Saturday, February 26, 2005

All my base are belong to...

... some script kiddie. I had to take down my website for a couple of days due to it being hacked. It actually looks like it was compromised sometime around January 21st. It took me a short while to notice because nothing destructive was done to the website itself. It wasn't until I tried to copy some photos to my website that I noticed that samba wasn't running.

After ssh'ing into the box to restart the samba service, I noticed that not only was samba not running, it was no longer installed. I was beginning to get suspicious. I couldn't have uninstalled samba without remembering... could I? And then, I stumbled across this telltale sign:

ls -al .bash_history
-rw------- 1 root root 1387 Feb 26 12:52 .bash_history -> /dev/null
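A shell-history file pointing at /dev/null is a cheap indicator worth checking on every account, not just root. The script below is an added example (not the author's code): it scans a list of home directories for history files that are symlinks to /dev/null, and builds a constructed demo tree in a temporary directory so it runs offline. The directory layout and file names in the demo are made up for the example.

```python
import os
import tempfile
from typing import Iterable, List

# History files a shell writes by default; an attacker who wants no record
# of their commands commonly replaces one of these with a link to /dev/null.
HISTORY_FILES = (".bash_history", ".sh_history", ".zsh_history")


def find_null_histories(home_dirs: Iterable[str]) -> List[str]:
    """Return the history files under the given home directories that are
    symlinks to /dev/null. Regular files (even empty ones) are not flagged."""
    hits: List[str] = []
    for home in home_dirs:
        if not os.path.isdir(home):
            continue
        for name in HISTORY_FILES:
            path = os.path.join(home, name)
            if not os.path.islink(path):
                continue
            # Compare the raw link target; normpath folds oddities like "//dev/null".
            if os.path.normpath(os.readlink(path)) == "/dev/null":
                hits.append(path)
    return hits


def run_demo() -> List[str]:
    """Constructed sample: one clean home and one whose .bash_history has been
    linked to /dev/null. Returns the basenames of the flagged home directories."""
    root = tempfile.mkdtemp(prefix="hist-demo-")
    clean = os.path.join(root, "alice")   # constructed: normal user
    suspect = os.path.join(root, "root")  # constructed: account with the tell-tale link
    os.makedirs(clean)
    os.makedirs(suspect)
    with open(os.path.join(clean, ".bash_history"), "w") as fh:
        fh.write("ls -al\n")
    os.symlink("/dev/null", os.path.join(suspect, ".bash_history"))

    flagged = find_null_histories([clean, suspect])
    return [os.path.basename(os.path.dirname(p)) for p in flagged]


if __name__ == "__main__":
    # On a real host you would pass /root plus the entries of /home.
    print(run_demo())
```

One caveat that the post itself illustrates: once a rootkit has replaced ls, ps and netstat, any check run from inside the compromised system, this one included, is only as trustworthy as the binaries it relies on. Treat a hit as a reason to pull the cable and examine the disk from clean media, as the author did, rather than as proof of anything on its own.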

At that point, I dropped to runlevel 1 and yanked the ethernet cable from the back of the computer. The postmortem suggested that the attacker exploited a vulnerability in samba that was discovered in late December 2004. I would have been OK if I was only running samba on my local network. I used to run in this configuration, but I had just recently set up a router with my web server running outside of my private network. I should have installed a second NIC so that I could still copy files on the internal network... but I got lazy and just opened samba up to the world.

Shortly after breaking in, the attacker uninstalled samba (thus preventing someone else from breaking in in the same fashion) and installed a rootkit which replaced certain key executable files such as /bin/login, /bin/ps, /bin/netstat, etc. and wiped out all of my log files. The strange thing is that this guy actually went through the trouble of doing an rpm uninstall of samba instead of just deleting smbd or disabling the service.

"For what purpose did all of this occur?", you may ask. Well, of course, for the purpose of running an IRC bot. Why else would a script kiddie break into a web server? I think that my attacker should be proud of himself. I mean any hacker can take on a dual Opteron running the latest release of RedHat, but it takes some serious SKILLZ to violate a Pentium 133 running headless in a corner of my office with a 6-year-old version of Linux. Congratulations!
