158 lines
6.9 KiB
HTML
158 lines
6.9 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
|
|
<HTML>
|
|
<HEAD>
|
|
<title>Learning about Security Issue 15</title>
|
|
</HEAD>
|
|
<BODY >
|
|
|
|
<H4>
|
|
"Linux Gazette...<I>making Linux just a little more fun!</I>"
|
|
</H4>
|
|
|
|
<P> <HR> <P>
|
|
<!--===================================================================-->
|
|
|
|
<center>
|
|
<H2>Learning about Security </H2>
|
|
<H4>By Jay Sprenkle,
|
|
<a href="mailto:jay@shadow.ashpool.com">jay@shadow.ashpool.com</a></H4>
|
|
</center>
|
|
<P> <HR> <P>
|
|
|
|
It all started when the system rebooted...
|
|
<P>
|
|
I had been having reliability problems with my system for over a
|
|
month. It would run fine for up to a week or so then it would crash
|
|
with wierd symptoms. I know it's unusual to trust in your software
|
|
these days, but I had faith that Linux was not the culprit. Only
|
|
operating systems produced by large companies have to be rebooted
|
|
every day.
|
|
<P>
|
|
I took the motherboard out of the system and drove down to the
|
|
supplier. The guy behind the counter had the standard "electronic
|
|
supplier salesperson disease". He thought I was A. an idiot, B. trying
|
|
to rip him off or C. trying to ruin his day/profit margin. I explained
|
|
the problem, told him how it gave different symptoms each time it
|
|
died, and how I had swapped out parts. After about 20 minutes he had
|
|
no more arguments and he gave me a new motherboard.
|
|
<P>
|
|
I took it home and put it back into the case. I was back up in a few
|
|
minutes and I put the system back into service. After almost three
|
|
weeks of blissfull operation it rebooted itself and started back up
|
|
without a problem. I didn't even know about it until I saw the system
|
|
log file a day later. ARGGG! The **** thing is broken again...
|
|
<P>
|
|
I studied the logs and found that odd things had happened. The web
|
|
server process log was filled with total nonsense. The system log had
|
|
stopped working shortly after the reboot. I felt that a power failure
|
|
had caused the odd log messages and possibly damaged the system
|
|
logging program.
|
|
<P>
|
|
As I began looking at the other logs I found that someone had
|
|
transferred copies of some of my files to a system I had never heard
|
|
of before. This was serious! I had been violated! I didn't have
|
|
hardware problems, some sleazoid-weasel had broken into my system! I
|
|
had previously been over the system carefully trying to eliminate all
|
|
the security holes. I hadn't been careful enough!
|
|
<P>
|
|
I copied off every log file I could find and immediately changed all
|
|
the passwords on the system. If they had gotten in and copied the
|
|
password file they could eventually crack the encoding on their own
|
|
system and they would have all the passwords.
|
|
<P>
|
|
I sent off a message to the system administrator of the system that
|
|
the files had been sent to. With a little time at a search engine site
|
|
I found that this system was located in Chicago. I later found out
|
|
from the site's system administrator that this guy had somehow broken
|
|
through the security in one of their systems routers. Once into the
|
|
router he installed a packet sniffer. This program reads the data
|
|
packets that go across the net and records anything that looks like a
|
|
password.
|
|
<P>
|
|
I had been connecting to my system remotely to get mail from it. I
|
|
have since found out that the POP3 protocol used to get mail sends
|
|
your account password in clear text (unencrypted) when getting your
|
|
mail. This sleazy booger's packet sniffer probably captured my
|
|
password when I was getting my mail. The rlogin, rsh, rexec, rlp,
|
|
telnet, adn FTP protocols also send passwords in clear text by the
|
|
way!
|
|
<P>
|
|
I went through the '/etc/services' file one more time and found that I
|
|
had not disabled the 'rlogin' service as I had first thought. This
|
|
service runs on port 513 but is not called 'rlogin'. I went through
|
|
and disabled every service that starts with an 'r'. These are the
|
|
remote services programs that a cracker can use to get into your
|
|
system. I disabled all file sharing and all protocols except tcp/ip. I
|
|
disabled the telnet service altogether since there is a better
|
|
replacement. I also made sure that NFS and RPC were disabled since
|
|
there was supposed to be a security hole in these too.
|
|
<P>
|
|
Well, not a lot had been done to my system, other than the reboot
|
|
after the break-in. One nagging thing was that the system logging no
|
|
longer worked. After goofing around with it for a day or so I finally
|
|
noticed what should have been obvious. The 'syslogd' program had been
|
|
replaced with another program with the same name.
|
|
<P>
|
|
I haven't verified it but I believe this program is another copy of
|
|
the packet sniffer the cracker used in the router. When you do a 'ps'
|
|
to see what's running you wouldn't think anything about it since this
|
|
program should be running all the time. I replaced the 'syslogd'
|
|
program with the correct one and it worked like a champ again.
|
|
<P>
|
|
While poking around in my /tmp directory I found a copy of the 'bash'
|
|
shell with the SUID bit set. WHOA! What's this? With this little baby
|
|
you can become root by simply running it. When I happened to mention
|
|
this to a fine gentleman [Jim Dennis, The Answer Guy --Editor]
|
|
who was helping me try to get it working he
|
|
immediately remembered the security hole associated with this. There's
|
|
a bug with the 'sendmail' program that allows you to make an SUID copy
|
|
of your shell in the /tmp directory. If you don't have version 8.8.3
|
|
or later of the sendmail program you're vulnerable too! (go to
|
|
http://www.sendmail.org for the latest stuff).
|
|
<P>
|
|
So, what have I learned from all this?
|
|
<ol>
|
|
<li>Security is more important than I thought.
|
|
<li>Security is no fun to implement...
|
|
<li>Cracker's read the CERT releases so they can keep up on
|
|
the latest, coolest, ways to break into your system. They
|
|
think it's a fun challenge to 'beat you'
|
|
<li>Security is no fun to implement...
|
|
<li>Don't use FTP, telnet, rlogin, rsh, or POP3 remotely. If
|
|
you need to do this get the newer versions that encrypt
|
|
the session BEFORE they log in.
|
|
<li>Security is no fun to implement...
|
|
<li>If you have an older version of sendmail than 8.8.3 replace it. 8.
|
|
<li>Don't give access to programmers tools. It just makes
|
|
the cracker's job easier.
|
|
<li>Security is no fun to implement...
|
|
<li>Turn off all remote services on your system
|
|
<li>Security is no fun to implement...
|
|
<li>Read the CERT bulletins to see if you have any obvious holes
|
|
in your system. If you do, fix them
|
|
</ol>
|
|
and lastly... <BR>
|
|
Security is no fun to implement!
|
|
<P>
|
|
best of luck to you!
|
|
<P>
|
|
Jay
|
|
|
|
<!--===================================================================-->
|
|
<P> <hr> <P>
|
|
<center><H5>Copyright © 1997, Jay Sprenkle<BR>
|
|
Published in Issue 15 of the Linux Gazette, March 1997</H5></center>
|
|
|
|
<!--===================================================================-->
|
|
<P> <hr> <P>
|
|
<A HREF="./index.html"><IMG ALIGN=BOTTOM SRC="../gx/indexnew.gif"
|
|
ALT="[ TABLE OF CONTENTS ]"></A>
|
|
<A HREF="../index.html"><IMG ALIGN=BOTTOM SRC="../gx/homenew.gif"
|
|
ALT="[ FRONT PAGE ]"></A>
|
|
<A HREF="./gm.html"><IMG SRC="../gx/back2.gif"
|
|
ALT=" Back "></A>
|
|
<A HREF="./midi.html"><IMG SRC="../gx/fwd.gif" ALT=" Next "></A>
|
|
<P> <hr> <P>
|
|
</BODY>
|
|
</HTML>
|