
Security holes, how do hackers get in?

Posted on 2003-10-28
Last Modified: 2010-04-22
Hi,

I've been told that I may have suffered a hacker attack and also that it could've been because I was running old versions of ssh, ssl, ftp, bind, sendmail and apache.

Now my question is this, how does a hacker get in if ssh is restricted to certain ips? How do they use other services (apache, bind, sendmail, ftp etc etc) to get into the system and gain root access? I'm currently upgrading all services to the newest releases to prevent this happening again, is there anything else I should be doing

Thanks
Question by:choccarlm
15 Comments
 
LVL 18

Expert Comment

by:liddler
You either break in via a flaw that allows you to predict what the machine is looking for and inject your traffic in, which the server thinks is coming from somewhere else, or you use a buffer overflow, where an extra bit of code is added onto the end of some data going into a buffer. This code is then executed by the kernel as a privileged user, and can then be used to run something else, such as adding a malicious user.
Other things to do, latest kernel patches, firewall, go through your startup scripts, make sure nothing is started that you don't need.
Titan is an excellent resource to help harden your machine (http://www.fish.com/titan/TITAN_documentation.html)
But definitely keep all internet facing services (sendmail, bind, apache etc) patched up to date.
 
LVL 6

Expert Comment

by:mbarbos
There are many ways in which security can be compromised, many types of attacks and so on. Have a look at www.securityfocus.com and you'll see that there were problems with almost everything (and get scared ;-).

An old example is sendmail. Sendmail allowed emails to be piped to commands (this feature is used by mailing list managers like majordomo). But the default configuration till version xx (I don't remember) allowed everybody to do that. Imagine what happens if you can run a command (maliciously) remotely on a mail server with the mail daemon rights. And on Solaris user sendmail has uid 0 (which means root).

Nessus (www.nessus.org) is also a good tool to check your server security. There is also an article about nessus: http://www.securityfocus.com/infocus/1741

And to state once again what liddler said: "keep all internet facing services (sendmail, bind, apache etc) patched up to date"
 

Author Comment

by:choccarlm
Thanks,

Also I've been told to update my kernel. What's the easiest way of doing this and where can I find kernels? Also, what is the main purpose of the Linux kernel?
 
LVL 18

Expert Comment

by:liddler
You can get the kernel source from whoever your distribution comes from, i.e. www.redhat.com for RedHat or www.linux-mandrake.com for Mandrake.
The kernel is the core of the operating system, the same as DOS or Windows XP is on Microsoft machines.
 
LVL 6

Expert Comment

by:mbarbos
Depending on what you are using see
http://www.redhat.com/support/resources/howto/kernel-upgrade
http://en.tldp.org/HOWTO/Kernel-HOWTO

Also one maybe interesting page: http://www.governmentsecurity.org

What's the purpose of the kernel? Hmm. Basically it is the core of the OS.
 
LVL 6

Expert Comment

by:mbarbos
Nice liddler, you're faster :)
 

Author Comment

by:choccarlm
Thanks guys, is there any way of splitting the points?

 
LVL 6

Expert Comment

by:mbarbos
There should be a split button somewhere below the comment area...
 

Author Comment

by:choccarlm
I can't see it, I'll ask the mods.

One more quick question. I've just purchased Mandrake 9.2 Pro Suite. It comes with sshd 3.6 which is the same version I've got the source files for. Do I uninstall the rpm that comes with the o/s and install from source, or is it safe to leave the one that comes with it? This goes for all packages.

Thanks
 
LVL 6

Expert Comment

by:mbarbos
None. You install the packages as they came and, after you have installed the machine, trimmed it down to what's necessary only and secured it, you use the UPGRADE feature for your distribution. This should contact a server from the vendor (or a mirror) and fetch and install the necessary packages.
If you register, you'll also receive emails when an upgrade is available.
 

Author Comment

by:choccarlm
I can't use the upgrade feature as the servers don't currently have an internet connection, and when they do, they won't be booting using the gui, it will be command line only. Is it safe to leave the packages that are installed?
 
LVL 6

Expert Comment

by:mbarbos
There should also be a command line tool for upgrading.

Best would be to do the upgrade through a firewall first and then put them on the net.
 

Author Comment

by:choccarlm
ok but if it's the latest rpm that's been installed during install then it should be quite safe, or not?
 
LVL 6

Accepted Solution

by: mbarbos (earned 125 total points)
Bad luck can always strike, but yes, you might have a chance :)
Anyway install tripwire or something similar before connecting the machine to the net.
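The accepted answer recommends tripwire before the box goes online. As an added illustration (not code from the thread or from tripwire itself) of what such a tool does, the script below builds a hash baseline of a directory tree and reports what changed; the directory contents, file names and the tampering it simulates are all constructed for the demo.

```python
"""Added tripwire-style file-integrity check (example, not from the thread):
hash every regular file under a root, then report added/removed/modified."""
import hashlib
import os
import tempfile


def build_baseline(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are out of scope here
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            baseline[os.path.relpath(full, root)] = digest
    return baseline


def compare(old, new):
    """Return (added, removed, modified) sets of relative paths."""
    added = set(new) - set(old)
    removed = set(old) - set(new)
    modified = {p for p in set(old) & set(new) if old[p] != new[p]}
    return added, removed, modified


def demo():
    """Constructed scenario: baseline a fake config tree, then tamper with it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "ssh"))
    with open(os.path.join(root, "passwd"), "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n")
    with open(os.path.join(root, "ssh", "sshd_config"), "w") as fh:
        fh.write("PermitRootLogin no\n")
    before = build_baseline(root)
    # Simulated tampering of the kind liddler describes: an extra uid-0 account
    # appended to passwd, plus an unexpected new file dropped into the tree.
    with open(os.path.join(root, "passwd"), "a") as fh:
        fh.write("extra:x:0:0::/:/bin/sh\n")
    with open(os.path.join(root, "ssh", "dropped.so"), "w") as fh:
        fh.write("constructed placeholder, not real code\n")
    after = build_baseline(root)
    return compare(before, after)


if __name__ == "__main__":
    print(demo())
```

A real deployment keeps the baseline off the host (or on read-only media), since an intruder with root can otherwise rewrite it along with the files.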
 

Author Comment

by:choccarlm
Cheers, your advice has been really helpful, thanks a lot