Forum OpenACS Q&A: Security: Hacker sends Viruses
So now someone has been able to get into our Linux RH6.2 box and send
to our MajorDomo list. This person has now sent two different virus
messages to our list. I've disabled the list now so that I'm the
only subscriber... Also, I changed our root password but that didn't
stop this person. I'm also concerned that he/she could damage
Any ideas for quick stop of this person
and perhaps finding them?
We're planning to move to a new secure server very soon...
Seriously, did they get shell access?
If not, and if you're not running Postmaster with -i and an externally visible IP, you should be OK regarding PG.
And if they didn't gain shell access AOLserver should be fine, too.
If they got shell access, they very likely got root access. At least, you should presume they did. Even if they didn't, the user account they logged in under might have access to PSQL and the database. So in theory they might've gone in and played with database tables.
I rather doubt it, though. One advantage of using relatively unknown AOLserver and PG (as compared to Apache and MySQL) is that your typical unskilled script kiddie won't know what they are or how to screw it up.
I'd be more worried about them having had root access and loaded a bunch of standard rootkit stuff with all sorts of goodies that let them take over your system whenever they want.
Disconnecting your network connection as soon as possible is what I would suggest if it's not already been done, but first issue a "netstat -a|less" and look for suspicious connections established.
You might also want to review the log files in /var/log.
Check /root/.bash-history as well...
If the abuser has gained root access really all you can do is blow out the entire RedHat installation and do a fresh install/restore. This time preferably behind some kind of firewall.
Did they get shell access?
Apparently so... they created a "moonx" mailbox which I deleted a few days ago along with changing the root password. Apparently they haven't messed with AOLserver or PG... er...yet.
I'm having "X" check things out here shortly....
Can I have a copy too?
We have a new box up and running... with RH 7.0 Guinness and I'd love to get that script... Also, is anyone familiar with the complete installation setup that would include:
- Run multiple URLs on one IP...
- Assumed: Multiple AOLServers and One PG 7.0.3
- Which AOL server version is most stable (best) and should it use tcl7.6 or 8x...
- Secure shell access and Secure browser access.
- This new RH version has a cool WebMin access... can it be accessed securely?
- I've been using OpenACS, mostly 3.2.2, with much customization... Can I just move it and the PG database to the new machine wholesale?
I'm asking for guru level help!
I discovered something on the latest submission
to our list. I set up the list so that I'm the only
one to get the messages.. This hack may not
need shell or root access. It may be a majordomo
hole... All the messages sent appear to come from
"owner-..." So perhaps they hacked the list password...
Anyway, here is part of the header.
Can I assume he/she is using a Compaq and connected
using 184.108.40.206? I did a lookup:
Central Telephone Co. in Little Rock AR USA.
Am I on the right track?
Delivered-To: rocon-rocnet:firstname.lastname@example.org
From: email@example.com
Received: from compaq ([220.127.116.11]) by www.greatestnetworker.com (8.9.3/8.9.3) with SMTP id RAA00783 for <firstname.lastname@example.org>; Tue, 6 Feb 2001 17:08:03 -0500
Date: Tue, 6 Feb 2001 17:08:03 -0500
Message-Id: <200102062208.RAA00783@www.greatestnetworker.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VEXAFWTYJCTE7WTAB"
Subject: [The Bulletin:07] Message for thebulletin
Sender: email@example.com
Precedence: bulk
Reply-To: firstname.lastname@example.org
X-UIDL: 3Y`!!'<w"!=(4"!^BY"!

----VEXAFWTYJCTE7WTAB
Content-Type: application/octet-stream; name="BCKFPEBC.EXE"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="BCKFPEBC.EXE"
...
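On reading a header like the one above: in a Received line the name after "from" is whatever the client sent in HELO, while the bracketed address is the peer recorded by the server that wrote the line. The following is an added example, not code from any poster in this thread; the function names are made up for illustration and the header text is copied from the post as it appears on this page.

```python
import re
from email import message_from_string

# Header lines copied from the post above, one header per line.
RAW = (
    "From: email@example.com\n"
    "Received: from compaq ([220.127.116.11]) by www.greatestnetworker.com"
    " (8.9.3/8.9.3) with SMTP id RAA00783 for <firstname.lastname@example.org>;"
    " Tue, 6 Feb 2001 17:08:03 -0500\n"
    "Sender: email@example.com\n"
    "\n"
)

# Matches "from HELO (rdns [ip]) by server" and "from HELO ([ip]) by server".
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?"
    r"\[(?P<ip>[0-9A-Fa-f.:]+)\]\)\s+by\s+(?P<by>\S+)"
)

def received_hops(raw, our_servers):
    """Parse Received headers, newest first, marking the ones our own MTA wrote."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))  # undo header folding
        if m:
            hop = m.groupdict()  # rdns is None when no reverse name was logged
            hop["ours"] = hop["by"].lower() in our_servers
            hops.append(hop)
    return hops

def connecting_peer(hops):
    """Newest hop written by a server we run: its 'ip' is what our MTA saw."""
    return next((h for h in hops if h["ours"]), None)

if __name__ == "__main__":
    peer = connecting_peer(received_hops(RAW, {"www.greatestnetworker.com"}))
    print("peer address logged by our MTA:", peer["ip"])
    print("HELO name (client-supplied, unverified):", peer["helo"])
    print("reverse DNS name logged:", peer["rdns"])
```

Received lines below the newest one written by your own server come from upstream systems or from the sender and carry no such guarantee.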
Concerning Red Hat: you can probably sign up on the appropriate mail lists at https://listman.redhat.com/mailman/listinfo/ (Redhat-announce-list or Redhat-watch-list) for security bulletins and update RedHat RPMs.
Some MTAs are vulnerable to certain hacks:
- Execute arbitrary command: RCPT TO: |testing
- Execute arbitrary command: MAIL FROM: |testing
- Overwrite files: RCPT TO: /tmp/mail_test
- Allow remote users to send mail anonymously by sending HELO commands longer than 1024 characters
- Redirection: mail addressed to user@hostname1@victim will send to user@hostname1
The other classic MTA configuration snafu is to allow mail relaying.
I'm certainly no security expert, but one might start off by:
- Installing OpenSSH
- Disabling inetd (rsh, rlogin, telnet, ftp, etc.) ASAP - shut it down and never let it start up again. Period.
- Running the Nessus security scan on your system to find out the egregious security holes
- Optional but highly recommended: replace your MTA with qmail
Webmin is not secure straight out of the box. There are notes on their website about using it with SSL. Of course, the secure Webmin point is moot if you have other security holes that let people have root access.
The best advice is having whoever is setting up your new secure server run a security sweep on the compromised box. Good luck.
Sorry about your server :(
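The SMTP command patterns listed earlier in this thread (a pipe or file path used as an address, a HELO argument longer than 1024 characters, an address with more than one @) can be checked for mechanically in a captured session. This is an added example, not code from any poster; it assumes a transcript with one client command per line, the names are hypothetical and the sample session is constructed.

```python
import re

HELO_LIMIT = 1024  # length threshold named in the thread

CMD_RE = re.compile(r"^(HELO|EHLO|MAIL FROM|RCPT TO)\s*:?\s*(.*)$", re.I)

def classify(line):
    """Return the reasons (possibly none) an SMTP command line looks suspicious."""
    m = CMD_RE.match(line.strip())
    if not m:
        return []
    verb, arg = m.group(1).upper(), m.group(2).strip()
    if verb in ("HELO", "EHLO"):
        return ["oversized-helo"] if len(arg) > HELO_LIMIT else []
    # Keep only the address; drop any ESMTP parameters and angle brackets.
    addr = arg.split()[0].strip("<>") if arg else ""
    reasons = []
    if addr.startswith("|"):
        reasons.append("pipe-address")       # address would be run as a command
    elif addr.startswith("/"):
        reasons.append("file-address")       # address would be written as a file
    if addr.count("@") > 1:
        reasons.append("multi-at-routing")   # user@host1@host2 style redirection
    return reasons

def scan(lines):
    """Map 1-based line numbers to findings, skipping clean lines."""
    found = {}
    for number, line in enumerate(lines, start=1):
        reasons = classify(line)
        if reasons:
            found[number] = reasons
    return found

# Constructed sample session (not taken from any real log).
SAMPLE = [
    "HELO mail.example.net",
    "MAIL FROM:<alice@example.net>",
    "RCPT TO:<list@example.org>",
    "MAIL FROM: |testing",
    "RCPT TO: /tmp/mail_test",
    "RCPT TO:<user@hostname1@victim>",
    "HELO " + "A" * 1100,
    "MAIL FROM:<>",
]

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE).items():
        print(number, ", ".join(reasons))
```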
I wrote it as an afternoon project. I was unaware of the perl package referenced above (until reading this thread again today). My script is pure Tcl, so it should be easily customized by folks here. It uses the Tcl Standard Library ver 0.8 (available at dev.scriptics.com), which I believe requires Tcl 8.2 or greater(?). (I use Tcl 8.3.2 since that's what AOLserver 3.x has internally.)
I've thrown the script up at http://michael.cleverly.com/aolserver/emdia. The name, EmDia, is a Portuguese idiom for "current" or "up-to-date". Running emdia -? will give you a list of all the command line options & their default values.
Could you quickly write down some steps for beginners how you get emdia working?
I didn't find anything on your webpage...
You'll also need the Tcl Standard Library. The latest, as of this writing, is version 0.8 and can be found at dev.scriptics.com (which is in the process of moving to tcl.activestate.com). The Tcl standard library requires Tcl 8.2 or higher. If you only have Tcl 8.0 you'll need to upgrade. (Source, binaries, and RPMs of Tcl 8.3.3 are available from ActiveState.)
Then, it's basically just a matter of making it executable and running it. emdia -? will give you a list of available command line options, as well as their defaults. I run emdia nightly in my crontab with the following options:
emdia -email email@example.com -mailhost 10.1.2.2 -ftp-subdir /6.2/en/os/i386 -target /var/emdia -notify-on-abort
I explicitly set the ftp-subdir, because I'm running RH 6.1, but all the 6.x security & bug fix updates end up in the 6.2 subdirectories on RH's site.
If you have any questions/problems, let me know.