Solved

Security holes, how do hackers get in?

Posted on 2003-10-28
Last Modified: 2010-04-22
Hi,

I've been told that I may have suffered a hacker attack and also that it could've been because I was running old versions of ssh, ssl, ftp, bind, sendmail and apache.

Now my question is this, how does a hacker get in if ssh is restricted to certain ips? How do they use other services (apache, bind, sendmail, ftp etc etc) to get into the system and gain root access? I'm currently upgrading all services to the newest releases to prevent this happening again, is there anything else I should be doing

Thanks
Question by:choccarlm
15 Comments
 
LVL 18

Expert Comment

by:liddler
ID: 9632758
You either break in via a flaw that allows you to predict what the machine is looking for and inject your traffic in, which the server thinks is coming from somewhere else, or you use a buffer overflow, where an extra bit of code is added onto the end of some data going into a buffer. This code is then executed by the kernel as a privileged user; it can then be used to run something else, such as adding a malicious user.
Other things to do: latest kernel patches, firewall, go through your startup scripts, make sure nothing is started that you don't need.
Titan is an excellent resource to help harden your machine (http://www.fish.com/titan/TITAN_documentation.html)
But definitely keep all internet-facing services (sendmail, bind, apache etc.) patched up to date
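The buffer overflow liddler describes, as an added example (this is not code from the thread or from any of the services named in it). To keep the result deterministic the overrun corrupts an adjacent field inside a struct rather than the saved return address on the stack; the mechanism is identical, and the injected bytes run with whatever privileges the overflowed process has, which for a 2003-era daemon was often root. The `session` struct, the `copy_unbounded` helper and the `OVERSIZED_NAME` input are all constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Layout is fixed by the struct: 16 bytes of name, then the flag. Copying
 * more than 15 characters plus the NUL into name spills into is_admin. */
struct session {
    char name[16];
    int  is_admin;
};

/* The classic bug: copy until the source terminator, never looking at the
 * size of the destination. Written out instead of calling strcpy() so a
 * fortified libc strcpy cannot mask the overflow; noinline keeps the
 * compiler from reasoning about the destination's bounds at the call site. */
__attribute__((noinline))
static void copy_unbounded(char *dst, const char *src)
{
    size_t i = 0;
    while (src[i] != '\0') {
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
}

void set_name_vulnerable(struct session *s, const char *name)
{
    copy_unbounded(s->name, name);
}

/* Hardened: check the length against the destination first. Oversized input
 * is rejected rather than silently truncated. */
int set_name_safe(struct session *s, const char *name)
{
    size_t n = strlen(name);
    if (n >= sizeof s->name)
        return -1;
    memcpy(s->name, name, n + 1);   /* n + 1 <= 16, includes the NUL */
    return 0;
}

/* Constructed attacker input: 19 'A's. Bytes 16..18 land on is_admin. */
#define OVERSIZED_NAME "AAAAA" "AAAAA" "AAAAA" "AAAA"

/* is_admin after the vulnerable copy: 0 for a normal name, non-zero once
 * the overflow has overwritten it with 'A' bytes (0x00414141 on x86). */
int demo_vulnerable(const char *name)
{
    struct session s;
    memset(&s, 0, sizeof s);
    set_name_vulnerable(&s, name);
    return s.is_admin;
}

/* -1 when the hardened copy rejects the input, otherwise is_admin, which
 * stays 0 because nothing outside name is ever written. */
int demo_safe(const char *name)
{
    struct session s;
    memset(&s, 0, sizeof s);
    if (set_name_safe(&s, name) != 0)
        return -1;
    return s.is_admin;
}

int main(void)
{
    printf("vulnerable, \"alice\"  : is_admin=%d\n", demo_vulnerable("alice"));
    printf("vulnerable, 19 x 'A' : is_admin=%#x\n",
           (unsigned)demo_vulnerable(OVERSIZED_NAME));
    printf("safe, 19 x 'A'       : rc=%d\n", demo_safe(OVERSIZED_NAME));
    return 0;
}
```

The fix is the length check, not the choice of copy routine: `strncpy` alone would leave `name` unterminated for a 16-byte input, so `set_name_safe` compares against `sizeof s->name` and refuses anything that does not fit with its terminator.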
 
LVL 6

Expert Comment

by:mbarbos
ID: 9636635
There are many ways in which security can be compromised, many types of attacks and so on. Have a look at www.securityfocus.com and you'll see that there were problems with almost everything (and get scared ;-).

An old example is sendmail. Sendmail allowed emails to be piped to commands (this feature is used by mailing list managers like majordomo). But the default configuration till version xx (I don't remember) allowed everybody to do that. Imagine what happens if you can run a command (maliciously) remotely on a mail server with the mail daemon's rights. And on Solaris, user sendmail has uid 0 (which means root).

Nessus (www.nessus.org) is also a good tool to check your server security. There is also an article about nessus: http://www.securityfocus.com/infocus/1741

And to state once again what liddler said: "keep all internet-facing services (sendmail, bind, apache etc.) patched up to date"
 

Author Comment

by:choccarlm
ID: 9640422
Thanks,

Also I've been told to update my kernel. What's the easiest way of doing this and where can I find kernels? Also, what is the main purpose of the Linux kernel?
 
LVL 18

Expert Comment

by:liddler
ID: 9640542
You can get the kernel source from whoever your distribution comes from, i.e. www.redhat.com for Red Hat or www.linux-mandrake.com for Mandrake.
The kernel is the core of the operating system, the same as DOS or Windows XP is on Microsoft machines.
 
LVL 6

Expert Comment

by:mbarbos
ID: 9640563
Depending on what you are using see
http://www.redhat.com/support/resources/howto/kernel-upgrade
http://en.tldp.org/HOWTO/Kernel-HOWTO

Also one maybe interesting page: http://www.governmentsecurity.org

What's the purpose of the kernel? Hmm. Basically it is the core of the OS.

 
LVL 6

Expert Comment

by:mbarbos
ID: 9640567
Nice liddler, you're faster :)
 

Author Comment

by:choccarlm
ID: 9640603
Thanks guys, is there any way of splitting the points?
 
LVL 6

Expert Comment

by:mbarbos
ID: 9640682
There should be a split button somewhere below the comment area...
 

Author Comment

by:choccarlm
ID: 9650039
I can't see it, I'll ask the mods.

One more quick question. I've just purchased Mandrake 9.2 Pro Suite. It comes with sshd 3.6, which is the same version I've got the source files for. Do I uninstall the rpm that comes with the o/s and install from source, or is it safe to leave the one that comes with it? This goes for all packages.

Thanks
 
LVL 6

Expert Comment

by:mbarbos
ID: 9650133
None. You install the packages as they came and, after you have installed the machine, trimmed it down to what's necessary only and secured it, you use the UPGRADE feature for your distribution. This should contact a server from the vendor (or a mirror) and fetch and install the necessary packages.
If you register, you'll also receive emails when an upgrade is available.
 

Author Comment

by:choccarlm
ID: 9650182
I can't use the upgrade feature as the servers don't currently have an internet connection, and when they do, they won't be booting using the GUI, it will be command line only. Is it safe to leave the packages that are installed?
 
LVL 6

Expert Comment

by:mbarbos
ID: 9650288
There should also be a command line tool for upgrading.

Best would be to do the upgrade through a firewall first and then put them on the net.
 

Author Comment

by:choccarlm
ID: 9650317
OK, but if it's the latest rpm that's been installed during install, then it should be quite safe, or not?
 
LVL 6

Accepted Solution

by: mbarbos (earned 125 total points)
ID: 9650401
Bad luck can always strike, but yes, you might have a chance :)
Anyway, install tripwire or something similar before connecting the machine to the net.
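A minimal file-integrity check of the kind mbarbos recommends (tripwire or similar), as an added example that is not from the thread and not tripwire's own code: record the size, mode and a content hash of each file before the host goes online, then compare a later snapshot against that baseline and list what was added, removed or modified. The paths and file contents are constructed, and the FNV-1a hash is a stand-in for SHA-256 so the block has no dependencies. The baseline itself must be kept somewhere the intruder cannot rewrite it (read-only media or another host), otherwise a rootkit simply updates it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One baseline record: what the checker remembers about a file. */
struct entry {
    const char *path;
    size_t      size;
    unsigned    mode;   /* permission bits, e.g. 0644 */
    uint64_t    hash;   /* hash of the file contents */
};

struct report { int added, removed, modified; };

/* Bits returned by entry_diff(). */
enum { CHG_SIZE = 1, CHG_MODE = 2, CHG_HASH = 4 };

/* FNV-1a, 64-bit: stand-in for a cryptographic hash. It catches changes but
 * is not collision-resistant, so a real checker uses SHA-256 or an HMAC
 * with a key kept off the host. */
uint64_t fnv1a64(const void *data, size_t len)
{
    const unsigned char *p = data;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Record one file. Contents and mode are passed in because this example runs
 * on constructed data; a real tool would stat() and read the path. */
struct entry snapshot(const char *path, const char *content, unsigned mode)
{
    struct entry e;
    e.path = path;
    e.size = strlen(content);
    e.mode = mode;
    e.hash = fnv1a64(content, e.size);
    return e;
}

static const struct entry *find(const struct entry *set, size_t n, const char *path)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(set[i].path, path) == 0)
            return &set[i];
    return NULL;
}

/* Which attributes differ between two records of the same path. */
int entry_diff(const struct entry *a, const struct entry *b)
{
    int f = 0;
    if (a->size != b->size) f |= CHG_SIZE;
    if (a->mode != b->mode) f |= CHG_MODE;
    if (a->hash != b->hash) f |= CHG_HASH;
    return f;
}

/* Compare the stored baseline against a fresh snapshot. */
struct report compare(const struct entry *base, size_t nb,
                      const struct entry *cur,  size_t nc)
{
    struct report r = { 0, 0, 0 };
    for (size_t i = 0; i < nb; i++) {
        const struct entry *c = find(cur, nc, base[i].path);
        if (c == NULL) {
            printf("REMOVED  %s\n", base[i].path);
            r.removed++;
            continue;
        }
        int f = entry_diff(&base[i], c);
        if (f != 0) {
            printf("MODIFIED %s:%s%s%s\n", base[i].path,
                   (f & CHG_SIZE) ? " size" : "",
                   (f & CHG_MODE) ? " mode" : "",
                   (f & CHG_HASH) ? " contents" : "");
            r.modified++;
        }
    }
    for (size_t i = 0; i < nc; i++)
        if (find(base, nb, cur[i].path) == NULL) {
            printf("ADDED    %s\n", cur[i].path);
            r.added++;
        }
    return r;
}

/* Constructed scenario: baseline taken before the box went online, current
 * snapshot taken after a suspected break-in. None of these are real files. */
struct report demo_report(void)
{
    struct entry base[3], cur[4];
    base[0] = snapshot("/etc/passwd", "root:x:0:0:root:/root:/bin/bash\n", 0644);
    base[1] = snapshot("/bin/login", "original login binary", 0755);
    base[2] = snapshot("/etc/ssh/sshd_config", "PermitRootLogin no\n", 0600);

    cur[0] = snapshot("/etc/passwd", "root:x:0:0:root:/root:/bin/bash\n", 0644); /* untouched */
    cur[1] = snapshot("/bin/login", "trojaned login binary", 0755);             /* same size, new contents */
    cur[2] = snapshot("/etc/ssh/sshd_config", "PermitRootLogin no\n", 0644);     /* mode loosened */
    cur[3] = snapshot("/usr/lib/libproc.so.1", "rootkit helper", 0755);          /* new file */
    return compare(base, 3, cur, 4);
}

int main(void)
{
    struct report r = demo_report();
    printf("%d added, %d removed, %d modified\n", r.added, r.removed, r.modified);
    return 0;
}
```

The trojaned `/bin/login` has exactly the same size as the original, which is why the check hashes contents rather than trusting size and timestamp: a replaced binary padded to the old length and given the old mtime is invisible to `ls -l`.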
 

Author Comment

by:choccarlm
ID: 9650425
Cheers, your advice has been really helpful, thanks a lot
