I know I may be beating a dead horse, but I am writing this to warn everyone about how we all play a role in security after I spent all day correcting a hack attempt. We all need to be security aware. Too many times we ignore security features that are preventable. We all fail to have other people check our code, pay attention to processes running. While we are still investigating, I want to talk about how easy this exploit was.

Basically someone got in the box and rootkitted inetd. This started a service called ingreslock. Once this process started, anyone could telnet to the port and get a pseudo root shell. With this shell ANY commands could be run remotely.

We were lucky, the guy couldn't type, ran a rm -r /var   /logs. After he wiped out that directory we couldn't log in. Fortunately he had just done this (checked our backups), and then we had the process of cleaning up and investigating this incident.
Now comes the fun part, the people I work with running a complete analysis of all the servers on our network. So far we blew all of today doing the basics, restoring what we knew was corrupted, rewriting /etc/passwd & shadow. In addition, several of us are going in at midnight and cycling all of our servers to make sure they are clean.

I am hoping we all will consider the following issues next time we log into a machine:
1. As perl writers, we have a LOT of power in our hands, how do you use that power? (The classic good vs. evil)
2. This could very easily have been ignored, fortunately this guy made a typo and zapped the wrong directory (would you know if your box was rooted?)
3. This was first put on the net over a year ago from the research that we did, how did this service get on our box a year later?
4. People often ignore security issues unless they involve BIND, while BIND can be very insecure, too many people bypass other exploits.
5. And lastly what role do you play in your systems security? (If you are a programmer/developer do you have code reviews so other people can strip your code apart and make sure you aren't doing anything risky? If you are a sysadmin are you checking your logs on a regular basis? Are you making sure these machines are not left compromised? Do you go off and get a cup of coffee with a root shell on your terminal?)

I hope this will make a few people think, no one intends to make a machine insecure, but how often do we all get lax? Skimming through a log file because we do not have the time? Doing an incomplete security audit because "They will never get past the firewall" (Substitute your favorite excuse here, you have all of mine :^)

UPDATE: See http://project.honeynet.org for some preventative steps.
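The backdoor described above lives in inetd's configuration: a service entry that hands a shell to whoever connects to the port. As an added example (not part of scottstef's post, and not from the honeynet project), here is a small Perl audit that parses inetd.conf-style lines and flags entries that are not on an allow-list, that run a shell as the server program, or that run as root without the tcpd wrapper. The sample configuration is constructed for the example; the allow-list and the heuristics are assumptions you would tune for your own box.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample inetd.conf (not taken from the post). The last line is a
# backdoor of the kind described above: a service entry that hands a root
# shell to anyone who connects. Standard inetd.conf field order is:
#   service  socket  proto  wait/nowait  user  server_program  args...
my $sample_conf = <<'END';
ftp     stream  tcp  nowait  root   /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root   /usr/sbin/tcpd  in.telnetd
#finger stream  tcp  nowait  nobody /usr/sbin/tcpd  in.fingerd
ingreslock stream tcp nowait root /bin/sh sh -i
END

# Services you expect to be enabled on this box (assumed list);
# anything else in the file is flagged.
my %allowed = map { $_ => 1 } qw(ftp telnet);

# Returns a list of warning strings, one per suspicious finding.
sub audit_inetd {
    my ($conf) = @_;
    my @findings;
    for my $line (split /\n/, $conf) {
        next if $line =~ /^\s*(#|$)/;    # skip comments and blank lines
        # split ' ' collapses runs of whitespace, like awk
        my ($svc, $sock, $proto, $wait, $user, $prog, @args) = split ' ', $line;
        next unless defined $prog;       # malformed line, not our concern here

        push @findings, "$svc: not in the allow-list"
            unless $allowed{$svc};
        push @findings, "$svc: server program is a shell ($prog)"
            if $prog =~ m{/(sh|bash|ksh|csh)$};
        push @findings, "$svc: runs as root without the tcpd wrapper ($prog)"
            if $user eq 'root' && $prog !~ m{/tcpd$};
    }
    return @findings;
}

# To audit the real file instead of the sample:
#   open my $fh, '<', '/etc/inetd.conf' or die "inetd.conf: $!";
#   my @findings = audit_inetd(do { local $/; <$fh> });
my @findings = audit_inetd($sample_conf);
if (@findings) {
    print "SUSPICIOUS inetd entries:\n";
    print "  $_\n" for @findings;
} else {
    print "inetd.conf looks clean.\n";
}
```

On the sample, the ingreslock line is reported three times (unknown service, shell as server program, root without wrapper) and the two legitimate entries pass. One caveat that matters for exactly the case in the post: if the inetd binary itself has been replaced, it may not read this file at all, or may hide the entry, so also compare what is actually listening (netstat on the box, and a port scan of the box from a machine you trust) against what the configuration says, and verify inetd and friends against checksums taken from known-good media rather than from the possibly compromised host.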


In reply to ACKKKKKKKKK! I Have been cracked! by scottstef