing, please feel free to add to this so that others can learn from
it. I'm not all that smooth with security, or with handling what to
do when you're being hacked, so it'll be helpful to those who don't
know to see input from people who know more than I do.

For the newer people, I hope this helps you avoid these things (at
least in one way) and gave you a bit of education as far as handling it
if it does happen to you. Learn from my mistakes.


---
Bill Kocik
Information Systems
Medar, Inc.
E-mail: [EMAIL PROTECTED]
Web:    http://www.medar.com

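Added here as an illustration, not part of Bill's post and not anything Red Hat shipped: a small sh script that carries out the "check, then remove or upgrade" steps the post gives for RH 5.1, with the detection logic in its own function so it can be tried against a saved "ps aux" listing. Everything not in the post is an assumption made for the example: the "check"/"remove"/<package>.rpm arguments, the init script path /etc/rc.d/init.d/nfs, the portmapper check via rpcinfo, and the two sample process listings, which are constructed rather than captured from a real machine.

```shell
#!/bin/sh
# Added example, not from the original post or from Red Hat. Applies the NFS
# check and fix-up described in the post. The init script path and the
# command-line arguments below are assumptions made for illustration; the
# updated nfs-server package itself must come from Red Hat's errata site.

# Read a "ps aux"-style listing on stdin and print the NFS server daemons
# found (rpc.mountd, rpc.nfsd), one per line, sorted. Only the command name
# (field 11, path stripped) is examined, so the "grep rpc" from the post's own
# "ps aux | grep rpc" does not count as a hit. Exit 0 if any daemon is present.
nfs_daemons_in_listing() {
    found=$(awk 'NR > 1 {
        cmd = $11; sub(/^.*\//, "", cmd)
        if (cmd == "rpc.mountd" || cmd == "rpc.nfsd") print cmd
    }' | sort -u)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 0
    fi
    return 1
}

# Is mountd registered with the portmapper? This is what a remote attacker
# sees via "rpcinfo -p <host>"; exit 0 if registered. (Assumed check.)
mountd_registered() {
    rpcinfo -p 127.0.0.1 2>/dev/null |
        awk '$5 == "mountd" { hit = 1 } END { exit hit ? 0 : 1 }'
}

# Live check on this machine: running daemons plus the installed package.
check_this_box() {
    if daemons=$(ps aux | nfs_daemons_in_listing); then
        echo "NFS server daemons running:"
        echo "$daemons"
        echo "Installed package: $(rpm -q nfs-server 2>/dev/null || echo 'not installed via rpm')"
        return 0
    fi
    echo "No rpc.mountd or rpc.nfsd running."
    return 1
}

# remediate remove           -> stop the daemons, then uninstall the package
# remediate /path/to/new.rpm -> install the errata package and restart NFS
remediate() {
    case "$1" in
        remove)
            killall rpc.mountd rpc.nfsd 2>/dev/null
            rpm -e nfs-server
            ;;
        *.rpm)
            rpm -Uvh "$1" || return 1
            # The old binaries keep running until restarted, so the upgrade
            # alone does nothing. Init script path is an assumption.
            /etc/rc.d/init.d/nfs restart
            ;;
        *)
            echo "usage: $0 check | remove | /path/to/nfs-server-<fixed>.rpm" >&2
            return 2
            ;;
    esac
}

# Constructed sample listings (not captured from a real system) so the
# detection logic can be exercised without root or a 1998 box.
SAMPLE_PS_VULN='USER       PID %CPU %MEM  SIZE  RSS TTY STAT START   TIME COMMAND
root         1  0.0  0.4   776  384  ?  S   09:01   0:03 init
root       231  0.0  0.5   832  472  ?  S   09:01   0:00 /usr/sbin/rpc.mountd
root       240  0.0  0.5   868  496  ?  S   09:01   0:00 /usr/sbin/rpc.nfsd
bill       512  0.0  0.3   716  312  p1 S   09:05   0:00 grep rpc'

SAMPLE_PS_CLEAN='USER       PID %CPU %MEM  SIZE  RSS TTY STAT START   TIME COMMAND
root         1  0.0  0.4   776  384  ?  S   09:01   0:03 init
bill       512  0.0  0.3   716  312  p1 S   09:05   0:00 grep rpc'

sample_vuln_result()  { printf '%s\n' "$SAMPLE_PS_VULN"  | nfs_daemons_in_listing; }
sample_clean_result() { printf '%s\n' "$SAMPLE_PS_CLEAN" | nfs_daemons_in_listing; }

# Only act when told to; running with no argument does nothing.
case "${1:-}" in
    "")    ;;
    check) check_this_box
           mountd_registered && echo "mountd is registered with the portmapper" ;;
    *)     remediate "$1" ;;
esac
```

Run it as root: "sh nfscheck.sh check" shows whether the daemons are up and whether mountd is registered with the portmapper, then "sh nfscheck.sh remove" or "sh nfscheck.sh nfs-server-<fixed>.rpm" does the fix. The portmapper check is there because rpc.mountd picks a port at startup and registers it; "rpcinfo -p" against your box is exactly how someone outside finds it. One more thing worth knowing if you capture traffic the way the post describes: "tcpdump -i ppp0 -w dump" writes the raw packets to a file, which can be replayed and analyzed later, where the text that "tee" saves cannot.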