We got HACKED!
 

Our server was hacked. We believe the hacker sniffed a plain text telnet session. No damage has been found.

We were advised to use SSH, but heard it is exploitable through a buffer overflow.

We are running Linux. What software/protocol should we use to access the server?

Get F-secure...

http://www.f-secure.com/products/ssh/ ?

ssh is perfectly secure. the exploit has been patched, but the exploit is largely misunderstood as well.

yes, it's a buffer overflow attack.. but it is one that requires the attacker to *already* be logged into an ssh client..

so they would have to already have a working user/pass in order to use the exploit.

it is largely a problem on shared systems because the attacker can get root priveleges which he/she should not have.

Yep... That's what I use... I quit using Hyperterm after I learned about SSH...

here's the d/l page... great program...

http://www.f-secure.com/download-purchase/list.shtml

Interesting. I was suggested to use PuTTy,
http://www.chiark.greenend.org.uk/~sgtatham/putty/, for an SSH client and shut off telnet access to my servers completely. Have you heard of it? If so, how is it?

I acutally prefer putty. I have used SecureCRT, and a few others and I find that putty suits my needs fine, and it's FREE.

I vote use putty.

:2 cents:

And ANY ssh client is preferable to Telnet. No matter your reservations about the exploit, remember you were just sending plain text commands to your server.

I don't even have telnet enabled on my boxes.

Jake

SSH is the only thing to use.

Make sure you disable telnet also, don't just stop using it.

if you are concerned that your telnet session has been sniffed, you need to also stop using FTP and switch to SFTP/FTP over SSH/SCP or something similar. SecureFX supports SFTP.

the reason being, FTP is just as insecure as telnet - it sends passwords in plaintext.

if you do not stop using FTP, you might as well use telnet, too, because you're still just as fucked.

now on to SSH. SSH is more secure, but there have been issues with various versions of it in the past. as is true with any software product, you need to make sure to monitor security lists and install necessary patches. sometimes your host can do this for you, sometimes you need to hire a sysadmin/security admin.

I use ssh2

salsbury is correct... you gotta keep up to date on patching.

And just to clear some confusion here, any ssh client is fine, as long as you use ssh. Secure crt, f-secure, putty all use the same protocols... so use any of them, as long as you use ssh.

hi Juge.

friendly advice from a random poster.

you need to either upgrade or find someone to upgrade your Apache and PHP versions. it's as likely that the intruder came in through there as it is that they came through telnet. i see ssh isn't even on the server. if your host told you that they didn't install it because of a buffer overflow bug - switch hosts. today.

Article:
http://www.wired.com/news/linux/0,1411,55172,00.html
Source:
http://crack.sh/hack/Slapper%20Worm.htm

I am disabling telnet access.

I was also told to do the same with FTP, and use SCP file transfer. Does anyone here know anything about that?

Yes, very true. Thanks.

Not sure about the SCP file transfer... but F-secure also has a SSH file transfer utility that is pretty sweet...

Thanks for the info... I guess you answered me before I asked. :)

For all of you who use Putty or F-Secure for their SSH protocol, what do you use for FTP?

I'm geting a new box with all that shit installed. The box I'm on now does not have it enabled. My host isn't making excuses, don't worry. They have been great.

Thank you for the info, Hooper... we have multiple users on the box, so let's say the hacker has a user/pass of one of the users, could the hacker get su access?

I guess the new RedHat 7.2 has a program called up2date that can be run to install the new patches at any time (sort of like windows update, huh? :) ), which is pretty cool... you are right, though, gotta stay with the latest updates.

yeah you should be using ssh instead of just normal telnet

ssh is 128bit encrpted

For FTP I use WS_FTP Pro. :)

The best attitude to adopt is one that assumes the intruder already has root. I think its safe to say that should he have any given user/pass he could have su within a short period. and if he can cover his tracks well, it may even seem as though he is gone. Giving you a false sense of security.

And POP3 is even more insecure than either telnet or ftp because of the frequency it sends your password across the net in plaintext. You can either use an SSH tunnel or find some other way to encrypt the traffic if you're going to use POP3.

-KC

I use WS_FTP LE... so, I assume the Pro version has security features?

Are you fucking serious? This is unreal. I thought this was year 2002, not 1902. When are people going to learn that passwords cannot be sent as text...

Thanks again for the heads up, guys...

None that I'm aware of... I don't think... but F-secure has a SSH File Transfer utility that is just like an FTP program (I haven't really used it much though)... I usually use Dreamweaver to update/synchronize my files coz it's simpler than loading another program... I only use WS_FTP when I have to install CGI scripts and CHMOD files... :)

Is WS_FTP secure?

No, not if you're using the FTP protocol. The protocol is where the vulnerability exists. Any application that uses that protocol to transfer files sens your username and password across the internet in plain text.

-KC

The only reason I would take up jogging is so I could hear heavy breathing again. - Erma Bombeck

Earth to Diluted02, Come in... Earth to 02, Come in..

Ummm... have you been huffing too much pure oxygen? heheh :)

Hey,

You want to make sure you're using ssh2, in fact. SSH1 has crypto vulnerabilities -- they're unlikely, but possible.

The goal is to make sure that no traffic to your box is using plaintext passwords. Of course, your paysite users are, but those accounts aren't important. If you implement your pop3 accounts as virtual (ie, no associated UNIX account) then you can also start treating those passwords as unimportant (worse case scenario: someone's email gets read)

Another option, setup a VPN between your office and your servers and route all traffic over it. This requires a linux box in the office, but the cost of setting one up is low and the benefits are great.

Don't forget you're just as likely to be sniffed on your local subnet as you are in the colo facility.
Perhaps more likely, if your colo has proper subnets.

As for FTP, I recommend setting up FTP over SSH2 (using SecureFX) or an SFTP client. Either method requires a special client, so you'll have to kiss WS_FTP goodbye. Is it worth it? Only if you don't want to post a GFY thread entitled "We got hacked!"

Staying secure is a matter of staying current, slashdorque will have an item for almost all the vulnerabilities you'll encounter.

Good luck, Buran

Use cuteftp pro

sftp and ssh is supported

yes Pop3 is plain text passwords.

if you MUST run pop3 on your server use qmail if running linux. and set it up to use virtual accounts. that way NO system user ids are ever used and if a person captures the password big deal, it is only good for looking at mail :-)

Isn't it easier to use PGP than find an alternative to POP3? Any pros/cons?

PGP can encrypt your mail, but not your passwords... so it doesn't solve the inherent problem with POP3...

Setting up virtual accounts for email boxes... or setting up a VPN... or even an ssh tunnel (which is extremely easy to do) are probably your best bets with the mail.

SecureFX is a great tool for doing secureftp (it works just like the other GUI ftp clients) only it's secure. Your admin will need to do some setup on the backend, but it's worth it.

Thanks for the quick reply KC. :thumbsup