Yeah! We got hacked again :(

Mucman

Diamond Member
Oct 10, 1999
Someone is running port scans from one of our nameservers :(. Yes, I should be on top of this, but I am swamped with so much work I haven't had a chance to do a security audit. The admin who set up these machines has left, so I have to familiarize myself with them.

Man I wish he put OpenBSD on them.

Just curious as to what you guys do with a hacked box? Come on, you can't all be perfect ;).

I would like a checklist of commands that I should do.

 

spidey07

No Lifer
Aug 4, 2000
Sorry to hear about that, mucman. I leave this stuff to the server techs. :)

The only safe way I know is reformat and restore from tape. Hopefully you can selectively restore.

Or find out where the offending program is and kill it, then monitor the box like a hound? Check services, patch, check permissions and userids, check logs. The bigger problem is how it got compromised in the first place.
 

Mucman

Diamond Member
Oct 10, 1999
They got in through an rpc.statd exploit, well known and easy to fix! We did not need the service running.

The problem is that I am the server tech, cable guy, NT4 and NT5 admin, postmaster, webmaster :p. One disadvantage of working for a small company, but it is paying off in spades with the amount that I am learning!

These guys did some stupid stuff... They made a ping bomb and DoSed some @home machine! It used 20Mbit of our network bandwidth for 1 hour! We killed it and removed it, and it looks like they got in again and ran a program called linsniff, as well as installing nmap.

I would like to format and install OpenBSD. I just need to learn how the old admin installed DJBDNS (tinydns) and installed a Perl script that rebuilds the zones from a SQL7 DB.

Oh well, live and learn.

 

Garion

Platinum Member
Apr 23, 2001
You know, you might want to consider a RedHat box running Snort to get a bit of IDS protection going on there. It'll catch most of those kinds of things and let you know when something's wrong. Pretty much a free solution, save the cost of a box.

- G
 

Nothinman

Elite Member
Sep 14, 2001
When you do get around to reloading it (which you must do, since you have no idea what else they did), take your time no matter what OS you use. OpenBSD is far from a panacea =)
 

Mucman

Diamond Member
Oct 10, 1999
Garion - I will look into that... I may add it on to my Nessus project. Unfortunately with the way things are going now, I won't be starting that until a few months down the road.

Nothinman - I understand that nothing is 100% hack proof, but I find OpenBSD easier to follow along with. All these machines do is resolve names! They need to run DJBDNS and be able to query our SQL DB to update the zone files.

I decided to go book shopping and found 2 good finds! "Hack Proofing Linux" and "Cisco TCP/IP Routing Professional Reference 3rd Edition" :).
 

Nothinman

Elite Member
Sep 14, 2001
<< All these machines do is resolve names! They need to run DJBDNS and be able to query our SQL DB to update the zone files.
>>

Yes, but since you don't know how the update takes place you can't pick an OS yet; it may require something that only runs on Linux.
 

Mucman

Diamond Member
Oct 10, 1999
Hehe, I talked to the guy who wrote the script (we are good friends). He loves OpenBSD but could not get OpenBSD to talk to the MS SQL7 server. He admits to being a hack programmer and that his script isn't that portable... looks like my "Hack Proofing Linux" book will come in handy. :)
 

me19562

Senior member
Jun 27, 2001
Man, that book "Cisco TCP/IP Routing Professional Reference 3rd Edition" is an excellent book, I love it. Good luck.
 

Mucman

Diamond Member
Oct 10, 1999
The date in the book says 2000 on the front cover, so it has been out for a while :). I love the half-price computer book store here in Vancouver :). I have gotten almost all my books through there. That Cisco book cost me $40 CDN, which is chump change for you US people!

While exploring the 1337 h4x0r3d box I found a file called voodoo which contains all the servers these punks scanned for open FTP servers. I find crap like that is the equivalent of keying some dude's new car; they did not harm us directly... but indirectly they have been a royal pain in the behind.
 

Mucman

Diamond Member
Oct 10, 1999
I just received this pleasant email! I wish most people would react like this:

<< Sorry to bother you, but it seems that one of your hosts has decided to ftp
scan our entire class B. No harm, no foul, but this kind of activity usually
indicates a no-good-script-kiddie-user, or a compromised machine under the
control of a no-good-script-kiddie-user. In either case I thought you would
like to know about it. If you do in fact have a cracked machine on your
hands, feel free to respond to this message so we can compare notes.
Sanitized and truncated (for your comfort) log excerpts follow... Thanks for
your time, and good luck with all future endeavors.
>>
 

CrazyHelloDeli

Platinum Member
Jun 24, 2001
I once got a mail from someone that said:

"Your network is fvcking up ours. Fix it"

I replied

"Your attitude is fvcking up my mood. Fix it, and then we can talk"

:D
 

n0cmonkey

Elite Member
Jun 10, 2001
Forget RedHat or Mandrake and pick a lighter distro. Slack or Debian would be great.

And DJB does a lot of his development work on OpenBSD, so running that platform wouldn't be a bad thing (if you could get past the little incompatibility problem :p).

But you definitely need to format and try to run snort (on OpenBSD :D) when you can.

EDIT: Oh yeah, smack the heck out of whoever left RPC open! That's just *STUPID*

EDIT: Especially with such an old and well known vulnerability. Smack him again just for me. :)
 

cipher00

Golden Member
Jan 29, 2001
<< I just received this pleasant email! I wish most people would react like this:
>>

Geez, post the address so we can all thank this person for his attitude!
 

Mucman

Diamond Member
Oct 10, 1999
HelloDeli - Yeah, we get those too. Those peeps don't deserve responses.

N0c - Yeah, I gave the guy a hard time about leaving it open... He says he knows very little about Linux since he primarily uses BSDs. These were Dell servers and they came with Redhat only. The main problem is getting BSD to talk to MS SQL7. I will smack him again for ya ;)
 

n0cmonkey

Elite Member
Jun 10, 2001
<< HelloDeli - Yeah, we get those too. Those peeps don't deserve responses.

N0c - Yeah, I gave the guy a hard time about leaving it open... He says he knows very little about Linux since he primarily uses BSDs. These were Dell servers and they came with Redhat only. The main problem is getting BSD to talk to MS SQL7. I will smack him again for ya ;)
>>

rpc is dangerous no matter what OS you are using. So that's a lame excuse. BSDers should be better than that :p
 

RagManX

Golden Member
Oct 16, 1999
As others said, format and reload. Go with whatever OS you know best. No matter what other tools you get, find a machine you can load nmap on (http://www.insecure.org/) and run a complete TCP scan and default UDP scan against every machine you have. Find out what ports are open and start finding out why. If you had DNS boxen left unsecured, you've probably got tons of other boxen unsecured. Plus, if the attackers could use the DNS boxen to attack other machines on your network, they probably did. So, you have to see what is running on all your other systems. I would recommend installing and running nessus against all your machines as well, even if you don't have time to learn much about how nessus works. The default install and run settings work great for catching almost everything known.

I run nmap, nessus, and snort routinely at work. I don't have a boatload of time, but if you need help with any of them, I'll provide what assistance I can.

RagManX
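One way to act on RagManX's advice once the scans have run (added example, not code from the thread or from nmap): read nmap's grepable output (the `-oG` format) for every host, compare each box's open ports against what it is supposed to be serving, and list anything else. The sample scan data, host names and allowlist below are constructed for the example; a name server that only resolves names has no business listening on rpcbind or FTP.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of nmap "grepable" output (what `nmap -p- -oG out.gnmap`
# writes). Hosts, names and ports are made up for this example.
SAMPLE_GNMAP = """\
# Nmap scan report (constructed sample, not real scan data)
Host: 192.0.2.10 (ns1.example.test)\tStatus: Up
Host: 192.0.2.10 (ns1.example.test)\tPorts: 53/open/tcp//domain///, 22/open/tcp//ssh///\tIgnored State: closed (65533)
Host: 192.0.2.11 (ns2.example.test)\tStatus: Up
Host: 192.0.2.11 (ns2.example.test)\tPorts: 53/open/tcp//domain///, 111/open/tcp//rpcbind///, 21/open/tcp//ftp///, 31337/open/tcp//Elite///\tIgnored State: closed (65531)
"""

# Per-host allowlist (hypothetical): a name server should need 53 and an
# admin shell and little else. Anything outside this list needs an explanation.
EXPECTED: Dict[str, Set[Tuple[int, str]]] = {
    "192.0.2.10": {(53, "tcp"), (22, "tcp")},
    "192.0.2.11": {(53, "tcp"), (22, "tcp")},
}

# -oG port entries look like port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)//([^/]*)/")

def parse_gnmap(text: str) -> Dict[str, Set[Tuple[int, str, str]]]:
    """Map each scanned IP to its set of (port, proto, service) open ports."""
    hosts: Dict[str, Set[Tuple[int, str, str]]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        for port, proto, service in PORT_RE.findall(ports_field):
            hosts.setdefault(ip, set()).add((int(port), proto, service))
    return hosts

def unexpected_ports(scan, expected) -> Dict[str, List[Tuple[int, str, str]]]:
    """Open ports per host that are not on that host's allowlist (sorted)."""
    findings = {}
    for ip, open_ports in scan.items():
        allowed = expected.get(ip, set())  # unknown host: everything is unexpected
        extra = sorted(p for p in open_ports if (p[0], p[1]) not in allowed)
        if extra:
            findings[ip] = extra
    return findings

def report(findings) -> List[str]:
    """One human-readable line per unexpected listener, e.g. for a ticket."""
    return [f"{ip}: {port}/{proto} ({service or 'unknown'}) is open but not expected"
            for ip, extra in sorted(findings.items())
            for port, proto, service in extra]

if __name__ == "__main__":
    for line in report(unexpected_ports(parse_gnmap(SAMPLE_GNMAP), EXPECTED)):
        print(line)
```

Run the same comparison against the UDP scan output (`nmap -sU -oG`) so a listener such as rpc.statd, which also speaks UDP, is not missed.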
 

Mucman

Diamond Member
Oct 10, 1999
N0c - I am just sticking up for my friend :). Trust me, I have already given him a hard time.

RagManX - I plan on setting up Nessus in the near future... now if I can finish the MivaNOW integration script and the CommuniGate mail server, I would be set :). I am familiar with nmap but have not really learned how to use it as the powerful tool it is.