xfce.org/lunar-linux.org server nearly hacked
Auke Kok
sofar at lunar-linux.org
Tue Jul 26 21:56:42 CEST 2005
Dear all,
It's not very often that I have less good news to report but in this
case I think there's something to learn from it. It's also important for
all lunar and xfce users to realize how they should treat downloads from
important sites like ours. (remember debian got owned?).
In the last period, espresso (our main projects' server for both Xfce
and Lunar-Linux) was compromised. An xmlrpc exploit from the shelf was
used to upload a backdoor that fortunately was unusable thanks to the
strict firewall rules we apply. Fortunately this stopped the attacker,
most likely a "script kiddie". As far as we can see no information was
leaked or files compromised/altered.
On one of my personal servers, which runs non-important data, I found a
similar xmlrpc exploit and 3 rootkits, which the attacker managed to
upload due to me screwing up the firewall rules (a very very stupid
typo). The 3 rootkits failed due to me keeping the box up2date.
Both "script kiddies" got very close to gaining a root shell and if they
would have had _some_ knowledge of hacking, most certainly _would_ have
gotten root access. Only thanks to the fact that I keep my systems very
up2date and relatively secure (grsec, acls) they exploits failed.
So, what's to learn?
- Always check php scripts and xmlrpc code. Never trust it.
- Mount /tmp and world-writeable mountpoints with noexec, this will stop
most OOTB exploits immediately as the rootkit or backdoor will fail to
execute
- Don't trust the hacker that knocks on your door to be as stupid as
these two script kiddies. They might be as smart as you, or worse for
you: as smart as me.
- Use a good firewall
Generally: make it everything _but_ easy for them.
but most importantly:
- backup your data!!!
- keep your boxes up2date
sleep tight.
sofar
More information about the Xfce
mailing list