Cracked! Denial and Truth

By noeld in News
Wed May 03, 2000 at 04:52:34 PM EST
Tags: Security

I'm sure most of you remember our little security issue. Well, what if it was worse than that? Much, much worse. What if your heterogeneous network of interconnected, donated unix boxen were all cracked? What if you couldn't reinstall the OS? And what if your attacker actually knew what they were doing? rootprompt brings us a personal tale by Noel that's sure to bring a cold sweat to anyone who's ever administered a publicly accessible server.


An excerpt:
We were all still convinced in our arrogance that there was no reason to assume that the person or persons that had cracked our boxes was highly skilled. We thought that it was much more likely that the person had just gotten in through some hole that we had not patched yet. After all, the set user id programs were not hidden. Not an elite thing to do after all. As time was to go on we were to realize that this assumption was also just as wrong as thinking we were safe from being cracked.
(story writeup by rusty)

Cracked! Denial and Truth | 36 comments (36 topical, editorial, 0 hidden)
PLEASE! If I want to read this stuf... (2.00 / 1) (#11)
by homer on Wed May 03, 2000 at 08:55:40 AM EST

homer voted -1 on this story.

PLEASE! If I want to read this stuff I will just go to rootprompt! I don't need a freakin' link every time a new story is posted. Sorry for the rant.
-----------
doh!

mlp... (1.00 / 1) (#4)
by pretzelgod on Wed May 03, 2000 at 08:58:14 AM EST

pretzelgod voted -1 on this story.

mlp

-- 
Ever heard of the School of the Americas?


+1 ... (1.00 / 1) (#5)
by krogoth on Wed May 03, 2000 at 09:32:04 AM EST

krogoth voted 0 on this story.

+1
-1, no description of the story
--
"If you've never removed your pants and climbed into a tree to swear drunkenly at stuck-up rich kids, I highly recommend it."
:wq

Interesting story, but please be mo... (2.00 / 1) (#16)
by flamingcow on Wed May 03, 2000 at 09:34:41 AM EST

flamingcow voted 1 on this story.

Interesting story, but please be more descriptive in writeups people.

I already read rootprompt.org.... I... (2.00 / 1) (#8)
by dave0 on Wed May 03, 2000 at 09:36:45 AM EST

dave0 voted -1 on this story.

I already read rootprompt.org.... I don't need to read it here, too.

Why not just put a link to rootprom... (2.50 / 2) (#14)
by Mrs Edna Graustein on Wed May 03, 2000 at 10:03:31 AM EST

Mrs Edna Graustein voted -1 on this story.

Why not just put a link to rootprompt on the front page, and delete all these stories coming in from rootprompt- or submit the stories here. This is getting silly. Also- if someone just wants us to follow a link to another discussion group, couldn't we just have a quick column of suggested stories on other sites to see?
--
And if any of you put that in a .sig, I'll hunt you down and kill you twice. ;-)
Rusty

That makes sense. Let's set this up. (none / 0) (#21)
by marlowe on Wed May 03, 2000 at 06:28:49 PM EST

But in the meantime, I'm gonna vote +1 on these things.

--- I will insist on my right to question ---
-- The Americans are the Jews of the 21st century. Only we won't go as quietly to the gas chambers. --
[ Parent ]
Re: That makes sense. Let's set this up. (none / 0) (#33)
by Mrs Edna Graustein on Thu May 04, 2000 at 08:35:13 AM EST

not +0.5? :-)
--
And if any of you put that in a .sig, I'll hunt you down and kill you twice. ;-)
Rusty
[ Parent ]
Although very interesting and impor... (2.00 / 1) (#13)
by Rasputin on Wed May 03, 2000 at 10:28:06 AM EST

Rasputin voted -1 on this story.

Although very interesting and important, I'm not sure that a multi-part story (especially only the first part) can be handled this way. Maybe resubmit when all the parts are available.
Even if you win the rat race, you're still a rat.

Mmmm, real-life drama (educational ... (1.00 / 1) (#3)
by mdxi on Wed May 03, 2000 at 10:46:05 AM EST

mdxi voted 1 on this story.

Mmmm, real-life drama (educational too!)

--
SYN SYN NAK

I run a very small FreeBSD server t... (4.00 / 1) (#7)
by dvicci on Wed May 03, 2000 at 10:54:42 AM EST

dvicci voted 1 on this story.

I run a very small FreeBSD server through a local cable modem service... about a dozen friends have accounts, several domains are hosted on a single Apache install. I've had spammers try to use me for a relay, have had numerous port scans, and countless failed login attempts from all over the world. I haven't done an exhaustive audit of the system to verify that all the holes are plugged, though I have locked out the ports I don't need, and have checked out the setuid scripts and apps. For the most part, I've relied on the reputation of FreeBSD and the skill and talent of its developers to keep things locked down. Sure, I've added additional applications since the install, but have checked for security updates and fixes each time. I even employed a very talented friend of mine, and challenged him to break in. He couldn't. :) So far, there's no sign that I've been cracked, but I'm not a professional, and can't say for sure that this is true... especially after reading this article. I very much look forward to Day Two.

Re: I run a very small FreeBSD server t... (4.00 / 1) (#19)
by Alhazred on Wed May 03, 2000 at 05:57:49 PM EST

I've never seen anything but anecdotal evidence to suggest that FreeBSD or OpenBSD are in any way ACTUALLY more secure than Linux.

I've seen several hacked FreeBSD boxes, and a few hacked Linux boxes.

One thing is for sure, you will never really know if you have been hacked or not until you start running some auditing tools like tripwire, and run them properly (i.e., save your checksums to removable media, and preferably the program itself too, then REMOVE IT). I'd strongly advise running a separate machine as a log server too, with nothing but syslog on it. Under Linux you can set the machine up to reject ANY packets that don't relate to syslog. Better yet hang an old dot-matrix printer off your system and hardcopy the critical logs as they're generated.

Be paranoid. Very paranoid, and then assume that you're still not paranoid enough!

One time a guy hacked into my fully buttoned down SGI box. Nobody ever figured out how, but had I printed log files at the time, I bet it would have tripped him up. There are some darn good crackers out there.
That is not dead which may eternal lie And with strange aeons death itself may die.
[ Parent ]
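The integrity check Alhazred describes (baseline the checksums of your binaries, store them off-box, and later compare) can be sketched in a few dozen lines. The block below is an added illustration, not tripwire and not code from the rootprompt article or from any commenter; it builds a SHA-256 baseline of a directory tree, re-scans it, and reports added, removed and modified files plus any file that newly carries a setuid or setgid bit (the kind of leftover the story's attacker did not bother to hide). The directory layout and the "tampering" in demo() are constructed for the example; in real use the baseline dict would be written to removable media rather than kept in memory.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Added example in the spirit of a tripwire-style check; not tripwire
# itself. The baseline is a plain dict here; store it offline for real.


def file_record(path: Path) -> dict:
    """Hash one regular file and note its mode and setuid/setgid bits."""
    st = path.lstat()
    h = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),
        "setuid": bool(st.st_mode & stat.S_ISUID),
        "setgid": bool(st.st_mode & stat.S_ISGID),
    }


def build_baseline(root: Path) -> dict:
    """Walk a tree and record every regular file, keyed by relative path."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():  # hash targets, not links
                continue
            baseline[str(p.relative_to(root))] = file_record(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report added, removed and modified files and newly privileged ones."""
    report = {"added": [], "removed": [], "modified": [], "new_setuid": []}
    for rel, rec in current.items():
        old = baseline.get(rel)
        privileged = rec["setuid"] or rec["setgid"]
        if old is None:
            report["added"].append(rel)
            if privileged:
                report["new_setuid"].append(rel)
            continue
        if old["sha256"] != rec["sha256"] or old["mode"] != rec["mode"]:
            report["modified"].append(rel)
        if privileged and not (old["setuid"] or old["setgid"]):
            report["new_setuid"].append(rel)
    report["removed"] = [rel for rel in baseline if rel not in current]
    for key in report:
        report[key].sort()
    return report


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        (root / "bin" / "login").write_bytes(b"original login binary")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        baseline = build_baseline(root)

        # Simulated compromise: trojaned ls, a new setuid shell copy,
        # and a deleted file.
        (root / "bin" / "ls").write_bytes(b"trojaned ls binary")
        shell = root / "tmp_sh"
        shell.write_bytes(b"copy of /bin/sh")
        shell.chmod(0o4755)
        (root / "etc" / "passwd").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

The comparison deliberately treats a changed mode as a modification even when the contents match, so a binary that merely gained the setuid bit is flagged twice: once as modified and once as newly privileged. Running the checker from a read-only copy, as the comment suggests, matters because an attacker who has root can just as easily replace the checker as the files it checks.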
Re: I run a very small FreeBSD server t... (none / 0) (#22)
by Anonymous Hero on Wed May 03, 2000 at 06:47:41 PM EST

Linux boxes get hacked more because by default most distributions have every port open. For example, Red Hat Linux 6.1, a very popular distribution, shipped with many unnecessary ports open. By the way, no distribution should ever run the finger daemon, but I digress. OpenBSD is not that much more secure than FreeBSD or Linux; however, the default install is more secure. By the way, a default Red Hat Linux install is damn easy to exploit, I could get a root shell in a matter of minutes if I wanted to. On another note, Microsoft doesn't seem too bad either. Have you ever seen microsoft.com go down? Has microsoft.com ever been defaced? There has been one successful crack on some development server in India I think... makes you wonder...

[ Parent ]
Re: I run a very small FreeBSD server t... (1.00 / 1) (#24)
by Marcin on Wed May 03, 2000 at 08:33:11 PM EST

Have you ever seen microsoft.com go down? Has microsoft.com ever been defaced?

Microsoft.com never 'goes down' because they're running numerous boxes with load balancing.. so even if 95% of their boxen were down the system would still appear to be up.

In regards to defacement, I don't know how their web site works in this respect but on the Intranet at the company I work for we have two web servers load balanced, and we have the same content on both (ie. content isn't 'shared' from one source).. if one of the boxes were to be cracked and defaced this wouldn't necessarily affect the other one. (Sure however you cracked the first box you could crack the second, but yeah..) :)

I may be being naive, but realistically is it possible to crack a box that is behind a firewall which only allows incoming connections on port 80? Note I mean a separate firewall box, not running a firewall on the same box as the webserver.


M.
[ Parent ]

Re: I run a very small FreeBSD server t... (none / 0) (#30)
by mattc on Thu May 04, 2000 at 12:50:56 AM EST

Yes it is possible if it is running cgi scripts. There are tons of poorly audited cgi scripts out there.

Another possibility is that a cracker could get into one of the web developers' workstations and crack the web server from there (assuming the web developers have FTP access or something similar).

[ Parent ]

Re: I run a very small FreeBSD server t... (none / 0) (#31)
by Marcin on Thu May 04, 2000 at 01:02:47 AM EST

Another possibility is that a cracker could get into one of the web developers' workstations and crack the web server from there (assuming the web developers have FTP access or something similar).

Most of the web environments I've worked with have what's called a "DMZ" which would make this impossible. Basically you have this:

[Internet]-[External]-[Webserver]-[Internal]-[Internal Network]
           [Firewall]             [Firewall]

The internal firewall wouldn't accept connections at all from the webserver or the internet and would only allow outgoing connections from the internal network. (and you could limit those so they were only to the webserver).

Sure this wouldn't allow Internet access for staff. You could have a proxy box within a separate DMZ (so compromising one DMZ wouldn't compromise both) which would have an external firewall that doesn't accept incoming connections except as a response to outgoing connections, and only on port 80, and the internal firewall would only allow connections as a response to connections from within the internal network again on port 80.

This way you never have the Internet talking to the internal network, there's always an intermediary.
M.
[ Parent ]

No harm in making people think (or ... (none / 0) (#18)
by dgay on Wed May 03, 2000 at 11:05:55 AM EST

dgay voted 1 on this story.

No harm in making people think (or become more paranoid).

I know of a solution. It's called O... (1.00 / 1) (#1)
by xah on Wed May 03, 2000 at 11:47:01 AM EST

xah voted 1 on this story.

I know of a solution. It's called OpenBSD.

Re: I know of a solution. It's called O... (none / 0) (#23)
by fluffy grue on Wed May 03, 2000 at 08:20:06 PM EST

OpenBSD with an incompetent administrator is still just as insecure as Linux with an incompetent administrator. Linux with a competent administrator can be made as secure as OpenBSD in its default configuration. However, neither "answer" works for the situation at hand - a dozen donated servers without installation media, and no time or experience to properly administer them.

Zealotry never solves anything, you know.
--
"Is not a quine" is not a quine.
I have a master's degree in science!

[ Hug Your Trikuare ]
[ Parent ]

Re: I know of a solution. It's called O... (none / 0) (#25)
by Marcin on Wed May 03, 2000 at 09:06:25 PM EST

OpenBSD with an incompetent administrator is still just as insecure as Linux with an incompetent administrator. Linux with a competent administrator can be made as secure as OpenBSD in its default configuration.

The good thing about OpenBSD is that the kernel (and I think the basic system tools?) have all been proactively audited for security flaws, something which I don't believe has occurred with Linux.

Linux can be made as secure as OBSD with regards to running services or whatnot, but it's not a trivial task to make sure the linux kernel has no security holes. (Not saying that OBSD doesn't have security holes, but with the audit it's less likely).

One thing I don't like about OBSD is that the default rules for ipfilter are pass in all from any to any and pass out all from any to any. They should be block in all from any to any and block out all from any to any. Sure it'd make the system 'useless' with the default ipfilter setup but at least it would encourage the admin to start with a secure config and open up what they need rather than starting with an open config and blocking bad things.
M.
[ Parent ]
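Marcin's two points, a firewall in front of a web server that admits nothing but port 80 (#31) and a ruleset that starts from "block in all from any to any" rather than "pass in all from any to any" (#25), can be made concrete with a small policy evaluator. The block below is an added example, not ipfilter and not code from any commenter: it parses a deliberately reduced subset of ipf-style rule syntax (no interface clauses, no keep state, no flags), applies the ordering ipf uses, where the last matching rule wins unless a matching rule says quick, and assumes, as the comment does, that a packet no rule matches is passed. The three sample packets and the 192.0.2.10 web server address are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example: a reduced evaluator for ipfilter-style rules. Only the
# syntax used below is understood. Assumptions: last matching rule wins
# unless "quick"; a packet matching no rule is passed (the default the
# comment objects to). Real ipf has interfaces, state, flags and more.


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    direction: str                   # "in" or "out"
    quick: bool                      # stop at this rule if it matches
    proto: Optional[str]             # "tcp", "udp" or None for any
    src: ipaddress.IPv4Network       # 0.0.0.0/0 means "any"
    dst: ipaddress.IPv4Network
    dport: Optional[int]             # destination port, None for any


@dataclass
class Packet:
    direction: str
    proto: str
    src: str
    dst: str
    dport: int


def _net(token: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token)


def parse_rule(text: str) -> Rule:
    """Parse e.g. 'pass in quick proto tcp from any to 192.0.2.10 port = 80'."""
    tokens = text.split()
    action, direction, rest = tokens[0], tokens[1], tokens[2:]
    quick = False
    if rest and rest[0] == "quick":
        quick, rest = True, rest[1:]
    proto = None
    if rest[0] == "all":            # "all" is shorthand for from any to any
        rest = rest[1:]
    elif rest[0] == "proto":
        proto, rest = rest[1], rest[2:]
    if rest[0] != "from" or rest[2] != "to":
        raise ValueError(f"unsupported rule: {text}")
    src, dst = _net(rest[1]), _net(rest[3])
    dport = None
    if len(rest) > 4 and rest[4] == "port":   # "port = N"
        dport = int(rest[6])
    return Rule(action, direction, quick, proto, src, dst, dport)


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Return 'pass' or 'block' for one packet under an ordered ruleset."""
    decision = "pass"               # assumed ipf default when nothing matches
    for r in rules:
        if r.direction != pkt.direction:
            continue
        if r.proto is not None and r.proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in r.src:
            continue
        if ipaddress.ip_address(pkt.dst) not in r.dst:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        decision = r.action         # last match wins...
        if r.quick:                 # ...unless the match is "quick"
            break
    return decision


# The two defaults the comment contrasts, and a default-deny web server.
DEFAULT_OPEN = ["pass in all from any to any", "pass out all from any to any"]
DEFAULT_CLOSED = ["block in all from any to any", "block out all from any to any"]
WEB_SERVER = DEFAULT_CLOSED + [
    "pass in quick proto tcp from any to 192.0.2.10 port = 80",
    "pass out quick proto tcp from 192.0.2.10 to any",
]

# Constructed sample traffic arriving at the web server.
SAMPLE_PACKETS: Dict[str, Packet] = {
    "http": Packet("in", "tcp", "198.51.100.7", "192.0.2.10", 80),
    "telnet": Packet("in", "tcp", "198.51.100.7", "192.0.2.10", 23),
    "dns": Packet("in", "udp", "198.51.100.7", "192.0.2.10", 53),
}


def decide_all(policy: List[str]) -> Dict[str, str]:
    """Evaluate every sample packet under a policy given as rule text."""
    rules = [parse_rule(line) for line in policy]
    return {name: evaluate(rules, p) for name, p in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, policy in (("open", DEFAULT_OPEN), ("closed", DEFAULT_CLOSED), ("web", WEB_SERVER)):
        print(label, decide_all(policy))
```

Under DEFAULT_OPEN every sample packet passes, which is exactly the default the comment calls 'useless' in the other direction; under WEB_SERVER only the port 80 connection gets through, and anything the admin forgot to think about (telnet, DNS) is blocked rather than silently allowed. That asymmetry is the whole argument for starting closed: a rule you forgot to write fails safe instead of failing open.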

Re: I know of a solution. It's called O... (1.00 / 1) (#29)
by Inoshiro on Wed May 03, 2000 at 11:42:48 PM EST

"Linux can be made as secure as OBSD with regards to running services or whatnot, but it's not a trivial task to make sure the linux kernel has no security holes. "

I'd say that all the root compromises and such that I've dealt with have had more to do with daemons set up incorrectly (things like unaudited BIND v8 running as root). It was very easy to set up K5's server box securely when Rusty and I had to repair after a compromise.



--
[ イノシロ ]
[ Parent ]
Re: I know of a solution. It's called O... (none / 0) (#27)
by xah on Wed May 03, 2000 at 09:43:49 PM EST

OpenBSD is built and configured to be secure by default. No other OS that I know of is like that.

[ Parent ]
Re: I know of a solution. It's called O... (none / 0) (#32)
by pwhysall on Thu May 04, 2000 at 03:47:15 AM EST

Any system is only ever as secure as its administrators though.

My reading is that OpenBSD makes it easier for a competent admin to secure things. An incompetent admin (telnet ports open to the world, etc) will still have a crackable box, regardless of OS.
--
Peter
K5 Editors
I'm going to wager that the story keeps getting dumped because it is a steaming pile of badly formatted fool-meme.
CheeseBurgerBrown
[ Parent ]

I really liked the full disclosure ... (none / 0) (#17)
by Anonymous Zero on Wed May 03, 2000 at 12:11:46 PM EST

Anonymous Zero voted 1 on this story.

I really liked the full disclosure of the "little" security issue a while back and the helpful description of the auditing process. Look forward to reading more in this mini-series.

this writeup sounds like a horror s... (none / 0) (#15)
by Saint Zero on Wed May 03, 2000 at 12:20:39 PM EST

Saint Zero voted -1 on this story.

this writeup sounds like a horror story for hard core linux geeks.
---------- Patron Saint of Nothing, really.

It's good to scare people into keep... (none / 0) (#9)
by josh on Wed May 03, 2000 at 01:31:53 PM EST

josh voted 1 on this story.

It's good to scare people into keeping their boxen secure. =)

I've done this sort of thing myself... (none / 0) (#6)
by sergent on Wed May 03, 2000 at 01:50:58 PM EST

sergent voted -1 on this story.

I've done this sort of thing myself on multiple occasions; not sure why I should read about someone else doing it. Doesn't seem to have any particularly interesting technical content and there are better stories out there for the entertainment value.

I like this method of writing the s... (none / 0) (#12)
by nicktamm on Wed May 03, 2000 at 02:11:44 PM EST

nicktamm voted 1 on this story.

I like this method of writing the stories that apparently need to be linked to on rootprompt more. I still don't see how this is going to promote discussion on Kuro5hin, as most people commenting on the story will do so at rootprompt, but at least it's moving in the correct direction (the story on Kuro5hin isn't being written by the author of the story on rootprompt, even if it is posted by him). The story on rootprompt is really interesting and I can't wait for the second part, but I don't need Kuro5hin to inform me of it. I'd already read this story before I saw this posting on Kuro5hin. Perhaps if there were added comments for the Kuro5hin posting which would generate discussion (although I can't imagine what you could add to a story like this) it would make sense, but as it is, it's just a poor replacement for a slashbox. I am, however, voting 1 to encourage further deviation from "There is a story on rootprompt about ________. Go to it", and because it is an interesting story.
Nick Tamm nick-k5@echorequest.net http://www.nicktamm.org

What actually happened (none / 0) (#20)
by End on Wed May 03, 2000 at 06:26:41 PM EST

What happened was that noeld posted the usual one-paragraph submission with an excerpt from the article. rusty liked the story but he knew it needed to be overhauled, so he put in his own writeup. This is why the first ten or so votes tended to be negative, then the article was gradually approved after rusty revised the story.

-JD
[ Parent ]

Re: What actually happened (none / 0) (#26)
by rusty on Wed May 03, 2000 at 09:22:04 PM EST

Yep. Actually, Noel emailed me about the complaints, and asked if he should stop posting, or if I thought it was inappropriate, or what. I told him once I learned he was not running a submit-bot, that I had no real problems with rootprompt stories, but I suggested that he cut down to maybe just the most appropriate ones, every couple weeks, and that he do more of a writeup, along the lines of what I did with this one. He agreed that this was a better treatment and promised to try harder in the future. So you see, it always pays to remember there's another human on the other side of the screen before you flame away. :-)

____
Not the real rusty
[ Parent ]
Lesson Learned (none / 0) (#35)
by End on Thu May 04, 2000 at 12:03:11 PM EST

I agree your conduct was more honourable than mine. I shall try to use less inflammatory language when making my points in the future :-) Noel, as I said, I like your site and read it regularly, and I'm glad you and rusty worked it out.

-JD
[ Parent ]

Re: I like this method of writing the s... (3.00 / 1) (#28)
by Inoshiro on Wed May 03, 2000 at 11:38:48 PM EST

Ahh, but what of us who don't read rootprompt.org (such as myself)? I'd never hear about these interesting stories if they weren't posted here :-)



--
[ イノシロ ]
[ Parent ]
Re: I like this method of writing the s... (none / 0) (#36)
by nicktamm on Fri May 05, 2000 at 12:58:04 AM EST

But if you are liking a good deal of the stories pointed to on rootprompt, doesn't that suggest you should start reading it? I know that after seeing a couple of stories pointed to on Kuro5hin, I have started reading rootprompt. Of course, seeing how much discussion this article has generated, I suppose that it is a good idea to post links to stories on sites even if they have their own discussion boards.
Nick Tamm nick-k5@echorequest.net http://www.nicktamm.org
[ Parent ]
I'm torn. Once again we have a link... (none / 0) (#2)
by Skippy on Wed May 03, 2000 at 02:16:57 PM EST

Skippy voted 1 on this story.

I'm torn. Once again we have a link propagation issue with Rootprompt.org. On the other hand we have what appears to be a great story. Grrrr. I'll vote ok, but the next link that is even just ok gets modded down.
# I am now finished talking out my ass about things that I am not qualified to discuss. #

To not post would be security by ob... (none / 0) (#10)
by warpeightbot on Wed May 03, 2000 at 04:21:43 PM EST

warpeightbot voted 1 on this story.

To not post would be security by obscurity, never a good thing. Whether or not the article is really any good, and despite the fact that it is link propagation, security is always important, both to get news about, and to discuss Best Practices.

Re: Cracked! Denial and Truth (none / 0) (#34)
by Alhazred on Thu May 04, 2000 at 09:31:43 AM EST

Sure it's possible, however security is generally a factor of difficulty. Your average cracker is really an ignorant Script Kiddie. They go to some 'sploit archive and download some program, the function of which they have no clue about, and all they know is it MIGHT get them into some machines. So they go banging on people's doors until they find one that lets them in.

If you close a LOT of the doors, say by using a firewall as you say, then most of them will be turned away.

Will it stop a real serious cracker? Probably not. If they are determined to get into your machine they probably will.
That is not dead which may eternal lie And with strange aeons death itself may die.
