[Tfug] Server Compromise

Predrag Punosevac punosevac72 at gmail.com
Sat Sep 29 02:00:22 MST 2007


I am sure that people fully familiar with the following

http://www.bgnett.no/~peter/pf/en/index.html
http://openbsd.org/faq/pf/index.html
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/security.html#SECURITY-SYNOPSIS
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails.html
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/mac.html
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/audit.html
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html

It is probably too late for this on the old server, but it is a war out there, so it might help with future decisions.

Since I am a research MATHEMATICIAN, not a sys admin, and completely IGNORANT about Linux, I wonder if you could educate me about the following.

1. Is there a concept of a wheel group in Linux?
2. Does Linux have a concept of a kernel security level, as in
# sysctl kern.securelevel
which in FreeBSD has 4 levels: -1, 0, 1, 2?
3. What is the partitioning for the default Ubuntu server? As in:
/
/tmp
/var
/usr
/swap

A few idiotic suggestions from a hobbyist. I would get another hard drive for the old server and install OpenBSD (please stay calm, I am not a Linux hater; I love Debian, for instance). I am not sure if OpenBSD has a Linux compatibility layer like FreeBSD, but I would make sure that Linux code cannot run on the new server. Then I would mount the old hard drive as an external file system on a separate partition, completely isolated from the rest of my new system. You probably only need some files. I wonder if you could scan, clamav style (there is other software out there), the files you want to move to the new hard drive (binaries of any kind excluded). You could probably rescue the content of the old server without compromising the security of the new one.


Other things I would do if I ever have to pretend I am a sys admin: I would probably run three cheaper machines instead of one. One local, another for the mail server, and the third one exposed for ssh or http with all but the necessary ports closed. I wonder if you can even use an alternative port for ssh, since I know that for the mail server there are alternatives. I would not even run XOrg on exposed machines, as it is a security risk (nothing). Just a core OS and the specific application, Apache or whatever, with extremely limited privileges given to users. I would constantly update that single application via cron, as they are vulnerable to attack no matter what.

I hope you will be able to rescue that server.
On Thu, 27 Sep 2007 16:03:47 -0700, Rich <r-lists at studiosprocket.com> wrote:

> Check inittab for stuff respawning.
>
> I'd take it down for as long as it takes to restore a recent good /
> etc, /sbin and /usr/sbin and boot into a known kernel. Then start
> plugging holes.
> R.
>
> On Sep 27, 2007, at 2:01 pm, Chris Hill wrote:
>
>> Hi all,
>>
>> I've got a major headache today, looking to see if someone might be
>> able to help. We've got a server; it's been compromised with a phishing
>> scam. It looks like it very possibly has been rooted. I cannot fully
>> turn off the box, but we are pulling all non-essential services off the
>> public net. If anyone can help me figure out how bad things are, that
>> would be really cool.
>>
>> I am working on the assumption we are rooted, mainly because the user
>> has copied files as root to the box into /tmp and /var/www. I removed
>> the /var/www files and he put them back and made it so that I cannot
>> delete them (even as root). I'm also assuming that my ls, lsattr,
>> chmod, chown, chattr, etc. files are hacked, which is why I cannot
>> delete the /var/www files.
>>
>> If you're able to look at the box and see if you can help me delete
>> these files and figure out what's going on, that'd be great!
>>
>> Thanks
>> C
>>
>> _______________________________________________
>> Tucson Free Unix Group - tfug at tfug.org
>> Subscription Options:
>> http://www.tfug.org/mailman/listinfo/tfug_tfug.org



-- 
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
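A shell sketch of the rescue step Predrag describes above, as an added example that is not from anyone in the thread: copy only files that cannot execute off the old disk into a staging directory on the new host, and list everything held back for review. It assumes the old disk is already mounted read-only (the `/dev/OLDDISK` device name in the comment is a placeholder); the source and destination paths are arguments, nothing is hard-coded.

```shell
#!/bin/sh
# Added example (not from the thread): pull only non-binary files off the
# old disk into a staging directory, skipping anything that could carry code.
# Assumption: the old disk is mounted read-only with no execution allowed,
# e.g.  mount -o ro,noexec,nosuid,nodev /dev/OLDDISK /mnt/old
# (/dev/OLDDISK is a placeholder device name).

# is_code FILE: succeed (0) if FILE looks like something that can execute.
# Rules: execute bit set, ELF magic (7f 45 4c 46), or a "#!" interpreter line.
is_code() {
    [ -x "$1" ] && return 0
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        7f454c46) return 0 ;;   # ELF executable or shared object
        2321*)    return 0 ;;   # script starting with "#!"
    esac
    return 1
}

# rescue_tree SRC DST: copy regular files from SRC into DST, keeping the
# relative path; files that were skipped are listed in DST/.skipped.
rescue_tree() {
    src="$1"; dst="$2"
    mkdir -p "$dst"
    : > "$dst/.skipped"
    find "$src" -type f | while IFS= read -r f; do
        rel="${f#"$src"/}"
        if is_code "$f"; then
            printf '%s\n' "$rel" >> "$dst/.skipped"
        else
            mkdir -p "$dst/$(dirname "$rel")"
            cp -p "$f" "$dst/$rel"
        fi
    done
}

# skipped_count DST: number of files held back, for a quick sanity check.
skipped_count() {
    wc -l < "$1/.skipped" | tr -d ' '
}
```

Review `DST/.skipped` by hand before deciding whether any of those files are worth recovering at all; a ClamAV pass over the staging directory fits between this step and moving anything into service.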