Linux security: A warning


11 replies to this topic

#1 of 12 Ryan Wright

    Screenwriter

  • 1,877 posts
  • Join Date: Jul 30 2000

Posted December 08 2001 - 07:31 AM

I recall not too long ago, a few members here were setting up Linux for the first time. Well, I've got a little advice: Do yourself a favor and don't rely on the default configuration for any length of time.

As some of you know, I lost the system drive in my server a few weeks ago and had to reinstall everything. I put in a stock Red Hat setup, added a few services I needed, and left it at that. I figured I'd have plenty of time to lock things down later. After all, it's not as if I run a major server with tons of traffic.

Well, I screwed up. The server hasn't even been online for 3 weeks and I was hacked Friday morning around 4:00 am. Some little shit exploited FTP (which I should have closed down, as I never use it). He attempted to lock me out of my own server by shutting down local ttys (so I cannot login from the console), shutting down sshd, and restricting access to everything else to the new accounts he had created for himself. He also installed software to capture my password the next time I logged in and save it to a file, so he could presumably come back and get it.

Lucky for me, he was just another script kiddie and didn't exactly know what he was doing. He didn't cover any of his tracks (I traced him right back to his server; unfortunately, he is a customer of an ISP in another country and none of them speak English, and besides, I can't go after them legally, so I'm pretty much SOL). He (or someone) had been monitoring my server for about a week.

He did manage to make off with some of my files. I don't know which ones or how many, but he established an FTP connection to an account on geocities while he was hacked into my server, presumably to send files to himself. With my 1Mbps connection, he could pretty much take whatever he wanted. Thankfully, anything of importance is behind Windows 2000 domain security and he was unable to touch it.

The bad news is, I've got to reformat my hard drive and reinstall everything from scratch. I'm putting up a stronger firewall on a separate machine now, so this can't happen again.

Anyway, I just wanted to share my misfortune, and warn the rest of you. If you've installed Linux from scratch and haven't done much else with it, beware. Especially if you've got a dedicated, high speed connection.
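The post above describes two concrete changes the intruder made: he added accounts for himself and he shut down the local ttys. Both leave traces in plain text files, so a first triage pass is quick to script. The following is an added example for readers of this thread, not something Ryan posted or ran: it reads the text of /etc/passwd and /etc/inittab together with the set of accounts the administrator knows he created, and reports extra UID 0 accounts, accounts not in that baseline, login-capable accounts homed in odd places, and getty lines that have been commented out or switched off. The two sample files and the BASELINE set are constructed for the demo.

```python
"""Post-compromise triage of the account and console configuration on a
Red Hat-style box (added example; not from the thread).

Given the text of /etc/passwd and /etc/inittab plus the set of accounts the
admin knows he created, flag what does not belong. Both inputs below are
constructed for the demo.
"""

# Constructed /etc/passwd: a stock-looking layout plus two entries an
# intruder might add (a second UID 0 account and a user homed under /tmp).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
ryan:x:500:500:Ryan:/home/ryan:/bin/bash
toor:x:0:0::/root:/bin/bash
r00t:x:501:501::/tmp/.x:/bin/bash
"""

# Constructed /etc/inittab: tty2 commented out, tty3 switched to "off".
SAMPLE_INITTAB = """\
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
1:2345:respawn:/sbin/mingetty tty1
#2:2345:respawn:/sbin/mingetty tty2
3:2345:off:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
"""

# Accounts the administrator remembers creating or that ship with the install.
BASELINE = {"root", "bin", "daemon", "ftp", "nobody", "ryan"}

NOLOGIN_SHELLS = {"/sbin/nologin", "/bin/false", "/usr/sbin/nologin"}


def parse_passwd(text):
    """Yield (lineno, fields) per passwd line; fields is None if malformed."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            yield lineno, None
            continue
        yield lineno, fields


def audit_passwd(text, baseline):
    """Return findings keyed by category; all lists empty means nothing odd."""
    findings = {"extra_uid0": [], "unknown_accounts": [],
                "suspicious_homes": [], "malformed_lines": []}
    for lineno, fields in parse_passwd(text):
        if fields is None:
            findings["malformed_lines"].append(lineno)
            continue
        name, _pw, uid, _gid, _gecos, home, shell = fields
        if int(uid) == 0 and name != "root":
            findings["extra_uid0"].append(name)
        if name not in baseline:
            findings["unknown_accounts"].append(name)
        # A login-capable account homed in /tmp or a dot-directory is a
        # classic place for an intruder to park a toolkit.
        if shell not in NOLOGIN_SHELLS and (home.startswith("/tmp") or "/." in home):
            findings["suspicious_homes"].append(name)
    return findings


def disabled_ttys(inittab_text):
    """Return the ttys whose getty lines are commented out or set to 'off'."""
    disabled = []
    for line in inittab_text.splitlines():
        stripped = line.strip()
        commented = stripped.startswith("#")
        body = stripped.lstrip("#").strip()
        fields = body.split(":", 3)
        if len(fields) != 4 or "getty" not in fields[3]:
            continue
        if commented or fields[2] == "off":
            disabled.append(fields[3].split()[-1])  # e.g. "tty2"
    return disabled


def is_clean(findings, ttys):
    """True when neither audit found anything."""
    return not ttys and not any(findings.values())


if __name__ == "__main__":
    found = audit_passwd(SAMPLE_PASSWD, BASELINE)
    ttys = disabled_ttys(SAMPLE_INITTAB)
    for category, names in found.items():
        if names:
            print(f"{category}: {', '.join(map(str, names))}")
    if ttys:
        print("ttys disabled in inittab:", ", ".join(ttys))
    print("clean" if is_clean(found, ttys) else "needs a look")
```

Run it against copies of the real files taken from a rescue boot rather than from the running system; an intruder who has already trojaned login or ssh can just as easily have replaced the tools you would use to inspect the box from inside it.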

#2 of 12 Joseph S

    Screenwriter

  • 2,865 posts
  • Join Date: Dec 23 1999

Posted December 08 2001 - 08:09 AM

Quote:
unfortunately, he is a customer of an ISP in another country and none of them speak English, and besides, I can't go after them legally, so I'm pretty much SOL.

Yeah, I get the same folks showing up in my OS X ftp log. (Usually from the Czech Republic or the Netherlands.) The funny thing is I actually had a guest account with a "guest" password for a day and they still couldn't guess it. Hope you didn't lose anything of value.

Feel free to ping this guy.
Dec 4 15:59:32 localhost ftpd[6098]: connection from a118111.upc-a.chello.nl
Dec 4 15:59:34 localhost ftpd[6098]: ANONYMOUS FTP LOGIN REFUSED FROM a118111.upc-a.chello.nl

#3 of 12 Ryan Wright

    Screenwriter

  • 1,877 posts
  • Join Date: Jul 30 2000

Posted December 08 2001 - 08:52 AM

Quote:
Hope you didn't lose anything of value.
Nope. Just my time to rebuild the server, and I had to change my passwords as I'm sure he took my passwd and is likely working to crack the encryption now. He didn't delete anything. Not that there was anything to delete - I've got backups, and all my important stuff is out of reach.

#4 of 12 Darren Davis

    Stunt Coordinator

  • 248 posts
  • Join Date: Oct 09 2001

Posted December 08 2001 - 09:02 AM

Were you using any security progs to monitor people scanning you, etc.? That stinks, though. I know you shouldn't retaliate b/c that's just stooping to his level but...bah, make his life hell. I think he deserves it!

#5 of 12 DaveF

    Executive Producer

  • 13,302 posts
  • Join Date: Mar 04 2001
  • Real Name: David Fischer
  • Location: One Loudoun, Ashburn, VA

Posted December 08 2001 - 09:05 AM

I just can't fathom these pointless, petty acts of vandalism. No offense Ryan, but you're just some random joe-schmoe with a nice little homesite. Why in the world would some punk want to hack your server; much less why would that be "cool" given you're nobody to them?

Now, perhaps you actually do have super-secret stealth technology documents at home; in that case I can see why.

These kids need a serious butt-kicking. It's the sort of thing that makes normally sensible people want to go and hack them, steal their credit cards, and generally say, "How do ya like them apples!"

Ok, too much sugar in my hot chocolate. Back to the lab for me.

#6 of 12 Kevin P

    Screenwriter

  • 1,444 posts
  • Join Date: Jan 18 1999

Posted December 08 2001 - 09:18 AM

Quote:
Dec 4 15:59:32 localhost ftpd[6098]: connection from a118111.upc-a.chello.nl
Dec 4 15:59:34 localhost ftpd[6098]: ANONYMOUS FTP LOGIN REFUSED FROM a118111.upc-a.chello.nl
On 11/22, I got an ftp attempt from the same domain (but a different IP) on my Linux box. In my case though, the firewall kept them out. I have ftp but it's only open to, uh, like 1 IP. I'd like to see them find it.

KJP
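Both Joseph S (#2) and Kevin P (#6) are reading the same kind of evidence: ftpd's syslog lines recording a connection and then an anonymous-login refusal from a host nobody recognises. Eyeballing two lines works; eyeballing a week of them does not. The script below is an added example, not posted by either of them: it parses the message format quoted above, tallies connections, anonymous refusals and successful logins per remote host, and separates hosts that only ever get refused (probes) from hosts that actually got in (the ones to worry about if the box was later compromised). The sample log is constructed; the "FTP LOGIN FROM host, user" and sshd lines are made up in the same syslog style to show that successful logins are tracked and unrelated daemons are ignored.

```python
"""Summarise ftpd log lines per remote host (added example; not from the thread).

Parses the classic ftpd syslog messages, tallies connections, anonymous
refusals and successful logins per host, and flags hosts that only probe.
The sample log below is constructed.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Dec  4 15:59:32 localhost ftpd[6098]: connection from a118111.upc-a.chello.nl
Dec  4 15:59:34 localhost ftpd[6098]: ANONYMOUS FTP LOGIN REFUSED FROM a118111.upc-a.chello.nl
Dec  4 16:01:07 localhost ftpd[6102]: connection from a118111.upc-a.chello.nl
Dec  4 16:01:09 localhost ftpd[6102]: ANONYMOUS FTP LOGIN REFUSED FROM a118111.upc-a.chello.nl
Dec  4 16:03:41 localhost ftpd[6110]: connection from a118111.upc-a.chello.nl
Dec  4 16:03:43 localhost ftpd[6110]: ANONYMOUS FTP LOGIN REFUSED FROM a118111.upc-a.chello.nl
Dec  4 21:12:00 localhost ftpd[6201]: connection from workstation.example.lan
Dec  4 21:12:03 localhost ftpd[6201]: FTP LOGIN FROM workstation.example.lan, ryan
Dec  5 02:44:10 localhost sshd[6300]: Accepted password for ryan from 192.0.2.10 port 40112 ssh2
"""

# One pattern per ftpd message we care about. The pid is captured so a
# refusal can be tied back to the connection that produced it if needed.
CONNECT_RE = re.compile(r"ftpd\[(?P<pid>\d+)\]: connection from (?P<host>\S+)$")
REFUSED_RE = re.compile(r"ftpd\[(?P<pid>\d+)\]: ANONYMOUS FTP LOGIN REFUSED FROM (?P<host>\S+)$")
LOGIN_RE = re.compile(r"ftpd\[(?P<pid>\d+)\]: FTP LOGIN FROM (?P<host>\S+), (?P<user>\S+)$")


def summarize_ftpd(log_text):
    """Return {host: {"connections": n, "refused": n, "logins": [users]}}."""
    stats = defaultdict(lambda: {"connections": 0, "refused": 0, "logins": []})
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            stats[m["host"]]["connections"] += 1
            continue
        m = REFUSED_RE.search(line)
        if m:
            stats[m["host"]]["refused"] += 1
            continue
        m = LOGIN_RE.search(line)
        if m:
            stats[m["host"]]["logins"].append(m["user"])
        # Anything else (sshd, cron, ...) is not ftpd's and is skipped.
    return dict(stats)


def probing_hosts(stats, min_refused=3):
    """Hosts refused at least min_refused times that never logged in."""
    return sorted(host for host, s in stats.items()
                  if s["refused"] >= min_refused and not s["logins"])


def hosts_with_access(stats):
    """Hosts that did log in, with the accounts they used."""
    return {host: sorted(set(s["logins"])) for host, s in stats.items() if s["logins"]}


if __name__ == "__main__":
    stats = summarize_ftpd(SAMPLE_LOG)
    for host, s in sorted(stats.items()):
        print(f"{host}: {s['connections']} conn, {s['refused']} refused, logins={s['logins']}")
    print("probing:", probing_hosts(stats))
    print("access:", hosts_with_access(stats))
```

Feed it `/var/log/messages` (or wherever your syslog sends the daemon facility) with `summarize_ftpd(open(path).read())`. The hosts_with_access list is the one to compare against the machines you actually use; an unfamiliar entry there, rather than another refused anonymous probe, is the signal that something is wrong.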

#7 of 12 Bill Catherall

    Screenwriter

  • 1,565 posts
  • Join Date: Aug 01 1997

Posted December 08 2001 - 11:50 AM

Thanks for the heads up Ryan. I'm one of the ones who recently installed Linux. I usually use Win98 though (I've got it set up for dual boot). But when I do run Linux I'm using the default built-in firewall. I've disabled every port. It's set up just to let me surf the web right now. I set it that way just after installing it. Should that be safe enough?
~Bill

#8 of 12 Rob_J

    Stunt Coordinator

  • 136 posts
  • Join Date: Aug 04 2001

Posted December 08 2001 - 01:03 PM

I was running a Linux server for a while... no troubles at all. I used a default install and did not worry about closing down too many ports (just the ones I knew I would never use). Then, one day out of the blue, things stopped working. My computer gradually died by means of missing and corrupted files and the like. I had not touched the machine in months and it just stopped working. When I finally was able to look at the logs, someone hacked me from ftpd. It was too much work to fix everything that was messed up, so I had to reinstall. There were no problems with the disk either, so that ruled out a hardware failure. I must agree, these attacks are really annoying!
"Keep looking shocked and move slowly towards the cake..." --Homer

#9 of 12 Ryan Wright

    Screenwriter

  • 1,877 posts
  • Join Date: Jul 30 2000

Posted December 10 2001 - 04:12 PM

Quote:
No offense Ryan, but you're just some random joe-schmoe with a nice little homesite.

No offense taken. That's why I didn't bother to lock anything down. I was in a hurry, figured I'd get to it later, and besides, who is going to want access to my server? It's a stinkin' AMD K6 with a few GB of drive space on the end of what's supposed to be a 1Mbps link (but really only gets about half that). And, as I said, there's nothing of value there. The only thing available without authenticating to my domain is the email I haven't yet downloaded, and the source files for my web site. But, the little pricks found me.

Bill: If you've disabled everything in /etc/services, you should be pretty well set and have nothing to worry about. I, too, had a firewall running with a strong ruleset, but unfortunately that only protects the machines within my network. I'm setting up an old laptop (that I painted red, just for kicks) as a firewall and moving my web, mail, dns, & other services behind it. That still won't help me if there is an exploit for one of those services, but if I screw up somewhere along the line, for the most part I only have to worry about the firewall being nailed - no biggie.
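One thing worth checking when following this advice: on a Red Hat box of that vintage the file that decides whether ftp, telnet and the rest are actually listening is the inetd configuration (/etc/inetd.conf on older releases, the per-service files under /etc/xinetd.d from Red Hat 7 on), while /etc/services only maps service names to port numbers. The script below is an added example, not something from the thread: it reads a classic-format inetd.conf, lists what is still enabled, flags the entries that carry cleartext credentials or run as root, and produces the commented-out version to write back. The sample inetd.conf is constructed. On an xinetd host the equivalent is `disable = yes` in each service's file, which this script does not handle.

```python
"""Audit a classic /etc/inetd.conf (added example; not from the thread).

Each uncommented line in inetd.conf is one listener that inetd will start
on demand. /etc/services only maps names to port numbers. The sample file
below is constructed.
"""

SAMPLE_INETD_CONF = """\
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp      stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet   stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#shell   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
#login   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rlogind
finger   stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
#talk    dgram   udp  wait    nobody.tty /usr/sbin/tcpd in.talkd
"""

# Services whose protocol carries passwords or host trust in the clear.
CLEARTEXT_SERVICES = {"ftp", "telnet", "pop-3", "pop3", "imap", "shell", "login", "exec"}


def _service_name(line):
    """Service name of an active (uncommented) inetd line, else None."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    return stripped.split(None, 1)[0]


def enabled_services(conf_text):
    """Parse active lines into dicts holding the seven inetd.conf fields."""
    services = []
    for line in conf_text.splitlines():
        if _service_name(line) is None:
            continue
        fields = line.split(None, 6)
        if len(fields) < 6:
            continue  # not a well-formed entry; inetd would reject it too
        services.append({
            "service": fields[0], "socket": fields[1], "proto": fields[2],
            "flags": fields[3], "user": fields[4], "server": fields[5],
            "args": fields[6] if len(fields) == 7 else "",
        })
    return services


def review_inetd(conf_text, needed=frozenset()):
    """Return [(service, [reasons])] for every enabled entry worth a look."""
    report = []
    for svc in enabled_services(conf_text):
        reasons = []
        if svc["service"] not in needed:
            reasons.append("not in the needed set")
        if svc["service"] in CLEARTEXT_SERVICES:
            reasons.append("cleartext credentials")
        if svc["user"].split(".")[0] == "root":  # user field may be user.group
            reasons.append("runs as root")
        if reasons:
            report.append((svc["service"], reasons))
    return report


def disable_services(conf_text, to_disable):
    """Return the conf text with the named services commented out.

    After writing it back, `killall -HUP inetd` makes inetd reread the file.
    """
    out = []
    for line in conf_text.splitlines():
        out.append("#" + line if _service_name(line) in to_disable else line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, reasons in review_inetd(SAMPLE_INETD_CONF):
        print(f"{name}: {'; '.join(reasons)}")
    hardened = disable_services(SAMPLE_INETD_CONF, {"ftp", "telnet", "finger"})
    print("still enabled:", [s["service"] for s in enabled_services(hardened)])
```

Pass the services you really do use as `needed` so the report only lists surprises; an empty report from `review_inetd` plus an empty `enabled_services` of whatever you did not list is the state Ryan is describing as "pretty well set", with the firewall as the second layer rather than the only one.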

#10 of 12 Kevin P

    Screenwriter

  • 1,444 posts
  • Join Date: Jan 18 1999

Posted December 11 2001 - 12:41 AM

I had a little scare this morning with my Linux box. It is connected to a switcher so I can access all my machines through one keyboard/mouse/monitor, and this morning I figured I'd log in and check on some things before leaving for work. So I switched over to the Linux box and tried to log in, and nothing. The screen was blank--it was getting a signal, but no text. The keyboard wasn't responding. At first I thought the machine was frozen, but I did see the hard drive light flicker. I was thinking, "dang, I've been hacked." I fired up my Windows machine and was able to Telnet into the Linux box successfully, and I shut it down, powered it off, and powered it back on--at this point I was thinking a video problem. The POST reported a keyboard error. I looked behind the switch box, and oops! The keyboard cable had come loose. I plugged it back in and was up and running again.

In this case I wasn't hacked, I just had a little "DUH" moment.

KJP

#11 of 12 Samuel Des

    Supporting Actor

  • 801 posts
  • Join Date: Feb 07 2001

Posted December 11 2001 - 01:41 AM

I was really sorry to hear about your troubles! Why do people do this crap? What is the point? I'm sure there are some computer whiz points or something involved, but man, what a waste of time.

I read these stories here, and I sometimes worry about surfing at home. I used to think that those firewall programs for guys like me were pointless. But maybe not.

But I'm glad to hear you're back up and running!
I am made out of water. You wouldn't know it, because I have it bound in. My friends are made out of water, too. All of them. The problem for us is that not only do we have to walk around without being absorbed by the ground but we also have to earn our livings.

#12 of 12 Ryan Wright

    Screenwriter

  • 1,877 posts
  • Join Date: Jul 30 2000

Posted December 11 2001 - 03:40 AM

Quote:
I used to think that those firewall programs for guys like me were pointless.

Anyone that has high speed or dedicated Internet access (cable modem, DSL, etc) MUST have a firewall. You can buy a hardware firewall/router for $100 almost anywhere. Plug it in and you're good to go.

Or, you can download firewall software. For a regular dialup (analog modem) user, it's not nearly as necessary, but can still give you a little peace of mind.
