Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: Brenno on July 29, 2005, 03:31:16 AM
-
While backing up my server this evening I noticed several unusual files in one of my ibays. They were all tarballs of complicated PHP and C scripts, email address databases, IP address databases, IRC connection scripts and detailed exploits for known OS vulnerabilities.
(Before you panic, I knew that the ibay was chrooted to a specific user - the one who happened to have the weakest password on my system. A check of the server logs revealed that this user made a successful FTP connection earlier this morning at the same time the files were datestamped as last modified. Obviously I have since changed this password with something much stronger and removed the files from the ibay.)
Many of these files seemed designed to run in a Unix/Linux shell. My question is this: if all other user passwords were strong, and standard users do not have shell access, could these scripts have been executed on my machine? Is there any way to determine this? I theorize that the ibay was likely being used as a "repository" for these scripts, more to allow distribution than execution from my server, but I am still concerned.
Of course, to be practical, I encourage anyone with sensitive information to contact me privately instead of posting to this forum. I can also provide copies of the files for analysis if need be. Some of the contents are extremely intriguing!
Thanks in advance for any advice/help - and don't worry - lesson learned. No more users choosing their own passwords!
-
Many of these files seemed designed to run in a Unix/Linux shell. My question is this, if all other user passwords were strong, and standard users do not have shell access, could these scripts have been executed on my machine?
If the user in question did not have SSH access via password enabled, then I would think that the scripts have not been executed.
Is there any way to determine this?
Before your curiosity overcame you and you had a look then you might have been able to tell. But now that you have had a peek, the access time of the files will have been updated, so you can't tell whether they've been accessed since they were uploaded. Or you can tell, and they have, but that's not of interest.
security@contribs.org might be interested in taking a look at your collection. As might CERT (and various other bodies), if there's anything rare or new there.
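The access-time point above, as an added example that is not part of the original thread: a small Python check that compares each file's atime with its mtime in a constructed directory (temporary files with timestamps set explicitly). An atime later than the mtime means something read the file after it was last written; equal times prove nothing, since the investigator's own peek, or a noatime/relatime mount, removes that evidence.

```python
"""Compare atime to mtime to see whether uploaded files were read after upload.

Added example, not from the original thread. The scenario is constructed:
three files in a temporary directory with a fixed "upload" mtime, one of
which has an atime an hour later. Run on a real ibay only before opening
any of the files yourself, and remember that noatime/relatime mounts do
not record reads, so 'untouched-or-unknown' is exactly that: unknown.
"""
import os
import tempfile
from datetime import datetime, timezone


def classify(path):
    """'accessed-after-upload' if atime > mtime, else 'untouched-or-unknown'."""
    st = os.stat(path)
    if st.st_atime > st.st_mtime:
        return 'accessed-after-upload'
    return 'untouched-or-unknown'


def survey(directory):
    """Map every regular file in directory to its classification."""
    result = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            result[name] = classify(path)
    return result


def build_scenario():
    """Constructed sample: three tarball-like files with chosen timestamps."""
    d = tempfile.mkdtemp(prefix='ibay_')
    upload = datetime(2005, 7, 29, 8, 42, tzinfo=timezone.utc).timestamp()
    later = upload + 3600  # one hour after the upload
    for name, atime in (('a.tgz', upload), ('b.tgz', later), ('c.tgz', upload)):
        path = os.path.join(d, name)
        with open(path, 'wb') as f:
            f.write(b'constructed sample content')
        os.utime(path, (atime, upload))  # set (atime, mtime) explicitly
    return d


if __name__ == '__main__':
    for name, verdict in survey(build_scenario()).items():
        print(name, verdict)
```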
-
Charlie,
I assume the user could not execute scripts because non-root users on SME do not have shell access by default - am I right? I have sudo installed, but none of the users were enabled (nor have they ever been). Regardless, I don't think any of the scripts had been executed because none of the tarballs had been unpacked yet.
Also, I did not play with the original files - I copied them to my WinXP machine to run AVG against them before continuing with my investigation. Of course, to be safe, I deleted them from the server.
I traced the IP through which the user FTP'd into my system and found it to belong to an ISP in California, so I contacted their abuse hotline and took the issue up with them.
-
I assume the user could not execute scripts because non-root users on SME do not have shell access by default - am I right?
That's correct, although even if they did have shell access, the remote user would still need to log in to invoke a shell. The only way they might do that is via SSH, which you hopefully had disabled, or at least disabled for password access. Default setting is disabled.
-
Charlie,
I did have SSH remote access enabled so I could manage the server from out of the office, but I checked the logs and there was no SSH access on the compromised account before, during or after the FTP issue. I have since turned that off :)
When I was digging through the zip files of what was there, one of the hacking programs contained a text database of thousands of username/password combinations. These would likely be used by the script to try to hack into other systems. It would be useful to analyze that list and make sure not to use any combinations found on there.
The FTP logs show they came in at 8:40am, 8:42am and then again at 9:02am. The files were deposited during the second login, so I suspect they were trying things out to make sure they could get back in later. My main concern is that there were no "failed" attempts to log in - they got it right the first time which leads me to believe they knew in advance that the UN/PW would work. They must have fished it out earlier, though when I went through the old logs looking for hits from that IP, there weren't any. I could see, however, other IPs logging in with that username throughout June, mostly from Japan. I suspect it is one of these Japanese IPs that actually cracked the account and then distributed the information to others through an IRC network or otherwise. It seems also that there were no other files deposited there at any other time in the last 6 weeks.
I traced the IP of the offender to an ISP in Stockdale, California. I called their toll-free abuse hotline and spent half an hour on the phone with their tech support guys informing them of what occurred. I explained that I wasn't complaining about the fact that they got in - since this is my fault, really - only about the nature of the files they left behind. I told them that if I was savvy enough to trace things back to them, other users would be too, and others may not have been so forgiving of it, especially if these tools had been used to hack computers or send spam. (BTW, the spam that the script was built to generate was designed specifically to fool users into downloading some sort of virus-infected executable file from a site in Romania under the guise of receiving an online postcard from a family member!)
I realize that this could have been a lot worse, and that horrible feeling in the pit of my stomach will hopefully translate into good things - being more conscious of vulnerabilities and perhaps, through this posting, making others more aware.
It does raise a good issue though - relative rookies or non-expert sysadmins like myself are more easily caught off guard like this. How can we, as a community, work together in sharing knowledge from those who have the experience and expertise to prevent this sort of thing? This forum is obviously a great step forward (within reason).
Thanks,
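The log review described in the post above (logins for one username from several addresses over weeks, and successful logins with no failed attempt first), as an added example that is not part of the original thread. It runs over constructed log lines in a simplified one-event-per-line format; that format, the usernames and the RFC 5737 addresses are assumptions, not SME Server's actual FTP log layout.

```python
"""Review FTP login records for signs of a shared or pre-cracked password.

Added example, not from the original thread. SAMPLE_LOG is constructed
and its format (timestamp result user ip) is assumed for illustration.
"""
from collections import defaultdict

SAMPLE_LOG = """\
2005-06-03T02:11:09 LOGIN_OK weakuser 198.51.100.7
2005-06-18T23:40:51 LOGIN_OK weakuser 198.51.100.9
2005-07-29T08:40:02 LOGIN_OK weakuser 203.0.113.5
2005-07-29T08:42:30 LOGIN_OK weakuser 203.0.113.5
2005-07-29T09:02:15 LOGIN_OK weakuser 203.0.113.5
2005-07-28T11:05:00 LOGIN_FAIL admin 192.0.2.44
2005-07-28T11:05:07 LOGIN_OK admin 192.0.2.44
2005-07-28T12:00:00 LOGIN_OK admin 192.0.2.44
"""


def parse(text):
    """Return (timestamp, result, user, ip) tuples in chronological order."""
    events = [tuple(line.split()) for line in text.splitlines() if line.strip()]
    return sorted(events)  # ISO 8601 timestamps sort correctly as strings


def sources_per_user(events):
    """Distinct source addresses that logged in successfully, per user."""
    seen = defaultdict(set)
    for _, result, user, ip in events:
        if result == 'LOGIN_OK':
            seen[user].add(ip)
    return {user: sorted(ips) for user, ips in seen.items()}


def first_try_successes(events):
    """Successful logins from a (user, ip) pair with no earlier failure.

    A legitimate user mistypes now and then; an address that gets the
    password right on its first contact already knew it. Each pair is
    reported once, on its first appearance.
    """
    known = set()
    hits = []
    for ts, result, user, ip in events:
        if (user, ip) not in known:
            if result == 'LOGIN_OK':
                hits.append((ts, user, ip))
            known.add((user, ip))
    return hits


if __name__ == '__main__':
    ev = parse(SAMPLE_LOG)
    print(sources_per_user(ev))
    print(first_try_successes(ev))
```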
-
Enforcing stronger passwords is a huge step in the right direction.
I get my users to use simple passwords, but with a twist. As they are ALL touch typists, when typing their passwords, I get them to move their fingers from the usual "f" and "j" locations to the "r" and "u" and even "r" and "i". This makes a simple password like "password" more complex as it becomes 0qww294e or even -qww204e. If you get them to use a capital letter as well, the password becomes more difficult to crack, even by brute force.
)qww294e and ;_qww204e are a lot more difficult to guess than password.
You can take this advice if you wish, but also, make your users change their passwords at least every month. This makes login attempts from remote script kiddies a lot more difficult.
KegRaider.