[ale] Cracked many Linux systems

Stephen Pellicer spellicer at 8thlayer.net
Wed Mar 28 17:44:58 EST 2001


On 28 Mar 2001 08:34:49 -0500, Bob's ALE Mail wrote:
> In the past few weeks I have seen MANY Linux systems that got cracked
> (hacked).  The rate of systems broken into seems to have GREATLY increased
> in the past month.
> 
> The suspected paths have been via named (DNS), lpd, or portmap & nfsd and
> all have been Red Hat 6.2.  Sadly, these were clients who thought the risk
> of a break-in to be small enough to not be worth spending the money or time
> to harden their systems.  Hardening would have taken 1/2 to 2 days.
> Recovering from break-ins (even if no data was stolen or altered) is much
> more.

I'm kinda late to the party on this message, but I thought I'd throw in
my two cents. I suspect one of the contributors to the surge is the new
Lion Worm going around. It exploits the TSIG exploit in bind 8.2.(<3).
After getting in, it reconfigures the target, grabs some root kits,
e-mails info back to the attacker, then replicates by scanning random
class b's and repeating. Quick plug for the Atlanta Security Forum, you
can find Karl Sigler's excellent summary and pointers to some good
recommendations for countering the recent crop of bind exploits at
http://www.8thlayer.org/security.html the specific link to the pdf is
http://www.8thlayer.org/bind.pdf .

As for the additional discussion on alternatives to NFS, I'd like to
chip in there and throw in my views. I wouldn't really single out nfs or
portmap as problem children on a network. Any system we use for these
facilities will more than likely exhibit weakness. Samba, coda, afs, ssh
tunnels, etc. have been tossed out there as alternatives, but I believe
you gain very little with these alternatives. I will agree that nfs is
designed in a way that it definitely shows its age a lot easier than
some of these alternatives. It's UDP based, has many companion services
(such as portmapper and the infamous statd), it's old, designed for
local use. These are all bad things, but I'm sure you'll find an equally
compelling list of weaknesses in the alternatives mentioned. I'd say
that the most important thing to keep in mind here is responsible
architecture to isolate problems. Firewalls are no silver bullet, but
they really shine at alleviating a lot of the problems outlined in Bob's
security bulletin. NFS, used responsibly by blocking its use outside
your network, good anti-spoofing techniques, keeping up to date on
patches, can be just as safe as any of these alternatives.

Stephen Pellicer
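The policy Stephen describes (NFS and its companion services reachable only from the local network, plus anti-spoofing) as an added example that is not part of the original post. It assumes iptables rather than the ipchains of that era, a single external interface, and that mountd/statd/lockd have been pinned to fixed ports in their startup options (the 4002 below is a placeholder); it prints the rules rather than applying them so the policy can be reviewed before being piped into sh.

```shell
#!/bin/sh
# Added example (not from the original post): emit iptables rules that confine
# NFS and its helper daemons to the LAN and drop spoofed "internal" traffic.
# Assumptions: iptables is available, one external interface, and any dynamic
# RPC services (mountd, statd, lockd) have been pinned to the ports passed in.

# gen_nfs_rules EXT_IF LAN_NET [PINNED_PORT...]
# Rule order matters: the anti-spoofing DROP must come before the LAN ACCEPTs,
# otherwise a packet forging a LAN source address would be accepted.
gen_nfs_rules() {
    ext_if=$1
    lan_net=$2
    shift 2
    # portmapper (111) and nfsd (2049) are fixed; extra pinned ports are appended.
    ports="111 2049 $*"

    # Anti-spoofing: a packet with a LAN source address cannot legitimately
    # arrive on the external interface.
    echo "iptables -A INPUT -i $ext_if -s $lan_net -j DROP"

    for p in $ports; do
        # NFS is UDP based but the RPC services also listen on TCP, so filter both.
        for proto in tcp udp; do
            echo "iptables -A INPUT -p $proto --dport $p -s $lan_net -j ACCEPT"
            echo "iptables -A INPUT -p $proto --dport $p -j DROP"
        done
    done
}

# Counts of ACCEPT and DROP rules, useful for sanity-checking the policy size.
count_accepts() { gen_nfs_rules "$@" | grep -c ACCEPT; }
count_drops()   { gen_nfs_rules "$@" | grep -c DROP; }

# Review first, then apply with: gen_nfs_rules eth0 192.168.1.0/24 4002 | sh
gen_nfs_rules eth0 192.168.1.0/24 4002
```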