I STILL HATE YOU ALL!

I thought I had cleaned it all out. I removed the user accounts he created. I removed the cron jobs that he added. I changed the root password. I closed ftp (which was how he got in in the first place). Everything seemed fine, until I logged back in this morning.

My logfiles were pointing at /dev/null. Basic detection scripts like ps and netstat weren’t working.

I shut the machine down.

Tonight is not going to be fun.

What motivates these bastards to do this? “Because they can”? Not only are they inconveniencing me, they’re inconveniencing the 20 or so people who use my machine as an IRC server, as well as the handful of friends who have accounts on the machine. Yes, I should be the better sysadmin and keep my machine secure, but dammit I thought I was. It’s not like there’s any useful data on that machine. Go bug someone else.

I hate this. Hate hate hate hate hate hate hate hate. When one bastard can download a script and push a button, and it takes up almost a day of my time to fix, something’s wrong with this world.

26 Replies to “I STILL HATE YOU ALL!”

  1. Speaking of ftp, I need to learn what all that shit is about for my comp sci class… and ws-ftp. Whether there is a difference I obviously don’t know… I’m thinking no though… ooh, does the ws mean web server? That just came to me… anyway… carry on.

  2. Fool me once, shame on you. Fool me twice, shame on me.

    If Linux is this easy to hack, get a firewall, and keep your server down until you can install a front-end that won’t fall in 5 minutes to a script kiddie, because he is gonna keep doing this…

  3. Hmm… Sam was telling me about some nifty trojan that redirected security logs to /dev/null. It also logs passwords and stuff… so you had better be sure to have everyone change their password.

  4. Nuke and Pave

    Format that HD and reinstall Linux… hopefully it is Red Hat.

    Take out telnet, make everybody use SSH.

    Use the new irc server that wohali -> http://www.ircd-hybrid.net/ <- has set up, which people can log in to with a password.

    I would suggest talking to oldcrow about securing your box, or as a last resort talk to the linux geeks on anime.net, especially goemon and teapot.

    And get a FIREWALL… especially if you have a router with a firewall… USE IT 🙂

    LDC

    1. Re: Nuke and Pave

      Never had telnet, always had ssh. Hybrid was the ircd I was using. Firewalls were “too hard to learn”. 😛

      That’s my excuse, and I’m sticking to it. Yes, an actual router/firewall would be nice. I’ll have to settle for a software option, though.

  5. a small but useful spiel on security

    (Post 1/2, thanks for limiting the characters per comment to 2000!)

    So you got hacked. Not surprisingly, logs are missing. You can’t count on those being there or accurate anyway. Whatever the case, you still know some things.

    Your machine was compromised. It was done by someone who either A) utilized a running service remotely accessible by a “remote exploit”, or B) by a user who gained access to a local account on your system (whether a malicious legitimate user, or someone who has subverted their account, perhaps upstream at some other insecure host they use to connect to yours).

    You can do something to prevent both of these paths, not knowing which happened.

    For A, you should, as a rule, have an awareness of every service that runs on your machine and is remotely accessible. Start with every open port you have, udp or tcp (for those unknowing, you can at least get this information from netstat). Correlate them back to a process each, so you know what’s actually using these ports. Then, walk through the exact programs and versions you’re using. If something is there which you do NOT explicitly need (take your time checking this out) *DISABLE IT*.

    If you do need it, look up security information on the program in question. Walk back through various archives (securityfocus.com is a place to start) and see the general history of the app. If it’s Joe’s wacky webserver v0.0.1, consider whether you really want such an untested product on your machine. If it’s wu_ftpd or some variant on that codebase, consider whether you want to get hacked when the exploit of the month appears for that broken buggy-assed code. And so forth.

    If you don’t want to get hacked, even if it seems like a pain, choose the more secure product. For DNS, for example, djbdns has been known to have NO compromises, whereas BIND, the standard package, has had holes a few times in the past couple of years alone.
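The port-to-process audit the spiel above describes, as an added example that is not part of the original post or any commenter's code. On a box where ps and netstat have been replaced (as the post reports), the audit should not depend on those binaries, so this script reads the kernel's own socket table from /proc/net/tcp and maps each listening socket's inode to a process through /proc/<pid>/fd. It assumes Linux and bash; the sample table it parses is constructed for the example, not captured from a real host, and IPv6 (/proc/net/tcp6) and UDP (/proc/net/udp, where bound sockets show state 07) are left as the same exercise.

```bash
#!/bin/bash
# Added example (not from the page or its commenters): list listening TCP
# sockets straight from /proc/net/tcp and map them to processes through
# /proc/<pid>/fd, so the audit does not depend on a netstat or ps binary
# that an intruder may have replaced. Assumes Linux and bash.

# Convert the kernel's little-endian hex IPv4 address (e.g. 0100007F) to
# dotted-quad form (127.0.0.1).
hex_le_to_ip() {
    local h=$1
    printf '%d.%d.%d.%d' "$((16#${h:6:2}))" "$((16#${h:4:2}))" \
                         "$((16#${h:2:2}))" "$((16#${h:0:2}))"
}

# Print one line per LISTEN socket (state 0A) in a /proc/net/tcp-format
# table: "tcp <ip>:<port> uid=<uid> inode=<inode>".
# $1 = path to the table (defaults to the live kernel table).
list_tcp_listeners() {
    local table=${1:-/proc/net/tcp}
    local sl laddr raddr st txrx trwhen retr uid timeout inode rest
    tail -n +2 "$table" |
    while read -r sl laddr raddr st txrx trwhen retr uid timeout inode rest; do
        [ "$st" = "0A" ] || continue
        printf 'tcp %s:%d uid=%s inode=%s\n' \
            "$(hex_le_to_ip "${laddr%:*}")" "$((16#${laddr#*:}))" "$uid" "$inode"
    done
}

# Find the process holding socket inode $1 by walking /proc/<pid>/fd and
# print "<pid> <exe path>". Silent (status 1) if nothing owns it, which is
# itself suspicious: a process hidden from /proc, or a socket opened from
# another namespace.
inode_to_process() {
    local fd pid
    for fd in /proc/[0-9]*/fd/*; do
        if [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ]; then
            pid=${fd#/proc/}; pid=${pid%%/*}
            printf '%s %s\n' "$pid" "$(readlink "/proc/$pid/exe" 2>/dev/null)"
            return 0
        fi
    done
    return 1
}

# Constructed sample table (not from a real host) so the parser can be
# exercised offline: an ftpd on 0.0.0.0:21, an ircd on 127.0.0.1:6667, and
# one ESTABLISHED connection (state 01) that must be ignored.
# Prints the path of the temp file it wrote.
write_sample_table() {
    local f
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0015 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1A0B 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 22222 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 0200A8C0:C350 01 00000000:00000000 00:00000000 00000000     0        0 33333 1 0000000000000000 20 4 30 10 -1
EOF
    printf '%s\n' "$f"
}

# Usage on a live host (as root, so every /proc/<pid>/fd is readable):
#   ./audit-listeners.sh --live
# For each listener, correlate the inode back to its process, then decide
# whether that service needs to exist at all.
if [ "${1:-}" = "--live" ]; then
    list_tcp_listeners | while read -r proto addr uid ino; do
        printf '%s %s %s -> %s\n' "$proto" "$addr" "$uid" \
            "$(inode_to_process "${ino#inode=}" || echo 'no owner found')"
    done
fi
```

Run the live listing and compare it with what the (suspect) netstat reports: a socket that /proc/net/tcp shows but netstat does not is the classic signature of a trojaned binary, and a listener whose inode maps to no process at all deserves the same treatment. The hex parsing uses bash arithmetic (`16#...`) rather than gawk's strtonum, so it works with whatever awk happens to be installed.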

  6. a small but useful spiel on security

    (Post 2/2, thanks for limiting the characters per comment to 2000!)

    If B, a user (malicious legitimate or malicious illegitimate), you can at least take SOME countermeasures pro-actively. You can find all of the programs on your system which have setuid/setgid set on them and remove this flag unless it is necessary. Example: ping, traceroute are setuid root. If you really really need to let local non-privileged users use these programs, or you trust them implicitly, don’t disable them. Otherwise, make it only possible for a privileged user (via some wrapper like sudo MAYBE) to use them. Reduce the number of things which can even possibly, for a split second, run privileged to a BARE MINIMUM.

    Secondly, keep up with security lists. You may well find out you’ve been hacked with something that hasn’t hit the popular press as kids tend to have tools weeks/months in advance of their popular visibility, but you SHOULD NOT allow anything KNOWN to hit you.

    There are other things to do to clean up your system but this is a good start. Do some reading.

    Also, good fucking luck with the linux kernel, given the wonderful track record the kernel itself has. I trust that kernel as far as I can throw it, and that’s not far given it’s intangible.

    P.S. The folk who suggest installing an ircd which can require passwords: 1) the password capacity has existed for the past 8-9 years at least. 2) this doesn’t provide significant system-level security. It prevents people from coming and screwing with your conversations, I guess. 3) The hybrid ircd (current 6.x and 7 beta both) has unpublished holes in it anyway. Thank you, drive through.

    P.P.S. I’m not a user here and someone just pointed me to this thread. I’m not going to read responses, and if the folks who feel flamed by this message don’t appreciate my tone, then filter my message through some nicifier with lots of smileys and just read the constructive bits, of which there are several.

    1. remember, i have weapons in the house

      if you resort to using djbdns, i will KILL YOU IN MOST INHUMANE WAYS…

      now there, i’ve just opened myself up for attack by cronies of dan bernstein.
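The setuid/setgid inventory that post 2/2 above recommends, as an added example that is not part of the original post or any commenter's code. It finds every file on a filesystem with the setuid or setgid bit, reports the ones missing from an explicit allowlist, and can strip the bit from the rest, which is the "bare minimum" the spiel asks for. It assumes Linux with a POSIX find and ls; the allowlist file, its default path /root/suid-allow.txt, and the script name are assumptions for the example, and the files the test creates are constructed, not real system binaries.

```bash
#!/bin/bash
# Added example (not from the page or its commenters): inventory every
# setuid/setgid file on a filesystem, report the ones that are not on an
# explicit allowlist, and optionally strip the bit. Assumes Linux with a
# POSIX find and ls; the allowlist holds one absolute path per line.

# Print all regular files under $1 with the setuid or setgid bit set.
# -xdev keeps the scan on one filesystem (/proc, /sys and NFS mounts are
# noise at best); run once per real filesystem.
find_setuid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Report setuid/setgid files under $1 that are not listed in allowlist $2,
# one per line as "<mode> <owner>:<group> <path>".
audit_setuid() {
    local root=$1 allow=$2 f
    find_setuid_files "$root" | while IFS= read -r f; do
        grep -qxF -- "$f" "$allow" && continue
        printf '%s %s\n' "$(ls -ld -- "$f" | awk '{print $1, $3 ":" $4}')" "$f"
    done
}

# Remove the setuid and setgid bits from $1. Afterwards only root (or a
# sudo rule naming the binary, as the spiel suggests) can use the
# privileged functionality.
drop_setuid() {
    chmod u-s,g-s -- "$1"
}

# Usage on a live host (as root):
#   printf '%s\n' /bin/su /usr/bin/sudo /usr/bin/passwd > /root/suid-allow.txt
#   ./audit-setuid.sh /           # report only
#   ./audit-setuid.sh / --fix     # report, then strip every unlisted bit
# Anything unexpected in the report (a setuid shell, a file under /tmp, a
# binary whose name you do not recognise) is evidence as well as a finding:
# copy it off the box before touching it.
if [ -n "${1:-}" ]; then
    audit_setuid "$1" "${ALLOWLIST:-/root/suid-allow.txt}" | while read -r mode owner path; do
        printf '%s %s %s\n' "$mode" "$owner" "$path"
        [ "${2:-}" = "--fix" ] && drop_setuid "$path"
    done
fi
```

Build the allowlist from a clean install of the same distribution rather than from the compromised box, otherwise a setuid backdoor the intruder planted simply gets allowlisted. On a box that has already been rooted the report is a triage aid, not a fix: the "nuke and pave" advice above still stands, since a kernel-level rootkit can hide files from find as easily as it hides sockets from netstat.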

  7. I laugh at your misfortune.

    You got r00ted and you didn’t reinstall?

    Well, now you get to do what you should have done the first time around. Perhaps you will even learn a lesson or six.
