Enlightenment...

It looks like I don't have to change all the passwords.  The user apache
cannot view the shadow file; only root can.

That just saved me a Saturday!

Doug

-----Original Message-----
From: tclug-list-bounces at mn-linux.org
[mailto:tclug-list-bounces at mn-linux.org] On Behalf Of Pastor Doug Coats
Sent: Friday, March 05, 2004 7:09 AM
To: TCLUG Mailing List
Subject: RE: [TCLUG] Attack


The answer is.....

Me!

I programmed our web page with a vital error.  I passed a variable that
contained the name of a file to be opened in such a way that it could be
changed.  So the hacker simply changed it to whatever file they wanted to
see and presto - I handed them my box.

Good news - We find no evidence that they have capitalized on this
information yet.

Bad news - I have to change everyone's passwords immediately.

I fixed (with the help of a friend) the website by checking the variable for
a "/".  If it contains that, it simply kills the script.  So now they are
locked into that directory.

I will probably change it more so that the variable doesn't match the exact
file it is opening but I think the passwords come first.

Thank you to everyone who helped out.  I finally tracked what the cracker
was attempting to do in the httpd error logs and then duplicated their
efforts to my horror.

Live and learn.

Doug
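The fix Doug describes above (rejecting a "/" in the filename parameter, and later decoupling the parameter from the file it opens) is shown here as an added example, not code from the original thread or from Doug's site. The page names and directory are assumed; the hardened version looks the parameter up in an allowlist and additionally verifies the resolved path stays under the web directory.

```python
import os

# Assumed mapping from the request parameter to the files it may open.
# The request carries only a key, never a filename.
PAGE_FILES = {
    "home": "home.html",
    "about": "about.html",
    "sermons": "sermons.html",
}


def open_page_unsafe(base_dir, requested):
    """The pattern described in the thread: the request parameter is used
    directly as the filename, so the caller picks which file is read."""
    return os.path.normpath(os.path.join(base_dir, requested))


def escapes_base(base_dir, requested):
    """True when the unsafe pattern would resolve outside base_dir."""
    base = os.path.realpath(base_dir)
    path = os.path.realpath(open_page_unsafe(base, requested))
    return os.path.commonpath([base, path]) != base


def has_separator(requested):
    """Doug's first fix: refuse any parameter containing a path separator
    (the NUL byte is rejected too, since it would truncate a C filename)."""
    return "/" in requested or "\\" in requested or "\x00" in requested


def select_page_path(base_dir, key):
    """Hardened form: the parameter is a key into PAGE_FILES, so it never
    names a file directly; the resolved path is still checked to lie under
    base_dir. Returns None when the request is rejected."""
    filename = PAGE_FILES.get(key)
    if filename is None:
        return None
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, path]) != base:
        return None
    return path


if __name__ == "__main__":
    for req in ["home", "../../etc/passwd", "/etc/shadow"]:
        print(req, "->", select_page_path("/var/www/html", req))
```

Rejected keys are a good thing to log: the httpd error log entries Doug used to trace the attempt are exactly what a deliberate rejection with a logged key produces.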

-----Original Message-----
From: tclug-list-bounces at mn-linux.org
[mailto:tclug-list-bounces at mn-linux.org] On Behalf Of Pastor Doug Coats
Sent: Thursday, March 04, 2004 8:55 AM
To: TCLUG Mailing List
Subject: [TCLUG] Attack


I am running Fedora Core 1 and had an interesting attack show up in my logs.

Someone tried to ssh running through the entire list of users.

My question is how did they get that list of valid users?  There is no
evidence of simply trying random users - they knew every user.

Is there something in Linux that would return a request for every user name?

Is there something I should have turned off so that cannot happen again?

I blocked their IP address in IPTables but they can find a way around that.
And I would like to block anyone from trying something similar.

Any suggestions would be greatly appreciated.

Thanks All,

Doug


_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
http://www.mn-linux.org tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list
