* TRG vger.timpanogas.org hacked
From: Jeff V. Merkey @ 2001-06-05 1:36 UTC (permalink / raw)
To: linux-kernel; +Cc: jmerkey
Our master server (vger.timpanogas.org) running 2.2.19 was hacked and
completely obliterated by someone using a Novell Proxy Cache via a kernel
level exploit in [sys_wait+4]. They somehow created a segmentation fault
down inside the kernel, then gained access to the /lib directory and
relinked the libraries to a set of bogus libs, which gave them
access to the server. Only public code and email is processed on
this server.
For those interested in reviewing this attack, I have the entire previous
hard disk available and can mount it under the public ftp area if anyone
is curious as to how these folks did this. They exploited BIND 8.2.3
to get in and logs indicated that someone was using a "back door" in
Novell's NetWare proxy caches to perform the attack (since several
different servers were used as "blinds" to get in).
We are unable to determine just how they got in exactly, but they
kept trying and created an oops in the affected code which allowed
the attack to proceed.
Jeff
* Re: TRG vger.timpanogas.org hacked
From: Alan Cox @ 2001-06-05 7:05 UTC (permalink / raw)
To: Jeff V. Merkey; +Cc: linux-kernel, jmerkey
> is curious as to how these folks did this. They exploited BIND 8.2.3
> to get in and logs indicated that someone was using a "back door" in
Bind runs as root.
> We are unable to determine just how they got in exactly, but they
> kept trying and created an oops in the affected code which allowed
> the attack to proceed.
Are you sure they didn't in fact simply screw up live patching the kernel to
cover their traces?
* Re: TRG vger.timpanogas.org hacked
From: Daniel Roesen @ 2001-06-05 10:14 UTC (permalink / raw)
To: linux-kernel
On Tue, Jun 05, 2001 at 08:05:34AM +0100, Alan Cox wrote:
> > is curious as to how these folks did this. They exploited BIND 8.2.3
> > to get in and logs indicated that someone was using a "back door" in
>
> Bind runs as root.
Not if set up properly. And there is no known hole in BIND 8.2.3-REL
so I'm wondering how Jeff found out that the intruder got in via BIND.
* Re: TRG vger.timpanogas.org hacked
From: Michael H. Warfield @ 2001-06-05 14:10 UTC (permalink / raw)
To: Alan Cox; +Cc: Jeff V. Merkey, linux-kernel, jmerkey
On Tue, Jun 05, 2001 at 08:05:34AM +0100, Alan Cox wrote:
> > is curious as to how these folks did this. They exploited BIND 8.2.3
> > to get in and logs indicated that someone was using a "back door" in
> Bind runs as root.
It doesn't have to. In fact, I just set up a RedHat 6.2 Honeypot
a couple of weeks ago researching Bind based worms that are becoming
a problem. Much to my surprise, that OOB RedHat 6.2 system ran bind
as "named -u named" and was running Bind under a common user id. RedHat
6.0 runs it as root and I haven't checked 6.1 yet. Don't know about the
other distros, yet.
> > We are unable to determine just how they got in exactly, but they
> > kept trying and created an oops in the affected code which allowed
> > the attack to proceed.
> Are you sure they didnt in fact simply screw up live patching the kernel to
> cover their traces
That would be a hint that they MIGHT have been trying to get a
Linux kernel stealth module going. Several of the worms I'm looking at
include the Adore LKM to hide processes, files, and sockets. That worm
(like several others of its kind) also upgrades the version of Bind it broke
in through to prevent further compromise. There will be a security
advisory out on these worms, probably later this week.
Mike
--
Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com
(The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
* Re: TRG vger.timpanogas.org hacked
From: Jeff V. Merkey @ 2001-06-05 18:30 UTC (permalink / raw)
To: Alan Cox; +Cc: linux-kernel, jmerkey
On Tue, Jun 05, 2001 at 08:05:34AM +0100, Alan Cox wrote:
> > is curious as to how these folks did this. They exploited BIND 8.2.3
> > to get in and logs indicated that someone was using a "back door" in
>
> Bind runs as root.
>
> > We are unable to determine just how they got in exactly, but they
> > kept trying and created an oops in the affected code which allowed
> > the attack to proceed.
>
> Are you sure they didnt in fact simply screw up live patching the kernel to
> cover their traces
Could have. The kernel is unable to dismount the root volume when booted.
I can go through the drive and remove confidential stuff and just leave
the system intact and post the entire system image to my ftp server.
I have changed all the passwords on the server, so what's there is no
big deal. This server was public FTP and web/email, so nothing really
super "confidential" on it.
Jeff
* Re: TRG vger.timpanogas.org hacked
From: Michael H. Warfield @ 2001-06-05 18:42 UTC (permalink / raw)
To: Jeff V. Merkey; +Cc: Alan Cox, linux-kernel, jmerkey
On Tue, Jun 05, 2001 at 11:30:51AM -0700, Jeff V. Merkey wrote:
> On Tue, Jun 05, 2001 at 08:05:34AM +0100, Alan Cox wrote:
> > > is curious as to how these folks did this. They exploited BIND 8.2.3
> > > to get in and logs indicated that someone was using a "back door" in
> > Bind runs as root.
> > > We are unable to determine just how they got in exactly, but they
> > > kept trying and created an oops in the affected code which allowed
> > > the attack to proceed.
> > Are you sure they didnt in fact simply screw up live patching the kernel to
> > cover their traces
> Could have. The kernel is unable to dismount the root volume when booted.
> I can go through the drive and remove confidential stuffd and just leave
> the system intact and post the entire system image to my ftp server.
This would be a good thing for those of us involved in investigating
these sorts of things. :-/
> I have changed all the passwords on the server, so what's there is no
> big deal. This server was public FTP and web/email, so nothing really
> super "confidential" on it.
> Jeff
Mike
--
Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com
(The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
* Re: TRG vger.timpanogas.org hacked
From: Henning P. Schmiedehausen @ 2001-06-05 13:07 UTC (permalink / raw)
To: linux-kernel
"Jeff V. Merkey" <jmerkey@vger.timpanogas.org> writes:
>is curious as to how these folks did this. They exploited BIND 8.2.3
Look below.
>to get in and logs indicated that someone was using a "back door" in
>Novell's NetWare proxy caches to perform the attack (since several
>different servers were used as "blinds" to get in).
There is AFAIK no known exploit to BIND 8.2.3 and I don't see why
anyone should use a "novell Netcache backdoor". If I'd want to hack
your box, I would use this:
% telnet vger.timpanogas.com 22
Trying 207.109.151.240...
Connected to vger.timpanogas.com.
Escape character is '^]'.
SSH-1.5-1.2.27
^]
telnet> quit
Well known exploits downloadable at any of the better hacking sites.
>We are unable to determine just how they got in exactly, but they
>kept trying and created an oops in the affected code which allowed
>the attack to proceed.
Come on, you can't be _that_ blind. Either you didn't install all your
vendor-recommended updates or you installed self-rolled programs and
got caught.
You even get connects on the telnet port (no daemon, though), so you
either have a hosts.allow (which _is_ spoofable) or a non-cleaned up
[x]inetd.conf which means you didn't harden your box for Internet
usage.
If you don't prepare your box for a hostile environment, you get
hit. First law of the Internet.
Regards
Henning
--
Dipl.-Inf. (Univ.) Henning P. Schmiedehausen -- Managing Director
INTERMETA - Gesellschaft fuer Mehrwertdienste mbH hps@intermeta.de
Am Schwabachgrund 22 Fon.: 09131 / 50654-0 info@intermeta.de
D-91054 Buckenhof Fax.: 09131 / 50654-20
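Two hardening points made earlier in this thread lend themselves to a quick self-check: Michael Warfield's observation that named need not run as root (a stock RedHat 6.2 ran it as `named -u named`), and Henning's point that a box with an un-cleaned [x]inetd.conf still accepts connections on ports it has no business listening on. The script below is an added example, not code from any participant in this thread or from any distribution; the `ps` listing and the inetd.conf contents are constructed samples, and the daemon name list is an assumption you would adjust for your own host.

```python
# Added example: audit a host for (a) privileged daemons that should have
# dropped root, and (b) services still enabled in inetd.conf.
# Both inputs are constructed samples, not captured from a real machine.

# Constructed sample of `ps -eo user,pid,args` output from a 2.2-era box.
SAMPLE_PS = """\
USER       PID COMMAND
root         1 init [3]
root       312 /usr/sbin/inetd
root       340 /usr/sbin/named
named      341 /usr/sbin/named -u named -g named
root       402 /usr/sbin/sshd
"""

# Constructed sample /etc/inetd.conf with most services left enabled.
SAMPLE_INETD_CONF = """\
# <service> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
"""


def privileged_daemons(ps_output, names=("named",)):
    """Return (exe, pid, args) for every process in `names` running as root.

    `names` is an assumed list of daemons that are expected to drop
    privileges (BIND via `-u`); extend it for your own environment.
    """
    hits = []
    for line in ps_output.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 2)                  # user, pid, full command
        if len(parts) < 3:
            continue
        user, pid, args = parts
        exe = args.split()[0].rsplit("/", 1)[-1]     # basename of the binary
        if exe in names and user == "root":
            hits.append((exe, int(pid), args))
    return hits


def enabled_inetd_services(conf_text):
    """Parse inetd.conf and return (service, run_as_user, server_path) for
    every line that is not commented out."""
    services = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue                                 # malformed line, ignore
        services.append((fields[0], fields[4], fields[5]))
    return services


def audit(ps_output, conf_text, wanted=(), names=("named",)):
    """Combine both checks into a list of human-readable findings.

    `wanted` is the set of inetd services you actually intend to offer;
    everything else that is enabled is reported.
    """
    findings = []
    for exe, pid, args in privileged_daemons(ps_output, names):
        findings.append("%s running as root (pid %d): %s" % (exe, pid, args))
    for name, user, server in enabled_inetd_services(conf_text):
        if name not in wanted:
            findings.append("inetd service '%s' enabled (runs as %s via %s) "
                            "but not in the wanted set" % (name, user, server))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PS, SAMPLE_INETD_CONF, wanted=("ftp",)):
        print(finding)
```

On the sample data this reports the root-owned named instance (pid 340) and the telnet and finger entries that are enabled but not wanted; the wrapped telnet entry is exactly how a box can accept a connect on port 23 with "no daemon" behind it, as Henning noticed. Note the caveat that follows from Warfield's message: a `ps`-based check is only as trustworthy as the kernel it runs on, so on a host suspected of carrying an LKM rootkit such as Adore the listing should be taken from a boot off clean media, not from the running system.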
* RE: TRG vger.timpanogas.org hacked
From: Randal, Phil @ 2001-06-05 10:33 UTC (permalink / raw)
To: linux-kernel
Bind 8.2.4 was released on May 17th, with the standard
comment "BIND 8.2.4 is the latest version of ISC BIND 8.
We strongly recommend that you upgrade to BIND 9.1 or, if
that is not immediately possible, to BIND 8.2.4 due to
certain security vulnerabilities in previous versions."
However, there are no release notes on ISC's web site,
and their vulnerabilities page lists no known security
flaws in Bind 8.2.3.
But the paranoid part of me does wonder :-)
(And I haven't the time to do the diffs to see what's
changed.)
Cheers,
Phil
---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
> -----Original Message-----
> From: Daniel Roesen [mailto:dr@bofh.de]
> Sent: 05 June 2001 11:14
> To: linux-kernel@vger.kernel.org
> Subject: Re: TRG vger.timpanogas.org hacked
>
>
> On Tue, Jun 05, 2001 at 08:05:34AM +0100, Alan Cox wrote:
> > > is curious as to how these folks did this. They
> exploited BIND 8.2.3
> > > to get in and logs indicated that someone was using a
> "back door" in
> >
> > Bind runs as root.
>
> Not if set up properly. And there is no known hole in BIND 8.2.3-REL
> so I'm wondering how Jeff found out that the intruder got in via BIND.
* Re: TRG vger.timpanogas.org hacked
From: Matti Aarnio @ 2001-06-05 11:07 UTC (permalink / raw)
To: Randal, Phil; +Cc: linux-kernel
On Tue, Jun 05, 2001 at 11:33:57AM +0100, Randal, Phil wrote:
> Bind 8.2.4 was released on May 17th, with the standard
> comment "BIND 8.2.4 is the latest version of ISC BIND 8.
> We strongly recommend that you upgrade to BIND 9.1 or, if
> that is not immediately possible, to BIND 8.2.4 due to
> certain security vulnerabilities in previous versions."
>
> However, there are no release notes on ISC's web site,
> and their vulnerabilities page lists no known security
> flaws in Bind 8.2.3.
That's quaint...
The 8.2.4 got some immunity on running out of low fd numbers
suitable for stdio at e.g. Solaris.
(Is there anything else, I haven't checked.)
Essentially it makes system a bit more resistant against
(possibly unintentional) denial of service attacks when
there are heaps and troves of TCP based resolving connections.
All you need is to have some zone with so massive replies for
some questions that it does not fit into UDP query/reply packet.
E.g. have a few dozen different PTR records for some IP address,
and you will soon see what I mean.
Run that bind at some saturated load system so that the bind is
slow as molasses, and have lots of people asking for reversers...
I can pretty much guarantee that you will see what bind 8.2.3
barfs within a day or so. Your only solution is to restart the
8.2.3. (It fails to act as resolver after the barf until reboot,
it may also lose one or more of your DNS zones.)
I haven't checked if 9.1.* series is also immunized for this.
(That is, if it uses stdio for any file accesses anymore.)
> But the paranoid part of me does wonder :-)
What else there might be...
> (And I haven't the time to do the diffs to see what's
> changed.)
>
> Cheers,
>
> Phil
>
> ---------------------------------------------
> Phil Randal
> Network Engineer
> Herefordshire Council
> Hereford, UK
>
> > -----Original Message-----
> > From: Daniel Roesen [mailto:dr@bofh.de]
> > Sent: 05 June 2001 11:14
> > To: linux-kernel@vger.kernel.org
> > Subject: Re: TRG vger.timpanogas.org hacked
> >
> >
> > On Tue, Jun 05, 2001 at 08:05:34AM +0100, Alan Cox wrote:
> > > > is curious as to how these folks did this. They
> > exploited BIND 8.2.3
> > > > to get in and logs indicated that someone was using a
> > "back door" in
> > >
> > > Bind runs as root.
> >
> > Not if set up properly. And there is no known hole in BIND 8.2.3-REL
> > so I'm wondering how Jeff found out that the intruder got in via BIND.
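The mechanism Matti describes above, a reply with a few dozen PTR records that no longer fits in a UDP datagram and so forces resolvers onto TCP, comes down to wire-format arithmetic. The script below is an added example, not code from the thread or from ISC: it builds a minimal PTR response by hand, measures it against the classic 512-byte UDP limit, and finds how many records fit before the server has to set TC and the client retries over TCP. The reverse name `1.0.0.10.in-addr.arpa` and the `hostNN.example.net` targets are constructed.

```python
# Added example: how many PTR records fit in a DNS-over-UDP reply before
# the answer must go over TCP.  Names below are constructed, not real.
import struct

UDP_DNS_LIMIT = 512          # RFC 1035 UDP payload limit, without EDNS
TYPE_PTR, CLASS_IN = 12, 1


def encode_name(name):
    """Encode a dotted domain name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"                     # root label terminates the name


def build_ptr_response(qname, targets):
    """Build a minimal DNS response: header, one question, one PTR RR per
    target.  Each RR's owner name is a compression pointer (0xC00C) back to
    the question name, which always starts at offset 12."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(targets), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_PTR, CLASS_IN)
    answers = b""
    for target in targets:
        rdata = encode_name(target)
        answers += (b"\xc0\x0c"
                    + struct.pack("!HHIH", TYPE_PTR, CLASS_IN, 3600, len(rdata))
                    + rdata)
    return header + question + answers


def response_size(qname, targets):
    """Wire size in bytes of the full (untruncated) response."""
    return len(build_ptr_response(qname, targets))


def needs_tcp(qname, targets):
    """True when the complete answer exceeds the UDP limit: the server must
    set the TC bit and the resolver falls back to a TCP connection."""
    return response_size(qname, targets) > UDP_DNS_LIMIT


def max_ptr_records_in_udp(qname, target_template):
    """Largest number of PTR RRs (all shaped like target_template, which
    takes one integer) that still fits in a single UDP reply."""
    n = 0
    while not needs_tcp(qname, [target_template % i for i in range(n + 1)]):
        n += 1
    return n


# Constructed example: reverse zone entry for 10.0.0.1 with many PTR targets.
QNAME = "1.0.0.10.in-addr.arpa"
TEMPLATE = "host%02d.example.net"

if __name__ == "__main__":
    for count in (1, 10, 14, 15, 30):
        targets = [TEMPLATE % i for i in range(count)]
        print("%2d PTR records -> %4d bytes, %s" % (
            count, response_size(QNAME, targets),
            "TCP fallback" if needs_tcp(QNAME, targets) else "fits in UDP"))
    print("max PTR records under %d bytes: %d"
          % (UDP_DNS_LIMIT, max_ptr_records_in_udp(QNAME, TEMPLATE)))
```

With these name lengths the header plus question take 39 bytes and each PTR answer 32, so the fifteenth record pushes the reply past 512 bytes: from then on every resolver asking for that reverse name opens a TCP connection, which is the load pattern that drove the 8.2.3 server in Matti's description out of file descriptors.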
* RE: TRG vger.timpanogas.org hacked
From: Brian Wellington @ 2001-06-05 17:19 UTC (permalink / raw)
To: Randal, Phil; +Cc: linux-kernel
On Tue, 5 Jun 2001, Randal, Phil wrote:
> Bind 8.2.4 was released on May 17th, with the standard
> comment "BIND 8.2.4 is the latest version of ISC BIND 8.
> We strongly recommend that you upgrade to BIND 9.1 or, if
> that is not immediately possible, to BIND 8.2.4 due to
> certain security vulnerabilities in previous versions."
>
> However, there are no release notes on ISC's web site,
> and their vulnerabilities page lists no known security
> flaws in Bind 8.2.3.
>
> But the paranoid part of me does wonder :-)
There really are no known vulnerabilities in BIND 8.2.3. There are a
number of bug fixes which would make upgrading a good idea, though.
The "previous versions" mentioned were those earlier than 8.2.3.
Brian