[WBEL-users] Permissions (Was Problems after updates)

khaqq khaqq at free.fr
Mon Jun 13 06:55:51 CDT 2005


On Mon, 13 Jun 2005 11:58:35 +0200
Jean Lee <jean.lee at free.fr> wrote:

> Larry Apolonio wrote:
> 
> > Then you should be able to cat /bin/ps and see what
> > processes these guys are trying to hide.
> 
> Can you explain this more in detail?

The usual purpose of replacing /bin/ps is to hide some processes
like another ssh server, a proxy, an IRC spam/floodbot, etc, from you. 
Rooted boxes are the usual way of "becoming" anonymous on the 'net.
Some people like to have an army of zombie boxes to flood designated
targets, too. The /bin/ps you have in your box will usually have a list
of those processes it is designed to hide. hexedit is your friend.

> Well,
> 
> first of all, thank you for your help.
> Now, I'm sure I have been hacked. I think the only thing I have to do is 
> to back up personal data (already done), and to reinstall WBEL. Is it 
> right?

No. Back up the rooted server, too. Your IP may have been used for malicious
purposes and the only proof is that rooted box. Don't erase it.

> Behind the server, I have a LAN network composed of WinXP machines. Is 
> there a way for the hackers to install something on these machines and 
> then to re-open a hole in my new server installation?

Yes. It might even be easier to root a WinXP box through Outlook or IE 
and then to root everything on the network (by sniffing keyboards, etc.) 
than to root your UNIX box from the outside.
Your OpenSSH server should only be accessible through trusted boxes,
but I'm probably too paranoid. At least Windows boxes shouldn't be
allowed to access it.

> These first two questions are the most important ones, but it would be 
> interesting to know what I have done wrong to be hacked. I will keep the 
> hard drive for further analysis and install a new hard drive for the new 
> installation.

Good :)

> When I installed this server 1 year ago, I read the "Security quick 
> start howto" from HAL-Burgiss.
> Things that I did which are big errors (after one year learning the 
> Linux system, I realise it):
> 
> - No updates for 6 months.

You can do worse. 

> - Ran an OpenSSH server on the server (no DMZ):

That's bad. Depending on who accesses the box from the outside, you
should have at least a (small) list of public IPs allowed to access port 
22 (ssh).
A better way is to implement both that and a port-knock thing.

>         - incoming connections are chrooted with Jail
> - Before installing the official OpenSSH server, I installed a patched 
> version with chrootssh. Someone on this list did it for me and packaged 
> this version in an rpm. When I discovered Jail, I removed the patched 
> package to install the official OpenSSH. The packager was bishop. I 
> think this can be a trusted packager but I don't have the skills to 
> verify it. If someone is interested in studying it, I still have the package.
> - No installation of chkrootkit and tripwire.
> 
> Things that I respected :
> 
> - I always logged in as a normal user and su'd in a shell.

I trust your sshd_config shows "AllowRootLogin No" ?

> - Iptables policy
> - tcpwrappers
> - no unused services
> 
> Is it possible to know from where I was hacked?

Dunno. Anyone ?

> The first thing that I will try is chkrootkit.
> What is DAG's RHEL repo?
> Can I use the tar.gz available on www.chkrootkit.org?
> 
> Are there other things that I can try? (trying to reinstall ps to find 
> out what the real running processes are, for example) ....

Yes, but back up the hacked ps.
This might help, too:
http://www.cert.org/archive/pdf/FRGCF_v1.3.pdf

khaqq
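As an added illustration of the "cat /bin/ps" advice above (this is example code, not something posted by khaqq, Larry or the Whitebox list), the usual defender's check for a trojaned userland ps is to compare the PIDs that exist under /proc with the PIDs that ps is willing to report. A replaced /bin/ps filters its own output, but it cannot remove the /proc/<pid> directories. The function names are my own; the script assumes a Linux /proc and a ps that understands `-e -o pid=` (procps, as shipped with WBEL). The test data (a fake proc tree with a few directories) is constructed for the example.

```shell
#!/bin/sh
# Hidden-process check: compare the process IDs visible in /proc with the
# ones the (possibly replaced) ps reports.  A user-space trojaned ps
# filters its own output, but it cannot remove the /proc/<pid> entries,
# so any PID present in /proc and missing from ps output deserves a look.
# A kernel-level rootkit can hide from /proc as well, so an empty result
# is not proof of a clean system; the disk still has to be examined
# offline, booted from trusted media.

# list_proc_pids [DIR]: print the numeric directory names under DIR
# (default /proc), one per line, sorted so comm(1) can consume the list.
# DIR is a parameter only so the logic can be exercised on a constructed
# tree; on a real system it is /proc.
list_proc_pids() {
    dir="${1:-/proc}"
    for entry in "$dir"/[0-9]*; do
        [ -d "$entry" ] || continue
        basename "$entry"
    done | sort
}

# list_ps_pids: PIDs as reported by whatever ps is first in PATH.
list_ps_pids() {
    ps -e -o pid= | tr -d ' ' | sort
}

# hidden_pids PROC_FILE PS_FILE: print PIDs present in PROC_FILE but
# absent from PS_FILE (both files sorted, one PID per line).
hidden_pids() {
    comm -23 "$1" "$2"
}

# describe_pid PID: show what a hidden process is, read straight from
# /proc rather than from any binary that may have been replaced.
describe_pid() {
    pid="$1"
    printf 'pid %s exe=%s cmdline=%s\n' "$pid" \
        "$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')" \
        "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
}

# compare_live: run the check against the running system.  Processes
# that start or exit between the two snapshots (including this script's
# own subshells) can show up once; re-run to confirm a persistent PID.
compare_live() {
    tmp=$(mktemp -d) || return 1
    list_proc_pids /proc > "$tmp/proc.txt"
    list_ps_pids > "$tmp/ps.txt"
    for pid in $(hidden_pids "$tmp/proc.txt" "$tmp/ps.txt"); do
        describe_pid "$pid"
    done
    rm -rf "$tmp"
}

# Only touch the live system when asked to: sh hidden_ps_check.sh --live
if [ "${1:-}" = "--live" ]; then
    compare_live
fi
```

Run it from a shell you trust (a statically linked busybox or a tool set copied from the backed-up, known-good media is better than the binaries on the rooted box), and keep the original /bin/ps as khaqq says; the list of PIDs it refuses to show is part of the evidence.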

