On 05/12/2011 05:18 PM, Patrick Litke wrote:
> 1) How did they gain access? I doubt that it would be possible for them
> to brute-force that password - it was 10 characters long, upper and lower
> case, numbers and symbols. So then what vulnerability did they exploit
> to get in?
It does seem unlikely that they brute-forced the account's password[1].
More likely they got in through a problem with your webserver
configuration. Is it possible that the "nagios" user has write permission
to some directory, which the webserver or nagios is allowed to execute as
well? That's a common method of penetration - have nagios (or whatever
webapp) write out a shellcode somewhere, and then get the webserver to
execute that shellcode as a CGI. Once you're that far, use the shellcode
to update nagios's $HOME/.ssh/authorized_keys file and drop in your own
SSH key, so you can get a regular SSH session.
> 2) What else do I need to do to secure a Debian install for dedicated
> online time plugged into the ebil interwebs?
There is no easy answer... It sounds to me like you have a lot of web
services running (you list "full lamp stack", nagios, webmin, samba, and
others), and one of those services had a hole. Since it appears they got
into the nagios account, you should look at what that user runs. Is it
just nagios, or does Apache run as the nagios user?
Jim
[1] I have to ask, why does the nagios user have a password? It seems to
me that the password field for that account should be "*", meaning
password authentication isn't possible ... If you need to do work as
nagios, you can become root and use 'su'.
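Two defender-side checks for the points raised in this reply, as an added example that is not part of the original thread: whether a service account such as "nagios" still accepts password logins (footnote [1]), and which directories under a CGI path that account can write to (the write-then-execute path described above). The "nagios" account name and the Debian CGI directory /usr/lib/cgi-bin are assumptions for the demo run.

```shell
#!/bin/sh
# Added example, not from the original thread. Two defender-side checks for the
# points Jim raises: does a service account (here "nagios") still accept password
# logins, and which directories under a CGI path can that account write to.

# Return 0 when the password field of a shadow(5)-format line is locked
# ("*", "!" or a hash prefixed with "!" by passwd -l), 1 when a usable hash is
# set. An empty field also returns 1: it means login without any password.
shadow_is_locked() {
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$field" in
        '*'|'!'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print directories under the given roots that USER can write to: world-writable
# ones, or owner-writable ones owned by USER. Group-writable directories reached
# through supplementary group membership are not evaluated here.
writable_dirs_for_user() {
    user=$1; shift
    for root in "$@"; do
        find "$root" -type d 2>/dev/null | while IFS= read -r d; do
            set -- $(ls -ld "$d" | awk '{print $1, $3}')
            perms=$1; owner=$2
            case "$perms" in
                ????????w*) echo "$d: world-writable" ;;
                ??w*) if [ "$owner" = "$user" ]; then
                          echo "$d: writable by owner $user"
                      fi ;;
            esac
        done
    done
    return 0
}

# Demo on a constructed shadow line (reading the real /etc/shadow needs root),
# and on Debian's default CGI directory, which may not exist on this machine.
if shadow_is_locked 'nagios:*:15000:0:99999:7:::'; then
    echo "nagios: password authentication disabled"
else
    echo "nagios: password authentication still possible"
fi
writable_dirs_for_user nagios /usr/lib/cgi-bin
```

On a real host, feed `grep '^nagios:' /etc/shadow` to shadow_is_locked and pass every ScriptAlias and ExecCGI directory from the Apache configuration to writable_dirs_for_user.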