RE: Hacked

["R. DuFresne" <dufresne () sysinfo com>]

Run it even tighter then that, why rely on one single tool?  Tcpd has been
in most packages, slackware for sure, for ages.   Set hosts.deny to deny
all, and only let in those select machines you feel comfortable with,
limit that to ssh and protocals you are 'sure' of.  Now there are a few
hoops to be conquered for unauthorized entry.  Yes, this means you have to
address changes in both ipfwadm and also the tcpd databases, buy avoiding
a single point of failure via one application has to outweight the
disadvantages here.  And make sure as hell you dont let it stop there, tos
in all the measures and countermeasures available till you get warm
fuzzies...


On Sun, 28 Feb 1999 jonathan () leto net wrote:

> You didn't get hacked, you got script kiddied.
> Your running redhat right? The 2 most infamous redhat exploits are named and
> imap. There are scanners that search for just these 2 things, and they still
> find plenty. 
> First of all, NEVER use any type of default. Its defeating the purpose of
> linux, customize it. Make it do what you want to do. If this is just a home box
> that you want to be able to get to, disable everything and install sshd. Telnet
> is not secure. Make sure you get a brand spanking new ftp daemon, a couple
> weeks ago a big exploit was found in many of them. Or just be really 3leet and
> pipe ftp though ssh.
>
> On 26-Feb-99 Steve wrote:
> > Hacked this last weekend or sometime.
> >
> > What I'm running:
> >
> > Linux 2.0.35 with ipfwadm, all defaults, added masq for 192.168.1.0 to
> > 0.0.0.0 to feed my home LAN to ppp through a little 56.6k dial up.
> >
> > How I found out:
> >
> > Tried to log in telnet from an inside machine, wouldn't allow me to log in
> > under any user name I had configured - root, col or steve.  Finally rebooted
> > (Windows habit) and noticed that syslog couldn't write to any of the log
> > files and still couldn't log in.
> >
> > Long story short:
> >
> > Got the machine back up with a new hard drive (install fresh on the hacked
> > drive???!!!  Hell no!!!  It's evidence and possible clues as to
> > who/what/when/how - the whole deal.
> >
> > So I mount the drive and find a message in my root directory:
> >
> > hehe.idiot.fix.your.imap.and.feel.glad.i.didnt.rm-rf.everything
> >
> > imap, huh?  I knew I was running lots of services - it was a hacker's dream,
> > most likely.  But this was at home, and it was quite sloppy.  But it did its
> > purpose - my LAN *seems* okay - no evidence of any tampering, though it was
> > quite possible - again, from sloppiness.  Anyway, I have a real,
> > honest-to-goodness hacked drive over here - something live to study and
> > learn from.
> >
> > BTW - first thing I did was to check for messages, and, just as the messages
> > on boot-up said, the log directory is gone.  First thing this weekend - I
> > will buy a computer for logging - do that transmission trick with the
> > wiring - wire a cable only with the what - 1 and 2 wires, so it would be
> > physically impossible for them to receive any feedback on the connection to
> > try to delete those files on the other machine.  (But I may wait until next
> > week - it's First Saturday down here in Dallas).
> >
> > Besides that, I'll be keeping that hard drive off the network, except to
> > look at it - I don't want anything to happen to it!  I just may do a dd get
> > a backup while I'm at it.
> >
> > I'm writing to share my experience, get some feedback and learn.  I'd love
> > to hear from anyone with ideas on what to look for on that drive, and
> > anything else that comes to mind.
> >
> > Finally, am I ashamed to be writing this?  No way!!!  I love this!  It's all
> > just a game, and I love to play . . .
>
>
> --] jonathan () leto net [--
> --] 28-Feb-99 14:39:45[--

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior consultant:  darkstar.sysinfo.com
                  http://darkstar.sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!