PerlMonks

comment on
I know I may be beating a dead horse, but I am writing this to warn everyone about how we all play a role in security after I spent all day correcting a hack attempt. We all need to be security aware. Too many times we ignore security features that are preventable. We all fail to have other people check our code, pay attention to processes running. While we are still investigating, I want to talk about how easy this exploit was.

Basically someone got in the box and rootkitted inetd. This started a service called ingreslock. Once this process started, anyone could telnet to the port and get a pseudo root shell. With this shell ANY commands could be run remotely.

We were lucky, the guy couldn't type, ran a rm -r /var   /logs. After he wiped out that directory we couldn't log in. Fortunately he had just done this (checked our backups), and then we had the process of cleaning up and investigating this incident.
Now comes the fun part, the people I work with are running a complete analysis of all the servers on our network. So far we blew all of today doing the basics, restoring what we knew was corrupted, rewriting etc/passwd & shadow. In addition, several of us are going in at midnight and cycling all of our servers to make sure they are clean.

I am hoping we all will consider the following issues next time we log into a machine:
1. As perl writers, we have a LOT of power in our hands, how do you use that power? (The classic good vs. evil)
2. This could very easily have been ignored, fortunately this guy made a typo and zapped the wrong directory (would you know if your box was rooted?)
3. This was first put on the net over a year ago from the research that we did, how did this service get on our box a year later?
4. People often ignore security issues unless they involve BIND, while BIND can be very insecure, too many people bypass other exploits.
5. And lastly what role do you play in your systems security? (If you are a programmer/developer do you have code reviews so other people can strip your code apart and make sure you aren't doing anything risky? If you are a sysadmin are you checking your logs on a regular basis? Are you making sure these machines are not left compromised? Do you go off and get a cup of coffee with a root shell on your terminal?)

I hope this will make a few people think, no one intends to make a machine insecure, but how often do we all get lax? Skimming through a log file because we do not have the time? Doing an incomplete security audit because "They will never get past the firewall" (Substitute your favorite excuse here, you have all of mine :^)

UPDATE: See http://project.honeynet.org for some preventative steps.
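The backdoor described in the post is an inetd entry that answers a connection with a shell. The following audit script is an added example, not part of the original post or of any PerlMonks code: it parses inetd.conf-style text and flags entries whose server program is a shell. The sample configuration and the service names in it are constructed for the example.

```python
"""Audit inetd.conf-style text for entries that hand out a shell.

Added example (not from the original post). The configuration text below
is constructed: two ordinary services plus an ingreslock-style entry of the
kind the post describes, so the audit has something to flag.
"""

# Shell binaries that should never be the server program of an inetd service.
SHELLS = {"sh", "bash", "ksh", "csh", "tcsh", "zsh", "dash"}

# Constructed sample inetd.conf (service socket proto flags user server args).
SAMPLE_INETD_CONF = """\
# <service> <socket> <proto> <flags> <user> <server> <args>
ftp        stream tcp nowait root /usr/sbin/in.ftpd    in.ftpd -l
telnet     stream tcp nowait root /usr/sbin/in.telnetd in.telnetd
ingreslock stream tcp nowait root /bin/sh              sh -i
"""


def parse_inetd_conf(text):
    """Return (service, user, server_path, args) for each active entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment line
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line, not a usable inetd entry
        service, _sock, _proto, _flags, user, server = fields[:6]
        entries.append((service, user, server, fields[6:]))
    return entries


def audit_inetd_conf(text):
    """Return (service, reason) pairs for entries a defender should review."""
    findings = []
    for service, user, server, args in parse_inetd_conf(text):
        program = server.rsplit("/", 1)[-1]
        if program in SHELLS or (args and args[0] in SHELLS):
            findings.append(
                (service, f"serves a shell ({server}) as user {user}")
            )
    return findings


if __name__ == "__main__":
    for service, reason in audit_inetd_conf(SAMPLE_INETD_CONF):
        print(f"REVIEW {service}: {reason}")
```

Run against a real inetd.conf by reading the file into `audit_inetd_conf`; any entry it reports should be compared with a known-good copy of the file.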


In reply to ACKKKKKKKKK! I Have been cracked! by scottstef
