Firewall Wizards mailing list archives
RE: Hacked
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Mon, 1 Mar 1999 00:08:27 -0600 (CST)
Run it even tighter then that, why rely on one single tool? Tcpd has been in most packages, slackware for sure, for ages. Set hosts.deny to deny all, and only let in those select machines you feel comfortable with, limit that to ssh and protocals you are 'sure' of. Now there are a few hoops to be conquered for unauthorized entry. Yes, this means you have to address changes in both ipfwadm and also the tcpd databases, buy avoiding a single point of failure via one application has to outweight the disadvantages here. And make sure as hell you dont let it stop there, tos in all the measures and countermeasures available till you get warm fuzzies... On Sun, 28 Feb 1999 jonathan () leto net wrote:
You didn't get hacked, you got script kiddied. Your running redhat right? The 2 most infamous redhat exploits are named and imap. There are scanners that search for just these 2 things, and they still find plenty. First of all, NEVER use any type of default. Its defeating the purpose of linux, customize it. Make it do what you want to do. If this is just a home box that you want to be able to get to, disable everything and install sshd. Telnet is not secure. Make sure you get a brand spanking new ftp daemon, a couple weeks ago a big exploit was found in many of them. Or just be really 3leet and pipe ftp though ssh. On 26-Feb-99 Steve wrote:Hacked this last weekend or sometime. What I'm running: Linux 2.0.35 with ipfwadm, all defaults, added masq for 192.168.1.0 to 0.0.0.0 to feed my home LAN to ppp through a little 56.6k dial up. How I found out: Tried to log in telnet from an inside machine, wouldn't allow me to log in under any user name I had configured - root, col or steve. Finally rebooted (Windows habit) and noticed that syslog couldn't write to any of the log files and still couldn't log in. Long story short: Got the machine back up with a new hard drive (install fresh on the hacked drive???!!! Hell no!!! It's evidence and possible clues as to who/what/when/how - the whole deal. So I mount the drive and find a message in my root directory: hehe.idiot.fix.your.imap.and.feel.glad.i.didnt.rm-rf.everything imap, huh? I knew I was running lots of services - it was a hacker's dream, most likely. But this was at home, and it was quite sloppy. But it did its purpose - my LAN *seems* okay - no evidence of any tampering, though it was quite possible - again, from sloppiness. Anyway, I have a real, honest-to-goodness hacked drive over here - something live to study and learn from. BTW - first thing I did was to check for messages, and, just as the messages on boot-up said, the log directory is gone. First thing this weekend - I will buy a computer for logging - do that transmission trick with the wiring - wire a cable only with the what - 1 and 2 wires, so it would be physically impossible for them to receive any feedback on the connection to try to delete those files on the other machine. (But I may wait until next week - it's First Saturday down here in Dallas). Besides that, I'll be keeping that hard drive off the network, except to look at it - I don't want anything to happen to it! I just may do a dd get a backup while I'm at it. I'm writing to share my experience, get some feedback and learn. I'd love to hear from anyone with ideas on what to look for on that drive, and anything else that comes to mind. Finally, am I ashamed to be writing this? No way!!! I love this! It's all just a game, and I love to play . . .--] jonathan () leto net [-- --] 28-Feb-99 14:39:45[--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ admin & senior consultant: darkstar.sysinfo.com http://darkstar.sysinfo.com "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart testing, only testing, and damn good at it too!
Current thread:
- RE: Hacked R. DuFresne (Mar 01)
- ZDNet Article: "Major Unix flaw emerges" David C Niemi (Mar 02)
- Re: ZDNet Article: "Major Unix flaw emerges" David LeBlanc (Mar 03)
- Re: ZDNet Article: "Major Unix flaw emerges" dbell (Mar 03)
- <Possible follow-ups>
- RE: Hacked dreamwvr (Mar 02)
- RE: Hacked Bluefish [@ home] (Mar 03)
- Re: Hacked Bennett Todd (Mar 04)
- ZDNet Article: "Major Unix flaw emerges" David C Niemi (Mar 02)