[nSLUG] my system was cracked!

gnwiii at gmail.com gnwiii at gmail.com
Sat Jun 3 15:27:59 ADT 2006

On 6/3/06, ricardd at mathstat.dal.ca <ricardd at mathstat.dal.ca> wrote:

> Someone remotely cracked into my system on Thursday afternoon when I was
> at the CEOS conference and my laptop was running in my office at
> Dalhousie. Another machine running Ubuntu was cracked into last week as
> well.

You have lots of company, including places like UCSD's Supercomputing
Center that is often regarded as a model (which does make them a
target).  They don't use vendor configurations but create their own
toughened images, which is too much to expect from individuals, but
really should be done at the Univ. Computing Services level (where
they assume user accounts will be compromised and concentrate on
making sure users can't escalate privileges).

> This is a first for me and it now makes me feel vulnerable. A few pros
> looked at my machine at the InstallFest yesterday and had various
> explanations for what happened.

You shouldn't feel vulnerable!  On Wed. you were living in a state of
ignorance and on Thurs. you learned an important lesson without too
much damage.   A few years ago an admin. at work was approached by the
RCMP after p0rn was found on his workstation.

Compromised machines usually had multiple vulnerabilities -- it is
often not worth the effort to analyze the specific ones that were
used unless you are in a position to go after the bad guys (e.g., in
cooperation with authorities).  Most will get zapped by hardening
practices.  Do that and make sure you have good backups.

> I discovered that something was wrong when I tried to login as user
> postgres and the password wasn't accepted. I then reset the password for
> postgres and logged in as user postgres. The command history included
> things that I didn't type and were malicious (download an admin kit, etc).
> After that, I could not log in as root anymore, the "sudo" command must've
> been corrupted. We rebooted from a CD and noticed that the entries for sudo
> in /etc/passwd and /etc/shadows were indeed corrupted. The root password
> was reset by editing the files in a text editor and rebooting. The dudes
> also suggested a re-install of my whole system.
> So, short of hiring a sysadmin, what should I do to protect myself against
> this? I'd like to get a "checklist" of things that I should watch for
> after I reinstall. For example:
> - run a firewall
> - change the ssh listening port to something other than 22
> - use strong passwords for everything (the postgres password was weak)
> - ...
> Suggestions, comments? And, yes, I will get a "Security for Linux" book
> and read it.

In a university or other large organization you really need to work
with professional staff.  They need to know what is going on and it
may help get some resources allocated and also prevent other attacks.
Of course the "pros" may just tell you not to connect to their network
because they are too busy dealing with WIn32 VISTA (VIruses, Spam,
Trojans, and Ad-ware) -- a sure sign of an organization that has
already lost the battle.

Do-it-yourself sys. admin. is becoming less practical for machines
connected directly to the internet.  The problem with everyone doing
for themselves is that a few people coast along using insecure OS's,
weak passwords and not noticing when machines are hacked, thus making
life harder for people who are individually trying to secure their
machines.   You don't assemble your own mainboard; why should you have
to harden your OS?

Even with professional assistance some reading will be helpful, if
only so you can understand the tradeoffs between security and things
that no longer work the same way.  Many "Security for Linux" books are
oversimplified -- shop carefully and keep a couple good books on linux
basics handy for reference.

Securing a machine isn't just configuration.  You need to schedule
tests to make sure things are working (run port scans), examine logs,
run security analysis tools, debsum, smartctl, etc.  This is much
better done by someone whose job is security and who is in a position
to see patterns across many machines, and who can spend time
configuring tools to analyze logs, etc.

George N. White III <aa056 at chebucto.ns.ca>
Head of St. Margarets Bay, Nova Scotia
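An added example, not from this thread or its author, of one such scheduled test: a small POSIX shell check for the kind of passwd/shadow tampering described in the original report (a second UID-0 account, an emptied password field, accounts present in one file but not the other). It runs here against constructed sample files written by the hypothetical `make_samples` function; the file paths are parameters, so the same checks could be pointed at a rescue-CD mounted copy of a suspect filesystem.

```shell
#!/bin/sh
# Account-file sanity checks for a scheduled integrity test (added example).
# Each function takes file paths so it works on the live system or on copies.

# Every account with UID 0 that is not root: a classic sign of a planted backdoor.
extra_uid0_accounts() {  # $1 = passwd file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts whose shadow password field is empty, i.e. loginable with no password.
empty_password_accounts() {  # $1 = shadow file
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts listed in passwd but not in shadow, and vice versa (like pwck, but
# on arbitrary files). Output order is unspecified; sort it when comparing.
passwd_shadow_mismatch() {  # $1 = passwd file, $2 = shadow file
    awk -F: 'FNR == NR { p[$1] = 1; next } { s[$1] = 1 }
        END { for (u in p) if (!(u in s)) print u " missing-from-shadow"
              for (u in s) if (!(u in p)) print u " missing-from-passwd" }' "$1" "$2"
}

# Run all checks; prints each finding, returns 1 if anything was found, else 0.
check_accounts() {  # $1 = passwd file, $2 = shadow file
    findings=$( {
        extra_uid0_accounts "$1"           | sed 's/^/uid0-not-root: /'
        empty_password_accounts "$2"       | sed 's/^/empty-password: /'
        passwd_shadow_mismatch "$1" "$2"   | sed 's/^/mismatch: /'
    } | sort )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample files (hypothetical data modelled on the incident above):
# an extra UID-0 user, postgres with an emptied password, and a shadow-only user.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
postgres:x:104:108:PostgreSQL:/var/lib/postgresql:/bin/bash
sysadm:x:0:0::/:/bin/sh
EOF
    cat > "$d/shadow" <<'EOF'
root:$6$placeholderhash:13300:0:99999:7:::
postgres::13300:0:99999:7:::
backdoor:$6$placeholderhash:13300:0:99999:7:::
EOF
    echo "$d"
}
```

Run `check_accounts /etc/passwd /etc/shadow` as root from cron alongside debsums and smartctl; a non-zero exit is the alert. On the constructed samples it reports sysadm (UID 0), postgres (empty password) and the two mismatched names.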
