Re: [cobalt-users] RaQ4 hacked?
- Subject: Re: [cobalt-users] RaQ4 hacked?
- From: "Steve Werby" <steve-lists@xxxxxxxxxxxx>
- Date: Tue May 1 11:40:00 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
"Drew T. Nichols" <dtnichols@xxxxxxxxx> wrote:
> Steve, et al:
> I have applied patches religiously
Patches typically come out after exploits are known to the hacker community.
It's possible you were hacked before applying a patch that eliminated an
exploit. And if there's a patch out be paranoid b/c the moment patches and
notices are made public every hacker knows what to look for.
> , disabled BIND
> (though I believed it was up to date)
It's a good idea to disable all services you don't need.
> and have made
> sure not to telnet/SSH from other unix boxes, provided
> they were compromised and watching outgoing sessions.
Disable telnet. Disable telnet. Disable telnet. It sends passwords in
plain text and SSH sends all traffic encrypted and is the only way to go. I
prefer not to give anyone shell access, but depending on what your box is
being used for you may have to. Make sure your local machine is secure (use
a router or firewall), especially if you're connected via DSL or cable modem
since these connections are often vulnerable to exploits, especially if
they're Windoze boxes.
> Essentially, I've done everything I knew to prevent
> this from happening. The hackers are now running port
> scans to the world, making my life oh so easy.
Do you enforce strong passwords? If not, start doing it. This means either
creating users/passwords yourself using strong passwords, creating your own
front-end for creating users/passwords that checks the password prior to
creation to make sure it's strong or running a program like John the Ripper
against /etc/shadow to crack passwords so you can replace weak passwords.
If you do grant users shell access make sure you know what they're doing.
And don't install programs unless you know what they do, have checked to see
if they have exploits and are prepared to periodically check for security
notices. Don't change permissions or ownership on files or directories
unless you understand the consequences. If you do something silly like make
/etc/shadow world-readable then any local user can copy it to another
machine and attempt to crack the passwords in it. You get the picture.
It's time to disconnect your server from the internet, restore from the OS
restore CD and reload your sites, user files and config files from backup.
Then make sure you install and configure (configuring the right way based on
your specific needs can be a lot of work) programs like logcheck,
portsentry, ipchains, tripwire, etc. in order to check for suspicious
activity and take appropriate action.
> I
> suspect they may have come in via POP since it was
> suddenly disabled in /etc/inetd.conf.
Interesting. You should check for exploits on the version of qpopper that
you're running.
I recommend doing a lot of reading on server security. Though it's easy to
get a RaQ up and running, real server administration is quite involved. And
security is not easy. If it were, large corporate and government websites
(and servers) wouldn't be hacked all of the time. A few good places to
start are http://www.sans.org/, http://www.cert.org/ and
http://www.securityfocus.com/. There are *many* ways to improve the
security of your server - too many for me to put in an email. And there are
plenty of things to look out for...if your keyboard looks different
perhaps it's been replaced by one that monitors keystrokes (seriously, there
are such keyboards - was thinking of buying some). I recommend you read the
following article since it gives a good account of the discovery of a rooted
server, how it was rooted and the steps the sysadmin took to discover the
rootkit and exploit. Plus it was written by a sysadmin at my alma mater.
:-) http://www2.linuxjournal.com/articles/culture/0022.html Unfortunately,
the majority of the people on this list won't have the sysadmin skills to do
what the author did.
--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
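The reply above lists several things to check by hand on a box like this: which services are still enabled in /etc/inetd.conf (telnet and POP in particular), whether /etc/shadow has been left world-readable, and whether any accounts have weak or empty passwords. The script below is an added example, not part of Steve's message or of any Cobalt tool, that turns those points into three small checks. It assumes a Linux host with POSIX sh, awk, grep and ls; each check takes the file to inspect as an argument, so it can be pointed at the real files or at the constructed sample files that demo() writes to a temp directory. It does not replace John the Ripper: it only catches the empty-password case, not weak hashes.

```shell
#!/bin/sh
# Added audit helper for the points raised in the reply above (not from the original post).
# Every check takes the file to inspect as an argument, so it works against the real
# /etc files or against the constructed samples built by demo() below.

# Print each enabled inetd service whose name suggests a cleartext or legacy protocol.
# Exit status is grep's: 0 when at least one such service is enabled, 1 otherwise.
# inetd.conf fields: service socket_type proto wait/nowait user server_path [args]
flag_inetd_services() {
    grep -v '^[[:space:]]*#' "$1" \
        | awk 'NF >= 6 { print $1 }' \
        | grep -E '^(telnet|pop-3|pop3|imap|shell|login|exec|ftp)$'
}

# True (exit 0) when the file is readable by "others": column 8 of ls -ld is the o+r bit.
shadow_world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Print accounts whose password field is empty (no password needed to log in).
# A leading '*' or '!' means locked and a hash means set; only the empty case is flagged.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Build constructed sample files in a temp directory and run the checks against them.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/inetd.conf" <<'EOF'
# constructed sample, modelled on a stock inetd.conf
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#pop-3  stream  tcp  nowait  root    /usr/sbin/tcpd  ipop3d
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
    cat > "$dir/shadow" <<'EOF'
root:$1$constructed$notarealhash:11000:0:99999:7:::
daemon:*:11000:0:99999:7:::
guest::11000:0:99999:7:::
EOF
    chmod 0644 "$dir/shadow"   # the mistake the reply warns about

    echo "Cleartext/legacy services enabled in inetd.conf:"
    flag_inetd_services "$dir/inetd.conf" || echo "(none)"
    if shadow_world_readable "$dir/shadow"; then
        echo "shadow is world-readable; fix with: chmod 0400 $dir/shadow"
    fi
    echo "Accounts with empty passwords:"
    empty_password_accounts "$dir/shadow"
    rm -rf "$dir"
}

demo
```

On the sample data this reports ftp and telnet as enabled (the commented-out pop-3 line is skipped), flags the 0644 shadow file, and lists guest as having no password. Against a real box, run it as root and follow up with John the Ripper on the shadow file for the weak-hash case the script cannot see.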