cracker attack

Support for security such as Firewalls and securing linux
phobos
Posts: 3
Joined: 2006/08/23 12:33:21

cracker attack

Post by phobos » 2006/08/23 14:07:19

Hi, this Friday I experienced a cracker attack on my server. I'm running CentOS 4.3 + several applications compiled by myself. The attacker uploaded the following files to my server:

/bin/ls
/bin/ps
/bin/netstat
/sbin/ttyload
/sbin/ifconfig
/sbin/ttymon
/usr/bin/slocate
/usr/bin/find
/usr/bin/pstree
/usr/bin/md5sum
/usr/bin/dir
/usr/bin/top
/usr/sbin/lsof

The files were owned by UID 122 and GID 114 - but I don't have such a user in /etc/passwd.

Moreover, the attacker has uploaded a file called voxcards.scr to one of my web pages. The file is a trojan horse, Trojan-Spy.Win32.Banker.bph. So I think that this was what he wanted to do...

I don't have a clue how it is possible to do such a thing.

Has anybody experienced anything similar? Or does anybody know how the attacker could do what he has done?

Regards
Tony

jdonz
Posts: 32
Joined: 2006/03/05 20:35:34
Location: Phoenix

cracker attack

Post by jdonz » 2006/08/23 18:33:14

Are you running an FTP server on your box? I frequently see servers become compromised due to insecure FTP server setups. One of the most common is an FTP account with permissions to write directly to the web root directory. I would highly recommend flattening and reinstalling. I don't suppose you have Tripwire running, do you?

garskoci
Posts: 93
Joined: 2006/07/08 14:50:57
Location: Houston, TX

Re: cracker attack

Post by garskoci » 2006/08/24 01:52:10

Have you looked in your messages file for any messages that were logged by PAM? Or even used the last command? Maybe you can tell what ID he/she used to gain access.
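As an added example (not from this thread), here is the kind of extraction garskoci's suggestion amounts to: pull PAM session opens, PAM authentication failures and ProFTPD logins out of a syslog-style messages file, then cross-reference the source addresses. The log lines embedded below are constructed for the illustration (host "web1", the user names, and addresses from the 203.0.113.0/24 documentation range are all made up), written in the CentOS 4 era format where PAM lines look like `sshd(pam_unix)[pid]: ...`.

```shell
#!/bin/sh
# Added example, not code from the thread. Reads a messages-style log on
# stdin and summarises who authenticated, from where, and via which service.

# Constructed sample of /var/log/messages lines (nothing here is real data).
sample_log() {
    cat <<'EOF'
Aug 18 02:11:03 web1 proftpd[4121]: web1 (203.0.113.7[203.0.113.7]) - USER webuser: Login successful.
Aug 18 02:11:09 web1 proftpd[4121]: web1 (203.0.113.7[203.0.113.7]) - FTP session closed.
Aug 18 02:13:44 web1 sshd(pam_unix)[4190]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=root
Aug 18 02:13:50 web1 sshd(pam_unix)[4190]: session opened for user webuser by (uid=0)
Aug 18 09:00:12 web1 sshd(pam_unix)[5012]: session opened for user tony by (uid=0)
EOF
}

# Users for whom PAM opened a session (one name per line).
pam_sessions() {
    grep 'pam_unix' | grep 'session opened for user' |
        sed -n 's/.*session opened for user \([^ ]*\).*/\1/p'
}

# "user rhost" for every PAM authentication failure that names a remote host.
pam_failures() {
    grep 'pam_unix' | grep 'authentication failure' |
        sed -n 's/.*rhost=\([^ ]*\) user=\([^ ]*\).*/\2 \1/p'
}

# "user address" for every successful ProFTPD login.
ftp_logins() {
    grep 'proftpd' | grep 'Login successful' |
        sed -n 's/.*(\([^[]*\)\[.*USER \([^:]*\):.*/\2 \1/p'
}

# Addresses that appear both as an FTP login source and as an SSH failure
# source: the same host touching two services is the pivot worth chasing.
shared_sources() {
    log=$(cat)
    { printf '%s\n' "$log" | ftp_logins   | awk '{print $2}' | sort -u
      printf '%s\n' "$log" | pam_failures | awk '{print $2}' | sort -u; } |
        sort | uniq -d
}

echo "== FTP logins (user address) ==";      sample_log | ftp_logins
echo "== PAM sessions opened ==";            sample_log | pam_sessions
echo "== PAM failures (user rhost) ==";      sample_log | pam_failures
echo "== addresses seen by both services =="; sample_log | shared_sources
```

On a real box you would feed the functions the actual file (`ftp_logins < /var/log/messages`) and compare against `last`, which reads /var/log/wtmp. Both the log and the binaries doing the reading can be tampered with on a compromised host, so run these from a rescue CD or against a copy of the logs pulled to a clean machine.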

phobos
Posts: 3
Joined: 2006/08/23 12:33:21

Re: cracker attack

Post by phobos » 2006/08/24 16:58:15

Of course I have an FTP server - more precisely ProFTPd. Why is it a bad idea to have write permission to the web root? I think that the user must have this permission - because otherwise he is not able to change his presentation and the FTP access is useless...

BTW, what is tripwire?

Regards
Tony

phobos
Posts: 3
Joined: 2006/08/23 12:33:21

Re: cracker attack

Post by phobos » 2006/08/24 17:18:13

Of course, I have looked through /var/log/messages - but I haven't found anything useful.

Now I tried the "last" command - and - I think that he has found a bug in the FTP server. But what can I do now? I really don't want to stop using ProFTPd and there isn't any update at this time...

Is there any place where I can learn about known bugs in ProFTPd?

Regards
Tony

garskoci
Posts: 93
Joined: 2006/07/08 14:50:57
Location: Houston, TX

Re: cracker attack

Post by garskoci » 2006/08/25 04:38:22

I'm pretty sure that with ProFTPD you can jail the user to a specific directory. It's more or less a chroot. If you haven't done that, you probably should. Are there gaps in the messages log? Your hacker might have cleaned it up or changed the user ID in the log.

ProFTPD bug system: http://bugs.proftpd.org/

jdonz
Posts: 32
Joined: 2006/03/05 20:35:34
Location: Phoenix

Re: cracker attack

Post by jdonz » 2006/08/25 20:40:52

It is more of a hassle to use a chroot environment, but it is much more secure than using straight write access to your http document root. Basically, a chroot FTP environment locks the user in one directory, rather than allowing them to browse through the filesystem. I've found that it is easier to create a chrooted home directory outside of the document root to upload to, then once the files are uploaded you can log in through ssh and move the files where they need to go.

Tripwire is software that alerts you to any changes made on the system. The site can probably explain it better than I can: http://www.tripwire.com/products/enterprise/index.cfm. There are a couple of free, open source versions of similar software, although I can't remember the names off the top of my head.
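To show what Tripwire (or the free alternatives jdonz mentions, of which AIDE and Open Source Tripwire are two) actually does against the replaced binaries listed in the first post, here is an added example that is not from the thread and is not Tripwire: the core of a file-integrity check built from coreutils. It hashes every file under a tree into a baseline, and later re-checks the tree against that baseline. It assumes GNU coreutils (`sha1sum -c`) and file names without spaces; the demo tree at the bottom is constructed, not the poster's data.

```shell
#!/bin/sh
# Added example, not from the thread and not Tripwire itself: baseline a tree,
# store the baseline where the box cannot alter it (read-only media, another
# host), and later report what changed. Assumes GNU coreutils and paths
# without spaces. Note the thread's attacker replaced md5sum itself, so the
# hashing binary must also come from a trusted copy.

HASH=${HASH:-sha1sum}   # CentOS 4 coreutils ships sha1sum and md5sum

# Write "<hash>  <path>" for every regular file under $1, sorted so two
# baselines of the same tree diff cleanly.
make_baseline() {
    find "$1" -type f -print | LC_ALL=C sort | while read -r f; do
        "$HASH" "$f"
    done
}

# Compare the tree in $1 against the baseline file in $2. Prints one line per
# modified or missing file ("changed: ...") and per file the baseline never
# saw ("new: ..."); returns 1 if anything was printed so cron can alert on it.
verify_baseline() {
    dir=$1
    baseline=$2
    out=$( {
        # sha1sum -c re-hashes every listed path; anything not ": OK" is suspect
        "$HASH" -c "$baseline" 2>/dev/null | grep -v ': OK$' | sed 's/^/changed: /'
        # walk the tree again and flag paths absent from the (non-empty) baseline
        find "$dir" -type f -print | LC_ALL=C sort |
            awk 'NR == FNR { seen[$2] = 1; next } !seen[$0] { print "new: " $0 }' "$baseline" -
    } )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed demo: baseline a tiny tree, then do what the thread describes
# (overwrite a "binary", drop a new file) and print what the check reports.
run_demo() {
    work=$(mktemp -d)
    mkdir -p "$work/bin" "$work/sbin"
    printf 'original ls\n'       > "$work/bin/ls"
    printf 'original ps\n'       > "$work/bin/ps"
    printf 'original ifconfig\n' > "$work/sbin/ifconfig"
    make_baseline "$work" > "$work.baseline"      # baseline kept outside the tree

    printf 'trojaned ls\n'  > "$work/bin/ls"       # simulated replaced binary
    printf 'rootkit bits\n' > "$work/sbin/ttyload" # simulated dropped file

    verify_baseline "$work" "$work.baseline" || true
    rm -rf "$work" "$work.baseline"
}

run_demo
```

The demo reports the overwritten `bin/ls` as changed and `sbin/ttyload` as new. In practice the baseline is taken right after installation, covers at least /bin, /sbin, /usr/bin, /usr/sbin and /lib, and the comparison runs from media the attacker cannot write; a baseline stored on the same disk as the binaries it describes is exactly what a rootkit installer will edit.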

penguin_powered
Posts: 18
Joined: 2006/08/30 01:48:27
Location: Houston, TX

Re: cracker attack

Post by penguin_powered » 2006/09/08 16:24:16

Do you recommend Tripwire, or have you found another program that you prefer over Tripwire?

garskoci
Posts: 93
Joined: 2006/07/08 14:50:57
Location: Houston, TX

Re: cracker attack

Post by garskoci » 2006/09/08 20:44:22

I know that you're not asking me, but I would set up your server to "jail" the account. Do not let them do anything else but upload files, or download if needed. No directory listings, no changing directories etc. That's how our environment is set up and we have been successful.
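As an added example (not from the thread, and not garskoci's or jdonz's configuration), here is what the jailing described in this thread looks like in a ProFTPD configuration: each user is chrooted into their home directory, which sits outside the web document root, and the account can upload but cannot list, change directory, delete or rename. The directive names are those documented for ProFTPD; check them against the documentation for the version you actually run, and the hypothetical home directory layout under /home/ftp-upload is an assumption.

```apache
# /etc/proftpd.conf fragment (added example, not from the thread)

# Chroot every user into their own home directory. The home directories of
# upload accounts live under /home/ftp-upload, outside the web root, and a
# separate step (ssh, cron) moves accepted files into the site.
DefaultRoot ~

# Upload-only accounts get /sbin/nologin as their shell; allow them anyway.
RequireValidShell off

<Directory ~>
  # No directory listings: the account cannot enumerate what is on the box.
  <Limit LIST NLST>
    DenyAll
  </Limit>

  # No changing directories: the account stays where it logged in.
  <Limit CWD XCWD CDUP>
    DenyAll
  </Limit>

  # No deleting, renaming or permission changes on what is already there.
  <Limit DELE RNFR RNTO SITE_CHMOD>
    DenyAll
  </Limit>

  # Uploads (and, if the site needs it, downloads) are the only operations left.
  <Limit STOR>
    AllowAll
  </Limit>
  <Limit RETR>
    DenyAll
  </Limit>
</Directory>
```

With this in place a stolen FTP password yields an account that can drop files into one directory and nothing else, which also means a dropped file cannot be published to the web root without the separate move step. Note that the chroot limits the FTP session only; a bug in the daemon itself, which the original poster suspects, is addressed by updating ProFTPD, not by this configuration.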
