Forum OpenACS Q&A: Security: Hacker sends Viruses

Posted by Bob OConnor on
Ok, we are not using SSL or secure access to our site, shame on you
Bob....

So now someone has been able to get into our Linux RH6.2 box and send
to our MajorDomo list.  This person has now sent two different virus
messages to our list.  I've disabled the list now so that I'm the
only subscriber...  Also, I changed our root password but that didn't
stop this person.  I'm also concerned that he/she could damage
our AOLserver/PG/ACS.

Any ideas for a quick stop of this person
and perhaps finding them?

We're planning to move to a new secure server very soon...

-Bob  :-(

Posted by Don Baccus on
Can you be more clear as to what you mean by "get into your box"?  Sounds like a bad line from an XFL broadcast...

Seriously, did they get shell access?

If not, and if you're not running Postmaster with -i and an externally visible IP, you should be OK regarding PG.

And if they didn't gain shell access AOLserver should be fine, too.

If they got shell access, they very likely got root access.  At least, you should presume they did.  Even if they didn't, the user account they logged in under might have access to PSQL and the database.  So in theory they might've gone in and played with database tables.

I rather doubt it, though.  One advantage of using relatively unknown AOLserver and PG (as compared to Apache and MySQL) is that your typical unskilled script kiddie won't know what they are or how to screw it up.

I'd be more worried about them having had root access and loaded a bunch of standard rootkit stuff with all sorts of goodies that let them take over your system whenever they want.

Posted by Ola Hansson on
I'm sorry to hear about your situation...

Disconnecting your network connection as soon as possible is what I would suggest if it's not already been done, but first issue a "netstat -a|less" and look for suspicious connections established.

You might also want to review the log files in /var/log.

Check /root/.bash-history as well...

If the abuser has gained root access really all you can do is blow out the entire RedHat installation and do a fresh install/restore. This time preferably behind some kind of firewall.

Good luck!
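The first step in the checklist above is reading netstat output for connections and listeners that should not be there. The following is an added example, not code from this thread: a small Python triage script that parses the text of a Linux `netstat -an` run, lists established connections, and flags listening ports that are not on an allow-list of services the box is expected to run. The netstat output and the allow-list are constructed for the example (RFC 5737 documentation addresses, hypothetical port 9999); on a real box you would feed it the actual output and your own list of expected services.

```python
"""Triage a saved `netstat -an` listing: which ports are open that should
not be, and which remote hosts currently have sessions on the machine.
Added example; sample data below is constructed."""

# Constructed netstat -an output. 192.0.2.0/24, 198.51.100.0/24 and
# 203.0.113.0/24 are documentation ranges, and 9999 is a hypothetical
# listener that nobody on the box remembers starting.
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:9999            0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           198.51.100.7:40122      ESTABLISHED
tcp        0      0 192.0.2.10:9999         203.0.113.9:1025        ESTABLISHED
udp        0      0 0.0.0.0:53              0.0.0.0:*
"""

# Services this (hypothetical) box is supposed to offer: ssh, smtp, http, dns.
EXPECTED_SERVICES = {("tcp", 22), ("tcp", 25), ("tcp", 80), ("udp", 53)}


def parse_netstat(text):
    """Turn netstat -an lines into dicts; header and non-socket lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp", "tcp6", "udp6"):
            continue
        local_host, _, local_port = fields[3].rpartition(":")
        foreign_host, _, foreign_port = fields[4].rpartition(":")
        rows.append({
            "proto": fields[0],
            "local_host": local_host,
            "local_port": local_port,
            "foreign_host": foreign_host,
            "foreign_port": foreign_port,
            # udp rows carry no State column
            "state": fields[5] if len(fields) > 5 else "",
        })
    return rows


def _is_listener(row):
    # tcp listeners say LISTEN; udp sockets bound with a wildcard peer are listeners
    return row["state"] == "LISTEN" or (
        row["proto"].startswith("udp") and row["foreign_port"] == "*")


def unexpected_listeners(rows, expected):
    """Sorted (proto, port) pairs that are listening but not on the allow-list."""
    found = {(r["proto"], int(r["local_port"])) for r in rows if _is_listener(r)}
    return sorted(found - set(expected))


def established_peers(rows):
    """(remote host, local port) for every live session, in netstat order."""
    return [(r["foreign_host"], int(r["local_port"]))
            for r in rows if r["state"] == "ESTABLISHED"]


def sessions_on_unexpected_ports(rows, expected):
    """Live sessions whose local port is not an expected service: the ones to
    look at first, since they show someone actually using the unknown listener."""
    return [(host, port) for host, port in established_peers(rows)
            if ("tcp", port) not in expected]


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_SAMPLE)
    print("unexpected listeners:", unexpected_listeners(rows, EXPECTED_SERVICES))
    print("established sessions:", established_peers(rows))
    print("sessions on unexpected ports:",
          sessions_on_unexpected_ports(rows, EXPECTED_SERVICES))
```

Run it against a file you saved from the compromised box before pulling the cable, and treat every entry in the last list as a lead for the log review in /var/log, since the remote address there is the one to look for in the login and web server logs.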

Posted by Bob OConnor on

Did they get shell access

Apparently so... they created a "moonx" mailbox which I deleted a few days ago along with changing the root password. Apparently they haven't messed with AOLserver or PG... er...yet.

I'm having "X" check things out here shortly....
Thank you.

-Bob

Posted by Michael A. Cleverly on
Once you've reinstalled RH make sure you turn off services you don't need, and then keep current with updates & patches on the services you do run.  RH has an up2date GUI tool that will check for updates & download them for you.  Roberto would tell you to switch to Debian and use their cool apt-get tool to stay current (right Roberto? :-).  If you stick with RH and need a non-gui tool, I've recently written a Tcl script that I can run out of cron to fetch security updates and then spam myself once they've been downloaded so I can know to install them (or at least check them out).  If you'd like a copy let me know.  (I need to get around to putting it up on my personal website one of these days...)
Posted by Ola Hansson on
Michael,

Can I have a copy too?

Posted by Bob OConnor on

We have a new box up and running... with RH 7.0 Guinness and I'd love to get that script... Also, is anyone familiar with the complete installation setup that would include:

  • Run multiple URLs on one IP...
  • Assumed: Multiple AOLServers and One PG 7.0.3
  • Which AOL server version is most stable (best) and should it use tcl7.6 or 8x...
  • Secure shell access and Secure browser access.
  • This new RH version has a cool WebMin access... can it be accessed securely?
  • I've been using OpenACS mostly 3.2.2 with much customization...Can I just Move it and the PG database to the new machine wholesale?
  • I'm asking for guru level help!

AND THANK YOU.

-Bob

Posted by MaineBob OConnor on

I discovered something on the latest submission to our list. I set up the list so that I'm the only one to get the messages.. This hack may not need shell or root access. It may be a majordomo hole... All the messages sent appear to come from "owner-..." So perhaps they hacked the list password... Anyway here is part of the header. Can I assume he/she is using a compaq and connected using 162.39.57.35 I did a lookup: Central Telephone Co. in Little Rock AR USA. Am I on the right track?
-Bob

Delivered-To: rocon-rocnet:com-zzztgn@rocnet.com
From: owner-thebulletin@greatestnetworker.com
Received: from compaq ([162.39.57.35])
by www.greatestnetworker.com (8.9.3/8.9.3) with SMTP id RAA00783
for <thebulletin@greatestnetworker.com>; Tue, 6 Feb 2001 17:08:03 -0500

Date: Tue, 6 Feb 2001 17:08:03 -0500
Message-Id: <200102062208.RAA00783@www.greatestnetworker.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VEXAFWTYJCTE7WTAB"
Subject: [The Bulletin:07] Message for thebulletin
Sender: owner-thebulletin@greatestnetworker.com
Precedence: bulk
Reply-To: owner-thebulletin@greatestnetworker.com
X-UIDL: 3Y`!!'<w"!=(4"!^BY"!

----VEXAFWTYJCTE7WTAB
Content-Type: application/octet-stream; name="BCKFPEBC.EXE"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="BCKFPEBC.EXE"
...
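Two parts of the header above carry the useful evidence: the Received line, whose bracketed address is recorded by the receiving MTA (the "compaq" in front of it is just the name the connecting client announced in HELO, so it cannot be trusted), and the MIME part that declares an .EXE attachment. The script below is an added example, not anything from this thread or from majordomo: it uses Python's standard email parser to unfold the headers, walk the Received chain oldest-hop-first, pull out the peer address the server logged, and list attachments with executable extensions. The sample message is constructed from the header quoted above, with the Received continuation lines re-folded and a placeholder base64 body standing in for the elided attachment.

```python
"""Pull the originating peer address and any executable attachments out of a
raw message. Added example; the sample is constructed from the header quoted
in the post above."""
import email
import os
import re

# Constructed sample. The two continuation lines of Received: are indented
# again, as RFC 822 folding requires (the copy in the post lost that).
SAMPLE_MESSAGE = """\
Delivered-To: rocon-rocnet:com-zzztgn@rocnet.com
From: owner-thebulletin@greatestnetworker.com
Received: from compaq ([162.39.57.35])
\tby www.greatestnetworker.com (8.9.3/8.9.3) with SMTP id RAA00783
\tfor <thebulletin@greatestnetworker.com>; Tue, 6 Feb 2001 17:08:03 -0500
Date: Tue, 6 Feb 2001 17:08:03 -0500
Message-Id: <200102062208.RAA00783@www.greatestnetworker.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VEXAFWTYJCTE7WTAB"
Subject: [The Bulletin:07] Message for thebulletin
Sender: owner-thebulletin@greatestnetworker.com
Precedence: bulk
Reply-To: owner-thebulletin@greatestnetworker.com

----VEXAFWTYJCTE7WTAB
Content-Type: application/octet-stream; name="BCKFPEBC.EXE"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="BCKFPEBC.EXE"

Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=
----VEXAFWTYJCTE7WTAB--
"""

# "from <helo> (<what the server saw>) ... by <server>"
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>\S+)",
    re.DOTALL)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Extensions a list server has no business relaying as attachments.
RISKY_EXTENSIONS = {".exe", ".com", ".bat", ".scr", ".pif", ".vbs"}


def received_hops(raw):
    """Received hops oldest-first. 'helo' is the name the client claimed and
    is untrusted; 'peer_ip' is what the receiving server itself observed."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if not m:
            continue  # non-standard Received line; skip rather than guess
        ip = IP_RE.search(m.group("paren") or "")
        hops.append({"helo": m.group("helo"),
                     "peer_ip": ip.group(1) if ip else None,
                     "by": m.group("by")})
    # headers are prepended by each server, so the last one is the first hop
    return list(reversed(hops))


def origin_ip(raw):
    """Peer address of the earliest hop, or None if no hop recorded one."""
    hops = received_hops(raw)
    return hops[0]["peer_ip"] if hops else None


def executable_attachments(raw):
    """File names of attachment parts whose extension is on the risky list."""
    found = []
    for part in email.message_from_string(raw).walk():
        if part.get_content_disposition() != "attachment":
            continue
        name = part.get_filename() or ""
        if os.path.splitext(name.lower())[1] in RISKY_EXTENSIONS:
            found.append(name)
    return found


if __name__ == "__main__":
    print("hops:", received_hops(SAMPLE_MESSAGE))
    print("origin:", origin_ip(SAMPLE_MESSAGE))
    print("executables:", executable_attachments(SAMPLE_MESSAGE))
```

Only the hop added by a server you control is reliable; anything below it in the chain could have been written by the sender. For a list server that means the address in the Received line your own MTA stamped is the one to correlate with the mail log and, if the list is password-protected, with the timestamps of approved postings.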

Posted by Don Baccus on
The script file for downloading security patches would be cool for many of us running RH webservers to have.  Maybe it could be included in our documentation, much like my backup Tcl script is?
Posted by S. Y. on

Concerning Red Hat: you can probably sign up on the appropriate mail lists at https://listman.redhat.com/mailman/listinfo/ (Redhat-announce-list or Redhat-watch-list) for security bulletins and update RedHat RPMs.

Some MTAs are vulnerable to certain hacks:

  • Execute arbitrary command: RCPT TO: |testing
  • Execute arbitrary command: MAIL FROM: |testing
  • Overwrite files: RCPT TO: /tmp/mail_test
  • Allow remote users to send mail anonymously by sending HELO commands longer than 1024 characters
  • Redirection: mail addressed to user@hostname1@victim will send to user@hostname1
  • The other classic MTA configuration snafu is to allow mail relaying.

I'm certainly no security expert, but one might start off by

  • Installing OpenSSH
  • Disabling inetd (rsh, rlogin, telnet, ftp, etc.) ASAP - shut it down and never let it start up again. Period.
  • Running the Nessus security scan on your system to find out the egregious security holes
  • Optional but highly recommended: replace your MTA with qmail
  • Webmin is not secure straight out of the box. There are notes on their website about using it with SSL. Of course, the secure Webmin point is moot if you have other security holes that let people have root access.

The best advice is having whoever is setting up your new secure server run a security sweep on the compromised box. Good luck.

Posted by Sam Snow on
I always use http://spamcop.net/ to parse the headers of my spam and figure out where they came from. It works really well and is free...

Sorry about your server :(

Posted by Tim Butterfield on
Re the script file to download security patches, is it just the security patches that are checked?  I normally run AutoRPM (a perl script that uses perl-libnet) to alert me of updates.  It compares the currently installed RPMs against those on an FTP site and sends an email when it finds new versions.  The home page (www.kaybee.org) seems to be down at the moment, but I can send a copy of autorpm-1.9.8.4-2.noarch.rpm to anyone that needs it.
Posted by Chris Hardy on
Yes Michael,  I think many of us would like to see the script! Do we want to set up a "contrib" area in the sdm?  Where code snippets can go such as this? (and the vacuumdb script in the FAQ?)
Posted by Michael A. Cleverly on
Looks like a <pre> tag was left open above. I'll attempt to close it... The script I wrote is configurable as to what ftp server and what directory to check. It defaults to checking updates.redhat.com /version-num/i386 (so, for a 6.2 box, it would check /6.2/i386), which contains both security and enhancements.

I wrote it as an afternoon project. I was unaware of the perl package referenced above (until reading this thread again today). My script is pure Tcl, so it should be easily customized by folks here. It uses the Tcl Standard Library ver 0.8 (available at dev.scriptics.com), which I believe requires Tcl 8.2 or greater(?). (I use Tcl 8.3.2 since that's what AOLserver 3.x has internally.)

I've thrown the script up at http://michael.cleverly.com/aolserver/emdia. The name, EmDia is a Portuguese idiom for "current" or "up-to-date". Running emdia -? will give you a list of all the command line options & their default values.

Posted by Michael A. Cleverly on
I "prettied up" my script last night before posting, and in doing so introduced a bug (it barfed attempting to compare some types of RPM file names) and failed to thoroughly test it. In any case, if anyone downloaded it in the past ten hours, my apologies.  Please feel free to come back and grab a fixed version.
Posted by David Kuczek on
Hello Michael,

Could you quickly write down some steps for beginners how you get emdia working?

I didn't find anything on your webpage...

Posted by Michael A. Cleverly on
Grab the latest version from my website. (The only meaningful changes of late are the default hardcoded directories to look in on updates.redhat.com, since RH recently reorganized the directory structure on their ftp site.)

You'll also need the Tcl Standard Library. The latest, as of this writing, is version 0.8 and can be found at dev.scriptics.com (which is in the process of moving to tcl.activestate.com). The Tcl standard library requires Tcl 8.2 or higher. If you only have Tcl 8.0 you'll need to upgrade. (Source, binaries, and RPMs of Tcl 8.3.3 are available from ActiveState.)

Then, it's basically just a matter of making it executable and running it. emdia -? will give you a list of available command line options, as well as their defaults. I run emdia nightly in my crontab with the following options:

emdia -email michael@cleverly.com -mailhost 10.1.2.2 -ftp-subdir /6.2/en/os/i386 -target /var/emdia -notify-on-abort
I explicitly set the ftp-subdir, because I'm running RH 6.1, but all the 6.x security & bug fix updates end up in the 6.2 subdirectories on RH's site.

If you have any questions/problems, let me know.
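The core of any updates-directory checker like emdia or AutoRPM is the step the earlier post mentions as the source of a bug: taking the file names from the ftp listing apart into name, version, release and architecture, and deciding which ones are newer than what is installed. Below is an added example of that step in Python (emdia itself is Tcl; this is not Michael's code or AutoRPM's). It implements the segment-wise version comparison rpm uses, where numeric segments compare by value, alphabetic segments lexically, and a numeric segment outranks an alphabetic one, and it deliberately skips file names it cannot parse instead of aborting the whole run. The package names in the sample lists are constructed.

```python
"""Decide which files in an updates directory listing are newer than the
installed RPMs. Added example; sample file names are constructed."""

# Constructed sample: what `ls /var/lib/rpm`-derived names might look like on
# the box, and what an ftp directory listing might return.
INSTALLED = [
    "openssh-2.3.0p1-4.i386.rpm",
    "perl-libnet-1.0703-6.noarch.rpm",
    "tcl-8.0.5-30.i386.rpm",
]
AVAILABLE = [
    "openssh-2.3.0p1-5.i386.rpm",       # release bumped: update
    "perl-libnet-1.0703-6.noarch.rpm",  # identical: nothing to do
    "tcl-8.3.3-1.i386.rpm",             # version bumped: update
    "README",                           # not an rpm: skipped, not fatal
    "notes-1.rpm",                      # no architecture: skipped, not fatal
]


def _take(s, pos, pred):
    """Consume the run of characters at s[pos:] satisfying pred."""
    start = pos
    while pos < len(s) and pred(s[pos]):
        pos += 1
    return s[start:pos], pos


def rpmvercmp(a, b):
    """rpm-style comparison of two version or release strings: -1, 0 or 1."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # anything that is not alphanumeric only separates segments
        while i < len(a) and not a[i].isalnum():
            i += 1
        while j < len(b) and not b[j].isalnum():
            j += 1
        if i >= len(a) or j >= len(b):
            break
        if a[i].isdigit():
            seg_a, i = _take(a, i, str.isdigit)
            seg_b, j = _take(b, j, str.isdigit)
            if not seg_b:
                return 1            # numeric segment beats alphabetic one
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):   # longer digit string is larger
                return 1 if len(seg_a) > len(seg_b) else -1
        else:
            seg_a, i = _take(a, i, str.isalpha)
            seg_b, j = _take(b, j, str.isalpha)
            if not seg_b:
                return -1           # alphabetic loses to numeric
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # whichever has characters left is newer


def parse_rpm_filename(fname):
    """Split 'name-version-release.arch.rpm'; ValueError for anything else."""
    if not fname.endswith(".rpm"):
        raise ValueError("not an rpm file name: " + fname)
    stem, _, arch = fname[:-4].rpartition(".")
    if not stem or not arch:
        raise ValueError("no architecture in " + fname)
    parts = stem.rsplit("-", 2)   # package names may themselves contain '-'
    if len(parts) != 3 or not all(parts):
        raise ValueError("cannot split name-version-release in " + fname)
    name, version, release = parts
    return name, version, release, arch


def compare_vr(x, y):
    """Compare (version, release) tuples: version first, release breaks ties."""
    c = rpmvercmp(x[0], y[0])
    return c if c else rpmvercmp(x[1], y[1])


def newer_updates(installed, available):
    """Return (updates, skipped): remote names newer than the installed
    package of the same name and arch, and names that could not be parsed."""
    have = {}
    for fname in installed:
        name, ver, rel, arch = parse_rpm_filename(fname)
        have[(name, arch)] = (ver, rel)
    updates, skipped = [], []
    for fname in available:
        try:
            name, ver, rel, arch = parse_rpm_filename(fname)
        except ValueError:
            skipped.append(fname)
            continue
        current = have.get((name, arch))
        if current is not None and compare_vr((ver, rel), current) > 0:
            updates.append(fname)
    return updates, skipped


if __name__ == "__main__":
    updates, skipped = newer_updates(INSTALLED, AVAILABLE)
    print("fetch:", updates)
    print("skipped:", skipped)
```

Feeding it the real installed set means running `rpm -qa --queryformat` on the box and the remote set means an ftp NLST of the updates directory; both are outside this snippet. The skipped list is worth mailing yourself along with the updates, since an unparseable name is usually a new layout on the mirror rather than a bad file.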