Post #111,558
7/26/03 8:32:03 AM
|
Help!
It appears that my Debian Box has been hacked again.
Either it has, or I've changed my root password and can't remember it. I don't remember changing it, but I did install Apache 2 on it about 2 weeks ago.
Anyway, I rebooted the box last night and it attempts a fsck. It gets to about 90% complete, then says I have to do a fsck manually. It prompts me for the root password for maintenance.
I've tried:
1. Breaking into the boot script with Ctl-C to attempt to get a prompt, then init to s or 1, no luck.
2. Booting to my install CD.
I would rather not reinstall the OS to solve the problem, but if that's the only solution, then that's the only solution...
Any other ideas before I wipe out my system?
Is there anything I can do to get to single user mode without the root password to fix the disk? If I can be root in single user mode without a password, then I can do the fsck, replace the passwd file and fix this.
If you don't want to publish this publicly, email me a gdaustin at comcast dot net.
Thanks,
Glen Austin
|
Post #111,560
7/26/03 9:10:17 AM
|
Use the install CD
Do "rescue root=/dev/whatever single" and it'll dump you in single-user mode, from whence you can change the password.
Peter
[link|http://www.debian.org|Shill For Hire]
[link|http://www.kuro5hin.org|There is no K5 Cabal]
[link|http://guildenstern.dyndns.org|Blog]
|
Post #111,572
7/26/03 10:45:44 AM
|
Not quite that easy, but I think I have it fixed....
Thanks.
I had to use the init= option to open a root shell.
Then I had to figure out how to remount the root drive as rw.
Just finished and am rebooting now.
Glen Austin
|
Post #111,576
7/26/03 12:23:14 PM
|
Fixed...
Now I'm changing all the passwords in the system.
Then, I'll start looking at all the listening processes on the system.
They can attack something that isn't listening.
Glen
|
Post #111,577
7/26/03 1:17:48 PM
|
Shouldn't you be fixing this at the firewall?
That's what I do.
That way I limit the amount of stuff I have to secure.
Peter
[link|http://www.debian.org|Shill For Hire]
[link|http://www.kuro5hin.org|There is no K5 Cabal]
[link|http://guildenstern.dyndns.org|Blog]
|
Post #111,638
7/27/03 6:31:42 PM
7/27/03 6:36:08 PM
|
This box IS my firewall...
I thought I had it set up pretty tight, took an IPTABLES script from gfolkert, turned off FTP and TELNET, moved ssh to a high-numbered port.
Still, the passwd file was dated July 12th, and I was building and installing apache2 about that time. So it is possible I changed the root pw and forgot. I tried all the common variants I use and none worked.
Also, I have a co-worker at work who "hacks for fun". If you tell him to break into your box, he will. Then he gives you a list of things to fix. I did about 1/2 the list, so I need to go back to him and find out about things like chroot (which I didn't do) and others. It is possible, he set his little cracker software out against my box. He doesn't attack people maliciously, he says, and he usually tells you when he does something.
Glen Austin
Edited by gdaustin
July 27, 2003, 06:36:08 PM EDT
|
Post #111,640
7/27/03 6:33:44 PM
|
Re: This box IS my firewall...
apt-cache search firewall, then :-)
I'm sure Rick will leap in with some useful suggestions for tools to help automate the firewall process.
Me, I have a hardware firewall and have never ever configured firewalling on a Linux box.
Peter
[link|http://www.debian.org|Shill For Hire]
[link|http://www.kuro5hin.org|There is no K5 Cabal]
[link|http://guildenstern.dyndns.org|Blog]
|
Post #111,578
7/26/03 2:02:12 PM
|
If you haven't already
you might want to look into tools like SNORT:
[link|http://www.snort.org/|http://www.snort.org/]
They might help you.
|
Post #111,587
7/26/03 5:28:52 PM
|
Chasing ghosts?
Glen wrote:
Now I'm changing all the passwords in the system. Then, I'll start looking at all the listening processes on the system. They can attack something that isn't listening.
Umm..., is the only reason you think you've suffered security compromise the fact that suddenly what you thought was your root password didn't work, and you weren't entirely sure whether you'd changed it? No other signs of break-in whatsoever? That sounds more than a little thin.
However, if you haven't looked at all the listening processes on the system, it's indeed about time. I'm curious about how you're doing that without trusting any of the tools on the suspect system.
(Yes, I am being mildly ironic. How to examine a running system for signs of compromise is a difficult problem.)
Rick Moen
rick@linuxmafia.com
If you lived here, you'd be $HOME already.
|
Post #111,644
7/27/03 6:48:39 PM
|
Now I'm thinking I changed it...
The passwd file was dated 7/12, and that's the date I installed apache2 and php. I set up a tester web server with PHP installed on that very date.
I've been getting the latest apt-get about once every two weeks. Maybe I need to be a little more vigilant about that.
I'll take a look at snort, and I'll get the rest of the list from my "hacker" co-worker. I'd like for this system to be pretty "hard", if it can be.
Glen Ausitn
|
Post #111,573
7/26/03 10:47:43 AM
|
Re: Use the install CD
I had the arguments as:
bf24 single root=/dev/hdax and it didn't stop in single user mode.
In addition, it wanted the root password to do an fsck because the scripts run sulogin.
Glen
|
Post #111,601
7/26/03 9:33:24 PM
|
Root password, rooted box
Glen: try a meaningful subject line. \r\n\r\n [link|http://z.iwethey.org/forums/render/content/show?contentid=100252|As I said] the last time someone asked this question, this is a FAQ, you can Google the answer readily, and the question is answered, under the subject "root password recovery", here. Short answer: boot single, or with a shell as your init. \r\n\r\n Answering the other part of your question, as Rick suggests, performing forensics from a potentially compromised system is a rather charming exercise in misplaced trust. I'd strongly recommend keeping a bootable disk (viz: Knoppix, lnx-bbc) around for just this purpose, though a known-good sash shell may be useful. Simply changing your passwords won't do much good if the hole's still there. \r\n\r\n Debian does provide a tool to look for rootkit residues, called chkrootkit. I'd recommend installing it and running it daily or better. \r\n\r\n Rick can probably give (or point to) better resources on post-crack (or suspected hack) cleanup. I thought there was a HOWTO/Mini-HOWTO on the topic but cannot find one presently (searches are slow over a currently slammed 56k dialup). I can, however, think of [link|http://twiki.iwethey.org/|a good place to put info]. Installing from known good backups, or reinstalling all packages (and wiping any odd binaries) is strongly recommended. I'm currently doing (among other things) a reinstall of packages to ensure that any cruftiness left over from an unintentional wipe of my root partition is cleaned up. Under Debian: apt-get install -du --reinstall $( dpkg -S /etc ) is a first-pass approximation. Some incompatibilities and deadlocks force an incremental approach. \r\n --\r\n
Karsten M. Self [link|mailto:kmself@ix.netcom.com|kmself@ix.netcom.com]\r\n
[link|http://kmself.home.netcom.com/|http://kmself.home.netcom.com/]\r\n
What part of "gestalt" don't you understand?\r\n
[link|http://twiki.iwethey.org/twiki/bin/view/Main/|TWikIWETHEY] -- an experiment in collective intelligence. Stupidity. Whatever.\r\n
\r\n
Keep software free. Oppose the CBDTPA. Kill S.2048 dead.\r\n[link|http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html|http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html]\r\n
|
Post #111,615
7/27/03 5:25:39 AM
|
Re: Root password, rooted box
Concur -- but, again, the first question I'd ask is whether Glen is trying to solve the right problem: It's really not at all clear from the cited symptoms that his box has been compromised. Changing the root password (accidentally or on purpose) and then forgetting having done so for quite some time would bring about the exact same situation.
That aside, the question of how you tell whether or not your system has been compromised is an interesting one: It turns out that there's no general solution, and it's always a possibility that you're operating a compromised box but just can't detect any signs.
Generally speaking, the bad guys break in because they want to do something, and so you find them by noticing something going on that shouldn't be, e.g., a sudden shortage of disk space or bandwidth that you can't account for even after careful inspection -- or weird network services that seem to be in operation when you probe the system using nmap from elsewhere on the network. But lack of such evidence just inherently isn't (and cannot be) definitive.
You should already have the ability to recover completely from such compromise. Period. If you have to live in fear of "hackers" [sic] because of lack of current, reliable backups and a realistic plan to restore from them, then the latter (lack) should be your top priority as a problem to fix, not "hackers'. After all, hardware failure -- always a strong possibility -- would face you with pretty much the same problem.
If you ever do become reasonably convinced that you've suffered root compromise, the only safe thing to do is cut power on the system immediately, then reboot the system from write-protected maintenance media long enough to confirm the symptoms and secure safety copies of any files you care about, then rebuild the system solely from trusted installation media, carefully not reusing any of the system's binaries, libraries, scripts, configuration files, or dotfiles. System configuration should be reconstructed by examining copies of the compromised system's configuration files, but not directly reusing any of them (because they cannot be trusted). When the system has been reconstructed, but before it's connected to public networks, you should apply all needed patches and updates so you can be confident in its security profile, and should issue new passwords to all logins and not let users back in until you've talked to them individually (about what they should and should not do, to keep the bad guys from getting back in). Ideally, you should have a high-probability guess about the exact method of compromise, and have acted to insure that the hole has been closed, before re-connecting the system to the outside world.
Recovery from root compromise must be done carefully and systematically, or you'll end up doing it multiple times until you get it right.
Rick Moen
rick@linuxmafia.com
If you lived here, you'd be $HOME already.
|
Post #111,632
7/27/03 3:22:47 PM
|
Forensics
By encompassing "suspected hack", I was implying forensic analysis to determine whether or not the box actually had been compromised. And while Rick's advice is strictly true, the operational case is generally that you're dealing with a script kiddie using a prebuilt attack -- the type which chkrootkit might be able to pick up (if not from your installed system then from recovery media). As I indicated, this is sorely deserving of a [link|http://twiki.iwethey.org/|TWIT] topic. --\r\n
Karsten M. Self [link|mailto:kmself@ix.netcom.com|kmself@ix.netcom.com]\r\n
[link|http://kmself.home.netcom.com/|http://kmself.home.netcom.com/]\r\n
What part of "gestalt" don't you understand?\r\n
[link|http://twiki.iwethey.org/twiki/bin/view/Main/|TWikIWETHEY] -- an experiment in collective intelligence. Stupidity. Whatever.\r\n
\r\n
Keep software free. Oppose the CBDTPA. Kill S.2048 dead.\r\n[link|http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html|http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html]\r\n
|
Post #111,681
7/28/03 4:34:01 AM
|
Re: Forensics
A reasonable approach. Finding evidence of break-in is of course more likely to be meaningful than finding no (real) evidence. I was mostly addressing the latter case, which is what we have been presented, so far. ("The password I think I used to use doesn't work" doesn't qualify as real evidence.)
I would be at least a little wary of false positives from chkrootkit scripts: If the thing gives its opinion that there's a rootkit installed, then adopt a usefully skeptical attitude, and examine the alleged rootkit for yourself. And of course don't forget that there's no reason an intruder would have to install a rootkit in the first place: Those are merely mechanisms to conceal the intruder's on-system activity, which many intruders just don't bother with in the first place.
And there's good reason to beware of false negatives, as well: You're running a system-checking script on a suspect system, and you're willing to trust the results? Really? Does the script use only executables provided with it, and none of the system's own? Do any of the executables invoke (necessarily suspect) system libraries? Did you use any (necessarily suspect) system tools to gain access to the script? And you trust that none of those system facilities would be so evil as to interfere with the system-checking script?
As I said, checking the state of a running system that you suspect of root compromise is a non-trivial problem. Throwing chkrootkit scripts at it doesn't make the obstacles go away.
Real forensics get run from altnerate boot media, never trusting (and never running) any binary, library, or configuration file on the suspect system.
Rick Moen
rick@linuxmafia.com
If you lived here, you'd be $HOME already.
|
Post #111,646
7/27/03 7:07:26 PM
|
Exactly what I did...
I just ended up figuring out myself, by looking at the system init scripts. The good news is that I know a lot more about how Linux starts up now. Now, I'm curious to study it more and figure out more.
Took about 3 hours to figure it out, then 10 minutes to fix. Then I was off to College Station, TX (Home of Texas A&M University) to pick up my wife and kids.
Glen Austin
|
