Hacked systems and the law

Jonathan Hutchins hutchins at tarcanfel.org
Tue Apr 22 15:47:48 CDT 2003


Quoting Bradley Miller <bradmiller at dslonramp.com>: 
 
> My fear is it was a telnet session or perhaps a sniff of traffic at my new  
> server's location.  RAQ4 boxes are shipped with ... a GUI to get  
> into the system.   
 
My bet would be on the GUI, possibly a known back door or admin password.  The 
GUI _should_ be running over SSL; if not, it's probably the weakness.  Telnet 
servers are hackable, but mostly, as you said, by sniffing.   
 
Sniffing an entire ISP would be quite a project though - lots of data to find 
a new system at the time the admin's logging in.  One would suspect an inside 
job if it were a sniff attack.  You might also go prowling the newsgroups for 
the specific combination of packages that were installed.  And sort through 
your logs to see if you can figure out precisely what was done through what 
interface. 
 
> What am I doing to fix it?   Simple -- both of these machines are going  
> away in a matter of a week or so ... 
 
You should make sure that you have telnet disabled; telnet should of course 
not allow root to log in, nor should SSH, which must run v.2 not v.1, and you 
should make sure that if the GUI is still active it only runs over SSL.  If 
you haven't found and secured the vulnerability, you'll be hacked again (if 
you haven't already). 
 
I've been trying to recall where I saw this excellent article on recovery - 
sysadmin, Linux Mag, or Linux Journal in the past year.  You need some basic 
tools on secure media, you need checksums on critical programs (login, ls, 
bash). 
 
Tripwire's a great idea - scans critical files for changes in checksum, which 
gives you notification that you've been hacked as well as a roadmap to recover 
what was changed.  It is, however, a real PITA to set up - you have to weed 
through the default configuration eliminating all the stuff your server 
doesn't have or that you know can change daily without a problem. 
 
RH6.2 is a valid and securable platform.  The GUI RAQ4 supplies may not be, 
but you should be able to (and should immediately) secure the boxes as they 
are. 
 
This is an example of something security professionals try to hammer home 
again and again: assuming that a default installation is secure without 
investigating the specific settings is foolish, whether the installation is 
Linux, Microsoft, or any other OS.  Unless you have someone's name on the line 
saying "this system is secure from intrusion", you should assume you have an 
open system and take positive action to secure it. 
 
I figure any system I didn't secure myself is essentially a honeypot. 

---------------------------------------------------
This mail sent through tarcanfel's horde/imp system
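The remote-access checks above (no root login over SSH, SSH protocol 2 only, telnet switched off) can be audited mechanically rather than by eyeballing the files. The script below is an added example, not code from this post or from Cobalt; it parses sshd_config the way sshd does (first match wins, comments skipped) and looks for an uncommented telnet entry in inetd.conf. The file paths are parameters, and the sshd_config and inetd.conf contents it writes are constructed samples, not files copied from a RaQ4.

```shell
#!/bin/sh
# Added example (not from the original post): audit the remote-access
# settings the message calls out. Point the functions at
# /etc/ssh/sshd_config and /etc/inetd.conf, or at the constructed
# samples written by write_samples.

# Effective value of an sshd_config keyword: first match wins, as in
# sshd; comments and blank lines are skipped. Only the "Keyword value"
# form is parsed, not "Keyword=value".
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == key         { print $2; exit }
    ' "$1"
}

# Print one FINDING line per weak setting. An absent keyword is also a
# finding: the defaults of an old OpenSSH are not something to rely on.
audit_sshd_config() {
    root=$(sshd_value "$1" PermitRootLogin)
    [ "$root" = "no" ] || echo "FINDING: PermitRootLogin=${root:-unset} (want no)"
    proto=$(sshd_value "$1" Protocol)
    [ "$proto" = "2" ] || echo "FINDING: Protocol=${proto:-unset} (want 2)"
}

# Exit 0 when an uncommented telnet service line is present in inetd.conf.
telnet_enabled() {
    grep -Eq '^[[:space:]]*telnet[[:space:]]' "$1"
}

# Constructed sample configs (assumed, not real RaQ4 files) written into $1.
write_samples() {
    cat > "$1/sshd_weak" <<'EOF'
# as-shipped style: root may log in, protocol 1 still accepted
Port 22
Protocol 2,1
PermitRootLogin yes
EOF
    cat > "$1/sshd_hard" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
EOF
    cat > "$1/inetd_weak" <<'EOF'
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
EOF
    cat > "$1/inetd_hard" <<'EOF'
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
#telnet stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
EOF
}

# Run the audit against the constructed samples and print the results.
demo() {
    d=$(mktemp -d)
    write_samples "$d"
    for f in sshd_weak sshd_hard; do
        echo "== $f"
        audit_sshd_config "$d/$f"
    done
    for f in inetd_weak inetd_hard; do
        if telnet_enabled "$d/$f"; then echo "$f: telnet ENABLED"; else echo "$f: telnet off"; fi
    done
    rm -rf "$d"
}
demo
```

On a live box the calls are `audit_sshd_config /etc/ssh/sshd_config` and `telnet_enabled /etc/inetd.conf`; a clean result from the audit says nothing about the RaQ GUI itself, which still has to be confirmed to listen only over SSL.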
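The "checksums on critical programs" idea and the Tripwire description above come down to one mechanism: record a hash of each critical file from a known-good state, then compare. The script below is an added example in that spirit, not Tripwire and not code from this post; it builds a baseline for a list of files under a given root and reports anything changed or missing. The directory tree it exercises is constructed for the demo (fake login, ls and bash files), not a real system. The caveat the post hints at applies: generate and verify the baseline with tools from trusted media and keep the baseline off the box, since a hash produced by a trojaned sha256sum proves nothing.

```shell
#!/bin/sh
# Added example (not from the original post, not Tripwire): a minimal
# checksum baseline for critical files. Usage:
#   baseline ROOT BASELINE_FILE path/relative/to/ROOT ...
#   verify   ROOT BASELINE_FILE      (exit 0 only when everything matches)

# SHA-256 of one file: GNU sha256sum where present, else BSD shasum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Record "<hash> <relative path>" for every file named on the command line.
baseline() {
    root=$1; out=$2; shift 2
    : > "$out"
    for f in "$@"; do
        printf '%s %s\n' "$(hash_file "$root/$f")" "$f" >> "$out"
    done
}

# Compare the tree under ROOT against BASELINE_FILE. Prints CHANGED or
# MISSING lines; returns 1 if anything differs, 0 if clean.
verify() {
    root=$1; base=$2; bad=0
    while read -r h f; do
        if [ ! -f "$root/$f" ]; then
            echo "MISSING $f"; bad=1
        elif [ "$(hash_file "$root/$f")" != "$h" ]; then
            echo "CHANGED $f"; bad=1
        fi
    done < "$base"
    return $bad
}

# Demo on a constructed tree: take a baseline, then "trojan" login and
# delete ls, and show what verify reports.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/bin"
    printf 'login v1\n' > "$t/bin/login"
    printf 'ls v1\n'    > "$t/bin/ls"
    printf 'bash v1\n'  > "$t/bin/bash"
    baseline "$t" "$t/base.txt" bin/login bin/ls bin/bash
    echo "== clean tree"
    verify "$t" "$t/base.txt" && echo "ok"
    printf 'login TROJAN\n' > "$t/bin/login"
    rm "$t/bin/ls"
    echo "== after tampering"
    verify "$t" "$t/base.txt" || echo "integrity check FAILED"
    rm -rf "$t"
}
demo
```

For a real box the file list would start with the binaries the post names (login, ls, bash) plus the shells, sshd, the libraries they load and the boot scripts; anything expected to change daily (logs, spool directories) is left out, which is the same weeding the post describes for Tripwire's default policy.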
More information about the Kclug mailing list