Juge

Our server was hacked. We believe the hacker sniffed a plain text telnet session. No damage has been found.

We were advised to use SSH, but heard it is exploitable through a buffer overflow.

We are running Linux. What software/protocol should we use to access the server?

GFED

Get F-secure...

__________________
https://www.flow.page/savethechildren

HQ

http://www.f-secure.com/products/ssh/ ?

Hooper

ssh is perfectly secure. the exploit has been patched, but the exploit is largely misunderstood as well.

yes, it's a buffer overflow attack.. but it is one that requires the attacker to *already* be logged into an ssh client..

so they would have to already have a working user/pass in order to use the exploit.

it is largely a problem on shared systems because the attacker can get root priveleges which he/she should not have.

__________________
<a href="http://www.adultplatinum.com/"><img src="http://www.adult.com/wmbanners/10dcash-468x60.gif"></a>

GFED

Yep... That's what I use... I quit using Hyperterm after I learned about SSH...

here's the d/l page... great program...

http://www.f-secure.com/download-purchase/list.shtml

__________________
https://www.flow.page/savethechildren

HQ

Interesting. I was suggested to use PuTTy,
http://www.chiark.greenend.org.uk/~sgtatham/putty/, for an SSH client and shut off telnet access to my servers completely. Have you heard of it? If so, how is it?

Dusen

I acutally prefer putty. I have used SecureCRT, and a few others and I find that putty suits my needs fine, and it's FREE.

I vote use putty.

Dusen

And ANY ssh client is preferable to Telnet. No matter your reservations about the exploit, remember you were just sending plain text commands to your server.

I don't even have telnet enabled on my boxes.

Jake

High Quality

SSH is the only thing to use.

Wilbo

Make sure you disable telnet also, don't just stop using it.

salsbury

if you are concerned that your telnet session has been sniffed, you need to also stop using FTP and switch to SFTP/FTP over SSH/SCP or something similar. SecureFX supports SFTP.

the reason being, FTP is just as insecure as telnet - it sends passwords in plaintext.

if you do not stop using FTP, you might as well use telnet, too, because you're still just as fucked.

now on to SSH. SSH is more secure, but there have been issues with various versions of it in the past. as is true with any software product, you need to make sure to monitor security lists and install necessary patches. sometimes your host can do this for you, sometimes you need to hire a sysadmin/security admin.

__________________

-=HOAX=-

I use ssh2

__________________
Insert Value Here.

L0stMind

salsbury is correct... you gotta keep up to date on patching.

And just to clear some confusion here, any ssh client is fine, as long as you use ssh. Secure crt, f-secure, putty all use the same protocols... so use any of them, as long as you use ssh.

salsbury

hi Juge.

friendly advice from a random poster.

you need to either upgrade or find someone to upgrade your Apache and PHP versions. it's as likely that the intruder came in through there as it is that they came through telnet. i see ssh isn't even on the server. if your host told you that they didn't install it because of a buffer overflow bug - switch hosts. today.

__________________

crack

Article:
http://www.wired.com/news/linux/0,1411,55172,00.html
Source:
http://crack.sh/hack/Slapper%20Worm.htm

__________________
There is a crack in everything. That's how the light gets in.

Juge

I am disabling telnet access.

I was also told to do the same with FTP, and use SCP file transfer. Does anyone here know anything about that?

Juge

Yes, very true. Thanks.

GFED

Not sure about the SCP file transfer... but F-secure also has a SSH file transfer utility that is pretty sweet...

__________________
https://www.flow.page/savethechildren

Juge

Thanks for the info... I guess you answered me before I asked.

For all of you who use Putty or F-Secure for their SSH protocol, what do you use for FTP?

Juge

I'm geting a new box with all that shit installed. The box I'm on now does not have it enabled. My host isn't making excuses, don't worry. They have been great.

Juge

Thank you for the info, Hooper... we have multiple users on the box, so let's say the hacker has a user/pass of one of the users, could the hacker get su access?

Juge

I guess the new RedHat 7.2 has a program called up2date that can be run to install the new patches at any time (sort of like windows update, huh? ), which is pretty cool... you are right, though, gotta stay with the latest updates.

payrollpete

yeah you should be using ssh instead of just normal telnet

ssh is 128bit encrpted

__________________
<a href="http://www.techiemedia.com"><img src="http://banners.techiemedia.net/techie120.gif">

GFED

For FTP I use WS_FTP Pro.

__________________
https://www.flow.page/savethechildren

-=HOAX=-

The best attitude to adopt is one that assumes the intruder already has root. I think its safe to say that should he have any given user/pass he could have su within a short period. and if he can cover his tracks well, it may even seem as though he is gone. Giving you a false sense of security.

__________________
Insert Value Here.

KC

And POP3 is even more insecure than either telnet or ftp because of the frequency it sends your password across the net in plaintext. You can either use an SSH tunnel or find some other way to encrypt the traffic if you're going to use POP3.

-KC

Juge

I use WS_FTP LE... so, I assume the Pro version has security features?

Juge

Are you fucking serious? This is unreal. I thought this was year 2002, not 1902. When are people going to learn that passwords cannot be sent as text...

Thanks again for the heads up, guys...

GFED

None that I'm aware of... I don't think... but F-secure has a SSH File Transfer utility that is just like an FTP program (I haven't really used it much though)... I usually use Dreamweaver to update/synchronize my files coz it's simpler than loading another program... I only use WS_FTP when I have to install CGI scripts and CHMOD files...

__________________
https://www.flow.page/savethechildren

HQ

Is WS_FTP secure?

KC

No, not if you're using the FTP protocol. The protocol is where the vulnerability exists. Any application that uses that protocol to transfer files sens your username and password across the internet in plain text.

-KC

Diluted O2

The only reason I would take up jogging is so I could hear heavy breathing again. - Erma Bombeck

__________________
<CENTER><a href="http://www.matrixbucks.com/?aid=453817"><IMG src="http://www.mindgoo.com/stoob/banner103.gif"></a></CENTER>

KC

Earth to Diluted02, Come in... Earth to 02, Come in..

GFED

Ummm... have you been huffing too much pure oxygen? heheh

__________________
https://www.flow.page/savethechildren

buran

Hey,

You want to make sure you're using ssh2, in fact. SSH1 has crypto vulnerabilities -- they're unlikely, but possible.

The goal is to make sure that no traffic to your box is using plaintext passwords. Of course, your paysite users are, but those accounts aren't important. If you implement your pop3 accounts as virtual (ie, no associated UNIX account) then you can also start treating those passwords as unimportant (worse case scenario: someone's email gets read)

Another option, setup a VPN between your office and your servers and route all traffic over it. This requires a linux box in the office, but the cost of setting one up is low and the benefits are great.

Don't forget you're just as likely to be sniffed on your local subnet as you are in the colo facility.
Perhaps more likely, if your colo has proper subnets.

As for FTP, I recommend setting up FTP over SSH2 (using SecureFX) or an SFTP client. Either method requires a special client, so you'll have to kiss WS_FTP goodbye. Is it worth it? Only if you don't want to post a GFY thread entitled "We got hacked!"

Staying secure is a matter of staying current, slashdorque will have an item for almost all the vulnerabilities you'll encounter.

Good luck, Buran

__________________
[this signature intentionally left blank]

onlyreal

Use cuteftp pro

sftp and ssh is supported

s0laris2

yes Pop3 is plain text passwords.

if you MUST run pop3 on your server use qmail if running linux. and set it up to use virtual accounts. that way NO system user ids are ever used and if a person captures the password big deal, it is only good for looking at mail :-)

__________________

GFED

Isn't it easier to use PGP than find an alternative to POP3? Any pros/cons?

__________________
https://www.flow.page/savethechildren

KC

PGP can encrypt your mail, but not your passwords... so it doesn't solve the inherent problem with POP3...

Setting up virtual accounts for email boxes... or setting up a VPN... or even an ssh tunnel (which is extremely easy to do) are probably your best bets with the mail.

SecureFX is a great tool for doing secureftp (it works just like the other GUI ftp clients) only it's secure. Your admin will need to do some setup on the backend, but it's worth it.

GFED

Thanks for the quick reply KC.

__________________
https://www.flow.page/savethechildren

TheFLY

Damn this all sux...

Juge

Thanks for the info. I must say that WS_FTP LE sucks big time for chmod of files... it remembers the last file permission set the LAST time you set them. It DOES NOT show you the current permissions of the file you clicked on... completely unintuitive.

So, your dreamweaver is secure in uploading files?

Juge

Buran, thank you for all of your useful information... (and people say GFY is no good for anything! bah!)... yes, this has been a wake up call for me to realize that every damn comminucation that I have been using uses plain text to send password. I feel stupid for not knowing this, but I assumed in this day and age that this would already be taken care of with any OS that was made in the past 5 years. I guess I assumed wrong.

I have no problems dumping WS FTP, I was only using the LE edition anyway, and it was bad. If anyone can confirm that the PRO version is any better, then please let me know. The makers of WS FTP sure cannot tell me the differences, so I must assume they are minimal, and thus they have given me no reason to buy it.

Juge

Yes it does... and I really hope this thread is not just educating me.

My damned password was being transmitted over the net 50 times a day... this was a bomb waiting to explode; it was bound to happen. You all should think about this.

HQ

I know, I hate being bothered by hackers.


So... to recap...

4 FTPing, use SFTP
4 TELNETing, use SSH or SSH2

anything else while it's on your mind?

playa

ok i am bout to get a headache,,
my lack of server knowledge and this thread
is scaring me

GFED

After you CHMOD your files in WS_FTP try refreshing the directory... that works for me...

Yes, DreamweaverMX has a SSH plugin called PUTTY that is secure. I'm not sure about the ealier versions.

__________________
https://www.flow.page/savethechildren

HQ

I already have one. Fucking hackers.

The lesson here is if you are insecure, you will eventually get hacked... it is only a matter of time.

pentae

PuTTy

spanky

The WS_FTP server can use SSL. It is probably one of the only secure ftp servers out there that isn't sftp. I think the pro version of the client is needed to work over SSL .