Comments on: My blog was defaced yesterday

By: Guss

Guss — Tue, 07 Aug 2007 16:39:58 +0000

Avi: I actually had a server that was attacked and an IRC bot installed. It was fairly educational experience

Leo: Thanks for the offer, I’ll try that. But the problem was not brute forcing the password as I initially thought: check the post update.

By: Leo

Leo — Tue, 07 Aug 2007 14:43:19 +0000

To minimize risks of actually using FTP at all, you should configure/change to software that will allow you to lock IP / account after number of failed attempts. This will prevent brute forcing your server.

By: How to Get Attacked :: Avi Alkalay

How to Get Attacked :: Avi Alkalay — Tue, 07 Aug 2007 14:38:59 +0000

[...] noticed Oded’s blog was attacked which make me remember some [...]

By: Avi Alkalay

Avi Alkalay — Tue, 07 Aug 2007 14:28:08 +0000

I was once invited to analyze a Linux machine that was invaded. I ended up writing an article about it to the brazilian Linux Magazine.

The problem with the machine was a VERY weak root password. We could also find the tools they used to break that machine, cause they have installed it to attack other machines.

We could see a file containing about 18000 user+password combinations, a modified SSH client and a script that runs it all based on an IP range.

In our case, the attack was silent. They just wanted to use the machine to attack other machines. Pretty stupid.

It easy to learn about this attacks. Just connect to the Internet a machine with a plain Linux installation and ‘passw0rd’ as the root’s password, wait 1 or 2 weeks and your machine will be attacked. One way to verify the crackers are already in is to reinstall the netstat command (because they’ll modify your previous one) and see if there is some connection to IRC ports (around 6667).

If you investigate this IRC bot you’ll able to connect the IRC server, find the chat room, and actually talk to the cracker. I did this once and was not very funny.

Take care Oded !

By: Guss

Guss — Mon, 06 Aug 2007 23:09:58 +0000

I have a checksumming software – I use Mandriva’s msec, but it does not monitor the hosted websites, because files change there all the time (as people updated their websites), so I didn’t get a notification for that. My first clue was Avi’s email that he sent after checking my site and seeing that it was defaced. As the attackers didn’t do anything to my site other then put in an index.html, and as the bookmark I use to go to my site is directly to the blog, there would have been no other way for me to notice the problem.

After I identified the attack vector as the FTP access (I checked SSH and couldn’t find problems, and FTP was next), I looked in the logs for files that were recently uploaded to the compromised accounts, and just removed everything I found. I was lucky because I never use FTP to upload files to the site (only file transfers over SSH) and the second account is not very active – its a commercial website that doesn’t update often, so it was easy to identify malicious files. Once I got the files that were uploaded, I could analyze them – some were harmless HTML files, others were less harmless. The rootkit wasn’t successfully installed – I found the C file for the exploit that was uploaded by the attackers, but the attacker never managed to actually run the exploit.

Anyway – I was too early to rejoice. Apparently I didn’t block entirely enough of the attacker’s usable IP range, and worse – changing the password didn’t prevent them from logging in again, and so my website was targeted again – this time a phishing scam website was uploaded. I now blocked the attackers entire ISP and I need to figure out how they gain FTP access, ASAP.

By: Jonatan

Jonatan — Mon, 06 Aug 2007 21:48:45 +0000

Hi,
can you explain me who did you detected the modfiled files that uploaded? who did you detected the rootkit? do you have some kind of a checksum software?