Subject: Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
To: Andy Ruhl <acruhl@gmail.com>
From: Gavan Fantom <gavan@coolfactor.org>
List: netbsd-users
Date: 01/12/2007 16:37:30
Andy Ruhl wrote:
> On 1/12/07, Steven M. Bellovin <smb@cs.columbia.edu> wrote:
>> On Fri, 12 Jan 2007 06:47:41 -0700
>> "Andy Ruhl" <acruhl@gmail.com> wrote:
>>
>> > I'm surprised that a few people think you should start over. I would
>> > seriously hope that a compromised user account wouldn't immediately
>> > prompt paranoia that the box was rooted. I understand that this is a
>> > thought process that needs to take place, but I would hope that NetBSD
>> > is more hardy than that.
>>
>> The odds are not in your favor.  "Reformat and reinstall" is the
>> conventional wisdom, with good reason.
>
> I need to study this then. I understand that there have been many
> escalation type security holes, and usually they are not as vigilantly
> pursued as remote exploits. But I'm really hoping that my box is not
> so fragile that I should worry about being rooted when a user account
> is compromised. Again, I can easily be accused of being an optimist..

Unless your box was severely hardened against malicious local users, you
really should consider it rooted once a local account is compromised.

Now, based on the fact that your particular attacker didn't bother
cleaning logs, and left stuff lying around in /tmp, and processes that
you could see, it's unlikely that this attacker got root.

However, if some idiot who couldn't even root a box given a local
account managed to compromise your server, how can you have confidence
that he is the only one? It's entirely possible that the five others all
got root, installed rootkits and are still there, hiding out.

>> > I always keep my install sets somewhere else so I can do a checksum
>> > against some important programs to see if it's been hacked.
>> >
>> A good starting point, but far from sufficient.  Finding a
>> well-concealed back door is *hard*.
> 
> Yep. I'm going strictly on odds. If I check a few of the "biggies" and
> they are the same, at that point I can reduce my level of panic and
> then take more time to look through things. I'm not claiming to be
> good at this back door finding though. Also, I'm hoping that I'm not
> so important that someone would want to target me for this nonsense.
> But anyway...

Most such attacks are not targeted. You have an IP address. You have
bandwidth. You have an open vulnerability. That's enough.

If someone has got in and hidden themselves *properly*, then you will
not discover this from within the system. A well-designed rootkit will
operate at kernel level, and provide the illusion that everything is
normal. That's not to say that all rootkits are well-designed, or even
that there are many for NetBSD, but since undetectability is the primary
design goal for a rootkit, this is a game that you're going to lose very
quickly.

A proper search will require that you boot from known clean media, and
mount the compromised hard drive (preferably noexec) and inspect it
*very* carefully.

-- 
Gillette - the best a man can forget
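An added example, not code from anyone in this thread, of the offline check Gavan describes combined with the install-set checksum Andy mentions: a POSIX sh script run from known-clean boot media that compares important binaries on the mounted suspect disk against a digest manifest made earlier from the clean install sets. The mount point, the digest tools (sha256sum or sha256 -q) and the file list are assumptions.

```shell
#!/bin/sh
# Offline integrity check: run from known-clean boot media against the
# suspect disk mounted read-only and noexec (assumed at SUSPECT_ROOT, e.g.
# mount -o ro,noexec /dev/wd1a /mnt). Nothing on the suspect disk is executed;
# only the checksum tool from the clean media reads it.

# digest FILE: print the SHA-256 hex digest with whichever tool the clean
# media provides (sha256sum on GNU userlands, sha256 -q on BSD; assumed).
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# make_manifest ROOT FILE...: emit "digest path" lines for FILEs relative to
# ROOT. Run this over a tree unpacked from the stored install sets, and keep
# the output off the machine being checked.
make_manifest() {
    root="$1"; shift
    for f in "$@"; do
        printf '%s %s\n' "$(digest "$root/$f")" "$f"
    done
}

# verify_manifest MANIFEST ROOT: compare every manifest entry with the file
# under ROOT. Prints MODIFIED/MISSING lines, returns 0 only if all match.
verify_manifest() {
    manifest="$1"; root="$2"; bad=0
    while read -r expected path; do
        target="$root/$path"
        if [ ! -f "$target" ]; then
            echo "MISSING  $path"; bad=$((bad + 1)); continue
        fi
        if [ "$(digest "$target")" != "$expected" ]; then
            echo "MODIFIED $path"; bad=$((bad + 1))
        fi
    done < "$manifest"
    [ "$bad" -eq 0 ]
}

# Typical use (manifest made earlier from the clean sets, kept on the media):
#   verify_manifest /media/manifest.sha256 /mnt || echo "suspect binaries found"
```

A clean result only covers the files in the manifest; it says nothing about a kernel-level rootkit, added files, or modified configuration, which is why the thread still recommends a full inspection or reinstall.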