Re: Security Breach?

On Wed, 2005-02-03 at 19:05 -0600, Jess Anderson wrote:
> Alexander Dalloz:
> >Chris Strzelczyk:
> 
> >>I will start by looking at all those for recent security
> >>postings. Since the program in /tmp was owned by apache:apache
> >>I would imagine that the intruder used httpd to perform their
> >>exploit. That is where I'm at so far.
> 
> >See Dave's and Leonard's replies. Your system is owned! :( And
> >as it looks it is the worm / trojan known to come in by weak
> >phpBB installs. [...] 
> 
> Getting owned (alas, I know first-hand) is one of the worst
> feelings a computer person can have, I think. It has been
> 5.5 years (knocks wood) since it happened. But I remember how
> I felt, so my sympathies go out to Chris Strzelczyk.
> 
> It's painful and horribly inconvenient, but there really is no
> reasonable alternative to taking the box offline at once and
> doing a complete reinstall, reformatting all partitions.
> 
> (I'm not sure, but isn't it possible even then to have a worm or
>  virus left in the boot sector of the hard disk, one that
>  only a low-level format could remedy?)
> 
> As a result of my own experience with getting cracked, I
> decided to dedicate a separate machine to running a very tough
> firewall at the network access point of my building. Most
> fortunately, I don't need to offer any services to the outside
> world, hence am invisible to port scanners, which removes
> probably half or more of the vulnerabilities.
> 
> I don't worry much now (knocks wood again), but I still get
> nervous when I read accounts like the preceding.
> 
> Be careful out there, it's a bad, bad world and getting worse.
> 
...snip..
If your machines have access to external sites, they can be just 
as vulnerable. One of my customers had a Windows box that was 
infected with a trojan. The trojan allowed a hacker to break into 
their SCO accounting server. I discovered the problem when the 
customer complained that their connection was slow. After 
analyzing some network flows I discovered some strange traffic. 
After getting permission from the customer to investigate the 
source of the traffic, I started sniffing the traffic. To my 
amazement I saw what looked like names interspersed with binary 
data. I called the customer and asked if any of the names I 
captured meant anything to them; they were staff members. After going 
to the customer site I quickly found the machine that was 
compromised and after analyzing their internal traffic I discovered 
a connection to their accounting server that was not supposed to 
be accessed from that machine. After I unplugged that machine 
their bandwidth returned to normal. It would appear that the 
hacker used the trojan to gain control of that machine, then 
used that machine to find the unprotected SCO box inside the 
firewall and tunnelled the data from the SCO box back to a machine 
in Philadelphia; from there I have no idea what happened to the 
data. I gave the information I collected to the customer, and 
suggested they contact the Computer Crimes division of the RCMP 
if they wanted to take further action. Being a public company 
they did not follow up with the police, due to concerns that the 
information that was compromised could cause problems if people 
found out about it. There was a bunch of porn that had been deleted 
recently on the machine, and my guess was that someone sent 
an unsolicited email to the person on that machine with a link to 
a porn site with the trojan embedded in the site, once accessed 
the trojan was delivered and the rest is history. Although conjecture 
on my part, it is a likely guess since that company is also behind 
a firewall using NAT and has no ports that are forwarded.

I suggested a consultant for them to secure their site. They were 
extremely thankful that I went out of my way to assist them.
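The triage described in the message above (spot the odd flows, find the internal host that should never be talking to the accounting server, then tie it to a long outbound tunnel) can be scripted over flow records. The block below is an added example and is not code from the original post or the poster; it works on a small constructed set of NetFlow-style records and assumes a hypothetical LAN range, accounting-server address and allow-list of hosts permitted to reach that server.

```python
"""Flow-based triage of an internal pivot host.

Added example, not code from the original mailing-list post. All
addresses, the allow-list and the flow records are constructed for
illustration; adapt them to real exported flows (nfdump, Argus, etc.).

Two detections, then their intersection:
  1. an internal host reaching the accounting server while not on
     the list of hosts allowed to do so, and
  2. the same host holding a long, high-volume connection to an
     address outside the LAN, the tunnelling pattern in the post.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("192.168.10.0/24")       # assumed LAN
ACCOUNTING_SERVER = "192.168.10.5"                 # hypothetical SCO box
ALLOWED_ACCOUNTING_CLIENTS = {"192.168.10.20"}     # hypothetical policy


@dataclass(frozen=True)
class Flow:
    src: str        # source IP
    dst: str        # destination IP
    dport: int      # destination port
    bytes_out: int  # bytes sent src -> dst
    duration_s: int # flow duration in seconds


# Constructed sample flows (not captured data).
SAMPLE_FLOWS = [
    Flow("192.168.10.20", "192.168.10.5", 23, 12_000, 600),        # allowed admin host
    Flow("192.168.10.37", "192.168.10.5", 23, 45_000_000, 5400),   # workstation -> accounting
    Flow("192.168.10.37", "203.0.113.8", 443, 46_000_000, 5400),   # same workstation -> outside
    Flow("192.168.10.41", "198.51.100.10", 80, 300_000, 20),       # ordinary browsing
    Flow("192.168.10.41", "192.168.10.37", 445, 8_000, 5),         # internal chatter, ignored
]


def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL_NET


def unauthorized_accounting_clients(flows):
    """Internal sources that talked to the accounting server without being allowed to."""
    hits = {
        f.src
        for f in flows
        if f.dst == ACCOUNTING_SERVER
        and is_internal(f.src)
        and f.src not in ALLOWED_ACCOUNTING_CLIENTS
    }
    return sorted(hits)


def long_external_uploads(flows, min_bytes=10_000_000, min_duration_s=600):
    """Map internal src -> external dsts it pushed a lot of data to for a long time.

    Thresholds are assumptions; tune them to the link and the business."""
    out = defaultdict(set)
    for f in flows:
        if (
            is_internal(f.src)
            and not is_internal(f.dst)
            and f.bytes_out >= min_bytes
            and f.duration_s >= min_duration_s
        ):
            out[f.src].add(f.dst)
    return {src: sorted(dsts) for src, dsts in out.items()}


def find_pivot_hosts(flows):
    """Hosts that both reached the accounting server improperly and tunnelled data out."""
    uploads = long_external_uploads(flows)
    return [
        (host, uploads[host])
        for host in unauthorized_accounting_clients(flows)
        if host in uploads
    ]


if __name__ == "__main__":
    for host, destinations in find_pivot_hosts(SAMPLE_FLOWS):
        print(f"unplug {host}: unauthorized accounting access, exfil to {destinations}")
```

On the constructed flows this names 192.168.10.37 as the pivot and 203.0.113.8 as the remote end; the point of keeping the two detections separate is that either alone is noisy (admins do log in to the accounting box, and users do upload large files), while a host that trips both in the same window is worth pulling the cable on.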
