LINUX SECURITY --- March 13, 2001
Published by ITworld.com -- changing the way you view IT
http://www.itworld.com/newsletters
__________________________________________________________________________
HIGHLIGHTS
* Even when you do everything right, something can still go wrong.
__________________________________________________________________________
The Perils of Not Upgrading
By Rick Johnson
By now, everyone has heard about yet another BIND exploit running
rampant. If you are not running at least BIND 8.2.3, then stop reading
and go upgrade. It seems as if this subject comes up every few months,
but inevitably some reader misses the announcements and contacts me for
assistance. This latest case was special, however, as I knew the people
involved. After hearing the story, I felt that they had followed the
rules, which piqued my curiosity. Here are a few of the details.
The hole was indeed the latest BIND vulnerability. All the other
name servers had been upgraded weeks before, but one server slipped
through the cracks. Apparently, the person charged with upgrading it
was leaving the company and did not do the job. Furthermore, no change-
management procedures were in place to verify whether the upgrade had
been done.
This hack had a new twist, though. The partition table was wiped out,
which meant that after the standard shutdown procedure and booting from
a secured recovery OS, the drive appeared empty. Well, that was not
very sporting. With a printout of the partition table (you can make
one with "fdisk -l"), restoration is easy. We were not so lucky.
Thankfully, the drive could still be mounted as one big partition. That
is not enough to boot from, but it let me get at the file system and see
what had happened.
Once inside, I saw the same standard replacements such as ls, top, ps,
and netstat. It looked like a compilation of the t0rn kit plus a few
extras. The following line was in the /etc/inetd.conf file:
smbd2 stream tcp nowait root /usr/sbin/in.smb in.smb
Along with that, /etc/services contained this entry (the port number
gives it away):
smbd2 54321/tcp # Samba
On top of that, the crontab had been overwritten to run /sbin/init
every five minutes. This file, of course, was a part of the kit. The
bad guy had sanitized the logs but left the most common telltale signs:
parts of the actual rootkit remained in the /tmp directory. The
biggest blunder was that they used touch to change the date on all the
affected files, but forgot to account for the time difference.
Therefore, we found all the files set to GMT instead of the actual time
of the event. There might have been other compromised files, but we had
enough information to know what happened.
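As an added example (my own code, not part of the newsletter), here is a small Python triage script that turns the indicators above into checks: it cross-references inetd.conf against /etc/services to find root-run services on odd ports, and it flags files whose mtime is older than their ctime, which is what touch-based backdating leaves behind. The file contents are constructed to match the entries quoted in the article, and the helper names are my own.

```python
import os

# Constructed sample files modelled on the entries quoted in the article.
INETD_CONF = """\
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd    in.ftpd
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd    in.telnetd
smbd2   stream  tcp  nowait  root  /usr/sbin/in.smb  in.smb
"""
SERVICES = """\
ftp          21/tcp
telnet       23/tcp
netbios-ssn 139/tcp
smbd2     54321/tcp   # Samba
"""
WRAPPERS = {"tcpd"}  # servers normally started through a known wrapper


def parse_services(text):
    """Map service name -> port from /etc/services, comments stripped."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and "/" in fields[1]:
            table[fields[0]] = int(fields[1].split("/")[0])
    return table


def suspicious_inetd(inetd_text, services_text):
    """Return (service, port, server) for inetd entries run as root on an
    unprivileged (or unlisted) port by a binary that is not a known wrapper."""
    ports = parse_services(services_text)
    hits = []
    for line in inetd_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0].startswith("#"):
            continue
        service, user, server = fields[0], fields[4], fields[5]
        port = ports.get(service)
        if user == "root" and (port is None or port >= 1024) \
                and os.path.basename(server) not in WRAPPERS:
            hits.append((service, port, server))
    return hits


def backdated(stats):
    """touch(1) rewrites mtime, but the kernel sets ctime to the current clock,
    so mtime < ctime means backdating (or a later chmod/chown); review either way.
    stats: iterable of (path, mtime_epoch, ctime_epoch), e.g. from os.stat()."""
    return [(path, ctime - mtime) for path, mtime, ctime in stats if mtime < ctime]
```

Run suspicious_inetd over the real /etc/inetd.conf and /etc/services from the mounted image, and feed backdated() the st_mtime/st_ctime pairs from os.stat() on the suspect files; the delta it returns is the number to compare with the local offset from GMT when an intruder has touched files the way this one did.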
So here we had someone who typically follows all the rules and they
were still hacked. Thanks to the monitoring in place, they were aware
as soon as the attack transpired. Luckily, the server was just about to
be replaced so the services were out of action for only a few hours.
All we had to do was grab a few data files, check them for signs of a
compromise, and move them to the new server. Most people are not this
fortunate.
About the author(s)
-------------------
Rick Johnson is currently the Manager of Security Services for
FusionStorm, a remote managed services company. When not writing, he
heads the development team for PMFirewall, an Ipchains Firewall and
Masquerading Configuration Utility for Linux. Rick can be contacted via
email at rick@pointman.org or on the web at http://www.pointman.org.
__________________________________________________________________________
ADDITIONAL RESOURCES
Stumbling blocks to security
Basic security is often sacrificed to maintain 100 percent uptime
http://www.unixinsider.com/jsw/linsec_nl/swol-03-2001/swol-0302-unixsecurity-dv.html
Study: Many still lax on securing DNS
Firm tested domain name systems for Websites after alerts were released
http://www.itworld.com/jump/linsec_nl/www.itworld.com/Sec/2202/ITW010302dns/
Suspicious server probes multiply
Experts warn that more sophisticated hacks of vulnerable networks are
coming
http://www.itworld.com/jump/linsec_nl/www.itworld.com/Sec/3832/CWSTO57830/
The sky is not falling
Panic over vulnerabilities may make security experts skeptical of real
emergencies
http://www.unixinsider.com/jsw/linsec_nl/swol-02-2001/swol-0216-unixsecurity-dv.html
Website Security
http://www.itworld.com/jitw/linsec_nl/CDA/Video/ITW_BestPrac_Website_Security/
__________________________________________________________________________