Cracking All The Live Long Day & RH6/7 Worms
BoomMike writes "While the popular media drools over eWEEK magazine's contrived Open Hack Challenge, which offers modest cash prizes for cracking a carefully arranged network, real geeks can compete in the Honeynet Project's new Forensic Challenge, and pick up the trail of a hacker who cracked one of the project's Linux-based honeypots last November. Mount the file system images and pore through the IDS logs to figure out the who, what, where, when, why and how of the attack, and you can win a book. SecurityFocus has the story." In a closely related vein to the Honeynet crack, there's a story on C|Net concerning the "worm" that's a new popular exploit set with the script kiddies on RH 6.2/7 servers.
What if the guy knew it was a honeypot, and he wanted to get caught? What if he wanted you all to mount the file system images, so he could take over your computers? Maybe he'll use you all to mount a DoS attack on slashdot. Oh, the irony!
"I am a cipher, a cipher, wrapped in an enigma, smothered in secret sauce" -Jimmy James
I think Red Hat should put out a new 7.01 point release with all the security fixes included. If you're doing a fresh install today you actually have to download over 100mb of patches right after you've finished installing! While 100mb isn't anything these days it does take a little while and many newbies probably don't know about up2date etc.
It would be much easier if they provided updated ISO images (yeah I know I could make them myself, and someone else probably already has). Since Red Hat 7.1 is still a good way off, I think 7.01 would be a good idea.
Actually, a virus is not distinguished from a worm by its destructive capability, but rather by its method of propagation. A virus is a bit of code that has to be attached to an existing executable program so that it can be run and thus do its work. A worm propagates itself without requiring a "host" executable. The analog is to the biological world, where virii do not duplicate/reproduce except when they are in another cell.
BdosError
Complexity is Easy. Simplicity is Hard.
very valid point - so, is there a way to change that banner without the recompile? or, even just recompiling the thing to only change the banner should do this particular trick...
What does Honeypot want? Cheap forensic analysis on a cracked box?
Well if you want to try, have a read of the Nov & Dec Dr.Dobbs. It has a pair of articles about recovering deleted data and has pointers to useful tools.
Nice wagon circling -- you deserve the karma.
That having been said, a worm that targeted IIS4's FTP service and W2K's Print Server service, and had nothing to do with the usual Outlook/VBS/Desktop virus targets, would be treated to a 300 post flamefest on Slashdot, even if Microsoft had fixed the exploits months ago. Instead, we have 98 posts currently, most of them relatively demure.
I'm actually kinda surprised that "Red$at" is getting such kind treatment around here today.
That's because the advisory was issued before RH7 was released. By all accounts, the buggy wu-ftpd still shipped with RH7. It would be rather silly to issue security advisories for releases in the future, wouldn't it?
Edith Keeler Must Die
i think you misunderstood - the worm only patches the hole so that this rooted box won't be rooted by someone else anymore, thus keeping it for the original intruder... not so that the hole is just patched out of good will towards humanity...
The vulnerabilities being exploited have been documented since at least Redhat 4 days. That they have not been repaired and the packages updated is as inexcusable as the assorted Microsoft vulnerabilities.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Interesting ... In June of last year, my box got cracked using the exact same exploit, even down to the port 9704.
The machine that got cracked had nothing on it, it was just a test machine I was setting up.
When it was cracked, I thought the exploit looked pretty neat until I saw the same exploit over and over again. Damn script kiddie
Just slightly off-topic, but CNET doesn't have a "Rant" link so i figured I'd do it here :P
There are times when I really despise the media, and this is one of 'em. CNET apparently doesn't understand, or at least doesn't care to share with its readers, the difference between cracking a system and subjecting it to a DDoS attack. Yes, supposedly this new software being "tested" will keep your box from being cracked like a raw egg. But it doesn't, as CNET implies, protect said box from DDoS. Basically, the problem is that there are ignorant people writing these articles, and misinforming the public. But what can ya do?
Better to light a candle than to curse the darkness.
I think the key part was "and such".
:)
It's easy to turn a vulnerability into virus. Linux has vulnerabilities. All the vulnerabilities used to create this worm were fixed last October but people still need to install the new RPM before the fixes do any good.
Personally, I just type apt-get update && apt-get upgrade every couple days... That way all my programs stay fresh.
There have been what? 2 viruses {or however you wish to say it} for Linux or its apps.. anyone out there have a count of the number of MS viruses out there? I'll take those odds even if this one formatted my system rather than just closing the holes and looking for other systems with a less than attentive admin.
Question reality.
if you believe what this guy says on his summary of the worm.
here
Actually, you can disable echo in inetd, and you most likely should. Echo provides a nice DoS: one byte sent to it uses two (send and reply) on your net connection, and you don't really need it.
/*
*Not a Sermon, Just a Thought
*/
However, these are the same things that have vulnerabilities in MS-land, and usually patches have been out. How many times have bugs been found in the NT kernel? Isn't it usually IIS? That is an add-on service.
Engineering and the Ultimate
yep thats it jonny-5- has defeated the evil admins that have opened up "www.openhack.com" he has a constant dos held down on their shitty servers/internet line.. they cant handle the force of jonny-5- so openhack.com u guys can just fuck off
Actually, you don't need to re-install to get rid of it, as it doesn't actually touch any of your binaries. Just boot in "emergency" mode, then:
- rm -R /usr/src/.poop
- comment out the "asp" stuff in /etc/inetd.conf
- rm /sbin/asp
- change your passwords (an email was sent - not sure what the contents were)
- remove the "asp" line in /etc/rc.d/rc.sysinit
The ftpd hole was fixed for you, and you also need to make sure rpc.statd is turned off.
I'd also suggest you go through your logs so you can see who gave you the worm, so you can tell them that they've been 0wn3d.
Also, _all_ of your index.html files have been replaced by a ramen advertisement.
Engineering and the Ultimate
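The cleanup list above doubles as a checklist. As an added example (not from the post or from the worm's analysis), here is a small POSIX shell function that checks a filesystem tree for exactly those artefacts: the /usr/src/.poop directory, /sbin/asp, an "asp" entry in /etc/inetd.conf or /etc/rc.d/rc.sysinit, and index.html files replaced by the advertisement. The "RameN Crew" marker string is the one another poster quotes from a defaced page; that it appears in every replaced index.html is an assumption. Point it at a root mounted from emergency mode rather than at the running system, and treat a clean result as "none of the known artefacts", not as proof the box is clean, since another poster rightly notes that an intruder with root can leave things this list does not cover.

```shell
#!/bin/sh
# Added example, not from the post above: check a filesystem tree for the
# Ramen artefacts the post names. Point it at a root mounted read-only from
# emergency mode (e.g. ramen_check /mnt); the layout below that root is
# assumed to mirror a normal install. Prints each indicator found;
# exit status 0 means nothing found, 1 means at least one indicator present.
ramen_check() {
    root="${1:-/}"
    found=0
    # Worm working directory dropped under /usr/src
    if [ -d "$root/usr/src/.poop" ]; then
        echo "found: $root/usr/src/.poop"
        found=1
    fi
    # The worm's own server binary
    if [ -e "$root/sbin/asp" ]; then
        echo "found: $root/sbin/asp"
        found=1
    fi
    # The inetd service entry and the rc.sysinit line that re-adds it
    for f in etc/inetd.conf etc/rc.d/rc.sysinit; do
        if [ -f "$root/$f" ] && grep -qw 'asp' "$root/$f"; then
            echo "found: 'asp' entry in $root/$f"
            found=1
        fi
    done
    # index.html pages replaced by the worm's advertisement; the marker text
    # is the one quoted elsewhere in this thread ("RameN Crew"), assumed here
    # to be present in every replaced page
    defaced=$(find "$root" -type f -name index.html -exec grep -il 'RameN Crew' {} \; 2>/dev/null)
    if [ -n "$defaced" ]; then
        printf 'found: defaced index.html:\n%s\n' "$defaced"
        found=1
    fi
    return $found
}

# Run against the tree given on the command line, if any
if [ $# -gt 0 ]; then ramen_check "$1"; fi
```

Run it as `sh ramen_check.sh /mnt` after mounting the suspect root under /mnt; every indicator it reports maps to one line of the cleanup list above.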
Actually, it is destructive - it replaces _every_ index.html on your system with an advertisement for Ramen.
Engineering and the Ultimate
I think the problem is that most people confuse the "potential" for better code, with "automatic" better code. Just because I release the source code doesn't make it secure. However, you _can_ find programs that have been secured. Open-source does not remove the need for security-conscious people, it just gives them better tools. With source code, if you get 0wn3d, it's your fault. With proprietary code, it's the other guy's fault :)
Engineering and the Ultimate
Turning off services is much better than hosts.allow/deny.
The problem is that most of the distributions started out making an OS for Sysadmins, and they can't get it out of their system. Ever heard of a network exploit for Corel Linux? Why not? It's for users, and doesn't have _any_ services running. When someone clicks on "desktop install", that's what they should get. Then you don't have to mess with files like hosts.allow/deny, ftpusers, and stuff like that. If you want to run an FTP site, then you should know how that stuff works, but most desktop users don't even know that they are running an FTP site, and that is the distribution's fault.
Engineering and the Ultimate
Wow, you must be one rich SOB. The "moderate" sum for cracking the E-Week box is $50,000.00.
Moderate to you maybe, but a nice kick in the income ass to me.
KolinH
But then Microsoft have brought this venom on themselves by their anti-competitive practices, so MS loyalists should not be surprised at the venom that is directed at them. RedHat isn't particularly popular with the /. crowd either, but then there are plenty of Linux vendors to choose from, unlike in the Windows market.
If you mod this down, be a darling and mod the parent up. And vice versa.
Yes, although MS driving competition out of the web browser and mail client markets, combined with lying about the abilities of MCSEs makes a virus far more likely to spread as the desktop is virtually the same everywhere and the servers are less secure. That isn't a problem with the OS per se, but more a problem with a lack of competition in the market.
Someone was nice enough to put warez on my ftp site (moved from DSL on a small local provider to @home, and got a real job, so I was not watching hard).
Been watching the IP's trying to connect through the firewall log, and came upon a site that was now obviously cracked, with the "RameN Crew--Hackers looooooooooooove noodles."
Sent a message to the abuse contact, but never heard back. Many of the IP's attempting to connect have been cracked.
Maybe we should put a few more honeypots out on the big cable and DSL providers.
Are you sure they kept the holes open? Wuftpd is fixed out of the box for 7.0 and there is an update for LPRng.
The "myth" isn't so untrue. Remember, you have to have vulnerable versions of rpc.statd and wu-ftpd installed/running for this 'worm' to gain access to the machine. That's really the system admin's fault for not keeping up to date.
Linux and other *nixish OSes are fairly "virus-resistant" (no OS is "virus-proof") as long as you don't run the virus as root, apply the patches for known security issues, and basically do your job as a sysadmin...
Do you like German cars?
That AC and SealBeater both had extremely good points. A worm is totally different from a virus anyway. (I replied to the guy's post that *nix was virus-resistant being a myth, not that *nix was worm-resistant. ;))
I don't even think something like this would even require special privileges unless the machine was extremely restricted...
Do you like German cars?
This is an interesting ecological approach to the security problem though. :-)
A worm that has the sole job of wandering around and fixing the exploit wherever it finds it and using the box for a little while to find other exploitable boxes, then moving on.
Need a Python, C++, Unix, Linux develop
For several reasons, this seemingly-great "set a worm to fix a wormhole" idea is NOT useful.
For starters, consider this scenario:
1. You know your machine is vulnerable, so you check out its wu-ftpd and rpc.statd binaries and the various logfiles. Whoa, there are worm tracks here! How do you KNOW (not just suspect, KNOW) whether the "bad" worm or the "good" worm was here?
2. Assume that the "good worm" has been coded to announce and identify itself. A) Most victims won't be able to judge whether to believe it, and B) the forthcoming "bad worm variant 2" will pretend to be the "good worm" anyway, so the ID cannot be trusted in the first place. The "bad worm variant 3" will be even better at hiding its damage while pretending to be the "good worm".
The net result: Systems hit by the "good worm" will have to be cleaned up and rebuilt just like systems hit by the "bad worm", unless the sysop/user is too clueless to notice the presence of either one. Thus, the "target audience" for this hypothetical white-hat is limited to clueless users who haven't already been hit by the "bad worm". To say nothing of the lawsuits unleashed by offended sysops who had to clean systems "your" worm "attacked".
"My strength is as the strength of ten men, for I am wired to the eyeballs on espresso."
That may be true... *shrug*.. I keep forgetting I've got +2, I spent so long at 1... (and I'll be back there soon at this rate... :)
But oh, what a ride... burn, karma, burn.. :)
If it ain't broke, it doesn't have enough features yet.
If this were a Microsoft product, many slashdot readers would start saying "This is what you get" and "M$ sucks!"
:)
In reality, most security issues with Windows are of the same ilk: Admins that haven't a clue as to what they are doing and manage to fsck everything up and leave holes wide open.
Next time you read about some hole in Windows, or are tempted to say something smug about Windows 2000 security: Just remember this.... Nobody likes a smart ass, especially a hypocritical one
-
The IHA Forums
Natural != (nontoxic || beneficial)
Maybe make it more damaging... maybe have it report the hacked IP #'s via IRC, or some other medium... And also have it open up a few other holes on each system, before it goes along its merry way...
I shudder each time I think about this happening to all of the unsecured RH 6.2/7 boxes set up on all of those cable modem/DSL lines out there. (High bandwidth availability + unsecured box = Nasty Mess)
A few friends of mine run default RH setups on their DSL lines.. I might be overreacting, but I sent a few panic-stricken emails out to them with links to the worm's analysis, and links to download the patched RPMs.. (plus a personal rant about setting up IPCHAINS, and such..)
Call me a worrywart, but I really don't want to see this thing get out of hand...
http://thepoliticalgeek.com/blog/ Politics for Geeks.
This wu-ftpd bug was widely reported in June and observing system admins plugged it already. According to CERT's security advisory older versions of proftpd also required updating.
Perhaps you should read the article before you post such flamebait.
I'm confused, people. Which one is it? Yes or No for hack contests?
Cue The Sun...
- WU-FTPD format bug
- rpc.statd format bug
- LPRng format bug
Crispin----
Crispin Cowan, Ph.D.
Chief Research Scientist, WireX Communications, Inc.
Immunix: Free Hardened Linux Distribution
I've helped lots of people get to Linux actually. They do need their hands held until they can get the hang of things. It's not intuitive for most people to immediately install an operating system and come to the realization that the first thing they must do is secure it. This is a problem that seriously annoys me about Red Hat and some other Linux distros, as people should only need to learn about securing services if they want to run them. When I first learned Linux back in 96, I was running a horribly insecure system with every service running. I didn't even know how to update it. It pisses me off that Linux vendors don't accommodate new users who don't know better yet.
But what I really don't understand is why you're upset.
---
When I first decided to leave my box on 24-7, and connected to the Internet, I was naive enough to think since I had nothing important to offer, no one would bother hacking it.
I got hacked though through the Wu-ftp bug, which I was aware of -- but like I said, I didn't think anyone would consider my stupid box worth attacking. Fortunately, they didn't do much damage. They deleted the /usr/bin directory, then appeared to have left.
I deleted all accounts and changed passwords just in case it was more than just flexing muscles. I think they just wanted to take it offline, since it was running an Eggdrop on IRC. I'm glad they did it though, and that they kept trying to break in for weeks after that (I could tell from looking at the logs.) It helped show a newbie what to do and what not to do. I would have been a lot more upset though if they deleted some of my important data.
Thanks for the information. Now that I know what to look for I can check out the few systems that I have installed.
I won't need the perl program as I'll fix any holes that may be open.
I have discovered a truly marvelous sig, unfortunately the sig limit is too small to contain i
Yes you are, new users. Sure, you and most people here know all that stuff, but frankly I didn't even know there /was/ such a thing as a hosts.allow or a hosts.deny file until someone started scanning my system. I wouldn't have even noticed if not for something on SlashDot talking about IPchains. I turned it on and wow.. the things I discovered. I did a full reload in case I had been cracked and re-set up; I found out about the hosts.allow and deny so I tried to set it up. Unless you already know what you are doing it is rather hard to find out the format the two files need to be in. Let's face it, a lot of clueless people are getting into Linux and I was one of them. We need to put out something that covers the things people here assume everyone already knows. I thought I had my system closed through the deny and allow files for a week before I discovered that I had the wrong format and they were doing nothing. I have corrected it now, but thanks to this ramen problem I have discovered that I needed to do more {no I haven't been hit.. I at least know to keep up-to-date}. How many of you knew on your first install of Linux that you had to change the hosts.allow and the hosts.deny? How many of you knew the format to use? How many of you knew that you could add anonymous to ftpusers to close anonymous FTP? I know I didn't know any of this when I first started. I am learning and we need to stop bashing those that don't know and help them find out. Remember, even /you/ had to learn this at one time. You were not born all knowing.
Question reality.
My firewall is logging one or 2 attempts at port 111 each day, and slightly more attempts to access my non-existent FTP server ....
Has anyone managed to unsubscribe once they found your email?
I used to have a free subscription to macweek, which seems to be where they got the email address they use. They took it on themselves to take this as consent to receive eweek a couple of years later. I've emailed them demanding that they stop. I've sent abuse complaints upstream. Nothing seems to work.
For some reason, I doubt that firms that build their subscription numbers this way have enough of a clue to tell me anything interesting . . .
Look at the crack, it exploited wu-ftpd. Anyone dumb enough to run that program with pathetic security deserves to be cracked. Run something like ProFTPd if you need FTP, or even better, the Linux port of OpenBSD's FTPd.
Also, use a good distribution (like ROCK Linux). Or at the very least, Mandrake.
It's in rpc.statd and wu-ftp. More info at CERT
Best Slashdot Co
You forgot that if you have a real problem, you can't demand support from anyone.
You forgot that no one makes much money programming under Linux
You forgot that the reason there's been little hacking/virusing of Linux is because there are so few linux boxes out there compared to MS boxes. (this one's my favorite 8) )
Who the hell wants to base the future of their company on free software? Only morons.
I think that about sums it up.
The Game Guy
There goes the assertion/urban myth that Linux was proof against virii and such.
I would think a *horrible* vector would be one that alternated Windows/Linux targeting.
A Windows virus that targets Linux, transmutes itself, then looks for other Windows machines on the network.
Rinse, lather, and repeat.
Geek dating!
GPL Deconstructed
You never know what kinds of backdoors and trojans have been left behind when you were owned. Nor will your logs really help you, as root can change them however to cover his tracks.
Friends don't help friends install M$ junk.
LinuxSecurity.com is offering bandwidth to download the images at http://honeynet.linuxsecurity.com/
A project such as this does such a good job of exposing users to the methodologies of the black hat community. This is a great project for anyone who has ever been hacked or might be hacked in the future. It's an excellent idea to play with a compromised system to see what one looks like, what gets "messed with" and what needs to be fixed.
-mark
If your computer says LINUX, run...computers can't talk! [unless you have text-speech software]
if you have a real problem, you can't demand support from anyone.
Have you ever had a "real problem"? At my last job, about 1999, a whole string of win 95 machines blew up. Whose problem was it? It was our problem. What was the fix? Buy Win 98. Some support that was. I wish it was as easy as apt, downloading a patch, or even ordering a $4 CD. Oh yeah, about 1 man year's worth of work was lost between them all.
You forgot that no one makes much money programming under Linux
Life's a bitch. We can't all be like Bill Gates and fuck the world over. I'm happy enough making an honest living, how about you? I'd go into consulting if I were you. There are plenty of angry MS customers all happy to pay for your time.
Who the hell wants to base the future of their company on free software? Only morons.
Free software is the future. Get used to it or perish.
Friends don't help friends install M$ junk.
This worm has been discussed on the incidents (not bugtraq, as C|Net says) mailing list.
It's basically a bunch of existing tools snapped together by some brute-force driver scripts.
My analysis is at http://members.home.net/dtmartin24/ramen_worm.txt. Fifteen minutes of fame, here I come!
It's spelled "Red Hat". Would you please care to explain why you write that name with a dollar sign?
GNU/Linux. The Freshmaker.
I know about computers.
What would I want a lady for??
And while I'm on the subject, security is *both* product *and* process. Sure, I'd be stupid not to have the latest patches and train my users. But I'd also be better off not allowing them to use MS Outlook, and IE (remember the scripting bug that allowed one to catch a virus from simply browsing the web?)
---------------------------
'No rational religion claims "supernatural" exists, that's an atheist slander.' - seen on slashdot.
/. is a commercial entity. goto slashdot.com
What makes Windoze a popular target for virus and worm hackers is its popularity. Since the popularity of Linux is growing (RH in particular, as the distro most well known outside the hacker community), it was only a matter of time until someone started exploiting security flaws that plague non-experienced users/administrators.
The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
Because it's generally easier to sell someone a security system to keep your house from being broken into, than a camera that will only tell you where they went after they left.
If this was a story about MS2000 or something, it would be full of comments about how crappy it is. Now it's a story on Linux, and all anyone can talk about is how "it really isn't that bad" and "worms happen." It "really isn't that bad" because it wasn't made to destroy anything--odds are, the next one will be.
-- Hobbits suck!
Cracking All The Live Long Day & RH6/7 Worms
;)
The title immediately conjured an image of internet worms, self-replicating, and using host machines to number crunch (in the distributed.net case, "crack"). Imagine a Seti@home or distributed.net worm.
Now *that* would be a decent worm.
"Why are these processes eating up all the CPU! Why are they talking to setiathome.ssl.berkeley.edu!"
It's 10 PM. Do you know if you're un-American?
I still don't understand why every network service isn't turned off by default. If you need it, you better know how to keep it secure. If you know how to keep it secure, chances are you know how to turn it on.
AFAIK, any normal RH Linux box needs these system services:
crond
keytable
random
syslogd
xfs (if running X)
A box with this config, according to "netstat -l", has no externally open ports except echo. The only exception to this is when running X: port 6000 will be opened (personally I firewall this).
The only thing that MIGHT want to be turned on by default is SSH. But there's really no reason that the user shouldn't have to do even this themselves.
The problem is obviously the entry-level Unix/mid-level MS users who are starting to use Linux. They need their hands held. So put a $!@#$ memo in the installer that says to read "services.txt" or something to get your system services going. Or, perhaps RH should open a web browser with a "Configuring Services" FAQ when you login to X as root (most people do this, annoying enough).
---
I think I've got a moderator following me around with an itchy finger on the "Overrated" trigger.
Take heart, brother. :)
If it ain't broke, it doesn't have enough features yet.
When are the distribution makers going to learn? wu-ftpd is riddled with bugs and security holes. Why does something like this come standard with the world's most popular Linux distribution?
(Ideally it would come with proftpd, but with it disabled out-of-the-box...)
Differences to be noted:
1. Problem is presented quickly and fully.
2. Problem can be prevented by changing text based config files.
3. Problem can be patched at no cost.
4. No cost was incurred to begin with. Who wants to bash volunteers?
5. Reinstall will not subject you to licence keys, bogus copy protection schemes, and outright adverts like, "Everything you do will be easier and more fun. Be sure to register today!"
The ranting seems to be all yours. Get thee hence, MicroTurd.
Friends don't help friends install M$ junk.
The bad news is that it only contained the fixes for rhnsd (up2date). It would be nice if RH would continue to include full-fledged Errata CDs, rather than rely upon up2date, but I have a feeling that this was a one-time thing. Kudos to RH for stepping up, though.
Ideally vendors would include pre-patched distributions when new disc manufacturing runs are ordered. The primary example I'm thinking of is Microsoft: it would have been nice for MSDN to include a Windows NT 4 SP 6 full install disc, rather than require you to install NT 4 and then service packs. (You can't even run Windows Update since NT4 includes IE2.0!)
these same types of vulnerabilities into their products time and time again. It's one thing when a vulnerability is truly ORIGINAL, but 99% of these are derivative and much older vulnerabilities that could have been detected IF someone checked for them. As a product of carelessness, sure it can happen, but for supposedly legendary "peer review" where thousands of programmers are supposed to check, it should RARELY ever happen. Yet RedHat and most other distributions never fail to release a new distribution with at least 5 remote vulnerabilities, many with the same services--over and over. I'd at least expect RedHat to check....
Oh well, I've got to run. I believe in the POTENTIAL for Open Source to be a mechanism for secure code (at least for certain TYPES of code), but it's generally not happening today.
RedHat claims that the wu-ftp bug (RHSA-2000-039-02) only affects RH5.2 and RH6.2
-no broken link
/me raises my hand
When did the $50,000 they're offering for the person who can crack the system not be worth it? Truth be known, I would probably be working on it if I had those kind of skills. (Sorry boys and girls, I do data analysis.) What's a security cost anyway? And if you're a part of a company how much do you think you would actually make from it? (Independent contractors would also be helpful.) But still, it's $50K! Seems like a lot of folks' stock options would be so far underwater that it would be worth it.
i was just checking through my logs, and noticed some ftp attempts from random sites... fortunately, the logs showed the following:
/usr/sbin/in.ftpd: No such file or directory
error:cannot execute
lol, that'll show em. why no ftpd? beats me, but its just as well.
my $.05
Why bother with any wu-derivative when there are perfectly good non-wu ftp servers like diku-ftpd from the *BSD neck of the woods. W. Venema even has a tcp-wrapper-ized version that disallows third-party port commands. You can get it in his logdaemon package. Works great, is easy to run in a chroot tree, and does not allow anonymous users to read anonymously uploaded files. I don't know how many times 133t kiddies have tried to create hidden directories under my pub tree, only to find that the server sets perms to ---x-rx-r, and they can't cd into it. Snicker.
Edith Keeler Must Die
I got cracked via wu-ftp, and the cracker annihilated the logs in an effort to conceal his tracks.
So when I looked at the log at random one day and realized it was *much* smaller than it should have been (1 login from me and nothing else. No backups). Geez...
at least try kids...
I cut my teeth at being a sys admin at an ISP with BSDi servers. I must say that BSDi 3.0 would set up with all sorts of services that you would never use, in much the same manner as Redhat 6.2, but it seemed to require minimal patching and I do not recall the deadly exploits that script kiddies employ against Redhat. Maybe the BSD code is just of a higher quality, maybe there is something to security through obscurity (as BSDi does not have the numbers Redhat has, nor is its code freely available). Well, enough of my ramble. I just wanted to mention that there is a port of BSD's ftp daemon to linux here.
Nope! I get the magazine free, and read it sometimes. They send me their email bulletins daily (which are identical to the mags), and I cannot for the life of me unsubscribe. Same with Inter@ctive Week, The Net Economy... all ZDNet publications. Happy unsubscribing!
-- Nerds on toast in the new millennium
Hopping through CERT and eventually into Red Hat I found this. Fixes only for RH5 and RH6 (RH7 didn't exist at the time). I can't get to RH's FTP to check the status for wu-ftpd in RH7 right now, but their list of security advisories for RH7 does not mention wu-ftpd.
One moderator, so far, thinks I'm trolling.
Another moderator thinks I'm interesting.
Anyway, a virus/worm that spread in this manner, of alternating, would take advantage of a couple of common distributions.
Houses that use Linux in server environments with masses of NT boxes on the desktop. It would affect all members equally. I guess Macs and SCOs and BSDs would be discriminated against, in this case...
Geek dating!
GPL Deconstructed
In his analysis he says RH7's vulnerability comes from LPRng, not wu-ftpd. A patched version of LPRng is offered as an update by Red Hat here.
Yes, I know I'm an idiot for not patching/firewalling my system. However, I got hacked (note, though, the servers I maintain did not get hacked, even though I'm relatively certain it was tried). I love getting 0wn3d. Oh well.
Engineering and the Ultimate
Sad to admit I had a box cracked with the rpc.statd exploit. The box wasn't anything particularly special, in fact, it was outside the firewall and expected to be cracked some time. Not a honeypot but just a server we didn't care if it did get cracked. Nothing seemed to have come of it and the box has since been rebuilt but for the interested, here is the log file the crack generated as caught by Logcheck:
rpc.statd[443]: SM_MON request for hostname containing '/': *INSERT BUNCH OF CRAPPY CHARACTERS*/bin/sh -c echo 9704 stream tcp nowait root /bin/sh sh -i >> /etc/inetd.conf;killall -HUP inetd
There were a lot of funky characters in the middle that slashdot wouldn't take.
Check out Althea for a stable IMAP email client for X. Now with SSL!
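The Logcheck line in the post above is a good detection signature in its own right: rpc.statd itself complains when an SM_MON hostname contains a '/', and the exploit's payload carries a shell command that appends an inetd service on port 9704. As an added example (not from the post or from Logcheck's own rule set), here is a two-stage shell filter that pulls such lines out of a syslog file, tried against a constructed sample log whose attack line is shaped like the quoted one with the raw format-string bytes replaced by a placeholder. The syslog timestamp and hostname prefix are assumptions about the log format.

```shell
#!/bin/sh
# Added example, not from the post above: a Logcheck-style filter for the
# rpc.statd line quoted there.
# statd_alerts FILE -> prints the suspicious lines; exit 0 if any, 1 if none.
statd_alerts() {
    # Stage 1: rpc.statd's own complaint about a '/' in an SM_MON hostname.
    # Stage 2: keep only lines whose "hostname" carries a shell, an
    # inetd.conf write or an inetd service definition ("nowait root"),
    # which is the shape of the crack the post shows. A '/' alone is
    # abnormal but noisy; stage 2 is what is worth paging someone for.
    grep "rpc\.statd\[[0-9]*\]: SM_MON request for hostname containing '/'" "$1" \
        | grep -E '/bin/sh|inetd\.conf|nowait root'
}

# Constructed sample log for trying the filter offline. The second line is
# shaped like the quoted crack, with the raw format-string bytes replaced
# by the placeholder <bytes>; none of these lines come from a real system.
make_sample_log() {
    cat > "$1" <<'EOF'
Jan 15 02:11:03 host rpc.statd[443]: statd started (constructed line)
Jan 15 02:13:17 host rpc.statd[443]: SM_MON request for hostname containing '/': <bytes>/bin/sh -c echo 9704 stream tcp nowait root /bin/sh sh -i >> /etc/inetd.conf;killall -HUP inetd
Jan 15 02:13:18 host inetd[98]: reloading configuration (constructed line)
EOF
}

# Stand-alone run: with no argument, filter the constructed sample;
# with a file argument, filter that log (e.g. /var/log/messages).
if [ $# -eq 0 ]; then
    tmp=$(mktemp)
    make_sample_log "$tmp"
    statd_alerts "$tmp" || echo "no rpc.statd exploit attempts found"
    rm -f "$tmp"
else
    statd_alerts "$1"
fi
```

The third sample line (inetd reloading its configuration right after the statd line) is the follow-on event to look for by hand: the payload ends with `killall -HUP inetd`, so a statd alert followed by an inetd reload, and a new listener on 9704 in `netstat -l`, is the sequence that confirms the attempt succeeded.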
My former employer got hit with it towards the end of December. Not the quickest cracker in the box. The logs were left untouched, no clean up. He added himself as a user called "cgi" with root access; however, we had no use for cgi on the box. He became root and cleared up the /root/.bash_history file, thinking he was being slick and wiping his trail. However, what the moron forgot to do was get rid of his own (cgi's) .bash_history file. Everything he did was listed there, complete with clearing root's history file and more.
Oh yeah, let's not forget the line on bootup saying we've got a root-kit installed.
Dammit, we couldn't even get a smart cracker. Something to make life interesting. We get a kid who got an iMac for Xmas because his parents thought it was cute and d/l'd some kits from online.
--Dave
I know it's been discussed before, but wouldn't it be useful for someone to hack the worm to run around and close up the security holes without damaging the system? It could use an exploit to gain root, rpm -U the packages, do a bandwidth-limited scan for 24 hours and then clean up after itself.
It's pretty sloppy for RH to leave security fixes for these holes out of 7.0, but anyone running a server on a high-bandwidth line should probably know enough to get security updates frequently. Nobody deserves to get hacked, but you need to expect the worst as a sys admin. Leaving the default install on a server is absolutely amateurish.
From hell's heart I fstab at /dev/hdc
I expect this'll get modded down, but...
It seems that the RedHat exploit is at least as big a story as the Honeypot project. While they're both 'cracker' related, one is an opt-in research project and one is an advisory news item.
Don't they deserve separate top-level stories to clear it up? This isn't some downgraded Slashback or quickies thing. Both deserve their own thread.
Or is it just negative news about a pet issue, getting swept into a little dark corner at the end of something else?
I agree with the other comment. Problem is for newbies.
What I don't really understand is why all distros ship with (x)inetd activated in runlevels 3 and 5. This is old and completely useless stuff for 95% of users. It opens a lot of ports under 1024, and accumulating open ports is, in security terms, accumulating problems...
And who cares about finger, talk and so on nowadays ?
This forensics challenge isn't about "how the box was cracked"; it was a honeypot with a default install of RH. The HoneyNet project themselves said they expect systems like this permanently on the net to have a half-life in weeks. To be frank, I don't think anyone cares about the "how" or the "why" in this case; it's a detail.
What it's actually about is education for systems forensics. I started getting interested in this about six months ago, reading background stuff, learning about some of the tools and polishing up incident response strategies...
What's my biggest problem? Well, we haven't had a system cracked yet (I'm sure it'll happen some day, so that definitely isn't a challenge), but that means we have no way to practise system analysis after an intrusion.
Fine it looks like the rpc.statd exploit - what happened next - should you check for other infected systems nearby? What toolkits does this attacker use and how can you ID them quickly? If you come to a suspect system without the snort trace what do you look for? How do you interpret the output of forensics tools (i.e. TCT)? What are the account names to watch for?
These are all questions I couldn't answer right now, and unless someone has direct experience of forensics I doubt they can *really* answer those questions either.
I posted a message to forensics@securityfocus.com a while ago looking for small images of cracked boxes - no dice.
I thought about setting up my own default install (possibly under plex86), cracking and root kitting it and then performing an analysis (I never did get around to it in the end as I'm in the process of moving jobs and have tonnes of stuff to sort out to do with the relocation - I'd probably have come back to that in 6 months).
My point is that there is plenty of info out there on systems analysis/forensics, but this is the first exercise I've seen. Knowing about tools is fine, but without direct experience it's not really that good. Do *you* really want to start learning about forensics 8 hours after your system's been penetrated?
The output of this challenge is an insight into the methodologies available to analyse a system, along with the original images so that they can be worked through. I intend to work through them in several ways:
1. I'll put the images on a clean system and analyse them from safety.
2. I'd like to install them on a host (re-create the cracked server) and then boot from some emergency recovery disks. This is probably a more realistic scenario... it might also tell me which utilities I'm "really" going to miss on those distros.
In my humble opinion this is the most important thing the honeynet project has done to date - logs of kiddies on a rooted box might be interesting but they don't really tell us very much. I know they do more than this - but this is the first resource which is directly useful to sys-admins... I hope they intend to repeat the exercise with other host types (Win 95/98, Win NT, Solaris, HPUX, etc...).
This is a long term resource and I applaud it and I would recommend that any sys-admin take a look at the results when they are published.
Tom
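As an added example (not code from any poster or from the Honeynet Project), here is a small triage pass over a mounted image that checks for the artifacts the posts above describe: an extra uid-0 account like "cgi", an inetd.conf entry that spawns a root shell on a port (the rpc.statd payload), and the per-user .bash_history files the intruder forgot. The sample image tree is constructed in a temp directory and is not real evidence.

```python
import tempfile
from pathlib import Path

SHELL_MARKERS = ("sh -i", "/bin/sh", "/bin/bash")  # what a bind-shell inetd entry spawns

def find_uid0_accounts(root):
    """Names of accounts in etc/passwd with uid 0 other than root (the 'cgi' trick)."""
    extra = []
    for line in (Path(root) / "etc/passwd").read_text().splitlines():
        f = line.split(":")
        if len(f) >= 3 and f[2] == "0" and f[0] != "root":
            extra.append(f[0])
    return extra

def find_inetd_backdoors(root):
    """(service/port, line) for inetd.conf entries that run a shell as root."""
    conf = Path(root) / "etc/inetd.conf"
    if not conf.is_file():
        return []
    hits = []
    for line in conf.read_text().splitlines():
        p = line.split()  # service type proto flags user server args
        if len(p) >= 6 and p[4] == "root" and any(m in line for m in SHELL_MARKERS):
            hits.append((p[0], line))
    return hits

def collect_histories(root):
    """Map account -> .bash_history lines; [] means the file exists but was wiped."""
    homes = {"root": Path(root) / "root"}
    home_dir = Path(root) / "home"
    if home_dir.is_dir():
        homes.update({d.name: d for d in home_dir.iterdir() if d.is_dir()})
    out = {}
    for name, home in homes.items():
        hist = home / ".bash_history"
        if hist.is_file():
            out[name] = hist.read_text().splitlines()
    return out

def build_sample_image():
    """Constructed sample image mirroring the thread's artifacts (not real evidence)."""
    root = Path(tempfile.mkdtemp())
    (root / "etc").mkdir(); (root / "root").mkdir(); (root / "home/cgi").mkdir(parents=True)
    (root / "etc/passwd").write_text("root:x:0:0:root:/root:/bin/bash\n"
                                     "cgi:x:0:0::/home/cgi:/bin/bash\n")
    (root / "etc/inetd.conf").write_text("ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd\n"
                                         "9704 stream tcp nowait root /bin/sh sh -i\n")
    (root / "root/.bash_history").write_text("")  # cleared by the intruder
    (root / "home/cgi/.bash_history").write_text("id\nrm /root/.bash_history\n")
    return str(root)
```

Run the three checks against the path returned by build_sample_image(), or against the mount point of a real image, and review each hit by hand.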
Whilst I understand that the box getting cracked wouldn't affect *you* too much (due to the protection of your firewall), this is *exactly* the sort of attitude that allows these huge DoS attacks (a la Undernet) to happen! Cracker gets in, installs script kiddie flood software of their choice, and then finds another poorly secured box that nobody cares about.....
It's a troll I'm sure, but I might as well point out that Redhat has up2date, which is similar to the WindowsUpdate service.
I love the smell of Karma in the morning
They (whoever they are) should arrange to have the winner(s) from the Forensic Challenge report on the Open Hack Challenge. The press from that would make one hell of a prize. That's the stuff dreams...err, careers are made of.
[ This space for rent ] - Your full service media whore