On Fri, 2003-12-05 at 16:39, alandd@consultpros.com wrote:
> > what is pan2?
> > We just got hacked, and looking in the root's .bash_history, they
> > downloaded pan2 from a .ro server, and it's still running. I was just
> > wondering what that is..i can't seem to get a clear answer from google.
>
> Side question that you probably want to ignore for now: Could you tell us
> about your setup and how you think the cracker got in?
>
> I am just curious about the whole story. How are you connected to the
> net? What firewall technology you were using? Was the box at home, work,
> co-lo? What OS? How did you discover the break-in? Etc.
>
> Right now, you need to do investigations and get secure again. But, at
> some point, I'd like to learn from your experience.
>
> Alan

It was a work box, behind a DSL line and in the DMZ..my main server is pretty hardened, and has its own firewall in front of it. The hacked box was our web-server. My guess is it was a rootkit, some script-kiddie tool. Honestly, i was asking for it. It was an old Mandrake 8.0 box i set up a few years ago, and updating rpms is a pain in the ass unless you're willing to upgrade your whole OS. Nothing new or exciting. I _was_ planning on upgrading it to debian...i guess that priority just shot up to #1.

I could tell cuz it was a very sloppy hack...php.ini was changed to default, so that broke some stuff as my includes were in a non-default location. That's what caused me to start looking into the box. The date on that file was yesterday...and nobody here at work changed it. /sbin/init also had a date of yesterday, too...which not only put up a red-flag in my head, but also set off an alarm like a broken car-alarm..that zaps passersby and kicks them...Ya. it started off as one of those days.

mandrake has some nice security stuff, such as medusa. It logs open network connections...the third of december had normal stuff (http, ftp, ssh), and today had a program called dsniff-st (network auditing tool) listening, as well as other anonymous broadcast listening programs running. Like i said, i had a suspicion with php.ini being changed, but the biggest flag raised was a changed init...i'm also sure a kernel-module MUST be installed, but of course, it's obfuscated.

Right now, i'm working on installing debian on a different machine, then i'm going to take the hard-drive of the old machine and metaphorically take it out back and shoot it. I was planning on installing snort on a few machines (standalone nids, with a hids on our main server)...so as things install, i'm reading "Intrusion Detection with Snort"..Koziol, sams publishing. Instead of coding this weekend, i guess i'll be reading that instead.

As i'm reading the book, a theme keeps getting repeated...you have to know your infrastructure. Snort isn't a silver bullet, and is only useful if you understand what is and isn't normal behaviour. If i was away, a co-worker probably wouldn't have bothered to know why included files weren't there, and wouldn't become suspicious as to why php.ini had a changed date..which caused me to look at /sbin/init, a very commonly changed file in rooted boxen.
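One way to turn the "know what's normal" lesson above into a routine check, as an added example that is not from anyone in the thread: a small Python baseline-and-compare script that records the sha256 and mtime of critical files and reports what no longer matches, so a changed init or a reset php.ini is flagged without relying on someone noticing a broken include. It assumes the baseline is taken while the host is known-good and stored where the host cannot alter it; the files in demo() are constructed temp files standing in for /sbin/init and php.ini, and a kernel module like the one the post suspects can lie to this check on a live box, so run it from clean boot media against the mounted disk.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def fingerprint(path):
    """sha256, size and mtime of one file; None if it cannot be read."""
    p = Path(path)
    try:
        st = p.stat()
        digest = hashlib.sha256(p.read_bytes()).hexdigest()
    except OSError:
        return None
    mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat()
    return {"sha256": digest, "size": st.st_size, "mtime": mtime}


def build_baseline(paths):
    """Snapshot taken while the host is known-good; keep it off-box or read-only."""
    return {p: fingerprint(p) for p in paths}


def compare(baseline, current):
    """Return (path, reason) for every watched file that no longer matches."""
    findings = []
    for path, old in baseline.items():
        new = current.get(path)
        if old is None or new is None:
            if old != new:
                findings.append((path, "missing" if new is None else "newly present"))
        elif old["sha256"] != new["sha256"]:
            findings.append((path, "content changed, mtime %s -> %s"
                             % (old["mtime"], new["mtime"])))
        elif old["mtime"] != new["mtime"]:
            # Same bytes, new timestamp: touched or restored; a lead, not proof.
            findings.append((path, "mtime changed, content identical"))
    return findings


def demo():
    """Constructed scenario: baseline an 'init' and a 'php.ini', then swap init."""
    d = Path(tempfile.mkdtemp())
    init, ini = d / "init", d / "php.ini"
    init.write_bytes(b"ORIGINAL INIT BINARY")
    ini.write_text("include_path = /srv/www/includes\n")
    base = build_baseline([str(init), str(ini)])
    init.write_bytes(b"TROJANED INIT BINARY")  # stand-in for the replaced binary
    return compare(base, build_baseline([str(init), str(ini)]))
```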