[NCLUG] I was hacked!

Michael Dwyer mdwyer at sixthdimension.com
Thu Dec 28 16:28:36 MST 2000


At 03:37 PM 12/28/00 -0700, you wrote:
>Ditto for one of our customers Rh6.2 machines which got hacked on 12/2. Didn't
>notice it until the bandwidth for the customer went way up due to it flooding
>a machine in NY.

I'm embarrassed to report that when that happened to us, I just assumed that 
the network card freaked out.  I intended to check out the machine later; 
because of the trojan'd tools, I didn't notice anything bad, so I just left 
it off the network until the machine was needed again.

> I do hope you have made sure your machine isn't still compromised.
> Check the md5sum of your /bin/ls file.
>
>On RedHat systems "rpm -V -a | more" is a better tool. There is quite a 
>point; I would expect the root kit to include md5sum and tar too.

Ahyeah...  Tripwire is the ideal solution, but for some reason it isn't 
widely used, yet.  (I think it was recently GPL'd, so that's not the 
reason, eh?) John brings up a good point, though -- they usually get the 
obvious tools, but miss the less obvious ones.  You can get a file list 
with "echo *", and get around a trojan'd find(1) with tar(1).  My solution 
was to boot from the LinuxCare bootable cd 
(http://www.linuxcare.com/bootable_cd) to start the machine and look around 
with known-good tools.  Amazing what appeared...

(PS: The club needs to score us some LinuxCare bootable business cards! 
They won't sell them!  Doh!  But you can get the ISO image!)

>containing the hackers' tools/files ... including an IRC log of over 100 
>machines that were on the compromised network. From info in the IRC log, it 
>appears they automatically segment the hacked network when it reaches a 
>certain size. This probably allows for multiple hacked network segments to 
>become compromised and shut down ... but authorities never really can take 
>them completely off the air.

You did your homework too! <grin> According to this article, that is 
exactly what is going on: http://www.robertgraham.com/op-ed/magic-ddos.html

> Has anyone in the linux community thought about banding together to
> actively hunt and kill these slobs? Effective coordination would be
> interesting, especially to minimize "moles" from diverting/hijacking
> the effort.

The tools to support this effort already exist. I was about to throw out my 
anti-RedHat speech here, but you've already heard it, and didn't want to 
hear me whining last time, either.  Let me just say that I think it would 
surely help a little if everyone made security the first thing they thought 
about instead of the last.  Why are so many Linux users surprised at how 
many ports are open on their machine?  Why don't more people follow the 
security advisories?  Why is Bastille such a secret?

That said, it is getting better.  Auto-updating is becoming a reality.  I'm 
particularly impressed with -- put down those sticks! -- Windows 
Update.  It works well! (And good thing, too!) And apparently RH7 now 
does auto updates as well.  Excellent!

I think it is all about education.  I'd love to give a talk about security 
sometime...  I considered offering it up to the CSU-LUG, in return for 
snagging the best book at their first meeting.  <blush>

> They also added passwords to the lpd and ftp system accounts to telnet 
> in, after

My hacker used a trojan'd inetd that gave a root shell if you telnetted to 
a specific port and gave the right password.  FWIW, it looks like they used 
Linux Root Kit v3 by Lord Somer, or something similar.    The script kiddie 
used Pico to edit his configs!  Bwahahahaha....
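The integrity-checking ideas in this thread (checksum your binaries, run the checks from known-good tools, list files without trusting ls(1)) can be put together as a small Tripwire-style baseline/verify script. The following is an added example written for this archive page, not a script from the original posters or from any named tool; it assumes the GNU coreutils sha256sum (the thread mentions md5sum, a stronger hash is used here), that file names contain no whitespace, and, most importantly, that it is run from trusted media such as the bootable CD mentioned above, since a trojaned shell or hashing tool on the compromised disk could lie about its own files.

```shell
#!/bin/sh
# Added example, not from the original thread. Minimal Tripwire-style
# baseline/verify pair built from shell globbing plus sha256sum.
# Assumptions: coreutils sha256sum is present, file names have no
# whitespace, and the script itself runs from known-good media.

# List regular files in a directory using only shell globbing, the same idea
# as the "echo *" trick in the thread: no dependence on an ls(1) that may
# have been replaced by a root kit.
list_files() {
    dir=$1
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Record a hash for every regular file directly under $1 into the baseline
# file $2. Lines use the format sha256sum emits: "<hash>  <path>".
# Store the baseline somewhere the compromised host cannot rewrite it.
make_baseline() {
    dir=$1
    out=$2
    : > "$out"
    list_files "$dir" | while IFS= read -r f; do
        sha256sum "$f" >> "$out"
    done
}

# Compare the current state of $1 against baseline $2. Prints one line per
# finding: "MODIFIED <path>", "MISSING <path>", or "NEW <path>".
# Prints nothing when the directory matches the baseline exactly.
verify_baseline() {
    dir=$1
    base=$2
    # Modified or missing files: recompute each recorded hash.
    while read -r hash path; do
        if [ ! -f "$path" ]; then
            printf 'MISSING %s\n' "$path"
        else
            cur=$(sha256sum "$path" | cut -d' ' -f1)
            [ "$cur" = "$hash" ] || printf 'MODIFIED %s\n' "$path"
        fi
    done < "$base"
    # New files: present now but absent from the baseline (a dropped
    # trojaned binary or a new config file would show up here).
    list_files "$dir" | while IFS= read -r f; do
        awk -v p="$f" '$2 == p { found = 1 } END { exit !found }' "$base" \
            || printf 'NEW %s\n' "$f"
    done
}
```

A typical use is `make_baseline /bin /mnt/trusted/bin.sha256` right after installation, then `verify_baseline /bin /mnt/trusted/bin.sha256` from rescue media when a machine is suspect; the baseline is only worth anything if the attacker could not have rewritten it, which is why it belongs on read-only or off-host storage rather than beside the files it describes.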