xfce.org/lunar-linux.org server nearly hacked

Auke Kok sofar at lunar-linux.org
Tue Jul 26 19:56:42 UTC 2005


Dear all,

It's not very often that I have less good news to report but in this 
case I think there's something to learn from it. It's also important for 
all lunar and xfce users to realize how they should treat downloads from 
important sites like ours. (remember debian got owned?).

In the last period, espresso (our main projects' server for both Xfce 
and Lunar-Linux) was compromised. An xmlrpc exploit from the shelf was 
used to upload a backdoor that fortunately was unusable thanks to the 
strict firewall rules we apply. Fortunately this stopped the attacker, 
most likely a "script kiddie". As far as we can see no information was 
leaked or files compromised/altered.

On one of my personal servers, which runs non-important data, I found a 
similar xmlrpc exploit and 3 rootkits, which the attacker managed to 
upload due to me screwing up the firewall rules (a very very stupid 
typo). The 3 rootkits failed due to me keeping the box up2date.

Both "script kiddies" got very close to gaining a root shell and if they 
had had _some_ knowledge of hacking, most certainly _would_ have 
gotten root access. Only thanks to the fact that I keep my systems very 
up2date and relatively secure (grsec, acls) the exploits failed.

So, what's to learn?

- Always check php scripts and xmlrpc code. Never trust it.
- Mount /tmp and world-writable mountpoints with noexec, this will stop 
most OOTB exploits immediately as the rootkit or backdoor will fail to 
execute.
- Don't trust the hacker that knocks on your door to be as stupid as 
these two script kiddies. They might be as smart as you, or worse for 
you: as smart as me.
- Use a good firewall

Generally: make it everything _but_ easy for them.

but most importantly:

- backup your data!!!
- keep your boxes up2date


sleep tight.

sofar
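The "mount /tmp and other world-writable mountpoints with noexec" advice above is easy to state and easy to get wrong (a typo in the firewall rules is exactly the kind of thing the post describes). Below is an added example, not code from the original post or from the Lunar/Xfce projects, of a small POSIX shell audit that reads /proc/mounts-style lines and reports every watched mountpoint that is either not a separate mount at all (so it silently inherits its parent's exec permission) or lacks noexec, nosuid or nodev. The mount lines it runs on by default are a constructed sample; the watch list and the option names are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: audit mount options of world-writable mountpoints.
# Reads /proc/mounts-format lines from $MOUNTS and reports missing hardening.

# Constructed sample of /proc/mounts output (not taken from a real host):
# /tmp and /dev/shm are separate mounts but lack noexec; /var/tmp is fully
# hardened; /home is a plain rw mount and is not in the watch list.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda3 /var/tmp ext3 rw,noexec,nosuid,nodev 0 0
/dev/sda4 /home ext3 rw 0 0
shm /dev/shm tmpfs rw,nosuid,nodev 0 0'

# Mountpoints that are world-writable by convention (assumed watch list).
WATCH_LIST="/tmp /var/tmp /dev/shm"

# missing_hardening: prints one line per finding, either
#   "MOUNTPOINT OPTION"                (option absent from a separate mount)
#   "MOUNTPOINT not-a-separate-mount"  (path inherits its parent's options)
# and returns 1 if anything was printed, 0 if all watched mounts are hardened.
missing_hardening() {
    printf '%s\n' "$MOUNTS" | awk -v watch="$WATCH_LIST" '
        # field 2 is the mountpoint, field 4 the comma-separated option list
        { opts[$2] = $4 }
        END {
            n = split(watch, w, " ")
            k = split("noexec nosuid nodev", want, " ")
            for (i = 1; i <= n; i++) {
                mp = w[i]
                if (!(mp in opts)) {
                    print mp " not-a-separate-mount"; bad++; continue
                }
                split("", seen)            # portable way to clear the array
                m = split(opts[mp], o, ",")
                for (j = 1; j <= m; j++) seen[o[j]] = 1
                for (j = 1; j <= k; j++)
                    if (!(want[j] in seen)) { print mp " " want[j]; bad++ }
            }
            exit bad ? 1 : 0
        }'
}

# count_missing: number of findings, as a bare integer on stdout.
count_missing() {
    missing_hardening | wc -l | tr -d ' '
}

# Default to the constructed sample; on a live box run:
#   MOUNTS=$(cat /proc/mounts) sh audit_mounts.sh
MOUNTS="${MOUNTS:-$SAMPLE_MOUNTS}"
if missing_hardening; then
    echo "OK: all watched mountpoints are noexec,nosuid,nodev"
else
    echo "WARN: $(count_missing) hardening gap(s) found"
fi
```

A non-separate mount is reported as a finding on purpose: a /tmp that is just a directory on the root filesystem cannot be given noexec at all, so the fix there is to put it on its own (tmpfs or dedicated) mount first. The check is advisory only; noexec does not stop an attacker from running an interpreter on a script in /tmp, it just removes the "drop binary, chmod +x, run it" path that the canned rootkits in the post relied on.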