guy at incentre.net
Thu Mar 3 20:35:09 UTC 2005
On Wed, 2005-02-03 at 19:05 -0600, Jess Anderson wrote:
> Alexander Dalloz:
> >Chris Strzelczyk:
> >>I will start by looking at all those for recent security
> >>postings. Since the program in /tmp was owned by apache:apache
> >>I would imagine that the intruder used httpd to perform their
> >>exploit. That is where I'm at so far.
> >See Dave's and Leonard's replies. Your system is owned! :( And
> >as it looks it is the worm / trojan known to come in by weak
> >phpBB installs. [...]
> Getting owned (alas, I know first-hand) is one of the worst
> feelings a computer person can have, I think. It has been
> 5.5 years (knocks wood) since it happened. But I remember how
> I felt, so my sympathies go out to Chris Strzelczyk.
> It's painful and horribly inconvenient, but there really is no
> reasonable alternative to taking the box offline at once and
> doing a complete reinstall, reformatting all partitions.
> (I'm not sure, but isn't it possible even then to have a worm or
> virus left in the boot sector of the hard disk, one that
> only a low-level format could remedy?)
> As a result of my own experience with getting cracked, I
> decided to dedicate a separate machine to running a very tough
> firewall at the network access point of my building. Most
> fortunately, I don't need to offer any services to the outside
> world, hence am invisible to port scanners, which removes
> probably half or more of the vulnerabilities.
> I don't worry much now (knocks wood again), but I still get
> nervous when I read accounts like the preceding.
> Be careful out there, it's a bad, bad world and getting worse.
If your machines have access to external sites, they can be just
as vulnerable. One of my customers had a Windows box that was
infected with a trojan. The trojan allowed a hacker to break into
their SCO accounting server. I discovered the problem when the
customer complained that their connection was slow. After
analyzing some network flows I discovered some strange traffic.
After getting permission from the customer to investigate the
source of the traffic, I started sniffing the traffic. To my
amazement I saw what looked like names interspersed with binary
data. I called the customer and asked if any of the names I
captured meant anything to them; they were staff members. After going
to the customer site I quickly found the machine that was
compromised, and after analyzing their internal traffic I discovered
a connection to their accounting server that was not supposed to
be accessed from that machine. After I unplugged that machine
their bandwidth returned to normal. It would appear that the
hacker used the trojan to gain control of that machine, then
used that machine to find the unprotected SCO box inside the
firewall and tunnelled the data from the SCO box back to a machine
in Philadelphia; from there I have no idea what happened to the
data. I gave the information I collected to the customer, and
suggested they contact the Computer Crimes division of the RCMP
if they wanted to take further action. Being a public company
they did not follow up with the police, due to concerns that the
information that was compromised could cause problems if people
found out about it. There was a bunch of porn that had been deleted
recently on the machine, and my guess was that someone sent
an unsolicited email to the person on that machine with a link to
a porn site with the trojan embedded in the site; once accessed,
the trojan was delivered and the rest is history. Although conjecture
on my part, it is a likely guess since that company is also behind
a firewall using NAT and has no ports that are forwarded.
I suggested a consultant for them to secure their site. They were
extremely thankful that I went out of my way to assist them.