[Tfug] Server Compromise

Predrag Punosevac punosevac72 at gmail.com
Sat Sep 29 12:38:13 MST 2007


I talked to a friend of mine from Apple Computer.

His remarks are:

1. The old system is unusable in any shape or form except in the way I
outlined (rescuing only a few source files using OpenBSD, with the
Linux compatibility layer switched off if there is one), as the compiler
on the old server is also corrupted. Recompiling will not help. He would
physically destroy the disk after rescuing a few files. He would also
keep those files quarantined on a separate partition and never trust
them again. I have no idea how many computers you have connected to
that server. All of them are unusable from the security point of view.


2. He also suggested that you get another server (my suggestion was for
you to have three servers; he is suggesting a fourth one).

That machine should be physically disconnected from everything you
have in your office. Name the machine something like
secure.main.server.net and leave it as bait for hackers (the honeypot
trick). Make it hard for them to get into that machine so that they
are happy hacking. A $100 home-made server will do it.
Put the old hard disk to good use :-)


3. He is also suggesting crippling all features of the application you
are running (let's say the Apache server) except the ones you have to
use, including security features.

4. I also wonder if you could do randomization of ports (redirecting
ssh port 22 randomly so that only your users can see it), as I believe
that your ports are being scanned.
I have no idea about Linux, but OpenBSD uses the idea of randomization heavily.

I also forgot to ask you whether Linux has a security log file like FreeBSD's.
That file should be checked regularly, as you will see attacks coming.
I know for a fact that if somebody is scanning the ports you will be
able to get a security warning about it. FreeBSD will send mail to the root
account regularly. Make sure you read that mail.


Good luck to you




On 9/29/07, Predrag Punosevac <punosevac72 at gmail.com> wrote:
> I am sure that people fully familiar with the following
>
> http://www.bgnett.no/~peter/pf/en/index.html
> http://openbsd.org/faq/pf/index.html
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/security.html#SECURITY-SYNOPSIS
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails.html
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/mac.html
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/audit.html
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html
>
> It is probably too late for this on the old server, but it is war out
> there, so it might help with future decisions.
>
> Since I am a research MATHEMATICIAN, not a sys admin, and completely
> IGNORANT about Linux,
> I wonder if you could educate me about the following.
>
> 1. Is there a concept of a wheel group in Linux?
> 2. Does Linux have a concept of a kernel security level, as in
> # sysctl kern.securelevel
> which in FreeBSD has 4 levels -1,0,1,2
> 3. What is the partition layout for the default Ubuntu server?
> As in
> /
> /tmp
> /var
> /usr
> /swap
>
> A few idiotic suggestions from a hobbyist. I would get another hard
> drive for the old server
> and install OpenBSD (please stay calm, I am not a Linux hater; I love Debian,
> for instance).
> I am not sure if OpenBSD has a Linux compatibility layer as FreeBSD does, but I
> would make sure that Linux code cannot run on the new server.
> Then I would mount the old hard drive as an external file system on a
> separate partition, completely isolated from the rest of my new system.
> You probably only need some files. I wonder if you could scan, ClamAV style
> (there is other software out there), the files you want to move to the new hard
> drive (binaries of any kind excluded).
> You could probably rescue the content of the old server without
> compromising the security of the new one.
>
>
> Other things I would do if I ever had to pretend I am a sys admin.
> I would probably run three cheaper machines instead of one: one local,
> another for the mail server, and a third one exposed as ssh or http with
> all but the necessary ports closed. I wonder if you can even use an alternative
> port for ssh, since I know that for mail servers there are alternatives.
> I would not even run XOrg on exposed machines, as it is a security risk
> (nothing). Just a core OS and the specific application, Apache or whatever, with
> extremely limited privileges given to users. I would constantly update
> that single application via cron, as they are vulnerable to attack no matter
> what.
>
> I hope you will be able to rescue that server.
>
>
>
>
>
>
>
> On Thu, 27 Sep 2007 16:03:47 -0700, Rich <r-lists at studiosprocket.com>
> wrote:
>
> > Check inittab for stuff respawning.
> >
> > I'd take it down for as long as it takes to restore a recent good
> > /etc, /sbin and /usr/sbin and boot into a known kernel. Then start
> > plugging holes.
> > R.
> >
> > On Sep 27, 2007, at 2:01 pm, Chris Hill wrote:
> >
> >> Hi all,
> >>
> >> I've got a major headache today, looking to see if someone might be
> >> able to help. We've got a server; it's been compromised with a phishing
> >> scam. It looks like it has very possibly been rooted. I cannot fully
> >> turn off the box, but we are pulling all non-essential services off the
> >> public net. If anyone can help me figure out how bad things are, that
> >> would be really cool.
> >>
> >> I am working on the assumption we are rooted, mainly because the user
> >> has copied files as root to the box into /tmp and /var/www. I removed
> >> the /var/www files and he put them back and made it so that I cannot
> >> delete them (even as root). I'm also assuming that my ls, lsattr,
> >> chmod, chown, chattr, etc. files are hacked, which is why I cannot
> >> delete the /var/www files.
> >>
> >> If you're able to look at the box and see if you can help me delete
> >> these files and figure out what's going on, that'd be great!
> >>
> >> Thanks
> >> C
> >>
> >> _______________________________________________
> >> Tucson Free Unix Group - tfug at tfug.org
> >> Subscription Options:
> >> http://www.tfug.org/mailman/listinfo/tfug_tfug.org
> >
> >
>
>
>
> --
> Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
>
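A worked example added by the editor; it is not code from anyone in the thread. It turns the advice above into shell helpers meant to run from a separate, trusted system whose own tools are used throughout: rescue only non-binary files from the old disk into a quarantine area and record their hashes; parse `lsattr -R` output for the immutable attribute, which is one common reason a file cannot be deleted even as root; and list `respawn` entries in the old disk's inittab that are not on an allowlist ("check inittab for stuff respawning"). The device /dev/sdb1, the mount point /mnt/old, and the sample inittab, allowlist and lsattr listing are assumptions or constructed data, not anything from the compromised server.

```shell
#!/bin/sh
# Added example, not from the thread.  Triage helpers for a suspected rooted
# Linux disk, run from a SEPARATE trusted rescue system.  Every tool used
# (find, head, od, tr, wc, cp, sha256sum, lsattr, grep) must come from the
# rescue system's own media, never from the compromised disk.
#
# Mount the old disk so nothing on it can execute or gain privilege.  The
# device and mount point are assumptions; run by hand, not by this script:
#   mkdir -p /mnt/old
#   mount -o ro,noexec,nosuid,nodev /dev/sdb1 /mnt/old

# BSD/macOS rescue systems ship shasum rather than sha256sum.
if ! command -v sha256sum >/dev/null 2>&1; then
    sha256sum() { shasum -a 256 "$@"; }
fi

# is_binary FILE -> exit 0 if FILE looks like a binary (ELF magic, or a NUL
# byte within the first 4 KiB), 1 otherwise.  Binaries are never rescued.
is_binary() {
    f=$1
    magic=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ] && return 0
    total=$(( $(head -c 4096 "$f" | wc -c) ))
    nonul=$(( $(head -c 4096 "$f" | tr -d '\000' | wc -c) ))
    [ "$total" -ne "$nonul" ]
}

# rescue_tree SRC DST -> copy every non-binary regular file under SRC into
# DST (same relative path), record each copy's SHA-256 in DST/MANIFEST.sha256
# and print how many files were rescued.  DST is the quarantine area: keep
# it on its own partition, mounted noexec, and never trust its contents.
rescue_tree() {
    src=$1; dst=$2
    mkdir -p "$dst"
    : > "$dst/MANIFEST.sha256"
    find "$src" -type f | while IFS= read -r f; do
        if is_binary "$f"; then
            printf 'SKIP binary: %s\n' "$f" >&2
            continue
        fi
        rel=${f#"$src"/}
        mkdir -p "$dst/$(dirname "$rel")"
        cp -p "$f" "$dst/$rel"
        sha256sum "$dst/$rel" >> "$dst/MANIFEST.sha256"
    done
    wc -l < "$dst/MANIFEST.sha256" | tr -d ' '
}

# immutable_from_lsattr -> read `lsattr -R` output on stdin and print the
# path of every entry carrying the 'i' (immutable) flag.  A file root cannot
# delete is very often just `chattr +i`; check this before concluding that
# ls/chattr/chmod themselves are trojaned.  Real use, from the rescue system:
#   lsattr -R /mnt/old/var/www /mnt/old/tmp 2>/dev/null | immutable_from_lsattr
immutable_from_lsattr() {
    while IFS= read -r line; do
        case $line in
            ''|*:) continue ;;          # blank lines and "dir:" headers
        esac
        flags=${line%% *}
        path=${line#* }
        case $flags in
            *i*) printf '%s\n' "$path" ;;
        esac
    done
}

# inittab_respawns INITTAB ALLOWLIST -> print "id<TAB>process" for every
# respawn entry whose process is not in ALLOWLIST (one exact command per
# line).  Run it on the old disk's copy (/mnt/old/etc/inittab), not the live box.
inittab_respawns() {
    tab=$1; allow=$2
    grep -v '^[[:space:]]*#' "$tab" | while IFS=: read -r id levels action process; do
        [ "$action" = "respawn" ] || continue
        if ! grep -qxF -- "$process" "$allow"; then
            printf '%s\t%s\n' "$id" "$process"
        fi
    done
}

# build_sample DIR -> write a CONSTRUCTED mini disk image under DIR so the
# helpers can be exercised offline: a phishing page, a NUL-bearing data file,
# an ELF-magic backdoor, an inittab with a rogue respawn line, an allowlist
# and a canned lsattr listing.  None of this is real data from any server.
build_sample() {
    d=$1
    mkdir -p "$d/disk/var/www" "$d/disk/tmp" "$d/disk/etc"
    printf '<html>fake bank login</html>\n' > "$d/disk/var/www/index.html"
    printf 'abc\000def' > "$d/disk/tmp/blob.dat"
    printf '\177ELF\002\001\001' > "$d/disk/tmp/.bd"
    printf '%s\n' '# constructed inittab' 'id:3:initdefault:' \
        'si::sysinit:/etc/init.d/rcS' \
        '1:2345:respawn:/sbin/getty 38400 tty1' \
        'bd:2345:respawn:/tmp/.bd -p 4444' > "$d/disk/etc/inittab"
    printf '%s\n' '/sbin/getty 38400 tty1' > "$d/allow.txt"
    printf '%s\n' '/mnt/old/var/www:' \
        '----i---------e------- /mnt/old/var/www/index.html' \
        '--------------e------- /mnt/old/var/www/robots.txt' > "$d/lsattr.txt"
}

# Stand-alone run against the constructed sample (no real disk is touched).
T=$(mktemp -d)
build_sample "$T"
echo "rescued files: $(rescue_tree "$T/disk" "$T/quarantine" 2>/dev/null)"
echo "immutable entries:"; immutable_from_lsattr < "$T/lsattr.txt"
echo "respawn entries not on the allowlist:"
inittab_respawns "$T/disk/etc/inittab" "$T/allow.txt"
```

Run as-is to exercise the helpers on the constructed sample (two files are rescued, the ELF-magic and NUL-bearing files are skipped, index.html is reported immutable, and the /tmp/.bd respawn line is flagged). For a real disk, mount it ro,noexec,nosuid,nodev and point rescue_tree at the mount point. A `chattr +i` flag is cleared with `chattr -i` from the rescue system, but a flag you did not set is evidence of what the intruder did, so write the manifest and note the immutable paths before changing anything.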



