Koozali.org: home of the SME Server

Hacked SME5.6

Bob Todd

Hacked SME5.6
« on: February 26, 2003, 12:58:40 PM »
Been running SME 5.6 developer edition for a couple of weeks now as a test web server. Tried logging in this morning and the admin/root user password isn't working. I assume, as I am the only user with the info/access on the server, that someone has hacked into it and changed the password. There are no other user accounts on the system.

No problem, says I: simply reboot and use the Ctrl-X method to boot into single-user mode, modify the password again and re-examine our firewall setup. Except 5.6 doesn't seem to support the single-user mode that previous versions of SME offered, or I am too daft to find it. Oh, and before anyone suggests using the boot floppy: I didn't create one (waits for deserved abuse). Any other ideas of how to regain control?

Lloyd Keen

Re: Hacked SME5.6
« Reply #1 on: February 26, 2003, 02:37:57 PM »
Take your caps lock off :-)) (Sorry I had to slip that one in)

Bob Todd

Re: Hacked SME5.6
« Reply #2 on: February 26, 2003, 02:46:46 PM »
/me slaps Lloyd around with a wet fish for being so damned cheeky

:-)

Stefan Braunstein

Re: Hacked SME5.6
« Reply #3 on: February 26, 2003, 08:52:39 PM »
Hi!

Bob Todd wrote:

> Been running SME 5.6 developer edition for a couple of weeks
> now as a test web server. Tried logging in this morning and
> the admin/root user password isnt working - I assume as I am
> only user with the info/access on the server that someone has
> hacked into it and changed the password.

Ditto here this morning. I'm sure the password was correct (especially since I saved the password in WinSCP2 and used this program many times to copy files to the SME server).

In my case it was only the test server, which was intended to test all the contribs I found and finally replace my working SME 5.12 server (after a fresh install).

So I tried to hack myself in (with a CD boot from Knoppix) and changed the /etc/shadow file. This broke everything and I decided to reinstall this test server. No matter here, but ...

It is strange, since I use a Netgear ADSL router as firewall and the SME server cannot be accessed from outside.

Stefan

Adam Thompson

Re: Hacked SME5.6
« Reply #4 on: February 26, 2003, 09:48:36 PM »
I have the same problem here. Only on two of my servers does the admin login consistently decide to go on strike at random intervals. I will try again in half an hour and it will probably work. Every other server I have set up has been perfect. But these two...

Ray Mitchell

Re: Hacked SME5.6
« Reply #5 on: February 27, 2003, 02:45:08 AM »
I don't know if this is a bug, but have any of you reported it and the details, to
bugs@e-smith.com

"bug reporting
what to do if you find a bug
If you find a problem with our software and think it may be a bug, please send an email to bugs@e-smith.com giving us as much detail as possible."

Regards
Ray Mitchell

Steven Stovall

Re: Hacked SME5.6
« Reply #6 on: February 27, 2003, 05:01:10 AM »
You should refrain from posting that your server was "hacked" when you are, in fact, unsure of what the problem is. These threads are archived. Posts like this give SME a bad name! Oftentimes a user without sufficient knowledge has installed a program which corrupted SME/e-smith's customized file system hierarchy, or has entered the wrong password when changing/setting the admin/root password.

Users are quick to say they were "hacked" just because something doesn't appear the way that they think it should.

Therefore, I seriously doubt the system was hacked.  Even if it was, it is very unlikely that it was because of SME/e-smith default setup but because of an installed application which had a security hole.

Next time, please do more research!  I don't mean to sound harsh, but it is irritating when inexperienced users jump to conclusions without sufficient knowledge.  I apologize if you are an experienced user and this was an authentic post!

Steven

Jim Danvers

Re: Hacked SME5.6
« Reply #7 on: February 27, 2003, 05:35:44 AM »
Thanks Steven....

I (and I'll admit it too) AM a fairly new user of e-smith, and relatively new to Linux as well (been using it fairly regularly for about a year now, +/- a month or two), but I am HARDLY as competent with it (Linux) as I am with Windows OSes. I've been running a 5.6 server for about a month or two now, I have all of my mail on it, and use the IMAP and webmail extensively. It fills the bill just great for my needs, as I have been wanting to find a solution where I could centralize my mail and yet be able to get to it from anywhere (I travel a lot). I've been following this thread since the original post and have been just 'listening'...

I've been following the many posts on backup and recovery also; frankly that subject has me somewhat more concerned.... I'm in the process of setting up a Windows machine right now that I'm hoping to use as a testbed for the various backup methods. SME seems like a perfect solution for a SOHO, but with the sheer size and quantity of today's files and data that people save, the backup seems a little kludgy.... ;( I'm just gonna keep reading/listening/learning... and eventually do some testing of my own so that I can get a feel for it.

Anyway, hopefully this thread will die gracefully and any further discussion/news of this will come from official 'SME' folks with news on some patch and (hopefully) a relatively painless installation readme. ;)

-=- jd -=-

Bob Todd

Re: Hacked SME5.6
« Reply #8 on: February 27, 2003, 03:59:50 PM »
In reply to Steven Stovall's post: the server in question is a standard install, off-the-shelf copy of 5.6 developer edition with no other applications installed. It has in no way been tampered with since installation, apart from uploading the website to the primary website folder. The installation routine was documented step by step and the password written down for retrieval in the event I get run over by the proverbial bus (securely stored in a safe in the "locked" ICT office, I hasten to add).

In the end I decided just to re-install the server from scratch, but this time I'll leave it off the net till I get a look at the gnatbox firewall setup and make sure I haven't left any open doors :-)


Thanks anyway everyone. I'd still like to know if it's possible to boot into single-user mode with 5.6, if anyone knows.

Tim Jabaut

Re: Hacked SME5.6
« Reply #9 on: February 27, 2003, 06:27:08 PM »
I too have this same problem. It is happening on a production 5.0 box. I migrated all files in the ibays to another server, and copied all my email messages to another temp server. I then downed the box and went on vacation...

When I got back, I decided to troubleshoot this box. I ran chkrootkit and it reported no errors. It also apparently seems to have resolved itself, as I am able to login without incident.

The problems that I was experiencing were as follows:

Running in gateway/server mode I was still able to get out to the internet (named was working)
I was still able to get into eMail and webmail
I was still able to view my web page

I could not SSH into the box anymore, nor could I directly log in at the console.
It did not matter what username/password combination I chose, I would simply get:

username: root
password: *****

login incorrect

It would then clear the screen and present me with another login prompt.

I thought this was a little strange, as it normally appends the screen with multiple failed attempts but does not clear the screen.

Any ideas would be greatly appreciated, as I no longer trust this box; I feel it may have been compromised.

Ray Mitchell

Re: Hacked SME5.6
« Reply #10 on: February 28, 2003, 02:25:57 AM »
Hey guys,
This is potentially a very serious problem, if it is in fact a bug which allows a hack to occur. I have never experienced it, but anything is possible.

PLEASE do yourselves and all of us a big favour and report it to bugs@e-smith.com, and include details and some log files.

I'm sure they will consider something this potentially serious and investigate whether it is truly a bug, or possible operator error, or something else.

Regards
Ray Mitchell
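Ray's request above is for details and log files. As an added example, not from any poster in this thread and not SME Server's own tooling, the POSIX shell script below does the first triage a practitioner would want before calling a box "hacked": it reads a syslog-style /var/log/secure excerpt, tallies failed authentications per account and source, and then flags any accepted login that came from a host which had also produced failures. The log lines are constructed for this example; they follow the message formats written by pam/login ("FAILED LOGIN n FROM ... FOR user") and OpenSSH ("Failed password for [invalid user] USER from HOST port ..."), and the hostname and addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): triage "login incorrect" reports from
# a /var/log/secure excerpt before concluding the box was hacked.
# The log lines below are constructed for this example.

SAMPLE_LOG="${TMPDIR:-/tmp}/secure.sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Feb 26 07:12:01 sme login[1422]: FAILED LOGIN 1 FROM (null) FOR root, Authentication failure
Feb 26 07:12:09 sme login[1422]: FAILED LOGIN 2 FROM (null) FOR root, Authentication failure
Feb 26 07:13:44 sme sshd[1510]: Failed password for root from 192.0.2.10 port 4444 ssh2
Feb 26 07:13:47 sme sshd[1510]: Failed password for root from 192.0.2.10 port 4444 ssh2
Feb 26 07:13:51 sme sshd[1512]: Failed password for admin from 192.0.2.10 port 4446 ssh2
Feb 26 07:15:02 sme sshd[1519]: Failed password for invalid user oracle from 198.51.100.7 port 2201 ssh2
Feb 26 07:20:03 sme sshd[1530]: Accepted password for root from 192.0.2.10 port 4450 ssh2
Feb 26 08:01:15 sme login[1600]: FAILED LOGIN 1 FROM (null) FOR admin, Authentication failure
EOF

# Print "USER SOURCE COUNT" for every failed authentication, sorted.
# Console (getty/login) failures are attributed to the source "console".
failed_logins() {
  awk '
    /login\[[0-9]+\]: FAILED LOGIN/ {
      for (i = 1; i <= NF; i++) if ($i == "FOR") { u = $(i + 1); sub(/,$/, "", u) }
      count[u " console"]++
    }
    /sshd\[[0-9]+\]: Failed password for/ {
      for (i = 1; i <= NF; i++) if ($i == "for") {
        # "for invalid user NAME from HOST ..." versus "for NAME from HOST ..."
        if ($(i + 1) == "invalid") { u = $(i + 3); h = $(i + 5) }
        else                       { u = $(i + 1); h = $(i + 3) }
      }
      count[u " " h]++
    }
    END { for (k in count) print k, count[k] }
  ' "$1" | LC_ALL=C sort
}

# Print "USER HOST" for each accepted sshd login from a host that also
# produced failures anywhere in the file. Two passes over the same file:
# the first collects failing hosts, the second matches accepted logins.
successes_from_failing_hosts() {
  awk '
    NR == FNR {
      # HOST is the fourth-last field: "... from HOST port N ssh2"
      if ($0 ~ /Failed password for/) failed[$(NF - 3)] = 1
      next
    }
    /Accepted (password|publickey) for/ {
      for (i = 1; i <= NF; i++) if ($i == "for") { u = $(i + 1); h = $(i + 3) }
      if (h in failed) print u, h
    }
  ' "$1" "$1"
}

echo "Failed logins (user source count):"
failed_logins "$SAMPLE_LOG"
echo "Accepted logins from hosts that also failed (user host):"
successes_from_failing_hosts "$SAMPLE_LOG"
```

Run against the real file with `failed_logins /var/log/secure`. A burst of failures for root followed by an accepted login from the same address is the pattern worth escalating; a handful of console failures with no success from anywhere else is what a mistyped or forgotten password looks like.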

Ray Mitchell

Re: Hacked SME5.6
« Reply #11 on: February 28, 2003, 02:41:06 AM »
This is how to reboot into single-user mode, but I have not actually tried it on 5.6.

Press Ctrl-X when you see the Mitel logo appear on the screen after a reboot. This will start the server at a LILO text prompt.
Type:
esmith single
or
esmith 1

Regards
Ray Mitchell

Lightman

Re: Hacked SME5.6
« Reply #12 on: March 01, 2003, 01:14:21 AM »
Hi all
Referring to Steven Stovall's post, I would like to comment that I have been an SME user for about 2 years now, and as far as I know and as I can test and tell, the SME server is one of the most heavily protected servers I've ever seen. I have had about 40 to 50 attempts to hack my server from the outside and it NEVER happened. I also feel confident enough in this system to leave FTP and VPN access open to the outside, and never have any problems.

The closest I came to an intrusion was because I had version 5.0 and didn't upgrade to the new SSL encryption, as the e-smith site recommended. And the only problem I saw was a script inside my SME that couldn't compile because the compiler wasn't there :)) So even in such a bad situation (which was in fact my fault for not applying the upgrade, any of them! :-) ), the server was still secure!

I can only speak from my little experience, but I fully trust in SME security; as long as the user doesn't leave the door open, nothing will happen. Of course nothing is absolutely secure, but SME server is the closest to that that I can think of :)

c-u
Lightman

Ray Mitchell

Re: Hacked SME5.6
« Reply #13 on: March 01, 2003, 03:21:25 AM »
Bob Todd wrote:

> I'd still like to know if its
> possible to still boot into single user mode with 5.6 if
> anyone knows.

I have tried it out, and the command for booting to single-user mode in v5.6 is different from previous versions of SME/e-smith. Try:

Press Ctrl-X when you see the Mitel logo appear on the screen after a reboot. This will start the server at a LILO text prompt.
Type:
Mitel-SME single
or
Mitel-SME 1

Regards
Ray Mitchell
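Two recovery paths appear in this thread: Stefan's offline edit of /etc/shadow from a Knoppix CD (which "broke everything"), and Ray's single-user boot. Once in single-user mode on the box itself the clean fix is to remount the root filesystem read-write (`mount -o remount,rw /`) and run `passwd root`; there is nothing to hand-edit. The offline route is where things go wrong, usually because a line in shadow ends up with the wrong number of fields and every account is locked out. The POSIX shell script below is an added example, not from any poster and not SME Server's own tooling, of doing that edit safely on a mounted copy of the root filesystem: it swaps in a new hash for one user, updates the "last changed" day count, refuses to write anything that does not still have nine fields per line, and replaces the file atomically. It assumes the hash is generated elsewhere (for instance `openssl passwd -1` on the rescue system); the hashes and file paths in the demo are constructed placeholders, and the demo only ever touches a temporary copy.

```shell
#!/bin/sh
# Added example (not from the thread, not SME Server's own tooling):
# replacing a user's password hash in a shadow file without mangling it.
# Intended for a root filesystem mounted from a rescue CD; on the box in
# single-user mode, "mount -o remount,rw /" then "passwd root" is simpler.
# Assumes the usual 9 colon-separated shadow fields and a crypt(3)-style
# hash (characters from [A-Za-z0-9./$] only, so awk -v passes it through).

# shadow_hash FILE USER: print USER's password field, or nothing if absent.
shadow_hash() {
  awk -F: -v u="$2" '$1 == u { print $2 }' "$1"
}

# check_shadow_format FILE: succeed only if every line has exactly 9 fields
# and a non-empty username. A line that fails this is the classic way an
# offline edit locks every account out.
check_shadow_format() {
  awk -F: 'NF != 9 || $1 == "" { bad = 1 } END { exit bad ? 1 : 0 }' "$1"
}

# set_shadow_hash FILE USER HASH: replace USER's hash, stamp field 3 with
# today's day count, write to a temp file, validate, then rename over the
# original. Returns 1 and changes nothing if USER is absent or the result
# would not validate.
set_shadow_hash() {
  file=$1
  user=$2
  newhash=$3
  tmp="$file.tmp.$$"
  today=$(( $(date +%s) / 86400 ))
  awk -F: -v OFS=: -v u="$user" -v h="$newhash" -v d="$today" '
    $1 == u { $2 = h; $3 = d; found = 1 }
    { print }
    END { exit found ? 0 : 1 }
  ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
  if ! check_shadow_format "$tmp"; then rm -f "$tmp"; return 1; fi
  chmod 400 "$tmp" && mv -f "$tmp" "$file"
}

# Demo on a constructed shadow copy (day count 12110 is late February 2003).
# The hashes are placeholders in MD5-crypt syntax, not real password hashes.
DEMO="${TMPDIR:-/tmp}/shadow.demo.$$"
cat > "$DEMO" <<'EOF'
root:$1$oldsalt$xxxxxxxxxxxxxxxxxxxxxx:12110:0:99999:7:::
bin:*:12110:0:99999:7:::
admin:$1$oldsalt$xxxxxxxxxxxxxxxxxxxxxx:12110:0:99999:7:::
EOF
NEWHASH='$1$newsalt$yyyyyyyyyyyyyyyyyyyyyy'   # real one: openssl passwd -1 'NewPass'
if set_shadow_hash "$DEMO" root "$NEWHASH"; then
  echo "root entry now: $(awk -F: '$1 == "root"' "$DEMO")"
else
  echo "no change made" >&2
fi
rm -f "$DEMO"
```

On a rescue system the call would be `set_shadow_hash /mnt/sme/etc/shadow root "$(openssl passwd -1)"`, with the root filesystem mounted under /mnt/sme (a hypothetical mount point). Run `check_shadow_format` on the file afterwards as well; if it fails, the edit, not an intruder, is the reason the next login says "login incorrect".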