Slashdot Mirror
Forensics On a Cracked Linux Server
This blog entry is the step-by-step process that one administrator followed to figure out what was going on with a cracked Linux server. It's quite interesting to me, since I have had the exact same problem (a misbehaving ls -h command) on a development server quite a while back. As it turns out, my server was cracked, maybe with the same tool, and this analysis is much more thorough than the one I was able to do at the time. If you've ever wondered how to diagnose a Linux server that has been hijacked, this short article is a good starting point.
A Cracked Linux Server? Ha! He should live so long!
Why Slashdot would such obvious anti-Linux FUD is beyond me. Maybe the M$ advertising dollars are turning their heads.
The bottom line is that a LINUX SERVER CAN'T BE CRACKED.
Maybe this admin got his login info phished by Nigerian scammers, I don't know. The guy probably is wondering why his Ebay account has a bunch of negative feedback and his MySpace is all jacked up and hasn't put 2 and 2 together with that time he responsed to that clever email asking for the triple whammy of MySpace/Ebay/root on your servers so that you could clear the money transfer.
That or he didn't have his updates turned on and had an outdated BIND. And its not like BIND means Linux is unsecure.
Even not that the idea that Linux is crackable is laughable and not worht front page at digg let alone slashdot. You don;t see Technorait or Bruce Perens' site posting garbage like this ever so why slashdot editors can't see thru it i dont kno.
Where did the word forensics come from? This is the completely wrong approach if working forensically. Can slashdot please use not use sensational titles! "Analysis of a cracked box" maybe more appropriate.
* An exploit unknown to the public.
* A user accessing this server from an already compromised host. The attacker could then sniff the the password. It's a very good question, because if the guy was keeping his server up-to-date, then these two are the most likely scenarios.
On tools...it's important to note that in forensics on a Linux box, your friends are ethereal (for watching packets on open connections), netstat (to see what's listening), and strace (shows you what UNIX API calls a running process makes, which gives you very good idea about what's going on.)
Other tools: nmap may be useful for seeing what's going on with 62.101.251.166 and 83.18.74.235. The service detection options, in particular. Always do this on a sandboxed host. Something running in a VM might be useful in this regard.
Anyway, nice article. This is almost exactly how I proceeded when one of my own servers was hacked a few years ago.
My blog
I though even script kiddies knew unset HISTFILE... hmm...
Looks as if there was another way to crash his server...
sPh
Forensics has to be useful in court. This is not - it's tainted evidence. Now if they took the original disk out, copied it with DD or similar to a file and mounted it as loopback and worked on that, then that's a first start to a forensic analysis.
What was his setup? How did they access? And who had access?
Karma Whoring for Fun and Profit.
I have rkhunter on all of my machines, sends a nice email letting me know of any changes in system files.
Looks like the server is down for some forensic analysis following a break-in as well. Too bad. Wonder how they are going to do the analysis on the server without TFA?
http://www.sans.org/reading_room/whitepapers/honor s/1491.php?portal=ca149743c753474b2eff202cff878a48
Ill bet his root password was "password"... oh, wait, "password1" is the new norm now..
Time to put my tinfoil hat back on.
Have gnu, will travel.
You`re SURE that he wasn`t running Windows?
We had a cracked linux server at work one time and I took it upon myself to find out who did it. Long story short: some server monkey decided it would be a fun idea to ride his bike around inside the data center and smashed into one of the racks.
The server seems to be having ... problems with the load (maybe it got cracked again?), here's Google's cache:
: blog.gnist.org/article.php%3Fstory%3DHollidayCrack ing+http://blog.gnist.org/article.php%3Fstory%3DHo llidayCracking&hl=en&ct=clnk&cd=1&gl=us&client=fir efox-a
http://64.233.183.104/search?q=cache:TyrHbOqUhLgJ
Quality, performance, value; you get only two, and you don't always get to pick.
Bruce Schneier posted this a few days back. Consensus is that it's not that good an analysis, but that the attacker was even worse. Some discussion also of whether it is better to take the machine offline immediately (and risk alerting the attacker that he has been rumbled) or to begin your analysis with the machine still live and operational. I for one side with the 'shut that thing down NOW' faction.
Real Daleks don't climb stairs - they level the building.
Oh, I see, it's a clever DOS attack:
1. Infect Linux server of some guy with a blog.
2. Guy blogs about how he dealt with said infection.
3. Blog posting gets linked to on Slashdot.
4. Millions of computers attempt to access the blog, hence bringing down the server.
Don't you see? We've a socially engineered botnet!
(And please, for the love of all that is sacred and funny, don't reply to this and add steps for "???" and "Profit". It's just tired and completely not funny. And the clever little variation on that theme you're thinking about posting right now isn't funny either.)
I got hacked back in February - March 2001 time-frame. I made the mistake of setting up my Linux server as a router, and left my Samba and NFS shares active. This kind of info would have really helped me then.
No matter where you go... there you are.
Before everybody complains how he could have done the analysis much better I think it reflects quite well the approach a lot of people would use here. If my friend would ask me about a failing apache server my first reaction would not to dd the whole system.
Unfortunately the article is a little low on details about the running configuration. Ubuntu 6.06 seems like a solid distribution security wise, so where all current patches installed, was there a weak root password? Was root ssh login enabled?
It is quite lucky that the attacker was not really experienced and more or less just used the scripts he downloaded somewhere without knowing exactly what they were doing. Otherwise without anything like tripwire this might have gone unnoticed for quite some time.
The shell is a working Bourne shell
I knew it! Jason Bourne was involved in this!
j00'v3 b33n PWN3D! I 4M 3r337.
I think it's probably the fact that the owner of this system had the root password set to "GOD" as all good sysadmins do. The hacker's extensive experience hacking the Gibson made getting into this system a cakewalk.
Clearly, we as sysadmins should rethink the long-standing policy of setting all root passwords to either love, secret, sex, or god. Perhaps we should at least add another password to the list, like "unhackable" or something truly secure like that.
http://mirrordot.org/stories/36c2ae6afc0420241dbcc 88a56046a6c/index.html
You still don't know I 0wnz0red you teh hole t1m3?
/dev/null
Hahahaa, stupid kid. Check your log files @
God I feel smug _now_. But then again, I AM a Lunix user.
> Go back to play with your nintari. Press A to start and B to stop, you knows...
There's a few things which immediately spring to mind:
1. We already know that it was meant to be running Apache. Perhaps there was some PHP application which wasn't very secure? Even so, if that were the case then the exploit they used must have been fairly convoluted because it probably wouldn't have got them root access immediately.
2. We don't know what other services were supposed to be running, how/if they were firewalled and secured. SSH, for instance, is only as secure as the weakest password on the box - for best results you probably want to combine it with minimising the number of shell accounts, only allowing root access through private/public keys and using denyhosts (or similar) to automatically block bruteforce dictionary attacks.
3. We don't know how secure the desktop PC which was used to administer this box is. There is an awful lot of Windows-based malware out there - it wouldn't surprise me if there's more than one piece which looks around for when you start a connection to a host on port 22, enables a keylogger and sends the results back.
Linux has many local exploits and very little effort to fix them sadly. If you have 'regular' users, you need to keep cracklib hooked in to all password change methods and try to use john the ripper often on password files. OpenBSD has a likely safer userland, but in general local root exploits happen on many services that are necessary on a server. The best thing would be to have an OpenBSD jump server with no extra services/tools for users that can easily be monitored/rebuilt. Even better, expose daemon servers (apache,etc) by NFS only if users must touch their actual filesystems.
He was collecting a good bit of data there. If he pulled the drive out before doing that, he would of lost all volatile data, including possible info that hadn't been garbage collected. Granted, a dump of the RAM should have been his first command, since everything before it risks trampling de-referenced addresses.
If your going for a court case, your better off with the mountain of information than just a sheet of what really matters.....unless your the RIAA, then you make accusations at dead grandmothers.
How server was accessed in the first place is what I really want to know.
import system.cool.Sig;
Raise your hand if you typed "ls -h" on your box just to make sure it still works right.
Suuuure you are.
It's not wasting time, I'm educating myself.
Does rtkhunter send you a email when the cracker changes /usr/bin/rtkhunter so that it won't email you the attacker's changes?
If you think that rtkhunter will protect you from a Linux kernel module rootkit your completely delusional. NOTHING will _reliably_ locate a LKM rootkit. That's the point of it.
Think about it. Rtkhunter relies on the ability of the kernel to accurately indicate files sizes, file names, and running proccesses as well as a bunch of other little detail things that normal rootkit makers tend to get wrong. When that kernel is subverted and controlled by it's new owner to give rtkunter, as well as other processes (such as your bash shell) false information about the system then those things are completely worthless.
It's the same as virus scanning on Linux (or any other system). Once the attacker gets root access then they have access to the kernel. Once they have access to the kernel they can use the kernel against you to hide what they are doing. Since userspace runs on top of the kernel then any sort of activity can be hidden by making the kernel lie to anything running in userspace.
This includes logging daemons, rootkit detection software, administrators, virus detection, rpm checksums, or anything else that people use to give themselves a FALSE sense of security.
There are two ways to reliably detect a rooted machine.
The first way is to use a network-based Intrusion Detection System (IDS). One of the best ones is commercially supported open source application called Snort. These guys can be hooked up to networks in a passive and completely undetectable way and are used to monitor traffic. They will alert administrators to any unusual network activity.
Network based IDS can be fooled, but as a administrator your at least operating on the same playing feild since your own software isn't used against you.
The second, and more reliable way, is to use a checksum-style IDS. MD5deep, AIDE, or Tripwire are 3 very good examples of this.
However how people use these things are completely worthless. If you keep the checksums and run the checksum software on the same machine as the one your trying to detect, then it's not good. Since they rely on the kernel any kernel-level rootkit can defeat them and the attacker can edit and substitute incorrect checksums.
In order for stuff like AIDE to be usefull it needs to be ran from read-only media and from a different operating system then the one your checking. (for example booted up in a knoppix cdrom, or a removable disk in a dedicated unconnected-to-any-network 'Tripwire' machine)
Both forms of IDS are very expensive and difficult to correctly use. Virtual machines make this stuff somewhat easier, but it's still much better to have dedicated machines for these things.
rtkhunter is nice if it's job is to make you feel good. If it's job is to make sure your machine is secure then it's shit. (no offense to the rtkhunter authors, I am sure they understand it's role and effectiveness.. to bad their users don't tend to) It's only good for kiddies that don't know better and if your being owned by kiddies then you have bigger problems.
Does Ubuntu install selinux and a policy in a default installation, or is it necessary to add it later?
/tmp, lesson learned. But it was interesting to see selinux do its job and I'd be curious if it was utilized in this instance.
I've only performed one Ubuntu install and most of my experience is with Red Hat and Fedora linux distros. Fedora installs selinux with a targeted policy enforcing by default which I think is a good thing. I had an experimental Fedora web server with PHPbb installed which was comprimised via the PHPbb application but looking through the log files it appeared that selinux had thwarted attempts to root the box or setup a zombie to connect to an irc server.
Other than the mistake of an outdated PHPbb application I also made the mistake of allowing execution of code in
All of these will help only if it is cracked by amateur sr1pt k1dd10tz like in this case. If it is cracked properly you will not see anything or spook off the intruder. He will either go underground or destroy the box with all of your data (not that you should try to use it as it may have been altered).
I have seen a number of rootkits for Linux as far back as 97-98 which were considerably more advanced. It was a bit of an arms race between the admins (including me) and the guys who were breaking in. By the end the best rootkits could:
1. Load a whole hidden fs with tools into a ramdisk or hidden area on the filesystem not visible using normal tools.
2. Hide all sockets, processes and files belonging to the rootkit completely. You simply could no longer see them using netstat, ps and other similar tools.
3. Monitor network driver state for the promisc flag and "scrub" backdoor traffic out of it so it is no longer visible using tcpdump and ethereal.
4. Adjust memory totals and df so that you do not see them. This was also the only way we found to catch it. Try to allocate 95% of the remaining free memory and see the system oops magestically.
5. Doctor logs so that you could not notice anything.
6. The rootkit itself handled all connections via something that looked like ssh. I never managed to figure out how it loaded. One of the executables in the system loaded at startup was backdoored. Probably sendmail or one of the other daemons it could not do without.
7. The rootkit managed to masq changed files completely. Tripwire and md5sums were reporting all OK while executables were being changed.
That was a the tech level in 97. I would expect 10 years later a good rootkit to be even better. Looking at the blog post I can only laugh.
If you suspect a system is cracked:
1. Take it offline and take the disks out. Analyse the system completely offline looking at the disk from another system mounted as ro (on SCSI discs use the RO jumper). Never ever even try to start it. Nowdays knoppix is a great help. Most importantly - do not fsck systems before mounting as the rootkit may hide in orphaned areas which fsck will fix.
2. If you are monitoring traffic, monitor it on a switch span port or create yourself a simple multiple interface box which serves as a firewalling bridge (so you can hijack the more interesting bits and alter them). Lex Book PCs are a good choice as they can run either Linux or BSD and are as portable as a laptop. A recent Via with 2 Ethernet ports is also a good choice as it can handle up to 1GB of traffic across as a bridge.
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
"The definition of the word forensics is..."
No, that's A definition. Here's another
1 : an argumentative exercise
OP was wrong, and so are you.
I only go to buffets for the unlimited soft serve.
The 220,000 or so members of the Slashdot Members Who Post Authoritative Statements On The Inner Workings Of Microsoft To Support Their Arguments warmly welcomes you to the club.
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
Hey if it was a "racked" server to begin with, it was only one Letterman-gets-evil-off-his-meds move away from being "cracked" or "hacked".
The real "Libtards" are the Libertarians!
Security is very important to me, I can't be screwing around with something that can be so easily cracked.
Oh please twitter, please post in this thread and tell us all how this is Microsoft's fault. I can't wait for your explanation for this one!
If you suspect a system is cracked:
1. Take it offline and take the disks out.
And I've been told don't use the 'shutodwn' command--instead, pull the power plug out of the wall. A rootkit could include a cleanup routine that gets run at shutdown time.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
Screw it I'm switching to windows.
Correct. Always pull the plug out of the wall the moment you suspect that something is wrong. This is what I meant when I said - take it offline (my fault, should have written it better). If it is compromised the data on it is worthless anyway and you need to go back to backups so the loss of data from pulling the plug is trully in the "who cares" area.
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
Do not use if the seal has been broken.
Questions? Call 1-800-no-spell
You're nothing; like me.
Don't see any need to add another password quite yet. There's still 8,999,999,999 other names to choose from.
>love, secret, sex, or god Perhaps we should at least add another password to the list, >like "unhackable" or something truly secure like that. or what about "password" nobody would guess that?
A friend recently forced me to watch this movie. I can't believe I was depriving myself of it for all these years.
Kernel who?
Linux servers cannot be cracked. They may be borrowed every once in a while but not cracked.
He who said 1,000,000 monkeys on 1,000,000 typewriters would eventually type the great novel, never saw an AOL chat room
And disks have gotten very good in the last few years. I haven't seen any (immediate) data loss from hard power cycling/plug pulling in I don't know how long. A former co-worker used to turn her G5 off every day by pressing the front button. I saw her do this once and said (very nicely) "You know it's better to shut down from the menu, right?" and she answered "Yeah, I know you're not supposed to do that, but it's faster." She had been doing that nightly (or maybe just weekly) for a couple years.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
...good enough to identify the sonofabitch that cracked your machine so you can go and crack his balls with a baseball bat. Screw the courts.
--amazing, the captcha to type this is "offenses"
In computer security, 'forensics' has a well established meaning. Any computer security class will teach proper forensic procedures that preserve the trail of evidence for use in a court of law. As this is an article about computer security, I and the other posters naturally assumed the word was used in that context. This analysis is not proper forensics, and the evidence gathered would likely be inadmissible in court.
That was what was meant. You can argue semantics and definitions all you like, but anyone with even a few course credits in computer security will be unimpressed by your presumption and general lack of security related knowledge. Hell, even someone who merely spent a few days boning up for one of the security related certs will be amused.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
If you read the article though, you get to the conclusion:
The compromised could be caused by: An exploit unknown to the public. [or] A user accessing this server from an already compromised host. The attacker could then sniff the the password.
I'll give you two guesses at which one of these methods were used by the script kiddie who's mistakes are so well spelled out in the rest of the write up.
Security is only as strong as your weakest link. If you use an OS with a one in four chance of compromise, you have a one in four chance of giving away all of your passwords.
Friends don't help friends install M$ junk.
"That was what was meant."
No actually, it wasn't.
"You can argue semantics and definitions all you like"
And I'd be right, and there's nothing you can do about it. Funny how your kind always tries to make it into "semantics and definitions" when you're wrong, like trivializing what you're wrong about makes you less wrong.
I only go to buffets for the unlimited soft serve.
I have often wondered how people get away with this. However, your ability to detect where the shananigans were coming from was amazing! I really had no idea just how deeply compromised a machine can become in 2 seconds?! It's scary. I have often wondered how I can check my machine's status. Thanks for giving me a good start. God bless you for posting this. I've learned a mountain from this. Thank you.
because the Linux system was so secure that a third-party was able to sniff a plaintext password right off the wire. Judging by the article author's own writeup, and the experiences of others in this thread, I'm going to go with 'unknown remote exploit'. As another poster said it, "Don't be blinded by your religion".
PS, the word you were reaching for was whose. Who's is a contraction for either who is or who has.
I work in a large, low-end datacenter. Almost all the servers there are rented buy non-technical people, who for some reason feel qualified to run web hosting businesses. There are so many exploits going on there at any given time, we can't really do anything about it--especially as theoretically the customer is responsible. So when they call in because their server is running slow, we usually find a php hijack happening, tell them their server has been compromised, and suggest that they do something about it.
It's pretty appalling. We would need an army of sysadmins--an army which is currently employed already--to really do something about it. Most of what we see are primitive script kiddie hacks, but guess what--that's good enough, and rarely are the perpetrators hunted down.
Who knows what the more sophisticated hackers are up to!
expandfairuse.org
It's certainly a long time since disk heads had to parked manually - you shouldn't ever see damage to the disk itself from a power failure. The usual source of data loss is OS and drive controller caching.
I'm afraid that most software tools are not inherently better than those in 1997: most attackers, and even most successful attacks, are by script kiddies with tools. Even skilled crackers like Mitnick consistently make foolish mistakes. (In Mitnick's case, it was leaving messages mocking his victims and getting the FBI really, really mad at him,, angry enough to actually prosecute.) There are plenty of vaunted crackers who make other amazingly stupid mistakes, both programming and social.
The IRC-bot creators seem to be among the worst of the script kiddies. Frankly, IRC should go the way of open relays. Too much of the traffic is illegitimate to justify allowing it through any firewalls or any ISP provided system. It should be blocked even before non-ISP-server bound SMTP, simply for damage control.
Deception Toolkit. Learn it, love it.
http://all.net/dtk/download.html
Friends don't let friends run PHP.
“Common sense is not so common.” — Voltaire
6. The rootkit itself handled all connections via something that looked like ssh. I never managed to figure out how it loaded. One of the executables in the system loaded at startup was backdoored. Probably sendmail or one of the other daemons it could not do without.
:-)
I once had a machine compromised with very similar symptoms. It turned out that it was infected with a loadable kernel module rootkit. Back then I didn't even know that such beasts existed! However, I managed to find and examine it by compiling my kernel without module support, so the rootkit couldn't start. Originally I thought that the kernel was just acting weird and tried to configure it as simple as possible. When booting, it warned it could not load the rootkit module.
When I said 'that was what was meant,' I meant that the posters to whom you were replying were using the word forensics in the proper, computer security related context. You presume too much in assuming you know what others meant. Crow your triumphant pedantry to the world, it won't change the fact that we are all laughing at your utter lack of knowledge.
The funny thing is, even the definition you tried to apply does not fit. The term 'forensics', when used in the context of 'an argumentative exercise' means public speaking. Perhaps you've heard of the forensics club at your high school? Thats what 'forensics' means in that context. Looking up words you don't know in a dictionary and misapplying them does not make you seem wise.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
My previous employer was waaaay ahead of you. All of our systems in the field had the root password set to 'cat'. No way in hell was any snot nosed cracker going to try THAT three letter word.
I'll believe in corporations having personhood when Texas executes one... - advocate_one
There would be 'haha' and 'insecurebydesign' tags. The hypocrisy just shows how retarded you peons are and why the computing world will not take you serious (less than 7% desktop share for over 10 years straight for mac and linux each, and apache losing ground to IIS). Have fun making hysterical senseless replies, I won't bother checking since I know they're going to be retarded and the same crap that's been rebutted thousands of times. BK.
++
This article was junk, as you point out the state of play 10 years ago was already way ahead of this.
I always assumed lack of progress was caused by the kiddies discovering that a large install base of Windows machines was more profitable than the odd *nix machine that took a bit of work to get into.
feh.
I don't read your sig, why do you read mine?
I don't even trust Putty just because it *is* windows.
You are being MICROattacked, from various angles, in a SOFT manner.
Even though I'm not very strong using Linux; I am not smug! I desire to move to the Linux platform instead of Microsoft for many reasons( too many to mention, LOL! ). If Linux is really this insecure then what are you telling people? By posting your comment; are you no less smug than the smugees you claim to hurt by doing the things you do to their systems? I don't get it? I really want to make the transistion but this makes me think perhaps I should use a Mac instead? How can I protect myself from somebody like you and enjoy my computer? I'm just a regular user.
You forgot 'pencil' ;)
First thing you do is shutdown the server and boot from your CD drive.
From there you get out your archive copy of your RPM checksums, and you run a checksum test against that CD. The programs that don't match have been modified.
Thats the benefits of RPMs.
There's fuck all evidence that Windows had ANYTHING to do with the exploit. Twitter's just karma-whoring to make up for the smackdown he took this week.
Still think Linus Torvalds is a "M$" shill for not being as irrationally paranoid as you, Twitter?
We have numerous servers on various subnets and have learned a few elemental precautions to having more than one server cracked:
/bin/false;
1. Change the ssh port to something other than 22;
2. Use different root passwords on each machine;
3. Use selinux to block connections from IP addresses you do not control and to ports you don't want the machine connected to (like 6667);
4. If possible route all packets through a bridged machine which you can then use to monitor activities... be especially wary of IRC connections;
5. If you have email users set them up as nologin or
6. If you use ftp do not allow anonymous logins or, if you must allow connections, do not allow anonymous uploads;
7. Configure syslog so that it logs to several locations; and,
8. Use access lists on the routers to limit connections both in and out (including the new ssh port);
Crackers often forget to change lsof (list open files) and that utility can often be used (or reinstalled) to determine if a machine has been cracked and where the nasty bits are hidden.
No one ever had to evacuate a city because the solar panels broke!
I think Slashdot needs to stop acknowledging the fact that teh Lunix has no security.
It only emboldens teh enemy (i.e. teh MiKKKro$$$l0th). If anyone were to realize how teh Lunix's security is provided entirely by teh obscurity, teh entire house of teh cards would fall down.
A former co-worker used to turn her G5 off every day by pressing the front button. I saw her do this once and said (very nicely) "You know it's better to shut down from the menu, right?" and she answered "Yeah, I know you're not supposed to do that, but it's faster." She had been doing that nightly (or maybe just weekly) for a couple years.
On a G5 (and, indeed, most PCs anf Macs <6-7 years old) pressing the power button should result in a clean shutdown.
In my case the attacker did not leave the rootkit on the system. We never managed to find it.
We found a couple of backdoors now and then none of which was particularly fancy. For example sendmail had an extra command added which executed a shell, etc. So I suspect that he loaded the rootkit straight into memory over the network after accessing the compromised machine through the backdoor. As a result it was never present for forensics.
The most unpleasant bit was that he nuked the machine at the slightest suspicion of being observed.
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
Couldn't agree less. IRC must die. If you need a chat server for work you can always run jabber.
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
I have no idea why you say "Couldn't agree less" when eliminating most if not all IRC services is exactly what I meant. Open relay mail servers are relentlessly exposed, hounded, and blocked by most email servers.
But by the way, do not begin to pretend that most installations of Jabber are any better administered than most installations of IRC. Plain text passwords stored on the server is just an amazingly bad idea: it's almost as stupid as Subversion keeping your user passwords in plain taext in your home directory.
Would holding the power button for 5 seconds alert the root kit? Because that's what I normally recommend instead of pulling the plug. It would be a shame to damage the power supply just to shut down the computer.
Sorry, too high blood level in the caffeine subsystem when posting the GP. I was in absolute agreement. IRC must die.
As far as Jabber vs IRC vs the rest of the IM I agree they all suck and they can all be used for zombie control. You can write a BOT that logs in on yahoo, AIM or anything else you like. I used to have a Yahoo Messenger BOT that talked to a MON alert system and pinged me when something went apeshit in the network (you could also get network status and such). Writing it was quite trivial, unfortunately Yahoo changed the protocol and the underlying perl modules stopped working. Modifying that code for zombie control would have been trivial as well.
The difference IRC makes is:
1. Its tradition. It has been the stomping ground of 1337 wankers since the mid-90es. Gives cred to socially deficient people.
2. Ability for the user to gain some level of administrative control over a chatroom (aka channel) and exercise it to exclude everyone else from it so it can use it for its own nefarious purposes.
By the way, as far IM of any form is concerned it is also yesterdays day tech for BOTs. Newer ones build peer-to-peer networks and encrypt them. As a result finding the command and control center becomes practically impossible.
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
If I suspect something is wrong with my home machines and I didn't care to figure out what happened, I'd just revert the relevant virtual machine to a clean snapshot, disconnect the network connections and patch, restore data etc.
:). Once x86 hardware gets more efficient at running VMs (including IO), I think I'll run everything virtualized. You can't get away with doing that red pill, blue pill thing to my system if I do it first :).
If I did care, I could either suspend the virtual machine or make a snapshot of it.
Virtual machines are cool
If you don't run machines in a VM, I believe the proper way to do forensics is to pull the plug (not sure if attackers would tamper with fsync) then make a copy of the drive using hardware that is certified to block writes to the drive - there are few vendors about selling such hardware and software to go with it. Google should show up a few.
If you do it any other way, any evidence gathered could be considered suspect or tampered with by the defense, or you could accidentally destroy your evidence, or you could be allowing the attacker to destroy the evidence.
Doing what the chap did in the article is definitely not "forensics", anymore than stomping all over a murder scene while touching everything is forensics or a proper investigation.
Security is more than just making certain that your operating system is patched and up to date. Good security practices only start at OS updates. Look at your perimeter defenses. Are there ports that you could specifically block outgoing as well as incoming? Are you using a strong password? This article is not FUD at all. This could happen to any system where competent security audits and mesasures are not taken. In fact, this gives a junior admin some guidelines to begin the detective work of figuring out if a system has been compromised. Bottom line, this attack should not have happened as it likely was not done by a skilled attacker. A competent admin will also be aware of what is running on his or her machine and the open files. As a final note, once a system has been compromised, I could never trust it again without a full blown format and OS reinstall.
"When I said 'that was what was meant,' I meant that the posters"
Here's what you're not getting cunt.
I don't give a fuck what YOU meant. YOU are an imbecile, who consistently posts garbage and makes me what to scratch my eyes out after reading the nonsense you think is worth posting.
And in this case, you're exactly fucking wrong.
"The funny thing is, even the definition you tried to apply does not fit."
NO IMBECILE, THE FUNNY THING IS THAT YOU'RE SO STUPID THAT YOU THINK I WAS TRYING TO APPLY A DEFINITION. I WAS RESPONDING TO ANOTHER IDIOT WHO THINKS THERE'S ONLY ONE DEFINITION OF THE WORD, WHICH MY POST PROVES WAS WRONG.
WHICH WAS MY POINT THE WHOLE FUCKING TIME BUT YOU WERE TOO STUPID TO GET IT. I WAS TELLING HIM THERE'S MORE THAN ONE DEFINITION, NOT TRYING TO APPLY THE DEFINITION I GAVE.
Get it now you fucking moron? Do you understand why you should have kept your fucking loser mouth shut? Or are you too stupid to grasp that too?
I only go to buffets for the unlimited soft serve.
I dunno if English is your fourth language or you're 12 or what, but here's a tip: you sound like a moron. Stop saying things like LOL. Any post with 5 questions in a row should probably be rethought, especially if some of them aren't actually questions. Don't respond to arrogance with pathetically sincere and self-deprecating crap. Most importantly, don't even respond to posts like the one you responded to, as you clearly don't understand the mindset of the poster. You'll come to understand how people work as you listen to them more, but right now you clearly don't, based on the tone of your reply.
sync
sync
*pull*
Bush and Blair ate my sig!
Yes it can, because on many systems the hardware sends e.g. an ACPI event to the operating system when the power button is pressed. I don't know why pulling the plug would damage the power supply, but maybe that's possible.
examplehttp://www.example.com/example
The point of forensics is to provide legal evidience, and what he did wouldn't be useful in court. For this to count as forensics he should have at a minimium needed to image the server's disk(s). Then calculate and store the images md5 hashes, so he can prove the images haven't been tampered with. Then mount the images on a trusted computer and use a hardware write blocker. Then and *only* then should he poke around.
If any slashdotters are interested in actual forensics I highly recommend File System Forensic Analysis by Brian Carrier. Best part is the author only uses FOSS tools so anyone can follow along (in addition to pragmatic reasons).
There are 11 types of people, those who know unary and those who don't.
"Please have the courtesy as such not to cross my path again, for I fear I find you most distasteful and boorish."
YOU responded to ME you stupid fuck. We crossed paths because your reading comprehension sucks, and you thought it would be a good idea to respond when you didn't know what the fuck you were responding to.
Please do me the favor of choking to death on your lunch today, as the world would easily be a better place without you.
"You have proven yourself capable, without justification or reason of ad homeniem(sic) attacks (that's misspelled Latin, by the way) on others, for the simple justification of deflating what appears to be a small ego."
FYP.
Fuck off now.
I only go to buffets for the unlimited soft serve.
No, she pressed it and held it until the machine went dark.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
"Here's a clue for you: no one cares what you say."
You obviously do or else you wouldn't respond.
"I'm only responding because it amuses me to keep yanking your chain"
You'd have to start first. Your posts were serious until I S you TFU, then suddenly you're "yanking my chain".
"I bet you'll feel compelled to respond to this post, too."
You mean like you did when you HAD to post "you lose"?
Right, that was YOU yanking my chain.
"At this point it's not even about wining the argument, everyone knows I won several posts ago."
Was that the post where you lied, or where you posted a reply to an argument I never made? And how does either of those things "win" an argument that we were never having in the first place?
"It's about getting you to humiliate yourself in front of everyone."
You mean like you did when you argued a point no one ever made, or when you got told that you're an imbecile and started responding by "yanking my chain" because I hurt you widdle feewings?
"Here's the hilarious part: even knowing that, you will be unable to keep from responding to this post and humiliating yourself further."
You mean like you did when you posted a response to an argument I never made, or when I S you TFU and you got your widdle feewings hurt?
At any rate, if I were to "humiliate" myself with this post, that wou;d put me three humiliating posts behind you in this thread alone.
I can take it, can you?
And really, it's pretty obvious when I told you off, you got your feelings hurt. Go ahead and lie, but the tone of your post only proves it. Did you cry (yes, but you'll lie and say no).
And I LOVE how you use my "go ahead and reply" gimmick, but you should give me credit for using it, you know very well who you stole it off of and I'm a little sad that you use against me knowing you learned it from me.
I guess that makes me your master, since you're learning how to post from me.
I like that, when you respond, call me master.
I only go to buffets for the unlimited soft serve.
Dear Beautiful Mackenzie Morgan (an Actual Girl):
I'd like to sneak up behind you and start fondling you violently and then as you struggle to try to escape I'll take a scientifically-proven magic petrification ray from my bag and zap you with it, and it would first disintegrate all your clothing, leaving you gloriously naked, then it would start the process of transforming your body into marble, inducing in you a massive magically-induced which would be captured eternally as your body is turned into solid stone from the feet up to the head gradually, freezing your final moan of ecstasy as you become a beautiful, cold lifeless statue, but with your mind still alive inside the statue, aware of everything that happens to you. I would put you in display in art museums so that everyone could admire your spectacular naked & petrified teen body, then I would put you on a pedestal in my apartment and admire you constantly, and climb up on the pedestal and make love to your stony form, getting my penis raw & red from the friction, and covering your beautiful hard marble skin with my spooge, my beloved naked-and-petrified queen.
(NOTE: This is just a fantasy; I would not actually do this.)1
p.s. I like masturbating to your Blogspot picture.
This is a great object lesson to the public regarding the fact that Linux boxes can be hacked just as anything else can. We need more security training for everyone who will be administering a Linux system. Even if there is nothing particularly sensitive on your system, you do NOT want it being used as a bot! That said - for larger organizations, hosting a critical application on swarms of little boxes isn't the answer. I suppose there's a reason why some people might call me a "mainframe bigot." For large-scale applications that need extreme reliability and uptime, along with the least likelihood of penetration by hackers, host them on IBM "big iron." If you have a lot of *nix boxes of any flavor, you're going to save a ton of money by way of electric power, floor space, and support time by switching over.
http://twitter.com/1389 http://pownce.com/1389 http://www.technorati.com/people/technorati/1389 http://www.gleamd.com