ACKKKKKKKKK! I Have been cracked!
by scottstef (Curate) on Apr 03, 2001 at 06:17 UTC
I know I may be beating a dead horse, but I am writing this to warn everyone about how we all play a role in security after I spent all day correcting a hack attempt. We all need to be security aware. Too many times we ignore security features that are preventable. We all fail to have other people check our code, pay attention to processes running. While we are still investigating, I want to talk about how easy this exploit was.
Basically someone got in the box and root kitted inetd. This started a service called ingreslock. Once this process started, anyone could telnet to the port, and get a pseudo root shell. With this shell ANY commands could be run remotely.
We were lucky, the guy couldn't type, ran a rm -r /var /logs.
After he wiped out that directory we couldn't log in.
Fortunately he had just done this (checked our backups), and then we had the process of cleaning up and investigating this incident.
I am hoping we all will consider the following issues next time we log into a machine:
I hope this will make a few people think, no one intends to make a machine insecure, but how often do we all get lax? Skimming through a log file because we do not have the time? Doing an incomplete security audit because "They will never get past the firewall" (Substitute your favorite excuse here, you have all of mine :^)
UPDATE: See http://project.honeynet.org for some preventative steps.
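
One routine check of the kind the post argues for, added here as an example and not part of the original post: audit an inetd configuration for entries that hand a shell to a network port as root, or that offer a service the site never runs. It assumes the backdoor is visible as an entry in a standard-format `inetd.conf`; the function name, service list and sample file are constructed for illustration.

```python
import os
import re

# Interpreters that inetd should never attach directly to a socket.
SHELLS = {"sh", "bash", "csh", "tcsh", "ksh", "zsh", "ash", "dash"}
# Service name taken from the post; extend with names your site never offers.
UNEXPECTED_SERVICES = {"ingreslock"}

def audit_inetd(text):
    """Return [(line_no, service, [reasons])] for suspicious inetd.conf entries."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            findings.append((line_no, fields[0], ["malformed entry"]))
            continue
        # Format: service socket-type protocol wait/nowait user program [args]
        service, user, program, args = fields[0], fields[4], fields[5], fields[6:]
        user = re.split(r"[.:]", user)[0]  # strip an optional group suffix
        # With a tcpd wrapper the real daemon is the first argument, so check both.
        executables = {os.path.basename(program)}
        if args:
            executables.add(os.path.basename(args[0]))
        reasons = []
        if service in UNEXPECTED_SERVICES:
            reasons.append("unexpected service name")
        if user == "root" and executables & SHELLS:
            reasons.append("shell run as root")
        if reasons:
            findings.append((line_no, service, reasons))
    return findings

# Constructed sample file, not taken from the incident described in the post.
SAMPLE = """\
# constructed inetd.conf for the example
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
time    dgram   udp  wait    root  internal
ingreslock stream tcp nowait root /bin/sh sh -i
"""

if __name__ == "__main__":
    for line_no, service, reasons in audit_inetd(SAMPLE):
        print(f"line {line_no}: {service}: {', '.join(reasons)}")
```

A clean result only covers the configuration file: if the inetd binary itself was replaced, compare it against a known-good checksum from trusted media as well.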