[CLUE-Tech] Hacker question

David Anselmi anselmi at americanisp.net
Fri Aug 1 10:09:11 MDT 2003


Mike Staver wrote:
> I have had 3 RedHat 7.3 boxes apparently compromised on my network this 
> week alone.

What evidence do you have from the boxes to indicate they've been 
compromised?  You might want to image the drives before you rebuild 
them, to preserve what evidence you have.  Probably you don't have time 
to do the forensics yourself but you might try calling a consultant.

[...]
> Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
> Host blah (xx.xx.xx.xx) appears to be up ... good.
> Initiating SYN Stealth Scan against www1.globaltaxnetwork.com (xx.xx.xx.xx)

Good thing you blanked out the IP ;-)

[...]
> Whoever compromised my machine, did it with only ports 443 and 80 open 
> to it through my firewall.

Perhaps your firewall has more open than that.  Have you tested it? 
Perhaps the attack came from behind the firewall.  Perhaps the attack 
came from a local user (much easier to compromise a machine from a shell 
account than over a network).

> I have no idea how this happened.  I have 
> the latest apache from RedHat, is that version susceptible to a buffer 
> overflow of some kind that I'm unaware of?

How quickly do you update the boxes after an errata is available? 
Perhaps the boxes were compromised before you updated to the latest. 
Staying up to date on security issues is difficult (the above mentioned 
consultant can help you find what you missed).  I usually just watch the 
RHN reports and decide whether they apply to me or not.  If 7.3 isn't 
supported anymore you'll just have to do the work to upgrade.

> And 
> what happens when these boxes get compromised is that my routers get 
> shut down because they are apparently ddos'n grc.com.  I see a lot of 
> ircd traffic on port 6667, and many other ports as well.

What does "my routers get shut down" mean?  Why does your firewall let 
DDOS traffic out from your servers?  You aren't clear about whether the 
6667 traffic is to or from your servers, but you could block that as 
well.  Might not stop the compromises, but could limit the impact.

[...]
> Besides upgrading to RedHat 9 on these boxes (which isn't an option 
> yet), how can I protect myself, and who should I report this activity 
> to?? I now don't get to go home tonite to spend time with my family, I'm 
> forced to rebuild these damned boxes from scratch once again.

The current state of the art is to patch security holes before they are 
exploited.  So my philosophy is that if you have a port open to the 
Internet it is only a matter of time before you lose the box, no matter 
what you do to protect it.  Which means you absolutely have to have a 
recovery process that is quick and easy (and tested).

Security is a hard business.  Seems like you might be best off getting help.

Dave
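Dave's point about whether the 6667 traffic is to or from the servers, and about a web box that should only be talking on 80 and 443, can be turned into a quick triage check. The script below is an added example, not part of the original thread; it works on constructed netstat-style lines (proto, local:port, remote:port, state) and assumes the only legitimate egress is DNS.

```shell
#!/bin/sh
# Added example: triage connection state on a web server that should only
# accept inbound 80/443. Flags outbound IRC (remote port 6667), anything
# listening/serving on 6667 locally, and any other unexpected egress.
# Assumptions: input lines look like `netstat -ntu` output, IPv4 only,
# and outbound DNS (remote port 53) is the only expected egress.

# Constructed sample of what a compromised box might show.
SAMPLE='tcp 10.0.0.5:80 198.51.100.7:51234 ESTABLISHED
tcp 10.0.0.5:443 203.0.113.9:40222 ESTABLISHED
tcp 10.0.0.5:33811 192.0.2.44:6667 ESTABLISHED
udp 10.0.0.5:48811 192.0.2.200:53 ESTABLISHED
tcp 10.0.0.5:6667 198.51.100.31:3344 ESTABLISHED
tcp 10.0.0.5:34001 192.0.2.80:80 ESTABLISHED'

# Reads connection lines on stdin, prints one flagged line per finding.
flag_connections() {
    awk '
    {
        split($2, l, ":"); split($3, r, ":")
        lport = l[2]; rport = r[2]
        # Inbound to our web service: expected, stay quiet.
        if (lport == 80 || lport == 443) next
        # Outbound DNS is expected egress for most servers.
        if (rport == 53) next
        # Direction matters: remote 6667 means the box is the IRC client.
        if (rport == 6667) { print "OUTBOUND irc-client-like: " $0; next }
        if (lport == 6667) { print "INBOUND irc-server-like: " $0; next }
        # Anything else the server initiated is unexpected egress.
        print "OUTBOUND unexpected egress: " $0
    }'
}

# Number of findings, handy as a pass/fail gate in a rebuild checklist.
count_flags() {
    flag_connections | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE" | flag_connections
```

Feeding real `netstat -ntu` output into flag_connections gives the same report; an egress rule on the firewall that drops what the report lists is the "limit the impact" step Dave describes.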
