[PLUG] Joe Jobbed

Aaron Burt aaron at bavariati.org
Fri Oct 5 16:47:36 UTC 2007


On Fri, Oct 05, 2007 at 09:13:49AM -0700, Rich Shepard wrote:
> On Fri, 5 Oct 2007, Michael Rasmussen wrote:
> 
> > "The vast majority of the threats we saw were rootkitted Linux boxes,
> > which was rather startling. We expected Microsoft boxes," he said.
> 
>    Unpatched boxes ... for whatever reason? No firewalls or IP table rules?
> Other reasons?

From my experience:
 * Standard accounts (root, etc) with default or trivial passwords
 * Exploitable web applications (PHP apps are not the only offenders here)
 * Exploitable daemons (FTP and others)
 * Kernel exploits to gain root from user access 

The first is (l)user error on the part of the sysadmin.  The other three
are "unpatched boxes", which is a common condition if the sysadmins are not
perfectly disciplined about tracking and updating what's on their boxes.

It's easy to stay patched if you're running a current distro and
every bit of software was installed with APT or YUM or whatever.

But many hosts are running distros that were installed years ago, hacked
into submission with random tarballs and then ignored until the next
time someone starts shouting about some new website feature.

One of my boxes got hit when a brute-force SSH login script guessed a
password for a test account.  They attempted to get root but failed (I
do a regular apt-get update so it's well-patched) and so they settled
for running a userspace thingy to sling traffic around.

It's nice to have chkrootkit around, but of course you can't really
trust what a rooted machine tells you.  I just keep an eye out for
suspicious net traffic.

Running a current distro with APT or YUM or whatever and a huge
selection of maintained packages (e.g. Debian and its derivatives) saves
a *LOT* of hassle in keeping systems patched and running.
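A defender-side illustration of the SSH password-guessing scenario described above, added here and not part of the original post: a small Python scanner over constructed sshd log lines (sample data, not from anyone's real system) that flags a source address reaching a failure threshold and, more importantly, a successful login from a source that had already been failing, which is the pattern of a guessed password.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not from the original post): a
# password-guessing run against a test account that eventually succeeds,
# followed by a legitimate user who mistypes once and then uses a key.
SAMPLE_AUTH_LOG = """\
Oct  5 03:12:01 host sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2
Oct  5 03:12:03 host sshd[4103]: Failed password for test from 203.0.113.7 port 50214 ssh2
Oct  5 03:12:05 host sshd[4105]: Failed password for test from 203.0.113.7 port 50219 ssh2
Oct  5 03:12:07 host sshd[4107]: Failed password for test from 203.0.113.7 port 50223 ssh2
Oct  5 03:12:09 host sshd[4109]: Failed password for test from 203.0.113.7 port 50228 ssh2
Oct  5 03:12:11 host sshd[4111]: Accepted password for test from 203.0.113.7 port 50231 ssh2
Oct  5 03:20:44 host sshd[4200]: Failed password for aaron from 198.51.100.9 port 41002 ssh2
Oct  5 03:20:50 host sshd[4202]: Accepted publickey for aaron from 198.51.100.9 port 41003 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def analyze_auth_log(text, threshold=4):
    """Return (failures_per_ip, alerts).

    An alert is raised once a source IP reaches `threshold` failed logins,
    and again if a login later succeeds from a source that had already hit
    the threshold: that second alert is the one worth waking up for."""
    failures = defaultdict(int)
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated sshd/syslog noise
        ip, user, result = m["ip"], m["user"], m["result"]
        if result == "Failed":
            failures[ip] += 1
            if failures[ip] == threshold:
                alerts.append(f"brute-force from {ip}: {threshold} failures")
        elif failures.get(ip, 0) >= threshold:
            alerts.append(f"success after {failures[ip]} failures: {user} from {ip} via {m['method']}")
    return dict(failures), alerts

if __name__ == "__main__":
    for alert in analyze_auth_log(SAMPLE_AUTH_LOG)[1]:
        print(alert)
```

The single mistyped password from 198.51.100.9 stays below the threshold and produces no alert, while the guessing run against the test account produces both.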