[NCLUG] RH 7.2

Bob Proulx bob at proulx.com
Sun Aug 10 23:39:09 MDT 2003


Paul Wehr wrote:
> As a neophyte (relatively) in the Linux world, I'm running RedHat 7.2 
> on an old Gateway P133 just to try out some server options primarily 
> for web design.

A fine idea!  Linux breathes new life into older hardware.

> In some of the logs, I see attempted entry, including ssh.

Script kiddies running canned and widely available probing software
are so prevalent on the net that I always see attempted breakins on my
border machines.  Most are looking for older security flaws which have
already been fixed with newer software.  So they are just annoying and
not really a threat.  I rarely see a half-hour window of log file time
without probes or port scans.

But just seeing the attempts is not something that you should be
concerned about.  At least not for the health of your machine that it
might be cracked.  [However you should be concerned about the social
state of the Internet.  If someone were walking door to door through
your neighborhood trying to lift your windows you would certainly take
action against them.  But because people feel anonymous, and to some
extent are, they don't have the moral inhibition against checking your
door locks with lock picks.  But that is another topic entirely.]
Suffice to say that all Internet hosts get probed at such a rate that
in any given half hour slot of log files I see many attempts.  I have
stopped logging some types such as MS-Windows file sharing ports since
there are so many.

You say RH-7.2?  I don't run Red Hat myself and so I don't know if
that release had good versions of software or not.  But I see that 7.2
released on 2001-Oct-22 which would need some updates.  Had you
applied security patches?  If so then you are probably okay.  If not
then there is more work to do.  I believe there were all of ssh,
apache, and bind vulnerabilities closed in that time frame.

> Today, I noticed that all of my http logs, which used to be a mere
> 50-60K are now zero. I didn't trash them. I'm only semi-paranoid,
> but I think I may have been broken into.

Possibly.  But I have also seen buggy log rotation scripts do that
too.  It is a clue but not enough by itself.  I have seen syslogd die
and logging stopped because of that.  The log rotator kept going and
eventually there were no logs.  Restarting the syslogd restarted the
logging.

> Naturally, all of the IP addresses come up empty.

What IP addresses?  From previous logs?  Empty logs mean no IP
addresses to search.  Need input.

> Is my best bet just to reformat and start over? It's not like I have 
> anything valuable there. Or is there another option?

If you really have been cracked then your only recourse is to
reinstall.  The problem is determining if you need to take such action
or not.  The general wisdom of the 'net would be to install from clean
sources if you are not sure since that would be the safe route.
Probably others on the list will suggest other workable solutions.

If you are looking after the fact it can be very difficult to tell if
you have been cracked.  If the cracker was good it may be impossible
to tell from the machine itself.  The wisdom of the net would be to
examine the disk as data from another known clean host.  But that is
more trouble than most of us would go through.  At the very least it
is better to run a program like AIDE[1] before you get compromised
such that it can possibly detect the intrusion rather than try to
determine it afterward.  And of course you should keep up to date with
security patches.

If your logs were gone then the cracker could not have been very good.
Actually because of that I doubt you were cracked.  It sounds more
like a simple syslogd bug.  Most rootkits are better than that and
harder to detect.  Try running 'rpm -Va' and see if the rpm packages
verify or not.  If not then that would be a bad sign.  Try looking at
'rpm -qa' and seeing if anything out of the ordinary shows up.  (One
friend with a Mandrake cracked machine had RH packages installed.
Apparently the rootkit was for RH systems and did not realize he was
Mandrake and the package names stood out from the rest.)

If you do decide to install cleanly I would then audit the externally
visible processes such as ssh, http, dns, smtp and make sure they are
patched to the current level.  Remove or disable all services which
you do not need.  Port scan yourself with nmap[2] to crosscheck
that you are not exposing anything you don't expect to the outside
world.  For all services which you expose you will need to keep
those up to date with all security patches.  Run a firewall with
iptables.

Bob

[1] http://www.cs.tut.fi/~rammer/aide.html
[2] http://www.insecure.org/nmap/
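An added example, not part of Bob's post and not code from the rpm project: a small Python triage of `rpm -Va` output, the check Bob suggests above. It separates the routine results (edited config files, mtime-only changes) from the bad sign he describes (package-owned binaries whose size or digest no longer verify, or which are missing). The sample output is constructed; the flag letters (S size, M mode, 5 digest, D device, L symlink, U owner, G group, T mtime, P capabilities) and the `c`/`d` file-type markers are rpm's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample of `rpm -Va` output (not from the post): 8 or 9 attribute
# flags (older/newer rpm), optional file-type marker (c = config), then path.
SAMPLE_RPM_VA = """\
S.5....T.  c /etc/ssh/sshd_config
.......T.  d /usr/share/doc/openssh/README
S.5....T.    /bin/ls
missing     /usr/bin/netstat
.M.......    /var/log/httpd
"""

LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)[ \t]+"
    r"(?:(?P<marker>[cdglr])[ \t]+)?(?P<path>/\S+)[ \t]*$",
    re.MULTILINE,
)

@dataclass
class Finding:
    path: str
    flags: Set[str]         # verification letters that failed, e.g. {"S", "5"}
    marker: Optional[str]   # "c" config, "d" documentation, None = regular file
    missing: bool = False

    @property
    def severity(self) -> str:
        # Altered non-config package files are the bad sign; config edits are routine.
        if self.missing:
            return "high"
        if self.marker in ("c", "d"):
            return "info" if self.flags <= {"T"} else "low"
        if self.flags & {"5", "S", "L"}:
            return "high"     # replaced binary or altered contents
        if self.flags & {"M", "U", "G", "D", "P"}:
            return "medium"   # permissions or ownership tampered with
        return "info"         # mtime only

def parse_rpm_verify(output: str) -> List[Finding]:
    findings = []
    for m in LINE_RE.finditer(output):   # lines that do not match are skipped
        missing = m["flags"] == "missing"
        flags = set() if missing else {c for c in m["flags"] if c not in ".?"}
        findings.append(Finding(m["path"], flags, m["marker"], missing))
    return findings

def high_severity_paths(output: str) -> List[str]:
    return [f.path for f in parse_rpm_verify(output) if f.severity == "high"]
```

On a live host, feed it the real output with `parse_rpm_verify(subprocess.run(["rpm", "-Va"], capture_output=True, text=True).stdout)`; remember that rpm's own database can be altered by a rootkit, so a clean result is reassuring but not proof.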