Re: New RFID Mailing List Owner 0day

[nocfed <nocfed () gmail com>]

On 9/28/07, full-disclosure () hushmail com <full-disclosure () hushmail com> wrote:
> #!/bin/sh
> #
> # Secure v9.3.1b
> # This is to be used on a NEW install only!
> # This script will go through your box and lock the inside down.
> # Copyright audit () radiusnet net | munge () attrition org,
> (munge () radiusnet net)
> # Thanks to jericho from attrition for pointing out some issues
> with it.
> # This script was done thanks to A LOT of alcohol and sleepless
> nights thinking about
> # how things can be changed to make it faster and set the perms
> correctly.
> # This script was created for use on Slackware! "As if there's any
> better disto"
> # If can be used on other versions of Linux.
>
> # Ensure that you are uid 0 (root)
> set `id`
> if [ $1 != "uid=0(root)" ]; then
>         echo "You MUST be root to run this script!"
>         exit 5
> fi
>
> # Change the perms for /etc
> chmod 711 /etc
> echo "/etc Perms changed"
> sleep 3
>
> # Change the perms for /tmp and /var/tmp
> chmod 1733 /tmp
> chmod 1733 /var/tmp
> echo "All *tmp* Perms changed"
> sleep 3
>
> echo "Now we start the fun dir's. The following are the most
> important!!"
>
> # Start on the *bin* directories
> cd /bin
> chmod 510 * | chown root.users *
> chmod 500 umount mount telnet
> chmod 511 ls dircolors date false true uname login
> chmod 4510 ping
> chown root.staff ping
> chown root.root su
> chmod u+s su
> echo "/bin directory is complete"
> sleep 3
>
> # Now we start on the /usr/sbin directory
> cd /usr/sbin
> chmod 510 * | chown root.users *
> chmod u+s sendmail
> chmod 500 ttysnoop
> echo "/usr/sbin dir is complete"
> sleep 3
>
> # Start /usr/bin
> cd /usr/bin
> chmod 510 * | chown root.users *
> chmod u+s passwd
> chmod 4510 traceroute
> chown root.staff traceroute
> echo "/usr/bin dir is complete"
> sleep 3
>
> # Make changes in /etc
> cd /etc
> chmod 600 inetd.conf
> echo "Perms changed in /etc"
> sleep 3
>
> # Make a backup of the original syslog.conf and install a better
> logging one in it's place.
> cd /root
> mv /etc/syslog.conf /etc/syslog.bak
> cp /root/slack/syslog.conf /etc
> killall -HUP syslogd
> echo "syslog.conf updated"
> sleep 3
>
> # Tighten up the log file perms now
> cd /var/log
> chmod 600 syslog log.auth log.cron log.daemon log.kern log.mail
> log.mark log.syslog
> chmod 600 log.user messages ftp.log secure.log
> chown root.wheel syslog log.auth log.cron log.daemon log.kern
> log.mail log.mark log.syslog
> chown root.wheel log.user messages ftp.log secure.log
> echo "Log files secured"
> sleep 3
>
> # Check for SUID files
> cd /root
> echo "Now checking for SUID files"
> find / \( -perm -4000 -o -perm -2000 ! -type d \) -exec ls -ldb {}
> \; >> suid-results
> echo "Check in /root for a file called suid-results and you will
> have a list of what still"
> echo "has the SUID bit"
> sleep 3
>
> echo "#######################################################"
> echo "Congratulations, your box is now more secure!"
> echo "Be sure to add the users to the appropriate groups"
> echo "Make sure you go through and double check the perms!!"
> echo "This was made to make things quicker but you still should"
> echo "double check the perms!!"
> echo "MAKE SURE YOU ADD USERS THAT YOU WANT TO BE ABLE TO SU TO
> ROOT"
> echo "TO THE ROOT AND WHEEL GROUPS OR THEY WON'T BE ABLE TO!!!!!!."
> echo "Make sure ALL your users are listed in /etc/groups on the
> users line"
> echo "or they will be doing alot of bitching"
> echo "Once modified, reboot your system to enable all changes"
> echo "This is NOT a full blown security script, so don't expect"
> echo "your box to be 100% locked down after running it."
> echo "It was created to help speed things up!!"
> echo "#######################################################"


Woohoo!  You now have a non multi-user system!

Comparing a string for the UID?  Why?
Expecting TMPDIR to only be those two locations?  Why?
Breaking many programs by setting TMPDIR to not be listed by group and
other? Why?
Expecting ``users'' and ``staff'' groups?  Why?
Mixing symbolic and octal chmods?  Why?
Not using functions?  Why?
Expecting your binaries to be in a static location?  Why?
Sleeps?  Why?
5,000 echo's?  Why?
Piping chmod into chown?  Why?
Globbing entire directories?  Why?
Using -exec in find?  Why?

hints:
id -u
$TMPDIR
getent group $GROUPNAME
Use only octals
no hint needed.  just use them.
which || whereis - walk through list and read
don't use them
cat <<_EOF_
what?
find . -maxdepth 1 -type f
find / \( ... \) -ls

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/