
I've been hacked.

At about 11:30 (three hours ago, now) I started noticing serious
activity on the DSL 'modem'. I wasn't doing anything and neither were
the boys.

I toggled over to the Linux machine, and system load was sky-high, in
programs called pscan-bind, pscan-ftpd &c. I was trying to figure out
what was going on, when the system hung. (I'd tried to get a properties
box on my Gnome sysload panel applet, to see what the unusual color on
the graph was.)

When I restarted, I couldn't run `ps` as a user. (Lucky me, it was an
inept hacker - or the system crashed at just the right time.) It had
somehow been redirected to some program cutely named "adore". I got rid
of `adore` and a couple of other similar files, and downloaded procps*.tpm
from redhat and got my system back to normal. I think. I just found a
"/sbin/klogd/" with a 4-1, 23:30 timestamp, and when I scan for
SUID/SGID files, there are an awful lot of them.

There's still a new directory that was installed at /usr/lib/lib that
contains the pscan-* routines, a scan.pl script, and a bunch of other
files that seem to indicate this is some script kiddy toy named "wu26".

I changed my root passwd, of course, but I don't know how much good that
will do - how did this thing get in in the first place?

I have /etc/host.deny set to ALL: ALL, which I guess gave me a false
sense of security. I thought I had a pretty restrictive ipchains config,
but perhaps not:

# 1) Flush the rule tables.

/sbin/ipchains -F input
/sbin/ipchains -F forward
/sbin/ipchains -F output

# 2) Set the MASQ timings and allow packets in for DHCP configuration.

/sbin/ipchains -M -S 7200 10 60
#/sbin/ipchains -A input -j ACCEPT -i eth0 -s 0/0 68 -d 0/0 67 -p udp

# 3) Deny all forwarding packets except those from local network.
#    Masquerade those.

/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 192.168.1.0/24 -j MASQ
#/sbin/ipchains -A forward -i ppp0 -j MASQ

# 4) Load forwarding modules for special services.

/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_raudio

# 5) (Experimental) Jazz JackRabbit 2 networking setup

/sbin/ipchains -A forward -p tcp -s 0/0 10052:10054 -j MASQ
/sbin/ipchains -A forward -p udp -s 0/0 10052 -j MASQ

--

http://www.midnightbeach.com    - Me, my work, my writing, and
http://www.midnightbeach.com/hs - my homeschool resource pages

 

Re:I've been hacked.


Jon Shemitz <j...@midnightbeach.com> wrote:

>I changed my root passwd, of course, but I don't know how much good that
>will do

Pointless - if the hacker was any good.

>I thought I had a pretty restrictive ipchains config,

If you run any outside service - ANY outside service - on that machine
then this is a problem. And this problem cannot be "fixed" by ipchains.

Currently en vogue are bind hacks, with a couple of root exploits
running out there. From what you describe, it sounds as if a script
kiddie attacked you with something pre-cooked.

"adore" hints at the fact that someone will have installed a Linux
kernel module;

  http://www.securityfocus.com/tools/1490

might entertain you, depending on your current mental state.  

Immediate action:

* Unplug the machine from the public network
* Unplug the machine from the internal network
* Yank out the power cord

* Relax.
* Sleep.
* Have a cup of tea or coffee.

* Boot up the system from a rescue or repair disk
* Make sure that none - exactly *none* - of the binaries that
  are currently on the attacked machine get executed

* Copy all non-binary data to a floppy disk or a known good
  and definitely not "infected" medium

* Wipe hard disk of attacked machine clean

* Reinstall.

* Make sure that you don't expose any services to
  the outside world unless you *really* have to.
* Make sure you have installed all security updates
  for any outside service on your system.
* Make sure that you have subscribed to your distribution
  vendor's security announcement mailing list.

* Optionally, subscribe to a security incidents / exploits
  mailing list, for instance the one(s) at
     http://www.securityfocus.com/

--
Kylix is there!
  http://www.borland.com/kylix/
Are you ready for Kylix?
  http://community.borland.com/article/0,1410,26998,00.html

Re:I've been hacked.


Oops, bad link on that last message.  The correct link is
http://www.coyotelinux.com

Re:I've been hacked.


I had a very similar experience when I first got my cable modem.  In
fact the cable provider cut me off due to attacks being launched from my
machine against other machines on the internet.
The solution to my problem was to install Coyote Linux
(http://www.coyotelinux) on an old 486 machine as a firewall.
Ever since then I have not had any problems that I haven't been able to
cope with.
Coyote Linux is a floppy disk Linux distribution.  I have no hard drive
to hack into on the coyote machine so if I get hacked, I can just
reboot, and all is wiped clean.  Coyote doesn't have things like telnet
or ftp installed, so there are fewer ways for a cracker to get to it, and
since there are very few utilities installed on the system there is not
much for them to do once they get there.
I STRONGLY recommend installing some sort of firewall on your network
rather than connecting ANY computer directly to the Internet.
Good luck to you.

Re:I've been hacked.


James Van't Slot <ja...@vantslot.net> wrote:

>The solution to my problem was to install Coyote Linux
>(http://www.coyotelinux) on an old 486 machine as a firewall.

James, I am running SuSE 7.0 (with a couple of updates here and there)
on my gateway. I can guarantee you that I won't have any problems with
SuSE 7.0 - simply because I expose nothing to the outside world.

*ANY* version of Linux / FreeBSD / OpenBSD / NetBSD will do fine - iff
you don't expose any services to the outside world (and assuming that
you don't have a kernel bug somewhere in the TCP/IP stack).

Coyote Linux is dead, BTW: "Coyote Wizard project discontinued -
2001-02-16 00:34:21"; a nice-ish gateway solution might be Smoothwall -
http://www.smoothwall.org/ - you'll have to deal with a project "macho",
though, not with a project leader.

>I STRONGLY recommend installing some sort of firewall on your network
>rather than connecting ANY computer directly to the Internet.

The firewall doesn't matter *that* much. ipchains is an acceptable
packet level filter. The only other thing you could do is use
application level proxies and no, absolutely no, NAT anywhere.

But if you really have to run external services then even a firewall
doesn't help - you are put at the mercy of the services you are running,
and the infrastructure you have set up (e.g. packet forwarding from the
gateway to the DMZ, with services not running on the gateway, but on a
distinct machine, particularly hardened and locked down).


Re:I've been hacked.


Stefan Hoffmeister wrote:

> Coyote Linux is dead, BTW: "Coyote Wizard project discontinued -
> 2001-02-16 00:34:21"; a nice-ish gateway solution might be Smoothwall -
> http://www.smoothwall.org/ - you'll have to deal with a project "macho",
> though, not with a project leader.

This is too bad. Coyote Linux was a nice little thing. I
installed it a while ago on a 486. It was very easy to set up
a firewall.

--
Rosimildo da Silva            rdasi...@connectel.com
ConnectTel, Inc.              Austin, TX -- USA      
Phone : 512-338-1111          Fax : 512-918-0449    
Company Page:  http://www.connecttel.com            
Home Page:     http://members.nbci.com/rosimildo/

Re:I've been hacked.


On Mon, 02 Apr 2001 02:22:04 -0700, Jon Shemitz
<j...@midnightbeach.com> wrote:
>At about 11:30 (three hours ago, now) I started noticing serious
>activity on the DSL 'modem'. I wasn't doing anything and neither were

Makes you feel sort of sick, doesn't it?  My sympathies.

I have a few suggestions to go along with the others in this thread:

1.  Disable all the services you don't need.  For most people, disable
everything (httpd, ftpd, telnet, etc, etc) except ssh.

2.  Figure out how to apply security updates for your distribution and
do so regularly.  This is one reason I love debian so much:

apt-get update
apt-get upgrade

run from cron every day and I don't have to worry about things like
the BIND problem.  I would think the other distributions have
something similar.

3.  Install 'tripwire'.  I had been cracked for about a month before I
realize it.  With tripwire, at least you know you've been cracked
almost immediately and can take some action.

Good luck!
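The tripwire suggestion above and the original poster's hunt for a new /sbin/klogd and unexpected SUID files come down to the same thing: comparing the machine against a record taken while it was known good. The script below is an added illustration, not tripwire and not code from anyone in this thread; it records mode, size and SHA-256 of every regular file under a directory and reports files that were added, changed, or newly carry the SUID/SGID bit (the record format and command-line usage are my own assumptions).

```python
import hashlib
import os
import stat
from typing import Dict, List, Tuple

# One record per regular file: (permission bits, size, sha256 hex). This is a
# hypothetical minimal format for the illustration, not tripwire's database.
Record = Tuple[int, int, str]

def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(root: str) -> Dict[str, Record]:
    """Walk root and record mode, size and hash of every regular file."""
    db: Dict[str, Record] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if stat.S_ISREG(st.st_mode):  # symlinks, devices etc. are skipped
                db[p] = (stat.S_IMODE(st.st_mode), st.st_size, sha256_of(p))
    return db

def is_setid(mode: int) -> bool:
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))

def compare(old: Dict[str, Record], new: Dict[str, Record]) -> Dict[str, List[str]]:
    """Diff two baselines. 'new_setid' lists files that appeared with, or
    gained, the SUID/SGID bit: what a manual SUID scan would turn up."""
    report: Dict[str, List[str]] = {"added": [], "removed": [], "changed": [], "new_setid": []}
    for p, rec in new.items():
        if p not in old:
            report["added"].append(p)
        elif old[p] != rec:
            report["changed"].append(p)  # mode, size or contents differ
        if is_setid(rec[0]) and (p not in old or not is_setid(old[p][0])):
            report["new_setid"].append(p)
    report["removed"] = [p for p in old if p not in new]
    for k in report:
        report[k].sort()
    return report

if __name__ == "__main__":
    # usage: integrity.py baseline DIR DB.json  |  integrity.py check DIR DB.json
    import json, sys
    cmd, root, dbfile = sys.argv[1:4]
    if cmd == "baseline":
        json.dump(baseline(root), open(dbfile, "w"))
    else:
        old = {k: tuple(v) for k, v in json.load(open(dbfile)).items()}
        print(json.dumps(compare(old, baseline(root)), indent=2))
```

Take the baseline from a clean install and keep the database where the host cannot write to it; an intruder who can replace ps can just as easily edit a database kept beside it.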

Re:I've been hacked.


For those interested parties, both NetGear and LinkSys produce a four-port
10/100 hub with firewall for high-speed-access users, at a cost of roughly
$130.  I'm sure there are other vendors, and you may find a better price
somewhere.

Later -

  T

Re:I've been hacked.


You might want to try one of the new DSL/Cable Switches that are being sold
(LinkSys, D-Link, NetGear, etc) that have built-in Firewalls($150-$250). You
also might want to find better firewalls($250+) that do "Stateful Packet
Inspection" for higher security.

I've also noticed that the beta versions of RedHat(7 Beta) and Mandrake(8.0
Beta 3) support automatic configuration of built-in software firewalls for
your system.

Cheers,
Patrick Carroll
Iocomp Software
http://www.iocomp.com

"Jon Shemitz" <j...@midnightbeach.com> wrote in message
news:3AC844BC.C7AF1ABC@midnightbeach.com...

> At about 11:30 (three hours ago, now) I started noticing serious
> activity on the DSL 'modem'. I wasn't doing anything and neither were
> the boys.

> I toggled over to the Linux machine, and system load was sky-high, in
> programs called pscan-bind, pscan-ftpd &c. I was trying to figure out
> what was going on, when the system hung. (I'd tried to get a properties
> box on my Gnome sysload panel applet, to see what the unusual color on
> the graph was.)

> When I restarted, I couldn't run `ps` as a user. (Lucky me, it was an
> inept hacker - or the system crashed at just the right time.) It had
> somehow been redirected to some program cutely named "adore". I got rid
> of `adore` and couple other similar files, and downloaded procps*.tpm
> from redhat and got my system back to normal. I think. I just found a
> "/sbin/klogd/" with a 4-1, 23:30 timestamp, and when I scan for
> SUID/SGID files, there are an awful lot of them.

> There's still a new directory that was installed at /usr/lib/lib that
> contains the pscan-* routines, a scan.pl script, and a bunch of other
> files that seem to indicate this is some script kiddy toy named "wu26".

> I changed my root passwd, of course, but I don't know how much good that
> will do - how did this thing get in in the first place?

> I have /etc/host.deny set to ALL: ALL, which I guess gave me a false
> sense of security. I thought I had a pretty restrictive ipchains config,
> but perhaps not:

> # 1) Flush the rule tables.

> /sbin/ipchains -F input
> /sbin/ipchains -F forward
> /sbin/ipchains -F output

> # 2) Set the MASQ timings and allow packets in for DHCP configuration.

> /sbin/ipchains -M -S 7200 10 60
> #/sbin/ipchains -A input -j ACCEPT -i eth0 -s 0/0 68 -d 0/0 67 -p udp

> # 3) Deny all forwarding packets except those from local network.
> #    Masquerade those.

> /sbin/ipchains -P forward DENY
> /sbin/ipchains -A forward -s 192.168.1.0/24 -j MASQ
> #/sbin/ipchains -A forward -i ppp0 -j MASQ

> # 4) Load forwarding modules for special services.

> /sbin/modprobe ip_masq_ftp
> /sbin/modprobe ip_masq_raudio

> # 5) (Experimental) Jazz JackRabbit 2 networking setup

> /sbin/ipchains -A forward -p tcp -s 0/0 10052:10054 -j MASQ
> /sbin/ipchains -A forward -p udp -s 0/0 10052 -j MASQ

> --

> http://www.midnightbeach.com    - Me, my work, my writing, and
> http://www.midnightbeach.com/hs - my homeschool resource pages

Re:I've been hacked.


Stefan,
What I was referring to is the Coyote Linux floppy distribution.  What you
referred to as dead is a Windows-based disk creation wizard that has
been discontinued.  You can still get the Linux source and binaries with
a shell based configuration system.  I never used the Windows-based
wizard anyway.  So don't get the idea that Coyote Linux is dead.  It
isn't. ;-)

Stefan Hoffmeister wrote:
> Coyote Linux is dead, BTW: "Coyote Wizard project discontinued -
> 2001-02-16 00:34:21"; a nice-ish gateway solution might be Smoothwall -
> http://www.smoothwall.org/ - you'll have to deal with a project "macho",
> though, not with a project leader.

As for the rest of your post I agree, it's not a "cure-all" I still need
tight security on all my internal machines.  I do need to expose some
things to the outside world and adding an extra security layer was
helpful to me.  Just my experience.

Re:I've been hacked.


"Patrick Carroll (Iocomp)" <PatrickCarr...@iocomp.com> wrote:

>You might want to try ...
...
>I've also noticed ...

I really hate to spoil everybody's party here. I have bad news for you.
All that firewalling - it's pointless as long as you have outside
services running.

All you need in order for an "exploit" to work is a publicly addressable
service. If that service runs with "root" rights, ooooooops. Busted! If
that (remote) service does not run with "root" rights, but still is
exploitable - and if you have locally root exploitable stuff on that
machine - ooooooops, busted!

The *only* thing you can do is

* Run as few outside services as humanly possible.
* Make sure that you are protected against every single known
  exploit against these services.


Re:I've been hacked.


> I really hate to spoil everybody's party here. I have bad news for you.
> All that firewalling - it's pointless as long as you have outside
> services running.

<< snip >>

You know.. My boss at one time tried to get me to install all the fancy
Cisco routers, firewall software, Built-In Firewalling switches, etc.. He
thought that by adding layers it would protect us.

I tried to explain that it won't matter how many firewalls you go through,
if you have a way to get through any of them (Webserver, etc) then they are
pretty much pointless.

He didn't listen, I got fired for not following his orders. Go figure.
(Turns out he crawled back 2 weeks later and doubled my salary, but that's
another story...)

-Luke

Re:I've been hacked.


James Van't Slot <ja...@vantslot.net> wrote:

>What I was referring to is the Coyote Linux floppy distribution.  What you
>referred to as dead is a Windows-based disk creation wizard that has
>been discontinued.  You can still get the Linux source and binaries with
>a shell based configuration system.

Since Coyote Linux has disappeared, there have been a few crucial
security updates to Linux.

If there is one thing that you *don't* want to run, then it is a
distribution that runs outside services insecurely.

Like Coyote Linux - inevitably - will do, by virtue of it being dead.

Re:I've been hacked.


Stefan Hoffmeister <Borland.Newsgro...@econos.com> wrote in message:
78jhcto7ohsi2d1fbckpkmusp8vkuuo...@4ax.com...

> "Patrick Carroll (Iocomp)" <PatrickCarr...@iocomp.com> wrote:
[...]
> All you need in order for an "exploit" to work is a publicly addressable
> service.

[...]
Maybe you would like to correct/reduce scope for that statement: [...] is a
publicly addressable service *implemented by code for which an exploit
exists*.

Just because a publicly addressable service exists does not mean it has a
vulnerability. You can try to bang on the "open" door on our network
(address upon demand), and I pretty much doubt you will enter anywhere but
where I have granted access. And still we have all sorts of inbound access
coming (and wannabe hackers all day long getting recorded, BTW). And, no,
there's no Centri, PIX, or like box involved.

Re:I've been hacked.


"Frédéric G. MARAND" <f...@osinet.fr> wrote:

>Maybe you would like to correct/reduce scope for that statement: [...] is a
>publicly addressable service *implemented by code for which an exploit
>exists*.

Not really.

The point is that any publicly addressable service potentially exposes
your systems to security problem.  The fact that for any given service
there is no known exploit *today* does not have any bearing on the
future.

If you installed, say, RedHat 6.2 a year ago and merely ran BIND on that
machine as a public service (providing DNS for your domain, for
instance) chances are that by now you are / have been owned. Back a year
ago, a pristine and correctly configured RedHat 6.2 could have been
considered "safe". Now it is not.

"Vulnerability to exploits" is a dynamic problem - and unless you have
really *trivial* code, it is extremely difficult, if not impossible, to
verify that your service is not vulnerable.

All you can do is set up a proper network infrastructure, pick
appropriate software to run the external service, and keep on top of all
security updates - *managing the risk*.

[BTW, I am not interested in discussing the merits of OpenBSD over Linux
(or whatever pet OSs you have) in this context - same problem, different
scale.]

>Just because a publicly addressable service exists does not mean it has a
>vulnerability.

True.

