Visit Our UNIX and Linux User Community


securing a remote box


 
Thread Tools Search this Thread
Special Forums Cybersecurity securing a remote box
# 1  
Old 05-07-2002
securing a remote box

someone has access to my server...

I've got a solaris 7 box with remote access only.
many of the services don't have passwords
and someone recently messed with the shadow file
-the root: line was changed:
. password field was changed to NP
. the number after that was changed too

The intruders seem to be using us to relay spam mainly,
but I'm concerned they may have made other doors.
(I stopped sendmail once and someone else restarted
it later that night.)

I changed the root password

I'm a newbie, so ordered:
"Practical Unix and Internet Security"
O'reilly's Essential System Admin

Books aren't here yet, but anyways...

Where should I begin?

Any other books I should get?

Last edited by sphiengollie; 05-07-2002 at 10:08 PM..
# 2  
Old 05-08-2002
First, you have already been hacked - whether it was from an inside source or outside. You need to build a new server (if possible) and replace the old keeping the old for investigation into who did what.

If you can't do that, then disconnect the server, rebuild it, shut off all services after rebuilding but add ssh to the server. Insure your version of Sendmail is set up to not allow relays. Make sure your group is the only one with root. Don't allow root remote logins. Put it back on-line.

Check out the following links:

To check if you are a open-relay:
Network Abuse Clearinghouse

If you are using Sendmail:
Sendmail


Solaris 7 may have the Sunscreen Lite product for free - use it and
read up on securing your Solaris server.


If you are running more than Sendmail on the server, remove the other apps and put them on their own box. The more a hacker has to use against you the worst off you are.
Search Sunsolve BigAdmin
thehoghunter
# 3  
Old 05-08-2002
limited access blues

The server is located over 1000 miles away...

I have remote access only. (via a windows machine)

It's a Solaris 7 box with many of the system files safe on nfs,
and I've got a backup of everything I had access to from a
week prior to the hack.

Can I just restore from my archive, change all passwords, and
build/install ssh (should I use ssh2 version 3.1.0 or should I
stick to something like v2.0.13)

When setting passwords for things like daemon, bin, sys, adm...
Do I have to make changes to other files (configs) to allow
proper access for services, etc.

Also, thoughts on software like cops or satan?
# 4  
Old 05-08-2002
Quote:
The server is located over 1000 miles away...
It is great that we can telecomute but once in a while, you just have to be there. Our company laid off the only guy we had to do our servers 1300 miles away. The next time one needs an upgrade or service, one of us may have to go there. We have remote access to the console which still allows us to change things all the way down to the boot prom. If you don't have this type of access, you might want to get the equipment and software together and take a road trip.

Quote:
It's a Solaris 7 box with many of the system files safe on nfs
I don't remember who said in these forums, but I'm sure they will respond back with horror at this statement. NFS is not considered secure - it probably the easiest way to get access into your server.

Quote:
I've got a backup of everything I had access to from a week prior to the hack
You better be sure that is prior to the hack or you may miss the files the hacker changed to backdoor you. That is why it should be built from scratch.
thehoghunter
# 5  
Old 05-08-2002
I don't think I said it before, but I'll say it now! Secure on NFS? Is that an oxymoron?

Seriously, bring the box down. Rebuild. Changing passwords won't help a thing if the attacker was decent, or even used to a good rootkit (that are very very easy to find)... He probably replaced a few of your binaries in order to hide himself from ps, netstat, fuser, etc... There's no way to know. I've even seen a few that will not respond to a port scan, but are "activated" when a specially constructed packet hits it.

Reinstall from read-only media (CDROM works well), and use the backup tapes to only move over the old files. leave the binaries behind.

And if you don't do it because it's a hassle, think about all of the people that are being attacked and spammed from your box. On top of that, since you are aware that you have been compromised, you are 100% liable for every attack / spam from that box.
# 6  
Old 05-08-2002
under-budget security and NO time...

If you are trying to help... Forget it!

If I had the time and money, I'd go...
But, I don't! (until mid-summer)

As for the nfs mounted system files that are a CD image,
the other box might be a hole, but that's not my concern.
I've informed that boxes admin, now it's his...

Isn't the CD safe up on the shelf, no one can write to it
without putting it in somesort of device, not even me?
(If you know the trick, please let me know...)

The backup program the admin of nfs system logs files
that have changed. There were a few unknown changes
that couldn't be blamed on anyone who was supposed
to have access about three days ago. The archive is
from prior to that and really seems to be my only option
until more time can be... (like I said "mid-summer")

How should I go about securing this box from here?

Which log files from the hacked box should I be looking
at to discover how they got in? (I think I need to plug
that hole first while keeping an eye out for their next
attempt/hack)

Anything about passwords for things like bin, sys, adm...?

What about cops?

Last edited by sphiengollie; 05-08-2002 at 06:15 PM..
# 7  
Old 05-08-2002
Thanks LivinFree

The NFS system is backed up to CD after any changes to bins...

When I said the nfs system was safe I meant I can have my
buddy stick the CD back in and...

I've shut down my sendmail and no one has restarted it. (yet?)

I think I was the leak... About a week ago while away I needed
to access the box. I was just going to add a user, set his pass,
and got out. I had to connect via telnet. (only option)

I telnet in as a standard user then used ssh root?

Guess someone watching the stream...

Previous Thread | Next Thread
Test Your Knowledge in Computers #728
Difficulty: Medium
Bjarne Stroustrup was awarded the Computer Pioneer Award for pioneering C++.
True or False?

10 More Discussions You Might Find Interesting

1. Shell Programming and Scripting

Notify when the script run(hourly)on my jump-box only when there is a failure on my remote-box

Team, Presently I have a script, which i have set up cron on one of my Jump-boxes,and gives me the output on every hourly basis,fetching the data from the remote machine.Basically it gives me the list of all active users logged and its count once we execute the script.Here the count is... (6 Replies)
Discussion started by: whizkidash
6 Replies

2. Shell Programming and Scripting

Establishing remote connection to a Xserver from a UNIX Box

Hello Guys , I have been working on a script where we are looking to connect a remote Xserver from a Unix box. Once a connection is made , i need to run several commands on remote machine to check various stuffs. As per my knowledge on unix (which is like a drop in ocean) , i found SSH as a... (7 Replies)
Discussion started by: himanshu sood
7 Replies

3. Cybersecurity

securing AIX box

Guys, i want to securing AIX after install by scrath. Is anybody can inform about the standard port which used by AIX? (0 Replies)
Discussion started by: michlix
0 Replies

4. Linux

How to find remote Linux box login account without login in to that box?

Hi, How to find remote Linux box login account without login in to that box? I don't have login account at my remote Linux box. But I need who are all having login account. How do I findout? Thanks, --Muthu. (3 Replies)
Discussion started by: Muthuselvan
3 Replies

5. Linux

Securing remote connections

Hi all, I have a couple of questions I've been searching on internet but I didn't find a suitable solution. The aim is that I'd like to access to my home Linux (an 8.04 Ubuntu) from outside. I already achieved with ssh, but I'd like to secure as much as I can. These are questions: The... (2 Replies)
Discussion started by: AlbertGM
2 Replies

6. UNIX for Dummies Questions & Answers

Transferring files Permission issues in remote box

Hi, I have a directory 'data' which is a symbolic link to /var/opt/store/rawdata/appname on a remote box. I am not able to SFTP some files from my local box to this dir. in the remote box. Also I am not able to copy or move the files in the robot id home dir. in remote box to this data dir... (2 Replies)
Discussion started by: vharsha
2 Replies

7. Shell Programming and Scripting

Pop up dialog box on remote computers

I need to send out messages to over 100 clients in my sector. I want it to pop up a dialog box letting them know to save work and log out. I have the reboot script created just need the warning please. Thanks (35 Replies)
Discussion started by: deaconf19
35 Replies

8. Shell Programming and Scripting

issue a ping on a remote box

Hi there I am running a script on a central box (boxA) that will send a remote request to boxB to perform a ping test to an ip note: I am not pinging boxB from boxA but sending a request over ssh to get boxB to perform a ping test ! The thing is, I want the script back at boxA to know... (4 Replies)
Discussion started by: hcclnoodles
4 Replies

9. UNIX for Dummies Questions & Answers

remote x session to a server box w/no IO

I am trying to connect to a unix server box and start an X session. It has kde and xfree86 installed. However, since it is just a server, sitting somehwere in another state probably on top of and below other servers, it has no mouse,keyboard,or monitor attached to it. When I try to startx, I... (2 Replies)
Discussion started by: SnakeO
2 Replies

10. UNIX for Dummies Questions & Answers

Beginner: Securing a Unix box

Newbie in the Unix world here....trying to load Solaris 2.8 AGAIN, and trying to secure the box this time. Any suggestions anyone? Any tips? Appreciate your help, gurus! TIA, trigeek8888 (2 Replies)
Discussion started by: trigeek8888
2 Replies

Featured Tech Videos