Linux security: A warning

Ryan Wright

I recall not too long ago, a few members here were setting up Linux for the first time. Well, I've got a little advice: Do yourself a favor and don't rely on the default configuration for any length of time.

As some of you know, I lost the system drive in my server a few weeks ago and had to reinstall everything. I put in a stock Red Hat setup, added a few services I needed, and left it at that. I figured I'd have plenty of time to lock things down later. After all, it's not as if I run a major server with tons of traffic.

Well, I screwed up. The server hasn't even been online for 3 weeks and I was hacked Friday morning around 4:00 am. Some little shit exploited FTP (which I should have closed down, as I never use it). He attempted to lock me out of my own server by shutting down local ttys (so I cannot login from the console), shutting down sshd, and restricting access to everything else to the new accounts he had created for himself. He also installed software to capture my password the next time I logged in and save it to a file, so he could presumably come back and get it.

Lucky for me, he was just another script kiddie and didn't exactly know what he was doing. He didn't cover any of his tracks (I traced him right back to his server; unfortunately, he is a customer of an ISP in another country and none of them speak English, and besides, I can't go after them legally, so I'm pretty much SOL). He (or someone) had been monitoring my server for about a week.

He did manage to make off with some of my files. I don't know which ones or how many, but he established an FTP connection to an account on geocities while he was hacked into my server, presumably to send files to himself. With my 1Mbps connection, he could pretty much take whatever he wanted. Thankfully, anything of importance is behind Windows 2000 domain security and he was unable to touch it.

The bad news is, I've got to reformat my hard drive and reinstall everything from scratch. I'm putting up a stronger firewall on a separate machine now, so this can't happen again.

Anyway, I just wanted to share my misfortune, and warn the rest of you. If you've installed Linux from scratch and haven't done much else with it, beware. Especially if you've got a dedicated, high speed connection.
 

Joseph S

unfortunately, he is a customer of an ISP in another country and none of them speak English, and besides, I can't go after them legally, so I'm pretty much SOL).
Yeah, I get the same folks showing up in my OS X ftp log (usually from the Czech Republic or the Netherlands). The funny thing is I actually had a guest account with a "guest" password for a day and they still couldn't guess it. Hope you didn't lose anything of value.
Feel free to ping this guy. :)
Dec 4 15:59:32 localhost ftpd[6098]: connection from a118111.upc-a.chello.nl
Dec 4 15:59:34 localhost ftpd[6098]: ANONYMOUS FTP LOGIN REFUSED FROM a118111.upc-a.chello.nl
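The two ftpd lines above are the kind of entry worth watching for across a whole log rather than one at a time. This added example is not code from the thread or from any of the posters: it parses syslog-style ftpd lines in that format, counts connections and refused anonymous logins per remote host, and lists the hosts that keep coming back, which is the list you would feed a firewall deny rule or a TCP wrappers entry. The sample log and its hostnames are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample log in the format quoted in the thread; the hostnames
# and the non-ftpd line are made-up placeholders, not the poster's entries.
SAMPLE_LOG = """\
Dec  4 15:59:32 localhost ftpd[6098]: connection from host-a.example.net
Dec  4 15:59:34 localhost ftpd[6098]: ANONYMOUS FTP LOGIN REFUSED FROM host-a.example.net
Dec  4 16:02:10 localhost ftpd[6101]: connection from host-a.example.net
Dec  4 16:02:12 localhost ftpd[6101]: ANONYMOUS FTP LOGIN REFUSED FROM host-a.example.net
Dec  4 18:30:01 localhost ftpd[6150]: connection from workstation.lan.example
Dec  4 18:30:05 localhost ftpd[6150]: FTP LOGIN FROM workstation.lan.example as ryan
Dec  5 03:55:40 localhost sshd[7000]: Accepted password for ryan from 10.0.0.5
"""

# syslog prefix (month, day, time, host) followed by "ftpd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) ftpd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
CONNECT_RE = re.compile(r"^connection from (?P<remote>\S+)$")
REFUSED_RE = re.compile(r"^ANONYMOUS FTP LOGIN REFUSED FROM (?P<remote>\S+)$")


def parse_ftpd_log(text):
    """Turn ftpd syslog lines into event dicts; lines from other daemons are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # sshd, kernel, etc. are not our concern here
        msg = m.group("msg")
        c = CONNECT_RE.match(msg)
        r = REFUSED_RE.match(msg)
        if c:
            kind, remote = "connection", c.group("remote")
        elif r:
            kind, remote = "anon_refused", r.group("remote")
        else:
            kind, remote = "other", None  # e.g. a successful login line
        events.append({
            "time": f"{m.group('mon')} {m.group('day')} {m.group('time')}",
            "pid": int(m.group("pid")),
            "kind": kind,
            "remote": remote,
        })
    return events


def summarize_by_remote(events):
    """Count connections and refused anonymous logins per remote host."""
    summary = defaultdict(lambda: {"connection": 0, "anon_refused": 0})
    for ev in events:
        if ev["remote"] is not None:
            summary[ev["remote"]][ev["kind"]] += 1
    return dict(summary)


def suspicious_remotes(summary, min_refused=2):
    """Hosts that keep retrying anonymous login: candidates for a deny rule."""
    return sorted(h for h, c in summary.items() if c["anon_refused"] >= min_refused)


if __name__ == "__main__":
    counts = summarize_by_remote(parse_ftpd_log(SAMPLE_LOG))
    for host, c in counts.items():
        print(f"{host:28} connections={c['connection']} anon_refused={c['anon_refused']}")
    print("suspicious:", suspicious_remotes(counts))
```

The threshold is deliberately low: a single refused anonymous login is noise, but the same host returning for a second try within an afternoon is the pattern both posters describe seeing.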
 

Ryan Wright

Hope you didn't lose anything of value.
Nope. Just my time to rebuild the server, and I had to change my passwords as I'm sure he took my passwd and is likely working to crack the encryption now. He didn't delete anything. Not that there was anything to delete - I've got backups, and all my important stuff is out of reach.
 

Darren Davis

were you using any security progs to monitor people scanning you, etc.? That stinks, though. I know you shouldn't retaliate b/c that's just stooping to his level but...bah, make his life hell. I think he deserves it!
 

DaveF

I just can't fathom these pointless, petty acts of vandalism. No offense Ryan, but you're just some random joe-schmoe with a nice little homesite. Why in the world would some punk want to hack your server; much less why would that be "cool" given you're nobody to them?
Now, perhaps you actually do have super-secret stealth technology documents at home; in that case I can see why ;)
These kids need a serious butt-kicking. It's the sort of thing that makes normally sensible people want to go and hack them, steal their credit cards, and generally say, "How do ya like them apples!"
Ok, too much sugar in my hot chocolate. Back to the lab for me. :)
 

Kevin P

Dec 4 15:59:32 localhost ftpd[6098]: connection from a118111.upc-a.chello.nl
Dec 4 15:59:34 localhost ftpd[6098]: ANONYMOUS FTP LOGIN REFUSED FROM a118111.upc-a.chello.nl
On 11/22, I got an ftp attempt from the same domain (but a different IP) on my Linux box. In my case though, the firewall kept them out. I have ftp but it's only open to, uh like 1 IP. :) I'd like to see them find it. :)
KJP
 

Bill Catherall

Thanks for the heads up Ryan. I'm one of the ones who recently installed Linux. I usually use Win98 though (I've got it set up for dual boot). But when I do run Linux I'm using the default built-in firewall. I've disabled every port. It's set up just to let me surf the web right now. I set it that way just after installing it. Should that be safe enough?
 

Rob_J

I was running a Linux server for a while... no troubles at all. I used a default install and did not worry about closing down too many ports (just the ones I knew I would never use). Then, one day out of the blue, things stopped working. My computer gradually died by means of missing and corrupted files and the like. I had not touched the machine in months and it just stopped working. When I finally was able to look at the logs, someone hacked me from ftpd. It was too much work to fix everything that was messed up, so I had to reinstall. There were no problems with the disk either, so that ruled out a hardware failure. I must agree, these attacks are really annoying! :angry:
 

Ryan Wright

No offense Ryan, but you're just some random joe-schmoe with a nice little homesite.
No offense taken. That's why I didn't bother to lock anything down. I was in a hurry, figured I'd get to it later, and besides, who is going to want access to my server? It's a stinkin' AMD K6 with a few GB of drive space on the end of what's supposed to be a 1Mbps link (but really only gets about half that). And, as I said, there's nothing of value there. The only thing available without authenticating to my domain is the email I haven't yet downloaded, and the source files for my web site. But, the little pricks found me.

Bill: If you've disabled everything in /etc/services, you should be pretty well set and have nothing to worry about. I, too, had a firewall running with a strong ruleset, but unfortunately that only protects the machines within my network. I'm setting up an old laptop (that I painted red, just for kicks) as a firewall and moving my web, mail, dns, & other services behind it. That still won't help me if there is an exploit for one of those services, but if I screw up somewhere along the line, for the most part I only have to worry about the firewall being nailed - no biggie.
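Bill's question and Ryan's answer both come down to what is actually listening on the box. As an added example (not from the thread or any poster), the script below audits a classic inetd.conf: it reports which entries inetd would start, which are commented out, and what port each name maps to through an /etc/services-style table, and it can rewrite the config with everything commented out except an allow-list. Both the config and the services table are constructed samples; note that /etc/services itself only maps names to port numbers, it is the inetd (or xinetd) configuration that decides whether a service runs.

```python
import re

# Constructed example of an inetd.conf in the classic seven-column format
# (not the poster's real file). Lines starting with '#' are disabled.
SAMPLE_INETD_CONF = """\
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp      stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
#telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#shell   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
finger   stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
"""

# Constructed subset of /etc/services: name -> (protocol, port).
# This file only names ports; it does not start or stop anything.
SERVICES = {
    "ftp": ("tcp", 21),
    "telnet": ("tcp", 23),
    "shell": ("tcp", 514),
    "finger": ("tcp", 79),
}

_NAME = re.compile(r"^[a-z][\w.-]*$")


def _parse_entry(fields):
    """Return (name, proto, user, server) for a well-formed inetd line, else None."""
    if len(fields) < 6 or not _NAME.match(fields[0]):
        return None
    return fields[0], fields[2], fields[4], fields[5]


def audit_inetd(conf_text, services=SERVICES):
    """List the services inetd would actually start, with the port each listens on."""
    enabled = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entry = _parse_entry(line.split())
        if entry is None:
            continue
        name, proto, user, server = entry
        port = services.get(name, (proto, None))[1]  # None if the name is unknown
        enabled.append({"name": name, "proto": proto, "port": port,
                        "user": user, "server": server})
    return enabled


def disabled_services(conf_text):
    """Names of entries that are present in the file but commented out."""
    names = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line.startswith("#"):
            continue
        entry = _parse_entry(line[1:].split())  # header comments fail the name check
        if entry is not None:
            names.append(entry[0])
    return names


def harden(conf_text, keep=()):
    """Return a copy of the config with every entry not in `keep` commented out."""
    out = []
    for raw in conf_text.splitlines():
        stripped = raw.strip()
        entry = None
        if stripped and not stripped.startswith("#"):
            entry = _parse_entry(stripped.split())
        if entry is not None and entry[0] not in keep:
            out.append("#" + raw)
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for svc in audit_inetd(SAMPLE_INETD_CONF):
        print(f"ENABLED  {svc['name']:8} {svc['proto']}/{svc['port']}  as {svc['user']}")
    for name in disabled_services(SAMPLE_INETD_CONF):
        print(f"disabled {name}")
    print(harden(SAMPLE_INETD_CONF, keep={"finger"}))
```

Running the audit against the sample shows ftp still enabled and running as root, which is exactly the exposure described at the top of the thread; the `harden()` output is what the file looks like once only the allow-listed service survives.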
 

Kevin P

I had a little scare this morning with my Linux box. It is connected to a switcher so I can access all my machines through one keyboard/mouse/monitor, and this morning I figured I'd log in and check on some things before leaving for work. So I switched over to the Linux box and tried to log in, and nothing. The screen was blank--it was getting a signal, but no text. The keyboard wasn't responding. At first I thought the machine was frozen, but I did see the hard drive light flicker. I was thinking, "dang, I've been hacked." I fired up my Windows machine and was able to Telnet into the Linux box successfully, and I shut it down, powered it off, and powered it back on--at this point I was thinking a video problem. The POST reported a keyboard error. I looked behind the switch box, and oops! The keyboard cable had come loose. I plugged it back in and was up and running again.
In this case I wasn't hacked, I just had a little "DUH" moment. :)
KJP
 

Samuel Des

I was really sorry to hear about your troubles! Why do people do this crap? What is the point? I'm sure there are some computer whiz points or something involved, but man, what a waste of time.
I read these stories here, and I sometimes worry about surfing at home. I used to think that those firewall programs for guys like me were pointless. But maybe not.
But I'm glad to hear you're back up and running! :)
 

Ryan Wright

I used to think that those firewall programs for guys like me were pointless.
Anyone that has high speed or dedicated Internet access (cable modem, DSL, etc) MUST have a firewall. You can buy a hardware firewall/router for $100 almost anywhere. Plug it in and you're good to go.

Or, you can download firewall software. For a regular dialup (analog modem) user, it's not nearly as necessary, but can still give you a little peace of mind.
 
