On Wed, 2005-02-03 at 19:05 -0600, Jess Anderson wrote:
> Alexander Dalloz:
> >Chris Strzelczyk:
> >
> >>I will start by looking at all those for recent security
> >>postings. Since the program in /tmp was owned by apache:apache
> >>I would imagine that the intruder used httpd to perform their
> >>exploit. That is where I'm at so far.
> >
> >See Dave's and Leonard's replies. Your system is owned! :( And
> >as it looks it is the worm / trojan known to come in by weak
> >phpBB installs. [...]
>
> Getting owned (alas, I know first-hand) is one of the worst
> feelings a computer person can have, I think. It has been
> 5.5 years (knocks wood) since it happened. But I remember how
> I felt, so my sympathies go out to Chris Strzelczyk.
>
> It's painful and horribly inconvenient, but there really is no
> reasonable alternative to taking the box offline at once and
> doing a complete reinstall, reformatting all partitions.
>
> (I'm not sure, but isn't it possible even then to have a worm or
> virus left in the boot sector of the hard disk, one that
> only a low-level format could remedy?)
>
> As a result of my own experience with getting cracked, I
> decided to dedicate a separate machine to running a very tough
> firewall at the network access point of my building. Most
> fortunately, I don't need to offer any services to the outside
> world, hence am invisible to port scanners, which removes
> probably half or more of the vulnerabilities.
>
> I don't worry much now (knocks wood again), but I still get
> nervous when I read accounts like the preceding.
>
> Be careful out there, it's a bad, bad world and getting worse.
> ...snip..

If your machines have access to external sites, they can be just as vulnerable. One of my customers had a Windows box that was infected with a trojan. The trojan allowed a hacker to break into their SCO accounting server. I discovered the problem when the customer complained that their connection was slow.
After analyzing some network flows I discovered some strange traffic. After getting permission from the customer to investigate the source of the traffic, I started sniffing the traffic. To my amazement I saw what looked like names interspersed with binary data. I called the customer and asked if any of the names I captured meant anything to them; they were staff members. After going to the customer site I quickly found the machine that was compromised, and after analyzing their internal traffic I discovered a connection to their accounting server that was not supposed to be accessed from that machine. After I unplugged that machine their bandwidth returned to normal.

It would appear that the hacker used the trojan to gain control of that machine, then used that machine to find the unprotected SCO box inside the firewall and tunnelled the data from the SCO box back to a machine in Philadelphia; from there I have no idea what happened to the data. I gave the information I collected to the customer, and suggested they contact the Computer Crimes division of the RCMP if they wanted to take further action. Being a public company, they did not follow up with the police, due to concerns that the information that was compromised could cause problems if people found out about it.

There was a bunch of porn that had been deleted recently on the machine, and my guess was that someone sent an unsolicited email to the person on that machine with a link to a porn site with the trojan embedded in the site; once accessed, the trojan was delivered and the rest is history. Although conjecture on my part, it is a likely guess since that company is also behind a firewall using NAT and has no ports that are forwarded. I suggested a consultant for them to secure their site. They were extremely thankful that I went out of my way to assist them.