LFS security problem: break-in

Thomas 'Balu' Walter tw at itreff.de
Wed Aug 16 07:33:50 PDT 2000


+-Paul Jensen-(pj at pcrentals.com)-[16.08.00 14:38]:
> While i was on vacation, the lfs1 server was broken into and and the
> intruder became root.  I discovered it the day I came back.
> 
> I believe it was by way of the ftp deamon.  I have posted the intruder's
> files in a tarball in the /security directory (hack.tgz).  the log shows
> that the cracker could not install the softwate correctly and gives
> references to another server's ip address.  I have sent email to the
> server's owner, but have not gotten any response.
> 
> As far as I can tell, no other files were modified.  I am asking the list
> for any help or expertise with this problem.

Don't even think of that. I strongly suggest to get the machine off the
net and install it from scratch. Until you have a file-integrity-checker
like tripwire running on your system you will never now if she installed
any kind of rootkit or similar.

There is a doc about recovering you system at CERT:
http://www.cert.org/nav/recovering.html

> This breakin shows me how easy it is to crack a server on the internet.
> I was running wu-ftpd-2.6.  Bugtrak came out with a warning around june 23
> and the break-in occurred while i was away on July 9, 18:38 central
> daylight time or 16:38 pacific time.  Entries in the system logs were
> erased in this time period also.
> 
> This raises an issue: how can we protect our systems from buffer overflow
> attacks?  Firewalls will not prevent your server from beening cracked.

Absolutely not. Getting a secure system equals to reading all
security-announces (even from other distributions). Best way to do that
is using Bugtraq - a security-related mailinglist on
http://www.securityfocus.com. Did I say "a" list? It is THE list for
black/white hats that want to stay up to date with security. (and got
high mail-traffic-load...) Also you have to stay uptodate with your
software - install new versions and watch for security-patches...
> 
> I believe these issues are more important than any other for LFS.  It
> raises the main concern "why are we using lfs?"
> 
> Two possible solutions are Stack Guard (http://immunix.org) and lids
> (Linux kernel based Instrusion Detection System).  This is available from
> lids.org.  

It is also important to know what is going on - to think like an
attacker - a nice ressource for this is the famous "How to improve the
security of your site by breaking into it" - from the satan-coder (Satan
is an older "Network-Security-Checker" (was it Dan Farmer who wrote it?)
There are newer Vulnerability-Scanners available - Saint and Nessus e.g.
that check your (and other) network for vulnerabilities.
(BE WARNED - don't scan other networks - they will think you are an
attacker)

Other great articles are the papers of Lance Spitzner at
http://www.enteract.com/~lspitz/papers.html. He describes how an
attacker did his job and others... He often talks of snort - a
"Lightweight intrusion detection system" at http://www.snort.org.

I installed that software near the outgoing network-device on campus and
noticed that we are scanned for vulnerabilities about twice a day (3 or
more at the moment :(. I immediately track the noticed IP back to the
attacking host and write a message to the responsible person for that
network. Three of five answered me (since Monday) and told me that their
systems were rooted. They shut them down or block them at the router
(and install the system from scratch)

I really love the papers - 
Especially the "Know your enemy"-ones and "Armoring Linux". There is
also a "Linux-Administrators Security Guide" by Kurt Seifried
http://www.securityportal.com/lasg/ which describes in depth how to
secure your system.

     Balu
--
Mail archive: http://www.pcrdallas.com/mail-archives/lfs-discuss
IRC access: server: irc.linuxfromscratch.org port: 6667 channel: #LFS
Unsubscribe: email lfs-discuss-request at linuxfromscratch.org and put
"unsubscribe" (without the quotation marks) in the body of the message
(no subject is required)



More information about the lfs-dev mailing list