Under Hack Attack!

Post by Chris Willia » Tue, 23 Feb 1999 04:00:00



Hey folks,

My web site has been hacked three times in the last year. My assumption
is that the holes originate from some poorly written CGI's. What is the
best way to protect from this happening again? This is killing me!

I've set up a stand alone server and have re-written all CGI's to ensure
only acceptable characters are allowed. I've checked all permissions,
disabled every service except httpd and telnet, and I plan on running
SATAN to sniff out some other possible holes.

Anyone have any good links on security? Does anyone know how someone
gets into the server through the CGI's??

Any advice would be greatly appreciated.

Thanks,
Kafka


Under Hack Attack!

Post by Eric Turne » Tue, 23 Feb 1999 04:00:00


The best advice I can give for your CGI scripts is, when you check for
proper input by the user, check for values that you WILL allow rather
than values that you WON'T allow. If something in the input doesn't
match up with the "approved list" then reject it.

Check out http://www.cert.org/

Eric Turner


> Hey folks,

> My web site has been hacked three times in the last year. My assumption
> is that the holes originate from some poorly written CGI's. What is the
> best way to protect from this happening again? This is killing me!

> I've set up a stand alone server and have re-written all CGI's to ensure
> only acceptable characters are allowed. I've checked all permissions,
> disabled every service except httpd and telnet, and I plan on running
> SATAN to sniff out some other possible holes.

> Anyone have any good links on security? Does anyone know how someone
> gets into the server through the CGI's??

> Any advice would be greatly appreciated.

> Thanks,
> Kafka


--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
You can send something to me securely by encrypting it using PGP.

Free PGP software is available from http://bs.mit.edu:8001/pgp-form.html
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
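An added illustration of the allow-list rule Eric describes (example code written for this thread, not something any poster supplied). The field names and patterns are assumed for a hypothetical CGI form; the deny-list function beside it shows why stripping "bad" characters is not enough.

```python
import re

# Allow-list: the only shapes each CGI parameter may take. Anything else is rejected,
# not "cleaned". \A and \Z are used instead of ^ and $ because $ would still match
# before a trailing newline, letting "kafka\n" through.
ALLOWED = {
    "user": re.compile(r"\A[a-z][a-z0-9_]{0,15}\Z"),               # unix-style login name
    "file": re.compile(r"\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\Z"),   # bare filename, no '/'
    "page": re.compile(r"\A[0-9]{1,4}\Z"),                         # small integer
}

def validate(params):
    """Return (True, cleaned_params) or (False, reason). Unknown fields are rejected too."""
    clean = {}
    for name, value in params.items():
        pattern = ALLOWED.get(name)
        if pattern is None:
            return False, f"unexpected field {name!r}"
        if not pattern.match(value):
            return False, f"field {name!r} has a disallowed value"
        clean[name] = value
    return True, clean

# The deny-list approach the post argues against: remove a few "dangerous" characters
# and pass the rest on. Whatever is not on the list (here, '.' and '/') goes straight through.
BANNED = ";|&`$<>"

def sanitise_denylist(value):
    return "".join(ch for ch in value if ch not in BANNED)
```

The deny-list version leaves `../secret.txt` untouched, while the allow-list rejects it because a filename may not start with a dot or contain a slash.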


Under Hack Attack!

Post by Jukka-Pekka Suomine » Wed, 24 Feb 1999 04:00:00



> Hey folks,
> disabled every service except httpd and telnet, and I plan on running
> SATAN to sniff out some other possible holes.

Hi there!

I might not be the right person to answer this, since I haven't really
got any experience on administrating a linux box where security would be
a big issue, but... Here at school we have a linux box, and due to
increased security needs telnetting to the box is no longer available.
Instead we use ssh for remote connections. It should be a lot safer than
telnet.

Well, if I'm wrong, please correct me, coz security is a big issue, and
I'd hate to mislead people on this. Also, I can't recall where to get
ssh, but it should be rather easy to find...

Hope this did any good...

JP


Under Hack Attack!

Post by Heinieger Marce » Wed, 24 Feb 1999 04:00:00


SATAN is obsolete and the project was stopped and integrated into a new project,
SAINT.
more info :
http://www.wwdsi.com/

cu
Marcel Heiniger


>Hey folks,

>My web site has been hacked three times in the last year. My assumption
>is that the holes originate from some poorly written CGI's. What is the
>best way to protect from this happening again? This is killing me!

>I've set up a stand alone server and have re-written all CGI's to ensure
>only acceptable characters are allowed. I've checked all permissions,
>disabled every service except httpd and telnet, and I plan on running
>SATAN to sniff out some other possible holes.

>Anyone have any good links on security? Does anyone know how someone
>gets into the server through the CGI's??

>Any advice would be greatly appreciated.

>Thanks,
>Kafka



Under Hack Attack!

Post by M. Buchenried » Wed, 24 Feb 1999 04:00:00


[...]

>Here at school we have a linux box, and due to
>increased security needs telnetting to the box is no longer available.
>Instead we use ssh for remote connections. It should be a lot safer than
>telnet.

[...]

It is. Telnet connections transfer plain-text passwords. ssh doesn't.

Michael
--

          Lumber Cartel Unit #456 (TINLC) & Official Netscum
   Note: If you want me to send you email, don't mungle your address.


Under Hack Attack!

Post by Glenn Valent » Thu, 25 Feb 1999 04:00:00




> [...]

> >Here at school we have a linux box, and due to
> >increased security needs telnetting to the box is no longer available.
> >Instead we use ssh for remote connections. It should be a lot safer than
> >telnet.

> [...]

> It is. Telnet connections transfer plain-text passwords. ssh doesn't.

> Michael
> --

>           Lumber Cartel Unit #456 (TINLC) & Official Netscum
>    Note: If you want me to send you email, don't mungle your address.

My experience is that once they gain root access, they replace a bunch of
executables like ls and df and such that always give them access even though
you have changed your system to block these guys.

I would re-load everything and only use ssh to log in with. Shut down all
services as well and use the tcp wrappers package.

--





Under Hack Attack!

Post by Howar » Thu, 25 Feb 1999 04:00:00


Also look for processes that are suid root. This is the easiest way to
create a root jumper. Also it will not log in the sulog.

As the other posts mention, these may be simply copies of ksh or sh; however,
hiding them as ls, cp etc. gives the users a reasonable amount of stealth.

As mentioned before - reload time
Regards
H



>[...]

>>Here at school we have a linux box, and due to
>>increased security needs telnetting to the box is no longer available.
>>Instead we use ssh for remote connections. It should be a lot safer than
>>telnet.

>[...]

>It is. Telnet connections transfer plain-text passwords. ssh doesn't.

>Michael
>--

>          Lumber Cartel Unit #456 (TINLC) & Official Netscum
>   Note: If you want me to send you email, don't mungle your address.
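An added example covering the two detection points raised by Glenn (replaced ls/df binaries) and Howard (setuid-root files used as a root jumper); it is written for this thread, not code from any poster. It keeps a hash baseline of a directory tree taken from a known-good state and reports modified, new, missing and newly setuid-root files; the sample tree in demo() is constructed in a temp directory so it runs offline.

```python
import hashlib
import os
import stat
import tempfile

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()
def is_setuid_root(st):
    """True for a regular file that is setuid and owned by uid 0 (a 'root jumper')."""
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_ISUID) and st.st_uid == 0
def build_baseline(root):
    """Trusted snapshot of every regular file under root: relpath -> (sha256, setuid_root)."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if stat.S_ISREG(st.st_mode):
                baseline[os.path.relpath(p, root)] = (sha256_of(p), is_setuid_root(st))
    return baseline
def verify(root, baseline):
    """Re-scan root and report anything that differs from the trusted baseline."""
    current = build_baseline(root)
    findings = []
    for rel, (digest, suid) in current.items():
        old = baseline.get(rel)
        if old is None:
            findings.append(("new", rel))              # dropped file, e.g. a hidden shell copy
        elif old[0] != digest:
            findings.append(("modified", rel))         # e.g. a trojaned ls or df
        if suid and (old is None or not old[1]):
            findings.append(("new-setuid-root", rel))  # setuid root that was not there before
    findings.extend(("missing", rel) for rel in baseline if rel not in current)
    return sorted(findings)
def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
def demo():
    """Constructed sample: baseline two 'binaries', then replace one and drop a new file."""
    root = tempfile.mkdtemp()
    _write(root, "bin/ls", b"original ls")
    _write(root, "bin/df", b"original df")
    baseline = build_baseline(root)
    _write(root, "bin/ls", b"backdoored ls")          # simulated replacement of ls
    _write(root, "bin/.sh", b"dropped by intruder")   # new file, not in the baseline
    return verify(root, baseline)
```

The baseline must be stored off the machine (or on read-only media) to be of any use, since an intruder with root can rewrite a baseline kept locally just as easily as the binaries themselves.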