ARGH! Hacked twice in a month.

#1 | BigMoneyJim | 03-03-2006, 09:45 PM

Man, now my home server got pwned. Less than a month ago my main web server got pwned. Both were enlisted to send out spam email after getting hacked.

Both of these have been on the 'net for months or years without getting compromised. If you have a server, update it and check it out. And check your outgoing mail logs. My first server crashed...possibly as a result of my host's antispam guards. My home server was using the hard drive more than normal, and then I discovered it's sending out email as fast as it can.

I just rebuilt a server, now I get to do it again. (Once one is compromised you can't trust it.)

Techie info: I think my first server was compromised via an older version of xmlrpc.php in the web root. (I don't even use that thing...well at least somebody made good use of it.) An early guess for my second hacked server is that somebody spoofed the DNS of it and intercepted an unencrypted mail password from my mail client. (The imap server only talks to the local LAN, so I didn't have it encrypted...didn't think about spoofing the DNS so my client volunteers my password.)

Oh well, live and learn. Time to change all my passwords and make sure my mail password doesn't match my ssh password and root password. And I'll encrypt even the local traffic from now on.

#2 | BigMoneyJim | 03-03-2006, 09:59 PM

I should clarify and emphasize that these were my personal, nonproduction servers. I'm far more paranoid and careful about work stuff.

The first server was wide open to the internet. I was a little less careful with the second one because it is mostly firewalled off.

#3 | cute fuzzy bunny | 03-03-2006, 10:03 PM

That'll teach you to change my thread titles!


#4 | Marshac | 03-04-2006, 02:07 AM

if your mail server only communicates with clients on the local subnet, then why would spoofing a DNS entry matter? Maybe Laurence can fill me in.

So far my server ('kitchen'... what are you cooking?) hasn't been hax0red yet.... it's running Win2k3, Exchange 2k3, and BlueDragon (ColdFusion/JSP...none of that PHP for me....bleh)

Ever try tripwire?

I know that as soon as I hit the post button, the security log on my server will fill up.

Edit: is your network at your house (ie: 100% yours), or is it shared with other people? perhaps someone poisoned your ARP table and performed a man-in-the-middle attack? Just a thought.

#5 | Cool Dood | 03-04-2006, 02:32 AM

This one time, I was playing around with telnetd....

#6 | laurence | 03-04-2006, 10:47 AM

If it makes you feel any better, something similar happened to me recently (with my home network). And I'm supposed to be the computer security guy! What's that saying about cobbler's children feet go bare?

#7 | BigMoneyJim | 03-04-2006, 10:54 AM

Quote:
Originally Posted by Marshac
if your mail server only communicates with clients on the local subnet, then why would spoofing a DNS entry matter? Maybe Laurence can fill me in
I knew I had phrased it confusingly. My original thought was: my server has an imap server. My mail client on my workstation is running. Local lan only, so no encryption. However, if the DNS suddenly pointed my mail client to a new server it sends the next "check mail" transaction complete with unencrypted password to the spoofed server. If they were smart enough to capture it and try it to ssh back into my server it would've worked (on my home server; on my web server none of the passwords are the same for accounts or mail access.) After poking around, I don't think that's what happened. In fact I don't think I was hacked...

Quote:
So far my server ('kitchen'... what are you cooking?) hasn't been hax0red yet.... it's running Win2k3, Exchange 2k3, and BlueDragon (ColdFusion/JSP...none of that PHP for me....bleh)
I don't fully understand how they got my hosted web server. It's linux, and somehow (xmlrpc remote code execution vulnerability I presume) they changed the password for the daemon user and logged in interactively as daemon then su'ed to root. (I don't know how they did that; I must've had a privilege escalation vulnerability I haven't yet identified.) Luckily something got goofed up and my server dropped off the network. Actually I wonder if my host blocked my system off for spamming, but if so they didn't tell me they did. But the home server...

Quote:
Ever try tripwire?
Not yet, but I'm going to real soon. The web server hack woke me up. If it hadn't gone down I wouldn't have noticed the problem for a long time. My IP was already being bulkmail filtered by Yahoo when I got it; good luck on my ever getting off their list now.

Quote:
Edit: is your network at your house (ie: 100% yours), or is it shared with other people? perhaps someone poisoned your ARP table and performed a man-in-the-middle attack? Just a thought
It's all mine. But it was my goof that compromised my home server. I have static IPs but added a private NAT'ted logical subnet. I accidentally enabled NAT both ways which effectively bypassed my main firewall rules *and* made all inbound packets appear to originate on my LAN relaxing my secondary firewall rules and leading the server to believe all inbound traffic was local. I wasn't actually hacked; it's just that my server effectively became an open mail relay through my own misconfiguration.

Even though I now think my logins were not compromised I'm going to rebuild and change passwords, anyway. And I'll have authenticated Submission protocol for mail submission and absolutely no SMTP relaying--even for the local LAN or even the local host. And IMAP will be encrypted, and passwords will not match between users & services.

The DNS thing still puzzles me. What alerted me to the problem was that my homepage quit working, and when I pinged the hostname it was pointing to a foreign server. It wasn't an ARP spoof, it was a DNS spoof, and they didn't seem to get into any local machine so I don't know how they managed that. It may be a side result of all inbound traffic appearing local. At the moment the DNS spoof appears to be coincidental, but it's a heck of a coincidence. Oh, this particular DNS is a DynDns entry, so they might have coughed up a wrong IP, too.

(edited for spelling...really need to get an in-browser spell checker for all the fat fingering I do)
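
The failure mode BigMoneyJim describes in the post above (two-way NAT making every inbound packet look local, so a relay policy that trusts the LAN turns into an open relay), modelled in Python as an added example that is not code from the thread. The addresses, the 192.168.1.0/24 subnet and the Postfix-style mynetworks list are assumptions; the second policy is the "authenticated submission only, no relaying even for the LAN" rule he says he will move to:

```python
"""Model of a two-way NAT that makes every inbound packet look like it came
from the LAN, combined with a relay policy that trusts the LAN.
Addresses are documentation ranges and are assumptions, not the poster's."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")             # assumed NAT'ed private subnet
ROUTER_INSIDE = "192.168.1.1"                  # assumed router address on the LAN
ROUTER_PUBLIC = "198.51.100.10"                # assumed public address of the router
MAIL_SERVER = "192.168.1.10"                   # assumed home mail server on the LAN
MYNETWORKS = [ip_network("127.0.0.0/8"), LAN]  # "relay for these" list


@dataclass(frozen=True)
class Packet:
    src: str                     # source address as the mail server will see it
    dst: str
    dport: int
    ingress: str                 # interface the router received it on: "wan" or "lan"
    authenticated: bool = False  # SMTP AUTH succeeded on this session


def nat_outbound_only(pkt: Packet) -> Packet:
    """Correct rule set: masquerade only LAN traffic leaving for the Internet;
    inbound traffic keeps its real source address."""
    if pkt.ingress == "lan" and ip_address(pkt.dst) not in LAN:
        return replace(pkt, src=ROUTER_PUBLIC)
    return pkt


def nat_both_ways(pkt: Packet) -> Packet:
    """The mistake: source NAT is also applied to inbound traffic, so a client
    anywhere on the Internet reaches the LAN wearing the router's LAN address."""
    pkt = nat_outbound_only(pkt)
    if pkt.ingress == "wan":
        return replace(pkt, src=ROUTER_INSIDE)
    return pkt


def relay_by_source(pkt: Packet) -> bool:
    """Original policy: relay for any client whose address is in mynetworks."""
    src = ip_address(pkt.src)
    return any(src in net for net in MYNETWORKS)


def relay_auth_only(pkt: Packet) -> bool:
    """Hardened policy: relay only for authenticated submission on port 587,
    regardless of where the client appears to come from."""
    return pkt.dport == 587 and pkt.authenticated


def relays(nat, policy, pkt: Packet) -> bool:
    """Does the mail server relay for this client under a given NAT and policy?"""
    return policy(nat(pkt))


# Constructed traffic. Port forwarding from the router to the mail server is
# assumed and not modelled; only the source-address rewrite matters here.
SPAMMER = Packet(src="203.0.113.5", dst=ROUTER_PUBLIC, dport=25, ingress="wan")
LAN_CLIENT = Packet(src="192.168.1.50", dst=MAIL_SERVER, dport=25, ingress="lan")
AUTH_CLIENT = Packet(src="203.0.113.7", dst=ROUTER_PUBLIC, dport=587,
                     ingress="wan", authenticated=True)

if __name__ == "__main__":
    for label, nat in (("outbound-only NAT", nat_outbound_only),
                       ("two-way NAT", nat_both_ways)):
        print(f"{label}: spammer relayed under source policy? "
              f"{relays(nat, relay_by_source, SPAMMER)}")
    print("two-way NAT, auth-only policy, spammer:",
          relays(nat_both_ways, relay_auth_only, SPAMMER))
    print("two-way NAT, auth-only policy, authenticated client:",
          relays(nat_both_ways, relay_auth_only, AUTH_CLIENT))
```

Running it prints the decisions; the one that matters is the second: under two-way NAT the spammer's packet reaches the server carrying the router's LAN address and passes the source-based check. The auth-only policy never looks at the source address, which is what makes it robust to this class of mistake.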

#8 | grumpy | 03-04-2006, 11:10 AM

My son's blog describes a similar situation he dealt with:

http://zoomedin.blogspot.com/2006/01/spam.html

Grumpy

#9 | laurence | 03-04-2006, 11:20 AM

Quote:
Originally Posted by Marshac
if your mail server only communicates with clients on the local subnet, then why would spoofing a DNS entry matter? Maybe Laurence can fill me in

So far my server ('kitchen'... what are you cooking?) hasn't been hax0red yet.... it's running Win2k3, Exchange 2k3, and BlueDragon (ColdFusion/JSP...none of that PHP for me....bleh)

Ever try tripwire?

I know that as soon as I hit the post button, the security log on my server will fill up

Edit: is your network at your house (ie: 100% yours), or is it shared with other people? perhaps someone poisoned your ARP table and performed a man-in-the-middle attack? Just a thought
Didn't see your post, Marshac. Geez, reading it I feel like I'm studying for my test again!

I highly recommend tripwire as well.

BMJ, your response was well written, that's a story I'll have to share at work!

You could get Draconian and use SUDO for everything...

Out of ignorance, since I'm more of a high level guy, how many password characters will your OS support? Some flavors will only recognize/encrypt 8 or even 5 characters and use weak algorithms, so while you may have a 14 character password with letters, numbers and special characters, the bad guys only have to solve the first part.

So you going to set up a DMZ?
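
What a Tripwire-style integrity check actually does, as an added example in Python (this is not Tripwire's code and not the commercial product Laurence mentions): hash and stat every file under a directory into a baseline, then diff a later run against it. The sample "etc" directory and the tampering (the daemon account's hash and login shell changed, one file removed, one file added) are constructed to mirror the web-server compromise described earlier in the thread:

```python
"""Minimal file-integrity baseline and comparison, in the spirit of the
Tripwire recommendation above. Added example; not Tripwire's code."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Content hash and ownership/permission attributes for one regular file."""
    st = path.lstat()
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {
        "sha256": digest.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),
        "size": st.st_size,
        "uid": st.st_uid,
        "gid": st.st_gid,
    }


def build_baseline(root: Path) -> dict[str, dict]:
    """Fingerprint every regular file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            baseline[str(path.relative_to(root))] = fingerprint(path)
    return baseline


def compare(baseline: dict, current: dict) -> dict[str, list[str]]:
    """Report files that appeared, disappeared or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a throwaway 'etc' directory, then make
    the kind of changes the thread describes (daemon's password hash and shell
    changed) plus a removed and an added file, and report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "passwd").write_text("daemon:x:1:1::/:/usr/sbin/nologin\n")
        (root / "shadow").write_text("daemon:*:13000:0:99999:7:::\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        saved = json.dumps(build_baseline(root))  # keep this off-box or read-only
        # Simulated tampering (constructed; the hash is a placeholder, not real):
        (root / "shadow").write_text("daemon:$1$fakesalt$fakehash:13000:0:99999:7:::\n")
        (root / "passwd").write_text("daemon:x:1:1::/:/bin/sh\n")
        (root / "hosts").unlink()
        (root / "ld.so.preload").write_text("/lib/unexpected.so\n")
        return compare(json.loads(saved), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline is only as trustworthy as where you keep it: left on the same box, it is the first thing an intruder with root edits, so store it off-box or on read-only media and run the comparison from known-good binaries.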

#10 | cube_rat | 03-04-2006, 11:25 AM

Quote:
Originally Posted by Laurence


You could get Draconian and use SUDO for everything...

SUDO is the only way to go. Yeah, I'm draconian at work but not at home. I don't do IT crap at home very well.

#11 | BigMoneyJim | 03-04-2006, 12:26 PM

Quote:
Originally Posted by Laurence
I highly recommend tripwire as well.
Any comments on the Open Source Tripwire compared to the commercial version and other alternatives? I figured on using the free open source one but have been searching for discussion on it versus alternatives.

Quote:
BMJ, your response was well written, that's a story I'll have to share at work!

You could get Draconian and use SUDO for everything...
Thanks. And "sudo su -", now I'm root...heheh, maybe I'm not quite grasping the concept.

Quote:
Out of ignorance, since I'm more of a high level guy, how many password characters will your OS support? Some flavors will only recognize/encrypt 8 or even 5 characters and use weak algorithms, so while you may have a 14 character password with letters, numbers and special characters, the bad guys only have to solve the first part.
I have md5 shadow passwords; they'll go over 8 characters...I'm not sure how high they'll go offhand, but my home passwords while not weak were not particularly strong.

Quote:
So you going to set up a DMZ?
Ironically that's sort of what I was doing when I opened up the lan. Even though I have 5-8 static IPs (5 "usable", but part of my changes now let me use all 8 including my linux router/firewall) I decided to put machines behind NAT unless they need a publicly routable IP. That effectively makes my static IP range the DMZ.

(off to read grumpy's son's blog)
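
Laurence's question about how many password characters the OS honours, and BMJ's "md5 shadow passwords", come down to the scheme prefix on each hash in /etc/shadow. An added check (not from the thread) that classifies every entry and flags the two schemes worth rehashing: traditional DES crypt (no $id$ prefix; only the first 8 characters are used) and MD5-crypt (no truncation, but a fast hash). The shadow lines are constructed, the hash strings are placeholders rather than real hashes, and the usernames are hypothetical:

```python
"""Classify the hash scheme of each /etc/shadow entry and flag schemes that
truncate or are weak. Added example; sample data is constructed."""
import re

# glibc crypt(3) prefixes -> (scheme name, password length limit or None)
SCHEMES = {
    "1": ("md5-crypt", None),
    "2a": ("bcrypt", 72), "2b": ("bcrypt", 72), "2y": ("bcrypt", 72),
    "5": ("sha256-crypt", None),
    "6": ("sha512-crypt", None),
    "7": ("scrypt", None),
    "y": ("yescrypt", None),
}
FAST_SCHEMES = {"md5-crypt", "des-crypt"}


def classify_hash(field: str) -> dict:
    """Describe one shadow hash field: scheme, lock state, effective length
    limit and a one-line finding."""
    locked = field.startswith("!")
    body = field.lstrip("!")
    if body in ("", "*"):
        return {"scheme": "none", "locked": True, "max_len": 0,
                "finding": "no usable password"}
    prefix = re.match(r"^\$([^$]+)\$", body)
    if prefix and prefix.group(1) in SCHEMES:
        scheme, max_len = SCHEMES[prefix.group(1)]
    elif prefix:
        scheme, max_len = f"unknown(${prefix.group(1)}$)", None
    elif re.fullmatch(r"[./0-9A-Za-z]{13}", body):
        scheme, max_len = "des-crypt", 8   # no prefix: traditional DES crypt
    else:
        scheme, max_len = "unrecognised", None

    if scheme == "des-crypt":
        finding = "only the first 8 characters are checked; rehash with sha512-crypt or yescrypt"
    elif scheme == "md5-crypt":
        finding = "no length truncation, but a fast hash; rehash with sha512-crypt or yescrypt"
    elif max_len:
        finding = f"password is truncated at {max_len} bytes"
    elif scheme.startswith("unknown") or scheme == "unrecognised":
        finding = "review manually"
    else:
        finding = "ok"
    return {"scheme": scheme, "locked": locked, "max_len": max_len, "finding": finding}


def audit_shadow(text: str) -> dict[str, dict]:
    """Parse shadow-format lines and return one record per user."""
    results = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, hash_field = line.split(":", 2)[:2]
        results[user] = {"user": user, **classify_hash(hash_field)}
    return results


def weak_accounts(results: dict[str, dict]) -> list[str]:
    """Accounts that can still log in and whose hash is DES or MD5 crypt."""
    return sorted(u for u, r in results.items()
                  if not r["locked"] and r["scheme"] in FAST_SCHEMES)


# Constructed sample; hash bodies are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:$6$saltsalt$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijkl:13000:0:99999:7:::
bmj:$1$saltsalt$abcdefghijklmnopqrstuv:13000:0:99999:7:::
legacy:ab0xYz1Q2wE3r:13000:0:99999:7:::
daemon:*:13000:0:99999:7:::
oldadmin:!$1$saltsalt$abcdefghijklmnopqrstuv:13000:0:99999:7:::
"""

if __name__ == "__main__":
    records = audit_shadow(SAMPLE_SHADOW)
    for r in records.values():
        lock = "locked" if r["locked"] else "active"
        print(f"{r['user']:10s} {r['scheme']:14s} {lock:7s} {r['finding']}")
    print("rehash:", weak_accounts(records))
```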

#12 | laurence | 03-04-2006, 12:48 PM

We are required to use commercial version, so I can't compare for you.

Well, you can limit what tasks a user account can execute with sudo, just add the accounts to the sudoers file and then they don't have to "know" the root password. Sudo is pretty granular, it doesn't have to be all or nothing on the privileges (for example, my account at work will let me sudo, but I can't vi the password file, or even ls the shadow file). So the root password can be 28 characters and use all those hard password rules, then you can have an "emailadmn" account that can accomplish only certain tasks...well, I'm sure you know better than I.
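
A simplified model of the granularity Laurence describes, as an added example (not his workplace's sudoers and not sudo's own code): a small parser for Cmnd_Alias and user-spec lines plus a yes/no check. The sudoers text is constructed; emailadmn is the hypothetical account from his post and bmj is a hypothetical user granted ALL. It also shows where BMJ's "sudo su -" observation applies: it is root for anyone granted ALL and nothing at all for a per-command grant.

```python
"""Simplified sudoers evaluator: enough of the syntax to show why a
per-command grant differs from ALL. Added example; a subset of real sudoers."""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    user: str
    runas: str
    commands: list[str]


# user host=(runas) [NOPASSWD:] cmd, cmd ...
SPEC = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\((\S+?)\))?\s*(?:NOPASSWD:\s*)?(.+)$")


def parse_sudoers(text: str) -> list[Rule]:
    """Parse Cmnd_Alias definitions and user-spec lines into rules."""
    aliases: dict[str, list[str]] = {}
    rules: list[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("Cmnd_Alias"):
            name, cmds = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
            continue
        m = SPEC.match(line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {raw!r}")
        user, _host, runas, cmds = m.groups()
        expanded: list[str] = []
        for cmd in (c.strip() for c in cmds.split(",")):
            expanded.extend(aliases.get(cmd, [cmd]))
        rules.append(Rule(user, runas or "root", expanded))
    return rules


def may_run(rules: list[Rule], user: str, argv: list[str], runas: str = "root") -> bool:
    """Would sudo let `user` run argv as `runas`? A command listed without
    arguments matches any arguments; one listed with arguments must match exactly."""
    for rule in rules:
        if rule.user != user or rule.runas not in ("ALL", runas):
            continue
        for allowed in rule.commands:
            if allowed == "ALL":
                return True
            parts = allowed.split()
            if parts == argv or (len(parts) == 1 and parts[0] == argv[0]):
                return True
    return False


SAMPLE_SUDOERS = """
# Constructed example, not a real sudoers file.
Cmnd_Alias MAILADMIN = /usr/sbin/postqueue, /usr/sbin/postsuper, /usr/bin/mailq
emailadmn ALL=(root) NOPASSWD: MAILADMIN
bmj       ALL=(ALL) ALL
"""
RULES = parse_sudoers(SAMPLE_SUDOERS)

if __name__ == "__main__":
    for who, argv in (("bmj", ["/bin/su", "-"]),
                      ("emailadmn", ["/bin/su", "-"]),
                      ("emailadmn", ["/usr/sbin/postqueue", "-p"]),
                      ("emailadmn", ["/usr/bin/vi", "/etc/shadow"])):
        print(f"{who:10s} sudo {' '.join(argv):26s} -> {may_run(RULES, who, argv)}")
```

Real sudoers has far more (Host_Alias, Runas_Alias, negation, wildcards, Defaults); the point here is only that a list of specific commands does not include su, and that ALL does.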

#13 | wabmester | 03-04-2006, 12:48 PM

BMJ, I don't think anybody bothers sniffing passwords these days. The script kiddies just get root through whatever exploit their scripts find. Do you monitor CERT and the security mailing lists? If you have a server on the public net, you just need to watch for the exploit of the day and diligently patch them up.

Are you able to detect a port scan? That's the first sign that you're about to be root-kit'd.
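
Wabmester's "are you able to detect a port scan?" is a question about log analysis. An added example (not from the thread) that reads iptables LOG-format lines and flags any source that touches at least ten distinct destination ports inside a sliding one-minute window. The log lines are constructed, the addresses are documentation ranges, and the year is assumed because syslog timestamps omit it:

```python
"""Detect port scans in iptables-style log lines: flag any source that hits at
least `threshold` distinct destination ports within `window`. Added example;
the log lines are constructed in the format of the iptables LOG target."""
import re
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

LOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+kernel:.*?"
    r"\bSRC=(?P<src>[\d.]+)\b.*?\bPROTO=(?P<proto>\w+)\b.*?\bDPT=(?P<dport>\d+)\b")


@dataclass
class Event:
    ts: datetime
    src: str
    dport: int


def parse_line(line: str, year: int) -> Optional[Event]:
    """Extract timestamp, source and destination port; None for non-matching lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return Event(ts, m["src"], int(m["dport"]))


def detect_scans(lines, threshold=10, window=timedelta(seconds=60), year=2006) -> dict[str, int]:
    """Return {source: most distinct ports seen in any one window} for every
    source that crossed the threshold, using a sliding window per source."""
    per_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line, year)
        if ev:
            per_src[ev.src].append(ev)
    alerts = {}
    for src, events in per_src.items():
        events.sort(key=lambda e: e.ts)
        recent = deque()
        ports = Counter()
        for ev in events:
            recent.append(ev)
            ports[ev.dport] += 1
            while ev.ts - recent[0].ts > window:   # expire events older than the window
                old = recent.popleft()
                ports[old.dport] -= 1
                if ports[old.dport] == 0:
                    del ports[old.dport]
            if len(ports) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(ports))
    return alerts


def _log(ts: str, src: str, dport: int) -> str:
    """Build one constructed log line in the iptables LOG format."""
    return (f"{ts} gw kernel: DROP IN=eth0 OUT= SRC={src} DST=198.51.100.10 "
            f"PROTO=TCP SPT=40123 DPT={dport} SYN")


PROBED_PORTS = [21, 22, 23, 25, 80, 110, 143, 443, 993, 995, 3306, 8080]
SAMPLE_LOG = (
    # 203.0.113.5 probes 12 ports within five seconds: a scan
    [_log(f"Mar  4 12:40:{i % 5:02d}", "203.0.113.5", p) for i, p in enumerate(PROBED_PORTS)]
    # a legitimate client: repeated connects to 25 and one to 993
    + [_log("Mar  4 12:41:10", "198.51.100.77", 25),
       _log("Mar  4 12:41:12", "198.51.100.77", 25),
       _log("Mar  4 12:41:30", "198.51.100.77", 993)]
    # a slow scanner: one port every ten minutes, never ten in one minute
    + [_log(f"Mar  4 {13 + i // 6:02d}:{(i % 6) * 10:02d}:00", "192.0.2.9", p)
       for i, p in enumerate(PROBED_PORTS)]
)

if __name__ == "__main__":
    print("default window:", detect_scans(SAMPLE_LOG))
    print("two-hour window:", detect_scans(SAMPLE_LOG, window=timedelta(hours=2)))
```

The slow scanner in the sample stays under the threshold at the default window and only shows up when the window is widened; threshold and window are the trade-off between catching slow scans and alerting on ordinary clients that legitimately touch a handful of ports.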

#14 | laurence | 03-04-2006, 12:49 PM

Quote:
Originally Posted by wab
BMJ, I don't think anybody bothers sniffing passwords these days. The script kiddies just get root through whatever exploit their scripts find. Do you monitor CERT and the security mailing lists? If you have a server on the public net, you just need to watch for the exploit of the day and diligently patch them up.

Are you able to detect a port scan? That's the first sign that you're about to be root-kit'd.
What I should have said.

#15 | Marshac | 03-04-2006, 12:59 PM

Anyone know of a cheap way to implement smartcard based authentication? On my workstation I have a keyboard with a nifty finger scanner, but if you want it to work with an AD domain- better cough up some dough. No thanks. It's just my house :P

Laurence- ever play with CAIN? You could conduct a "security audit" (yeah, that's the ticket) on Apr 1, and try an ARP poisoning attack... once you get in-between, you can rewrite DNS requests, and other fun things. Cain has a scary feature that makes it easy to grab login information for even encrypted websites.

#16 | laurence | 03-04-2006, 01:08 PM

I have been given it by my lead, but haven't messed with it yet. About once a month I set off our IDS at work and the network admins come yell at me. I just had my latest incident thursday with NMAP (port scan one lousy web server and everybody gets in a twist!).

Only read about ARP poisoning attack, know how it works theoretically, it is very scary. I will have to try CAIN out in 29 days when I'm back off probation.

...or maybe I can notify my buddies first.

#17 | BigMoneyJim | 03-04-2006, 01:19 PM

I use nmap a fair bit at work. Very handy. I've caught and fixed a few vulnerabilities and troubleshot many problems. Corporate network control blocked my IP once, but I have about 240 others to use (4 /26s).

#18 | laurence | 03-04-2006, 01:30 PM

You guys are the big dogs, I just live in your world. As a "systems engineer" I get a request from the customer like, "we want a high speed connection between site a and site b" and then I go distill requirements and reply, "so you want ATM or Gig-E? 1 megabit or 100 megabit?" etc. Then I go to hardware, software, network etc. and break off their respective chunks of requirements, they come up with how much time and material, and spit back at me, and I put together a nice little connection diagram, info flow diagram, hardware list, software list, CONOPS, etc. to throw at the customer, who changes it all around, and I start the process again. Bottom line, I "know of" and play with a whole mess of stuff, but I can't run with the big boys/specialists on anything.

That's why I keep quiet on the all the technical questions posted here. There is always some one who knows more about each specific aspect than I do, and better to keep silent and be thought a fool than open my mouth and confirm it!

#19 | BigMoneyJim | 03-04-2006, 01:33 PM

Quote:
Originally Posted by Laurence
You guys are the big dogs, I just live in your world.
I'm not a big dog in pay, position or respect. Perhaps I need to promote myself better.

#20 | Marshac | 03-04-2006, 01:43 PM

Quote:
Originally Posted by BigMoneyJim
I'm not a big dog in pay, position or respect. Perhaps I need to promote myself better.
It's not the size of the pay, position, or respect, it's the size of your IP block. Mine is only a /29... you rule man. What do you use them all for?

I'm not a big dog either... I'm just one of those small shivering ones that bark a lot.... I wish my owners fed me better.
All times are GMT -6.
Powered by vBulletin® Version 3.8.8 Beta 1
Copyright ©2000 - 2017, vBulletin Solutions, Inc.