[NLUG] Fw: [ale] Linux Firewall

Rattle rattle at tlorah.net
Thu Apr 8 16:31:16 EDT 1999


On Thu, 8 Apr 1999, Philip Rodgers wrote:

> This came off the Atlanta Linux group.  I thought Dagmar or some of you
> could help this guy

Alrightie!

> > The company I work for uses a linux box running RedHat 5.0 as our
> > firewall, gateway to the Internet and to forward email to our internal
> > mail server. Recently we were hacked by someone using an "eggdrop", or
> > something of the sort that set up users with root privilege. We were
> > alerted to the fact that this had happened when our mail service failed when
> > the intruder changed the IP address in resolv.conf and changed our.
> > Because of this break in, we went through and removed all the services
> > that seemed excessive to our base needs and patched ftpd, because we
> > believed at the time that is how they got in, /var/log/messages showed
> > that the process running anonymous ftp overflowed a stack buffer, and
> > after that moment the intrusion began.

In short, you got rooted.  From the looks of it, you even know how.  There
is a known bug in somewhat recent versions of ftpd so that looks like how
they got in.

The "eggdrop" process you refer to is an IRC bot.  The person who cracked
your box probably placed it there to monitor/takeover/whatever some irc
channel(s).  Sounds like the textbook profile of the average script kiddie
to me.

Hopefully, immediately after the box was hacked you made a complete backup
of it before doing ANYTHING.  The second you discover a box has been
hacked, back it up.  You don't want to risk messing up any evidence.
Chances are they were sloppy and you would have no trouble tracking the
cracker(s) down.

> > Well it appears that we have been hacked again, with someone setting up
> > users with root privilege, no damage has been done thankfully but it is
> > a little disconcerting. This time there is no clear indication of how
> > they got in. Should I disable anonymous ftp? Has anyone else experienced
> > anything like this or have any suggestions, we are planning an upgrade
> > to 5.2 soon.

Any service you do not need, disable.  If you have any question as to whether
your boxes are secure or not, hire a consultant.

Also, if you have had an intruder in your network, he/she has probably done
some network sniffing and basically seen you "with your pants down".
Assume any of the servers that were cracked have backdoors in them.  Do a
complete reinstall of them.  Have everyone change their passwords. (Assume
the cracker has them all, he/she probably does.)

PS-  Email me directly with any followup..  I am not on the ALE list, I
just got forwarded this message.  :)

...
. Nick Levay
. rattle at tlorah.net
. "The future masters of technology will have to be lighthearted and 
. intelligent.  The machine easily masters the grim and the dumb."
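The two symptoms the original poster describes, new accounts with root privilege and a daemon logging a stack buffer overflow just before the intrusion, can both be checked from copies of /etc/passwd and /var/log/messages taken off the backed-up box. The script below is an added example for this thread, not code from the post or from any of the people in it; the passwd excerpt and syslog lines are constructed, and the exact wording of the ftpd overflow message is an assumption standing in for whatever the real daemon logged.

```python
"""Read-only triage of two intrusion symptoms from the thread:
extra UID-0 accounts in /etc/passwd and a daemon logging an overflow.
Added example; all sample data below is constructed."""
import re

# Constructed /etc/passwd excerpt: a second UID-0 account ("backup") was added.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
ftp:x:14:50:FTP User:/home/ftp:
backup:x:0:0::/tmp:/bin/sh
nobody:x:99:99:Nobody:/:
"""

# Constructed syslog-style lines; the overflow wording is an assumption,
# not the text a real ftpd of that era emitted.
SAMPLE_MESSAGES = """\
Apr  8 02:11:03 gw ftpd[812]: ANONYMOUS FTP LOGIN FROM 10.0.0.5, mozilla@
Apr  8 02:11:09 gw ftpd[812]: stack buffer overflow detected (possible exploit)
Apr  8 02:11:40 gw PAM_pwdb[901]: (login) session opened for user backup by (uid=0)
"""


def find_uid0_accounts(passwd_text):
    """Return every username with UID 0 other than root (there should be none)."""
    extra = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:  # malformed line, skip rather than guess
            continue
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            extra.append(name)
    return extra


# syslog prefix "daemon[pid]:" followed anywhere by the word "overflow"
OVERFLOW_RE = re.compile(r"(\w+)\[(\d+)\]:.*overflow", re.IGNORECASE)


def find_overflow_events(log_text):
    """Return (daemon, pid, raw line) for each log line mentioning an overflow."""
    hits = []
    for line in log_text.splitlines():
        m = OVERFLOW_RE.search(line)
        if m:
            hits.append((m.group(1), int(m.group(2)), line))
    return hits


def triage(passwd_text, log_text):
    """Summarise both checks so the result can be kept with the evidence copy."""
    return {
        "extra_uid0": find_uid0_accounts(passwd_text),
        "overflows": [(daemon, pid) for daemon, pid, _ in find_overflow_events(log_text)],
    }


if __name__ == "__main__":
    # Run against the constructed samples; point at real copies of the files
    # taken from the backup, never at the live compromised host.
    print(triage(SAMPLE_PASSWD, SAMPLE_MESSAGES))
```

Running the checks against copies rather than the live box follows the advice above: the backup is the evidence, and nothing here writes to it.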
