LFS security problem: break-in

Paul Jensen pj at pcrentals.com
Wed Aug 16 07:50:13 PDT 2000


>> As far as I can tell, no other files were modified.  I am asking the list
>> for any help or expertise with this problem.
> 
> Don't even think of that. I strongly suggest to get the machine off the
> net and install it from scratch. Until you have a file-integrity-checker
> like tripwire running on your system you will never know if she installed
> any kind of rootkit or similar.

Sorry if I was not clear on that - I wanted help with identifying and
understanding more about the attack, by studying the files that were
installed.  The tarball has quite a bit of info in it (hack.tgz).

I have verified all the files on the server, but still plan on replacing
it anyway with a complete, freshly installed system.

Thank you for a very well thought out email - I can see you are as
concerned as I am.  I already check bugtraq weekly and get ciac (cert)
advisories.  You have given me several excellent ideas.  Thanks

paul jensen
lfs ftp/news/mail archive admin
www.pcrdallas.com

> > This breakin shows me how easy it is to crack a server on the internet.
> > I was running wu-ftpd-2.6.  Bugtraq came out with a warning around June 23
> > and the break-in occurred while i was away on July 9, 18:38 central
> > daylight time or 16:38 pacific time.  Entries in the system logs were
> > erased in this time period also.
> > 
> > This raises an issue: how can we protect our systems from buffer overflow
> > attacks?  Firewalls will not prevent your server from being cracked.
> 
> Absolutely not. Getting a secure system equals reading all
> security-announces (even from other distributions). Best way to do that
> is using Bugtraq - a security-related mailing list on
> http://www.securityfocus.com. Did I say "a" list? It is THE list for
> black/white hats that want to stay up to date with security. (and got
> high mail-traffic-load...) Also you have to stay up to date with your
> software - install new versions and watch for security-patches...

> > 
> > I believe these issues are more important than any other for LFS.  It
> > raises the main concern "why are we using lfs?"
> > 
> > Two possible solutions are Stack Guard (http://immunix.org) and lids
> > (Linux kernel based Intrusion Detection System).  This is available from
> > lids.org.  
> 
> It is also important to know what is going on - to think like an
> attacker - a nice resource for this is the famous "How to improve the
> security of your site by breaking into it" - from the satan-coder (Satan
> is an older "Network-Security-Checker" (was it Dan Farmer who wrote it?)
> There are newer Vulnerability-Scanners available - Saint and Nessus e.g.
> that check your (and other) network for vulnerabilities.
> (BE WARNED - don't scan other networks - they will think you are an
> attacker)
> 
> Other great articles are the papers of Lance Spitzner at
> http://www.enteract.com/~lspitz/papers.html. He describes how an
> attacker did his job and others... He often talks of snort - a
> "Lightweight intrusion detection system" at http://www.snort.org.
> 
> I installed that software near the outgoing network-device on campus and
> noticed that we are scanned for vulnerabilities about twice a day (3 or
> more at the moment :(. I immediately track the noticed IP back to the
> attacking host and write a message to the responsible person for that
> network. Three of five answered me (since Monday) and told me that their
> systems were rooted. They shut them down or block them at the router
> (and install the system from scratch)
> 
> I really love the papers - 
> Especially the "Know your enemy"-ones and "Armoring Linux". There is
> also a "Linux-Administrators Security Guide" by Kurt Seifried
> http://www.securityportal.com/lasg/ which describes in depth how to
> secure your system.
> 
>      Balu

--
Mail archive: http://www.pcrdallas.com/mail-archives/lfs-discuss
IRC access: server: irc.linuxfromscratch.org port: 6667 channel: #LFS
Unsubscribe: email lfs-discuss-request at linuxfromscratch.org and put
"unsubscribe" (without the quotation marks) in the body of the message
(no subject is required)
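A minimal file-integrity baseline check of the kind Balu recommends (tripwire-style), as an added example that is not code from this thread: it hashes every regular file under a tree, then compares a later manifest against the baseline and reports added, removed and modified files. The directory tree and the tampering are constructed in a temporary directory; in real use the checker and its baseline only help if they are kept somewhere an intruder cannot alter, such as read-only media.

```python
import hashlib
import os
import tempfile


def build_manifest(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks, sockets, devices
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            manifest[rel] = digest.hexdigest()
    return manifest


def compare_manifests(baseline, current):
    """Return (added, removed, modified) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return added, removed, modified


def demo():
    """Constructed scenario: baseline a small tree, then tamper with it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    for rel, data in (("bin/ls", b"original ls\n"),
                      ("messages", b"Jul  9 18:38 ftpd: login\n")):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    baseline = build_manifest(root)  # in practice store this offline
    # Simulated intrusion: trojaned binary, new hidden tool, wiped log
    with open(os.path.join(root, "bin/ls"), "wb") as fh:
        fh.write(b"trojaned ls\n")
    os.makedirs(os.path.join(root, "tmp/.hidden"))
    with open(os.path.join(root, "tmp/.hidden/sniffer"), "wb") as fh:
        fh.write(b"x")
    os.remove(os.path.join(root, "messages"))
    return compare_manifests(baseline, build_manifest(root))
```

Run `demo()` to see the three lists; a real deployment would write the baseline with `build_manifest` right after the fresh install and compare on a schedule.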