• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 659

Gaining root access

I have a friend who has a machine that runs Debian 3.0 (woody). He wasn't updating some of the software, as he said Debian is reliable. Anyway, somebody gained root access to the machine. He took it off to see how that happened. I scanned it with Nessus and found there were some high-risk services without updates, such as

wu-ftpd 2.6.2
send mail ESMTP 8.12.3/Debian-6.6

How would somebody gain access to the machine as root?
Thanks for any comments or links.


Asked by: fm250

7 Solutions
 
m1tk4 commented:
A number of ways. There was a direct remote root exploit in wu-ftpd once, for example: http://www.landfield.com/wu-ftpd/mail-archive/wuftpd-questions/2000/Jun/0080.html ; chances are this is possible in the future as well. Bad security in wu-ftpd was one of the reasons RedHat replaced it with vsftpd back in 9.0(?).

Nessus might give you some clues, however the best method to determine how it happened would be to investigate the application logs on the server (that is, if this was a script kiddie who didn't clean up after himself).
 
fm250 (Author) commented:
But that was Debian.
 
m1tk4 commented:
So? It's the same wu-ftpd wherever it is. The vulnerability I provided as an example was fixed at around 2.6.0.2; what I meant was that there probably was another one, either in wu-ftpd or someplace else. All in all, Nessus will not do all your work for you - you gotta dig the logs.
 
fm250 (Author) commented:
Well, there were no helpful logs. But he is just wondering how somebody could get root access without even having normal user access, and ways to prevent such a thing with limited monitoring of the server. It is not his main job.
 
m1tk4 commented:
1) stay patched and updated
2) minimize the services exposed to the outer world
3) install "hardening" kernel patches
4) hire somebody for whom it would be their main job (i.e. either switch to managed hosting or hire a sysadmin).
 
Gabriel Orozco (Solution Architect) commented:
Just a comment here.

"But it is a Debian" is a *very bad* approach to security. Debian is reliable, but not secure by definition. Even OpenBSD, which has all its code AUDITED, is not 100% secure out of the box.

The sysadmin should take care that EVERY hole made in the firewall has an application listening, and then that application should be monitored to keep it current.

From here on, the last comment from m1tk4 is the way to go =)

(P.S. I use Slackware and I consider it much more secure than Debian because it makes me do all the job and then recheck everything, but still, on an unmonitored server we had an intrusion a year ago... since then I patch all servers without distinction.)
 
Mysidia commented:
If somebody gained root access, then you need to assume that from that point onward the system is compromised, until you do a clean re-install of the OS.

One thing to note is that it is very likely that the intruder cleansed the system logs that might otherwise indicate who got in and how; other changes may have been made to the system that you don't know about, to hide future activities or to ensure the intruder can regain access to the system in the future (backdoors, trojans, etc).

Recovering the information about how the intruder got in with a live analysis would probably be impossible if the attacker cleansed the logs -- your best bet at figuring it out would have been to cut off the system soon after the compromise was detected, and permanently preserve the contents of the disk using an image copy of the filesystem (for use as evidence).

The fact that WU-FTPD was not updated with the latest security fixes alone could have resulted in the compromise.

It is important to keep software up-to-date, ESPECIALLY popular software that is installed on many machines and will definitely be on the average kiddie's list of services to attempt to exploit, including...

* Web servers, FTP servers, mail servers, IMAP, POP, NFS, RPC, ...
* Login servers, SSH, rlogin, ...

It's fairly important to keep server software up-to-date.

Every service you enable for access from the outside world, whether it's an FTP service or a mail service, poses a risk of system compromise.

And that risk may reach an especially intolerable level if the updates that fix an exploitable security vulnerability are not applied on a timely basis.

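As an added example (not code from the thread or from any poster), here is the evidence-preservation step Mysidia describes, written as two hypothetical sh helpers: image the disk of the compromised machine, continuing past read errors, record a hash at capture time, and later prove the image is unaltered. It assumes the source is a whole block device whose size is a multiple of 512 bytes and that it is run from a trusted rescue system, not from the compromised OS.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical helpers for preserving a
# compromised disk as an image with a hash recorded at capture time.
# Assumes SRC is a whole block device with a size that is a multiple of 512
# bytes (true for real disks), so conv=sync only pads sectors that failed to read.

# preserve_image SRC DEST: copy SRC sector by sector to DEST, continuing past
# read errors, record DEST's SHA-1 in DEST.sha1, then confirm that a second
# read of SRC hashes to the same value. Returns non-zero if they disagree,
# which also tells you a bad sector was zero-padded and the image is not bit-exact.
preserve_image() {
    src=$1
    dest=$2
    # noerror: keep going after a bad sector; sync: pad that sector with zeros
    # so every later offset in the image still lines up with the original disk
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>/dev/null || return 1
    sha1sum "$dest" > "$dest.sha1" || return 1
    [ "$(sha1sum < "$src" | cut -d' ' -f1)" = "$(cut -d' ' -f1 "$dest.sha1")" ]
}

# verify_image DEST: later, confirm the image still matches the recorded hash
verify_image() {
    [ "$(sha1sum < "$1" | cut -d' ' -f1)" = "$(cut -d' ' -f1 "$1.sha1")" ]
}

# Usage on a real host (paths are placeholders):
#   preserve_image /dev/hda /mnt/evidence/woody-hda.img
#   verify_image /mnt/evidence/woody-hda.img
```

Keep the .sha1 file and the image on write-once or read-only media; any later analysis should be done on a working copy of the image.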
 
cjl7 commented:
Hi,

Same as the other comments, but here goes...

Running an FTP server in non-anonymous mode (normal users can log in) is the same as giving your username and password to the world...

Other really good ways to get hacked are to:

- have standard accounts with standard passwords
- have accounts that have the same name/password (for example: user: test, password: test = hacked!!!)
- use ftp, telnet, webmail in non-SSL mode, SNMP with the same password as a user, SNMP as a rw community... (long list)

My general advice is the same as m1tk4's: update ASAP and get to know what you are doing... (or find someone that does...)

Install a firewall that blocks inbound AND outbound traffic. That way the script kids are lost...


Cheers

Jonas
 
fm250 (Author) commented:
Thank you all for the comments. I have provided him with some links about how to keep his box secure, in addition to some scripts that are out there for implementing the exploits, such as: http://www.securiteam.com/exploits/3V5QGQKQ0C.html for wu-ftp, since he was more interested in how they got in.

So any more comments on the how part, such as: can these exploits first use some of the system accounts with nologin, such as ftp, mail, nobody, etc.?

Thanks, and I will split the points.
 
Gabriel Orozco (Solution Architect) commented:
Some software exposes your server to a compromise. OK.

But some other software has vulnerabilities that can lead to a privilege escalation. That is, you exploit that software, which is running as root, and now you have root privileges. What to do first? If the exploit takes too much time, then just change root (not recommended), create another user with root privileges (way better), etc. etc. etc.

This is why a system must always be up to date.
 
avatech commented:
I'm no expert, but generally speaking, remote attackers can cause a buffer overflow in remote services without the need of a local account. A buffer overflow can contain code to cause the program to error and execute code as root. If such a buffer overflow were exploited and linked to or contained code that modifies /etc/passwd, for example, they could just insert a local account of their choosing or even possibly get a remote root prompt. If you really want to know the how and why, I suggest putting Google and SecurityFocus to work for you. Here are some of the many examples of problems with wu-ftp.

http://www.google.com/search?hl=en&lr=lang_en&newwindow=1&safe=off&q=define%3A+buffer+overflow&btnG=Search

http://www.google.com/search?hl=en&newwindow=1&safe=off&sa=X&oi=spell&resnum=0&ct=result&cd=1&q=wuftpd+buffer+overflow&spell=1

http://www.securityfocus.com/bid/599/discuss

There have been many over the years; those are just some ideas to get you in the right direction. Bottom line is... always monitor your systems and logs, and update with security patches as soon as possible. If you can't patch immediately for whatever reason, at least be aware of the patches and find workarounds, or test patches on other systems not in production.
 
mwnnj commented:
Hi, I'm also doing Debian - sarge 3.1 rc2.
Some useful hints:
-Nessus is not the only and last remedy;
--make a cron job on the woody server for running chkrootkit, quiet mode is also OK!!!:
http://www.chkrootkit.org/ --> this is the really important tool against the rootkits!
-or try out also: snort, netcat, ethereal:
http://www.insecure.org/tools.html  ;
---------------------------------------------------------------------------------------------------
-make a good iptables script for the server; MonMotha's script is a good one, perhaps you need to modify it for your needs:
but I think his own server is currently down ;( => do a Google search to find the latest version.
-use only ssh and no telnet for remote administration;
-use only ssh for sFTP; as best use gFTP or any other client which is ssh/ssh2 capable;
--------------------------------------------------------------------------------------------------
-add to your sources list in /etc/apt/ :

deb http://security.debian.org/ stable/updates main

or
 
deb http://security.debian.org/ stable/updates main contrib non-free

and do regularly:
#apt-get update    and
#apt-get upgrade
-----------------------------------------------------------------------------
-subscribe to the Debian security mailing lists:
http://lists.debian.org/debian-security-announce/  so you can get by e-mail every announcement for every security update.
--subscribe to the Debian users mailing list where you can also get superb support regarding your distro:
http://lists.debian.org/debian-user/ --> you can ask here for security support and every kind of Debian problems/issues
--subscribe to another security mailing list, something like:
http://www.us-cert.gov/cas/signup.html
----------------------------------------------------------------
-run crack at least once a month from a remote machine to scan your server for weak passwords
-if you wish, install also clamav, but it isn't really needed:
http://www.clamav.net/
----------------------------------------------------------------
-check out these links:
http://www.debian.org/doc/user-manuals#securing
http://www.debian.org/doc/user-manuals#system
http://www.debian.org/doc/user-manuals#network
http://www.faqs.org/docs/iptables/
http://www.debian.org/doc/user-manuals#quick-reference
http://www.debian.org/doc/user-manuals#users-guide
http://www.debian.org/doc/user-manuals
------------------------------------------------------------------------
(-buy a firewall router on eBay, perhaps you can get a cheaper one for not more than 150-200 bucks...)
-check out also:
bastille
http://www.bastille-linux.org/
also as firewall:
http://www.shorewall.net/
http://www.netfilter.org/projects/iptables/
-update to sarge, it's really better than woody overall.

cu

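As an added example (not code from the thread or from any poster), a small sh audit in the spirit of mwnnj's hints and m1tk4's "minimize the services exposed" advice: it checks that the security.debian.org apt source is actually active (not commented out), and it lists LISTEN ports that are not on an explicit allowlist, so a forgotten wu-ftpd on 21 or sendmail on 25 stands out. Function names are hypothetical and the netstat output is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical helpers for a quick exposure
# audit of a Debian box: is the security apt source active, and what is
# listening that should not be?

# has_security_source FILE: succeed only if FILE has an uncommented line
# pulling from security.debian.org (a leading '#' means it is not in use).
has_security_source() {
    grep -Eq '^[[:space:]]*deb[[:space:]]+http://security\.debian\.org/' "$1"
}

# unexpected_listeners NETSTAT_OUTPUT ALLOWED_PORTS
# NETSTAT_OUTPUT is the text of `netstat -tln`; ALLOWED_PORTS is a space-separated
# allowlist. Prints the LISTEN ports not on the allowlist, ascending, on one line.
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $NF == "LISTEN" {
            port = $4; sub(/.*:/, "", port)   # strip the address, keep the port
            if (!(port in ok)) print port
        }' | sort -n | uniq | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample of `netstat -tln` from a woody host exposing ftp, smtp,
# ssh and the portmapper; only ssh is meant to be reachable from outside.
SAMPLE_NETSTAT=$(cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
EOF
)

# On a real host replace the sample with: unexpected_listeners "$(netstat -tln)" "22"
echo "Listening ports not on the allowlist: $(unexpected_listeners "$SAMPLE_NETSTAT" "22")"
if has_security_source /etc/apt/sources.list 2>/dev/null; then
    echo "security.debian.org source is configured"
else
    echo "WARNING: no active security.debian.org line in /etc/apt/sources.list"
fi
```

Run it from cron alongside chkrootkit and mail yourself the output; a port that appears in the first line without a matching change you made is worth investigating.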