We just installed RedHat 7 on a new machine and within about 10 days, we got
hacked bigtime. They weren't even sneaky about it - leaving a new home
directory for themselves and everything. They then used our machine to
attack a bunch of other hosts all over the place.
We installed the OS pretty much plain-vanilla off the CD's, only adding
wu-ftp, mysql, and apache to the basic "Workstation" setup. Initial setup
was also pretty plain vanilla unix, just a few users, normal password level
logins, etc. Mysql is pretty well locked down I think, only localhost
access.
Is there such a HUMONGOUS hole in Linux or RedHat that it's common
knowledge? If so, can someone clue me in? I saw nothing about it on
RedHat's site.
I mainly have been using BSD, and have never to my knowledge been broken
into, let alone within 10 days!
Any insights or help would be greatly appreciated.
> We just installed RedHat 7 on a new machine and within about 10 days, we got
> hacked bigtime. They weren't even sneaky about it - leaving a new home
> directory for themselves and everything. They then used our machine to
> attack a bunch of other hosts all over the place.
I'm assuming as they were not very bright in their cleanup that you have
logs to report them to their ISP, yes?
> We installed the OS pretty much plain-vanilla off the CD's, only adding
> wu-ftp, mysql, and apache to the basic "Workstation" setup. Initial setup
> was also pretty plain vanilla unix, just a few users, normal password level
> logins, etc. Mysql is pretty well locked down I think, only localhost
> access.
A) Wu-ftp is probably one of the worst FTP daemons you can run nowadays.
It has had more holes recently than anything I've read about.
B) Vanilla anything makes it easier to do what happened to you.
Passwords shouldn't be "vanilla" and neither should anything else on
your system. Lock it down as much as you possibly can. That way, you
most likely won't have a re-occurrence of this event.
> Is there such a HUMONGOUS hole in Linux or RedHat that it's common
> knowledge? If so, can someone clue me in? I saw nothing about it on
> RedHat's site.
Subscribe yourself to Bugtraq & Linux-Bugtraq, that should keep you much
better informed than RedHat's website.
> I mainly have been using BSD, and have never to my knowledge been broken
> into, let alone within 10 days!
True, BSD is much more security conscious "out of the box".
> Any insights or help would be greatly appreciated.
I hope my comments helped you somewhat. I know that first installing
*ANY* new release of an OS can be tricky.
--cml
Yes, there is a HUGE Jupiter sized hole in most default Linux installs.
There are a number of HOWTOs which deal with locking down a Linux
machine. One of them is:
http://www.securityportal.com/lasg/
Since you're running Redhat, you might want to look into Bastille,
which is a redhat hardening script. Look for it on
Erik
--
+-------------------------------------------------+
Erik de Castro Lopo er...@zip.com.au
+-------------------------------------------------+
Percussive Maintenance: The fine art of whacking the c**p out
of an electronic device to get it to work again.
Jack,
xinetd is your enemy (and ipchains your friend)!
You probably had plain telnet access open to the world, perhaps even rsh
and/or rlogin.
One could perhaps blame RH for not setting up tight ipchains per default
(and let you loosen up the firewall rules only when you really *need*
access from the outside) instead of leaving everything wide open, but
AFAIK, most other distros are similar in that respect.
The general rule is to look carefully which processes are started after
boot-up (# ps ax) and which ports are open (# netstat -tulnp) *before*
the box is connected to a network for the first time, and then close
down anything that is *not* needed (set up ipchains rules and use
chkconfig to remove unnecessary "services").
cheers
Anders
[snip]
> xinetd is your enemy (and ipchains your friend)!
ITYM `relying on default setups for xinetd without double-checking' was his
enemy. As it happens, after a couple of explorations recently, I can
happily say I approve of xinetd, especially over & above inetd.
Of course, ipchains are still required, and not firewalling your box before
putting it on the 'net - with what, lpd? oldish versions of bind? rpc.statd
swinging in the wind? says you've not investigated the security concerns in
advance. D'oh.
> The general rule is to look carefully which processes are started after
> boot-up (# ps ax) and which ports are open (# netstat -tulnp) *before*
> the box is connected to a network for the first time, and then close
> down anything that is *not* needed (set up ipchains rules and use
> chkconfig to remove unnecessary "services").
Well, the way I look at it is that you definitely do the `netstat pantl | grep
LIST' thing, and kill off everything you don't want or make them bind to
local interfaces only (see - I said xinetd was nice! - and make sure they
don't come back on reboot, either) then stick a DENY-by-default firewall
with either ipchains or iptables on the box. *Then* you may plug in the
network cable!
~Tim
--
Another day, |pig...@glutinous.custard.org
Another kernel recompile |http://piglet.is.dreaming.org
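Both Anders and Tim describe the same pre-network checklist: list what is listening, shut off or loopback-bind what is not needed, then put a deny-by-default firewall in front of the rest. The script below is an added example written for this thread, not code from any of the posters. It runs the audit over a constructed `netstat -tulnp` sample embedded in the script (so it works offline; swap in real `netstat -tulnp` output on your own box), and it prints the iptables rules it would use rather than applying them. The ruleset uses iptables syntax (`-P INPUT DROP`, `-m state`) rather than the ipchains of the RH 7 era; the allow-list format `proto/port` and the function names are my own.

```shell
#!/bin/sh
# Pre-network audit: find sockets reachable from outside and build a
# deny-by-default ruleset for the ones you actually want exposed.

# Constructed sample of `netstat -tulnp` output (not a real machine).
# Replace with:  netstat -tulnp  on the box being audited.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      412/xinetd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      412/xinetd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      601/httpd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      555/mysqld
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      301/portmap
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN      480/lpd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           301/portmap'

# Print "proto port program" for every socket bound to all interfaces
# (0.0.0.0 or ::), i.e. the ones reachable once the cable is plugged in.
# Loopback-only binds (127.0.0.1, ::1) are skipped: that is the "bind to
# local interfaces only" case and is already safe from the network.
exposed_services() {
    printf '%s\n' "$SAMPLE_NETSTAT" | awk '
        $1 ~ /^(tcp|udp)6?$/ && $4 ~ /^(0\.0\.0\.0|::):[0-9]+$/ {
            port = $4; sub(/.*:/, "", port)          # strip address, keep port
            prog = $NF; sub(/^[0-9]+\//, "", prog)   # strip "PID/" prefix
            proto = $1; sub(/6$/, "", proto)         # tcp6 -> tcp
            print proto, port, prog
        }'
}

# Report exposed sockets whose proto/port is NOT in the allow list ($1,
# space-separated entries such as "tcp/80 tcp/22"). Anything printed here
# should be disabled (chkconfig, xinetd) or rebound to loopback before
# the machine goes on the network.
unexpected_exposed() {
    allowed=" $1 "
    exposed_services | while read -r proto port prog; do
        case "$allowed" in
            *" $proto/$port "*) ;;                    # expected, keep quiet
            *) echo "$proto $port $prog" ;;
        esac
    done
}

# Emit a deny-by-default iptables ruleset that admits only the allow list.
# Printed, not executed: review it, then run it as root once satisfied.
firewall_rules() {
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for entry in $1; do
        proto=${entry%/*}
        port=${entry#*/}
        echo "iptables -A INPUT -p $proto --dport $port -j ACCEPT"
    done
}

# Stand-alone demo: allow only the web server, flag everything else.
ALLOW="tcp/80"
echo "== Exposed services not in allow list ($ALLOW) =="
unexpected_exposed "$ALLOW"
echo "== Proposed ruleset =="
firewall_rules "$ALLOW"
```

On the sample, the audit flags ftp and telnet (via xinetd), portmap on tcp and udp, and lpd, which is exactly the set this thread calls out; mysqld on 127.0.0.1 is not flagged because it is unreachable from the network. Each flagged entry is a decision to make before connecting: remove the service with `chkconfig`, disable it in `/etc/xinetd.d`, or bind it to loopback. The firewall is the second layer, not a substitute for that cleanup.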
Except that in this case, 100% of the services he installed are not
part of the "vanilla" install. So this is really a case of Redhat
getting a black eye for something the user did.
--
Matt Gauthier <ell...@crosswinds.net>
> We just installed RedHat 7 on a new machine and within about 10 days, we got
> hacked bigtime. They weren't even sneaky about it - leaving a new home
> directory for themselves and everything. They then used our machine to
> attack a bunch of other hosts all over the place.
>
> We installed the OS pretty much plain-vanilla off the CD's, only adding
> wu-ftp, mysql, and apache to the basic "Workstation" setup. Initial setup
> was also pretty plain vanilla unix, just a few users, normal password level
> logins, etc. Mysql is pretty well locked down I think, only localhost
> access.
>
> Is there such a HUMONGOUS hole in Linux or RedHat that it's common
> knowledge? If so, can someone clue me in? I saw nothing about it on
> RedHat's site.
Do you know how they got in?
wu-ftp has a history of exploits. RH don't use it on their own site
and I don't understand why they ship it.
Also, RH has a history of unstable, bleeding edge *.0 releases. Once
they get to *.2 they seem to be much better. I don't know if you can
blame this for the security breach you experienced.
--
Manfred
---------------------------------------------------------------
ipchainsLogAnalyzer, NetCalc, whois at: <http://logi.cc/linuc/>
"Christopher M. Long" <chris...@mindspring.com> wrote:
>
<snip>
http://www.securityfocus.com/linux <== to sign up for the "focus-linux"
mailing list
That's all ya need. :)
--me