Patrick,

check your logs: therein's the trail to catch the thief ;-) If user nagios logged in it should be recorded in /var/log/auth.log. grep nagios /var/log/auth.log. Also check the compressed auth.logs.

If someone accessed something via the web, there might be something in the apache logs. If that someone was acting as user nagios, grep nagios /var/log/apache2/access.log. If they might have caused an error, grep nagios /var/log/apache2/error.log. As above check the compressed logs too. If there's a URL you suspect had something to do with it, grep URL_snippet /var/log/apache2/access.log.

I run a Debian server that's online 24/7 with a highly attractive URL (that won't be mentioned here ;-) ). I always put ssh on a non-standard port, otherwise everybody and his brother are knocking on port 22.

Any chance you went without a condom and ftped into the box at some point? Somebody could have sniffed a password long ago. Maybe.
--
 Joe Golden /_\ www.Triangul.us /_\ websites with class

On 05/12/2011 06:26 PM, Jim Lawson wrote:

On 05/12/2011 05:18 PM, Patrick Litke wrote:
1) How did they gain access? I doubt that it would be possible for them
to bruteforce that password - it was 10 characters long, upper and lower
case, numbers and symbols. So then what vulnerability did they exploit
to get in?

It does seem unlikely that they brute forced the account's password[1].
More likely they got in through a problem with your webserver
configuration. Is it possible that the "nagios" user has write
permission to some directory, which the webserver or nagios is allowed
to execute as well? That's a common method of penetration - have nagios
(or whatever webapp) write out a shellcode somewhere, and then get the
webserver to execute that shellcode as a CGI. Once you're that far, use
the shellcode to update nagios's $HOME/.ssh/authorized_keys file and
drop in your own SSH key, so you can get a regular SSH session.

2) What else do I need to do to secure a Debian install for dedicated
online time plugged into the ebil interwebs?

There is no easy answer... It sounds to me like you have a lot of web
services running (you list "full lamp stack", nagios, webmin, samba, and
others), and one of those services had a hole. Since it appears they got
into the nagios account, you should look at what that user runs. Is it
just nagios, or does Apache run as the nagios user?

Jim

[1] I have to ask, why does the nagios user have a password? It seems to
me that the password field for that account should be "*", meaning
password authentication isn't possible ... If you need to do work as
nagios, you can become root and use 'su'.

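Two defender-side checks that follow Joe's and Jim's advice above, as an added example that is not part of this thread: pulling every sshd login for a user out of auth.log and its rotated .gz copies, and listing the directories under a web root that the user could write into (the place Jim says a shellcode gets dropped for the webserver to run as a CGI). The nagios user and the Debian paths are the thread's; the log lines and directory layout in the fixture are constructed.

```shell
#!/bin/sh
# Print sshd "Accepted ..." lines for USER from LOGDIR/auth.log and the
# rotated auth.log*.gz copies (the compressed logs Joe says to check too).
ssh_logins_for_user() {
    user=$1; logdir=$2
    for f in "$logdir"/auth.log*; do
        [ -f "$f" ] || continue
        case $f in
            *.gz) gzip -dc "$f" ;;
            *)    cat "$f" ;;
        esac
    done | grep -E "sshd\[[0-9]+\]: Accepted .* for $user "
}

# List directories under ROOT that USER can write into: owned by USER with
# the owner write bit (-perm -200), or world-writable (-perm -002). These are
# the places a compromised account could drop a script for the webserver to
# execute. If USER does not exist on this host, only world-writable dirs show.
user_writable_dirs() {
    user=$1; root=$2
    if id "$user" >/dev/null 2>&1; then
        find "$root" -type d \( \( -user "$user" -perm -200 \) -o -perm -002 \)
    else
        find "$root" -type d -perm -002
    fi
}

# Build a constructed fixture (two logs, one of them gzipped; a web root with
# one world-writable directory) so the script runs offline. Prints its path.
build_fixture() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/log" "$tmp/www/cgi-bin" "$tmp/www/nagios/tmp"
    printf '%s\n' \
      'May 12 17:10:01 srv sshd[2201]: Accepted publickey for nagios from 192.0.2.10 port 51234 ssh2' \
      'May 12 17:11:05 srv sshd[2210]: Accepted password for patrick from 192.0.2.20 port 51240 ssh2' \
      > "$tmp/log/auth.log"
    printf '%s\n' \
      'May 01 03:12:44 srv sshd[1880]: Accepted password for nagios from 198.51.100.7 port 40022 ssh2' \
      > "$tmp/log/auth.log.1"
    gzip "$tmp/log/auth.log.1"
    chmod 0755 "$tmp/www" "$tmp/www/cgi-bin" "$tmp/www/nagios"
    chmod 0777 "$tmp/www/nagios/tmp"   # the kind of directory Jim describes
    echo "$tmp"
}

fixture=$(build_fixture)
echo "== sshd logins for nagios =="; ssh_logins_for_user nagios "$fixture/log"
echo "== dirs nagios could write under the web root =="; user_writable_dirs nagios "$fixture/www"
rm -rf "$fixture"
```

On a real box the same functions run against /var/log and the Apache document root, with the group-writable case (directories writable by a group nagios belongs to) added to the find expression.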
