
How might I have gotten hacked in this situation?


HackedRedhat (Technical User), Aug 20, 2002
I set up a Redhat 7.2 server with an internal IP behind a Linksys router with only ports 21 and 23 forwarding to the PC. The standard Redhat firewall was disabled and my username was the only additional user account added to the newly installed system. My password was reasonably secure, with 7 alphanumeric digits that was not a dictionary word. I accessed the Redhat machine remotely on the telnet port repeatedly for several days and occasionally FTP'd files back and forth. Within 5 days, sure enough, the system had been fully compromised and the root login password had been changed.

I realize that this implementation was less than optimal, but what I do not understand is the method that was used to gain entry. Does Redhat have a backdoor? Were my authentication credentials picked up somewhere over the net? Did the hacker simply use a program to methodically test user/pass combinations? Or was it something else? I would certainly like to learn more about what made this server so easy to get inside of.
 
There are numerous ways that this hack could have been perpetrated. My first question would be "Did you install all of the security related patches after installing RedHat?" My next question would be, "Did you install the security patches for your Linksys router?"

First, telnet and ftp are really deprecated protocols unless you are a company offering anonymous downloads. You should be using the ssh suite of applications, including scp and possibly sftp. The secure shell applications give you a good measure of protection against eavesdropping, if that is what happened.

Also, ftp and telnet are susceptible to hijacking. Did you ever get bumped off during a session? If so, it is possible that someone used an application like hunt to hijack your telnet session and assume your credentials.

And, the wu-ftp daemon that is shipped with RedHat (and many other platforms) is constantly being compromised. Because this service generally runs as root, if you can compromise it, you automatically become root.

Another thing, are you running X windows? If so, it is possible that someone connected to your X server. As I recall, the default for many X server installations is to allow anyone to connect to it.

I would recommend that you reinstall, preferably with RedHat 7.3 since it has been out for some time now.
Set the system up with a High firewall setting.
Don't install these vulnerable packages.
Download and install all relevant patches (use RHN, it is quite simple).
Only punch ssh through the Firewall on the system and only forward port 22 on the router.
Turn off EVERY service that you are not using (like portmapper, lpd, CUPS, sendmail).
Run nmap on your system and make sure that ONLY port 22 is open.
Turn off X windows (you can always use startx from the command line if you log in locally).
Install Tripwire, or samhain to watch for compromises.
Install logwatch to check for probes of your system.

If you use Windows to access this system, you can download putty. They have a free ssh and scp client. It is very handy.

pansophic
 
Pansophic, nice work, good post.

Is there a Linux dist. that starts minimally and only adds packages as the user asks for them? Services or ports too, I think.

Thanks

 
Yes: to name the two most likely. Be aware that Slackware is modeled after the *BSD's ( etc...), so it has a more sparse configuration system, without the SYSV-style init scripts--no "runlevels", etc... Each has its drawbacks, but BSD-style init scripts are somewhat simpler.

-------------------------------------------
"Now, this might cause some discomfort..."
 
Wow,

I looked at some linuxes two years ago for friends desktop windoze replacements and all of them default loaded a freakin bunch of services and programs loaded with infosec problems. Zombie time. Not a nice thing to do to friends.

If I could start with a near naked linux and add a firewall, netscape, eudora and open office, they might have a reasonably safe desktop.

Comments???

Thanks

Thanks, too.
 
You have described to a T exactly the way Slackware, Debian, and the *BSD distributions approach things. Text mode install, no fluff, but with all of the nice GUI packages, etc... at your fingertips, if you want to install them.

I personally am a FreeBSD lover, so Slackware is my choice if I have to use Linux. I actually started my Unix experience with RedHat Linux, but once I found FreeBSD, I left RedHat, and only came back to Slackware later. Actually I have not seen anything in Linux that approaches the simplicity and freedom that the FreeBSD 'ports' system gives you. Any piece of software can be installed remotely, either as a binary install, or compiled from source. (cd to /usr/ports/net/samba, make, make install -- automatically downloads source, applies FreeBSD patches, compiles, and installs binaries in place).

Debian does have a nice remote package installation system, though, with its 'apt-get' syntax, while Slackware is a little more clunky (download packages, then install).

I will say that Linux distributions tend to make it a little easier to get your desktop working right with your video card. The BSD's tend to focus on server issues first, desktop second.

-------------------------------------------
"Now, this might cause some discomfort..."
 
That's funny, I started with Slackware back in 95, and have migrated to RedHat and Mandrake. I've nearly always been a custom install though, selecting my own packages as I go.

I have run all of the above, plus SCO, Solaris x86, VA Linux, Monkey, Tom's Root Boot, but my favorite right now is the former linuxcare bootable business card. It is a small bootable CDROM that runs from RAM DISK. It has NTFS support, along with just about everything else, like networking.

I have fixed MANY broken NT systems and even an XP system and never had to reinstall. VERY cool. Try it at
I think that you will like it too!

I may have to try FreeBSD again. It has really been a while. I liked it for its minimalistic approach when I was building security systems, but haven't tried it as a workstation in years.

Oh yeah, you may want to download and run Bastille for your RedHat install. You can get at

It will help you tighten it down to a reasonable level.
pansophic
 


Thanks again...

I forgot about Bastille. It is a script as I recall. SANS was doing that I recall...

Is it RH only?

Great info, now if only a friend's Windouse would fry real soon, I'm off.

Watson! The game is afoot.
 
There are some good posts in here, just try to remember the big no-no's...
1. Don't use telnet (that's absolutely begging to be rooted).
2. Don't leave the default installation as is.
3. Don't leave unneeded services running.
4. Don't forget to secure the system BEFORE putting it on the network.

All distros can be made secure...just depends on how much time you are willing to put into it.
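As an added example (not code from this thread or from any of its posters), here is a small POSIX sh/awk script for the check pansophic describes in his checklist above ("make sure that ONLY port 22 is open") and for no-no #3 in the summary just above (no unneeded services running). It assumes `netstat -tuln` style output (the `ss -tuln` layout is close enough to work with the same port extraction); the sample below is constructed to look like a box that still has ftp, telnet, sendmail, portmapper, lpd and an X server listening, so the script runs offline. On a real host you would pipe the live command in instead.

```shell
#!/bin/sh
# Added example: audit listening sockets against an allow-list of ports.
# Anything not on the list is a service you did not mean to expose and
# should turn off (or at least firewall), per the advice in the thread.

# Constructed sample standing in for `netstat -tuln` on a default-ish box:
# ftp (21), ssh (22), telnet (23), sendmail (25, loopback only), portmapper
# (111 tcp+udp), lpd (515) and X11 (6000) are all listening.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*'

# unexpected_listeners "PORT PORT ..."
#   Reads netstat-style lines on stdin and prints "proto local-address" for
#   every tcp/udp listener whose port is NOT in the space-separated allow-list.
#   The port is taken from the text after the last ":" of the Local Address
#   field, so IPv6 forms like ":::22" are handled as well.
unexpected_listeners() {
    allowed=" $1 "
    awk -v allowed="$allowed" '
        $1 ~ /^(tcp|udp)/ {
            n = split($4, parts, ":")
            port = parts[n]
            if (index(allowed, " " port " ") == 0) print $1, $4
        }'
}

# Run the audit over the constructed sample with only ssh (22) allowed.
audit_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "22"
}

# Number of offending listeners in the sample (7 here: 21, 23, 25, 111/tcp,
# 515, 6000 and 111/udp); a cron job could alert whenever this is non-zero.
count_unexpected_sample() {
    audit_sample | wc -l | tr -d ' '
}

# Stand-alone run: list the offenders found in the constructed sample.
audit_sample
```

On a live machine the call is `netstat -tuln | unexpected_listeners "22"` (run as root so every process is visible), and an empty result is the state pansophic's checklist is aiming for. The allow-list is deliberately a plain string so the same function can be reused with a longer list on a host that legitimately serves more than ssh; the script only reports, it does not stop anything, which keeps it safe to run from cron alongside logwatch.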
 