
RE: [cobalt-users] Howto trace hack



Well, I was talking Linux servers in general, these kinds of hacks happen on all types of installs.., we've had them happen on Plesk (a lot), HSphere, Directadmin and RaQ3/4's..

The firewall doesn't protect against this kind of hack, what it DOES protect against, is the result of what they're trying to accomplish.., they tend to open up an IRC, FTP or remote bash shell, to get access or create a warez server.. (hacks like this seem to have only 2 purposes, either creating a DDoS machine, or creating a warez source on a big connection; once they're in with a remote shell.., you're generally screwed and are most likely to get a rootkit in no time.. (since we all know Cobalts aren't the most secure machines on the net ;)

Few tips to secure the thing a little better:
Make sure /tmp is on a separate partition, set the options in /etc/fstab to rw,noexec,nosuid for /tmp (replace the defaults rule), then do a mount -o remount /tmp

A lot of hacks are tried from the /tmp, since it's a 0777 ruleset, thus being world readable and writable.., this prevents files in /tmp from being executed (evil scripts) or changed to another owner..

Scout for other 777 directories, or apache/nobody writable directories.., these need to be secured if possible to allow only reading..


Make compilers (cc, gcc, bcc, etc) accessible to root and/or admin only.., set them to chmod 700, same goes for wget, fetch (if available) and lynx..

This should keep the first line of novice hackers out and make them give up when they see it's a bit more secured machine than normal..

A quick check to see if there are witty processes running that should NOT be running, is to do a ps aux | grep apache | grep -v httpd (considering the apache user runs the httpd process), and see if anything pops up that should not pop up.., if you see a process running like named or crond, as user apache, that's a bad thing.., usually it is a script named like that, trying to be masked by the hacker.. (or rather cracker, not going into that now ;)

Hope this helps a bit :-)


At 10:13 22-3-2004, you wrote:
> We tend to see this exploit regularly.., not only in that gallery module,
> also in poorly programmed PHP scripts by customers..
> This type of hack is the one that is 99% of the (attempted) hacks on our
> servers..

> It usually ends there.., due to them trying to set up an irc or ftp server,
> which in turn is blocked by the firewall..

Hi Jeroen,

We've asked Gerald to install his Security package on this server like he
did on our other servers. Thanks Gerald for the quick service ;-).
This server was still in the process of getting all vhosts copied to it from a
RaQ4 so we hadn't come to that security part yet.
But it's another lesson to not postpone such an important part on future
server adds.

Now my question, is the included firewall blocking things like that from now
on by default or is there anything to configure?
I don't mean the gallery exploit itself but the install of unwanted software
at unwanted places ...

Thanks for the help list!
John


_____________________________________
cobalt-users mailing list
cobalt-users@xxxxxxxxxxxxxxx
To subscribe/unsubscribe, or to SEARCH THE ARCHIVES, go to:
http://list.cobalt.com/mailman/listinfo/cobalt-users



Kind regards,

Jeroen Wunnink,
EasyHosting B.V. System Administrator
systeembeheer@xxxxxxxxxxxxxx

phone: +31 (035) 6285455                P.O. Box 1332
fax: +31 (035) 6838242                  1200 BH Hilversum

http://www.easyhosting.nl
http://www.easycolo.nl
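The three checks Jeroen lists above (noexec,nosuid on a separate /tmp, owner-only compilers and fetch tools, and the "ps aux | grep apache | grep -v httpd" look for odd processes) as a small POSIX shell audit. This is an added example, not code from the thread or from any Cobalt package; the mount lines and ps output below are constructed sample data, and the tool paths at the end are assumed.

```shell
#!/bin/sh
# Added example: audits the three hardening points from the mail above.
# Each function reads its input from stdin/arguments, so it can be fed
# sample data (below) or live data: /proc/mounts, "ps aux", real paths.

# 1. /tmp must be its own mount with noexec and nosuid (fstab or
#    /proc/mounts format on stdin). Prints "ok" or "missing: ...".
tmp_mount_check() {
    awk '$2 == "/tmp" {
        n = split($4, o, ","); for (i = 1; i <= n; i++) seen[o[i]] = 1
        m = ""
        if (!("noexec" in seen)) m = m " noexec"
        if (!("nosuid" in seen)) m = m " nosuid"
        print (m == "" ? "ok" : "missing:" m); found = 1
    }
    END { if (!found) print "missing: /tmp is not a separate mount" }'
}

# 2. The "ps aux | grep apache | grep -v httpd" check: ps aux output on
#    stdin, web server user as $1; prints PID and command of anything
#    running as that user that is not httpd (e.g. a fake "crond").
odd_webuser_procs() {
    awk -v u="${1:-apache}" '$1 == u && $11 !~ /httpd/ { print $2, $11 }'
}

# 3. Compilers and fetch tools should be mode 700 (owner only). Takes
#    paths as arguments; prints path and mode for any that are looser.
loose_tool_perms() {
    for f in "$@"; do
        [ -e "$f" ] || continue
        mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
        case "$mode" in
            *00) ;;                 # 700, 500, 4700: no group/other bits
            *)   echo "$f $mode" ;;
        esac
    done
}

# Constructed sample data, not taken from a real host.
SAMPLE_MOUNTS='/dev/hda1 / ext3 rw 0 0
/dev/hda3 /tmp ext3 rw,nosuid 0 0'
SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 1000 400 ? S 10:00 0:00 init
apache 2201 0.0 1.0 9000 3000 ? S 10:01 0:00 /usr/sbin/httpd
apache 3150 1.2 0.5 2000 900 ? S 10:05 0:10 ./crond'

printf '%s\n' "$SAMPLE_MOUNTS" | tmp_mount_check        # missing: noexec
printf '%s\n' "$SAMPLE_PS" | odd_webuser_procs apache    # 3150 ./crond
loose_tool_perms /usr/bin/gcc /usr/bin/wget /usr/bin/lynx   # assumed paths
```

On a live box replace the sample feeds with `tmp_mount_check < /proc/mounts` and `ps aux | odd_webuser_procs apache`; an empty result from the second and third checks is the good outcome.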