LFS security problem: break-in

Paul Jensen pj at pcrentals.com
Wed Aug 16 05:18:45 PDT 2000


While i was on vacation, the lfs1 server was broken into and and the
intruder became root.  I discovered it the day I came back.

I believe it was by way of the ftp deamon.  I have posted the intruder's
files in a tarball in the /security directory (hack.tgz).  the log shows
that the cracker could not install the softwate correctly and gives
references to another server's ip address.  I have sent email to the
server's owner, but have not gotten any response.

As far as I can tell, no other files were modified.  I am asking the list
for any help or expertise with this problem.

This breakin shows me how easy it is to crack a server on the internet.
I was running wu-ftpd-2.6.  Bugtrak came out with a warning around june 23
and the break-in occurred while i was away on July 9, 18:38 central
daylight time or 16:38 pacific time.  Entries in the system logs were
erased in this time period also.

This raises an issue: how can we protect our systems from buffer overflow
attacks?  Firewalls will not prevent your server from beening cracked.

I believe these issues are more important than any other for LFS.  It
raises the main concern "why are we using lfs?"

Two possible solutions are Stack Guard (http://immunix.org) and lids
(Linux kernel based Instrusion Detection System).  This is available from
lids.org.  

I realize Gerard is probably too busy to incorporate this in his book, so
i will collect hints and problems concerning using these with lfs.

paul jensen
ftp/news/mail archive adm
www.pcrdallas.com


--
Mail archive: http://www.pcrdallas.com/mail-archives/lfs-discuss
IRC access: server: irc.linuxfromscratch.org port: 6667 channel: #LFS
Unsubscribe: email lfs-discuss-request at linuxfromscratch.org and put
"unsubscribe" (without the quotation marks) in the body of the message
(no subject is required)



More information about the lfs-dev mailing list