[NCLUG] how was I hacked?

Kevin Fenzi kevin at scrye.com
Sun Jun 1 14:41:25 MDT 2003




>>>>> "Daniel" == Daniel Herrington <dherr at frii.com> writes:

Daniel>   I got a couple of strange email messages during the past
Daniel> week from my web server:

Daniel> First message:
Daniel>  ################## LogWatch 2.1.1 Begin #####################
Daniel> --------------------- ModProbe Begin ------------------------
Daniel> Can't locate these modules: 0: 1 Time(s)
Daniel>  ---------------------- ModProbe End -------------------------
Daniel>  ###################### LogWatch End #########################
Daniel> Second message:
Daniel> /etc/cron.weekly/makewhatis.cron:
Daniel> zcat: ./.../psyBNC2.2.2.tar.gz: unexpected end of file

Daniel> Needless to say, I was somewhat disturbed by these, since
Daniel> normally I would get an empty email from LogWatch each
Daniel> morning. I then did a "locate psyBNC", which returned the
Daniel> following:

Daniel> /usr/man/man8/.../psyBNC2.2.2.tar.gz

Daniel> Interesting. I went to this directory, and now I see this:

Daniel> ...rootkit listing output snipped...

Daniel> So obviously, the server has been hacked! This is very
Daniel> irritating. Now I need to fix it, but I have questions about
Daniel> what happened:

Daniel> Is anyone familiar with this type of hack? If so, was it
Daniel> probably done through some service I should've had turned off,
Daniel> or some other way?

Daniel> This server is running RedHat 7.2. I admit I've been lazy
Daniel> about installing security fixes. Am I better off just

So it could have been any of the gigantic number of 7.2 security
related bugs they used to get in. It's hard to tell... 

Daniel> installing RedHat 8.0 or 9 and their corresponding security
Daniel> fixes, or is there an easy way to fix the current
Daniel> installation?

There is no way you can trust the current install. 
You should re-install a fresh install and carefully move your data
over. 

If for some reason you can't do that, you could try doing a 
'rpm -Va' and see if it will tell you all the system files they
modified, and then 'rpm -Uvh --replacepkgs' for each rpm to put the
real files back. Of course, that will miss any they added not via rpm,
assumes the rpm database or binary hasn't been hacked, and that your
kernel hasn't been tampered with. ;) 
So, re-installing is really the only good option. 

Daniel> Also, this server sits behind a firewall router that only
Daniel> allows web and ssh ports through. I thought this was pretty
Daniel> safe, but apparently not safe enough?

ok, that narrows things down. They probably used a bug in any of the
things they could access on those 2 ports:

Looking at the security errata for rh7.2 at
https://rhn.redhat.com/errata/rh72-errata-security.html

we see the following possibilities:

mod_auth_any 
openssl
apache
mod_ssl
php
openssh
zlib
mod_python
mod_auth_pgsql

Some of them a number of times (ie, there were 3 updates to apache,
meaning if you had the stock one they could have used any of those 3
bugs). 

Just because your server is behind a firewall doesn't mean you don't
have to upgrade it. It might reduce the number of packages you need to
update, but if the outside net has any access to it at all, you should
keep it up to date. 

Daniel> Thanks for any help, Daniel Herrington

kevin
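The 'rpm -Va' triage Kevin describes, as an added example that is not from the thread: it reads verify output (a constructed sample here) and lists non-config files whose digest changed or that are missing, plus a finder for the '...' directory name the rootkit hid under. It assumes the eight-character flag layout of rpm 4.0 as shipped with RedHat 7.2.

```shell
#!/bin/sh
# Added example, not from the thread: triage 'rpm -Va' output and look for
# the '...' hiding directory. Each 'rpm -Va' line that fails verification is
#   <flags> [attr] <path>     e.g.  S.5....T    /bin/ls
#   missing <path>
# Flags (rpm 4.0 layout assumed): S size, M mode, 5 digest, D device,
# L symlink, U user, G group, T mtime; '.' means that test passed.
# attr 'c' marks a config file, whose edits are usually the admin's own.

# Constructed sample; on a real host run:  rpm -Va 2>/dev/null
SAMPLE_RPM_VA='S.5....T    /bin/ls
S.5....T    /bin/ps
..5....T  c /etc/issue
.......T    /usr/bin/vim
missing     /sbin/ifconfig
S.5....T  c /etc/ssh/sshd_config'

# Print non-config files whose contents changed ('5') or that are missing.
# The thread's caveat still applies: this trusts rpm and its database.
suspicious_files() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            missing*)
                printf '%s\n' "${line#missing}" | sed 's/^[[:space:]]*//' ;;
            *)
                flags=${line%% *}                     # first field
                rest=$(printf '%s' "${line#"$flags"}" | sed 's/^[[:space:]]*//')
                case "$rest" in
                    [cdglr]\ *) continue ;;           # c/d/g/l/r attribute: skip
                esac
                case "$flags" in
                    *5*) printf '%s\n' "$rest" ;;
                esac ;;
        esac
    done
}

# List directories literally named '...' below a root (the thread's hiding spot).
hidden_dot_dirs() {
    find "$1" -type d -name '...' 2>/dev/null
}

suspicious_files "$SAMPLE_RPM_VA"
```

Run `hidden_dot_dirs /usr` (or `/`) on the host to find further '...' directories like the one under /usr/man/man8.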
