[nSLUG] my system was cracked!

Rich budman85 at eastlink.ca
Mon Jun 5 03:07:40 ADT 2006

Hi Dan,

How did you make out?

Be lucky you caught it when you did. :)
Now you can cleanup and secure your system.

Checking which services are enabled will help.
As for ssh, changing port won't help much if they are scanning your
system.  Find out what version you are running and see if there are any
recent security patches/updates.  

A few years ago, there was an exploit where brute-force login attempts could
force sshd to root with a buffer overflow error.  Check what account sshd is
running under; if it's root, you may want to create an sshd user/group and
have sshd run under that instead of root.

If I remember correctly (beers were going down good), I think we saw
postgres running under its own id; this should be okay.  As for what
happened, it looks like there may be a command that needs patching.
Some commands are known to give root on buffer overruns.

Keep an eye on CERT for new exploits (the site I was trying to recall).

Here are some sites to check out:

What was the kernel version again?
2.4.xx  - could be a possible kernel exploit


On Sat, 2006-06-03 at 09:17 -0300, ricardd at mathstat.dal.ca wrote:
> Hello,
> Someone remotely cracked into my system on Thursday afternoon when I was
> at the CEOS conference and my laptop was running in my office at
> Dalhousie. Another machine running Ubuntu was cracked into last week as
> well.
> This is a first for me and it now makes me feel vulnerable. A few pros
> looked at my machine at the InstallFest yesterday and had various
> explanations for what happened.
> I discovered that something was wrong when I tried to login as user
> postgres and the password wasn't accepted. I then reset the password for
> postgres and logged in as user postgres. The command history included
> things that I didn't type and were malicious (download an admin kit, etc.).
> After that, I could not log in as root anymore; the "sudo" command must've
> been corrupted. We rebooted from a CD and noticed that the entries for sudo
> in /etc/passwd and /etc/shadow were indeed corrupted. The root password
> was reset by editing the files in a text editor and rebooting. The dudes
> also suggested a re-install of my whole system.
> So, short of hiring a sysadmin, what should I do to protect myself against
> this? I'd like to get a "checklist" of things that I should watch for
> after I reinstall. For example:
> - run a firewall
> - change the ssh listening port to something other than 22
> - use strong passwords for everything (the postgres password was weak)
> - ...
> Suggestions, comments? And, yes, I will get a "Security for Linux" book
> and read it.
> Cheers,
> Dan (running my own InstallFest this weekend)
> _______________________________________________
> nSLUG mailing list
> nSLUG at nslug.ns.ca
> http://nslug.ns.ca/cgi-bin/mailman/listinfo/nslug
Rich <budman85 at eastlink.ca>
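As an added example (not code from either message in this thread), a few shell checks a defender could run from the rescue CD Dan mentions against the mounted /etc/passwd and /etc/shadow, plus the sshd-account, listening-service and kernel-version checks Rich suggests; the sample account files are constructed, and the mount path and the account name "toor" are assumptions:

```shell
#!/bin/sh
# Added triage example, not code from the thread. The file checks take paths
# as arguments so they work on a system mounted from a rescue CD
# (e.g. /mnt/etc/passwd, an assumed path) as well as on the live /etc files.

# Accounts other than root with UID 0: a second root account is a common way
# an intruder keeps access after the real root password has been reset.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts whose shadow password field is empty, i.e. no password required.
passwordless_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts listed in passwd ($1) that have no entry in shadow ($2); the two
# files should describe exactly the same set of users.
passwd_shadow_mismatch() {
    awk -F: 'FNR == 1 { file++ } file == 1 { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$2" "$1"
}

# Live-system summary (not exercised on the constructed files below): kernel
# version, the account sshd really runs as, and which TCP services listen.
live_summary() {
    echo "kernel: $(uname -r)"
    echo "sshd runs as: $(ps -eo user= -o comm= | awk '$2 == "sshd" { print $1 }' | sort -u | tr '\n' ' ')"
    echo "listening TCP services:"
    netstat -tlnp 2>/dev/null || ss -tlnp
}

# Constructed sample files (not real data): a duplicate UID 0 account "toor",
# an emptied postgres password, and no shadow line for "toor".
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_PASSWD="$SAMPLE_DIR/passwd"
SAMPLE_SHADOW="$SAMPLE_DIR/shadow"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0::/root:/bin/bash
postgres:x:26:26:PostgreSQL:/var/lib/pgsql:/bin/bash
sshd:x:74:74:sshd privsep:/var/empty/sshd:/sbin/nologin
EOF
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$1$constructed$notarealhash:13300:0:99999:7:::
postgres::13300:0:99999:7:::
sshd:!!:13300:0:99999:7:::
EOF
echo "extra UID 0 accounts:      $(extra_uid0_accounts "$SAMPLE_PASSWD")"
echo "passwordless accounts:     $(passwordless_accounts "$SAMPLE_SHADOW")"
echo "in passwd but not shadow:  $(passwd_shadow_mismatch "$SAMPLE_PASSWD" "$SAMPLE_SHADOW")"
```

On a real rescue boot, point the three file functions at the mounted copies and run live_summary only once booted from the suspect disk again.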