[fox-users] <- via users: server probleme #2
ludwig zeininger
lu at mur.at
Mon Apr 26 22:09:16 CEST 2004
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
hi
1. neuigkeiten deutsch (wieder eher laenglich, sorry)
2. engish version of last week's mail + news/updates
1.
unsere forensische abteilung konnte (ueber einen sog. zweckdienlichen
hinweis von reini urban, danke nochmal!) den hergang des cracks
aufklaeren.
offensichtlich wurde die maschine ausschliesslich als IRC relay
missbraucht, was jede menge netzwerk traffic verursachte und die CPUs
heftig beanspruchte, aber den datenbestand im userspace (homes,
datenbanken, mails) unveraendert liess. dh. wir gehen davon aus, dass eure
daten nach wie vor - und die system daten wieder - integer sind.
(fuer die skeptikerInnen: wir ueberwachen das sytem manisch, um etwaige
verbliebene bosheiten zu entdecken. paranoia gehoert schliesslich zu
unserem berufsethos...)
die eingangstuer war ein wenig bekannter aber klaglos funktionierender
exploit eines administrations interfaces fuer ein php bulletin board,
installiert von einem users fuer eine von ihm betreute homepage.
schlecht geschriebene, veraltete software, einmal installiert, nicht
gewartet, nie aktualisiert.
unsere konsequenz: wer in zukunft software installieren will, muss sich:
1. _zuerst_ mit dem noc in verbindung setzen (wir wollen wissen, was es
ist, und uns darueber informieren)
2. verpflichten, die software auf dem jeweils neuesten stand zu halten und
gegebenenfalls und sobald wie moeglich security patches einzuspielen und
regelmaessig updates durchzufuehren.
was 'software' in diesem kontext meint, ist leider nicht so einfach zu
definieren. auf jeden fall suiten wie CMSs (content managemant systeme),
BBs (bulletin boards) und aehnliches, egal ob von irgendwo im netz gesaugt
oder selbst gestrickt, egal ob php oder perl.
ich bin auch auf phpmyadmin gestossen: weg damit! oder wir machen es.
dafuer gibt es ein systemweites:
https://mur.at/phpmyadmin/
^----> secure, was in euren homedirs nicht der fall ist
eigene bulletin boards aufzuziehn ist uebrigens auch nicht mehr noetig:
http://bb.mur.at/ steht zur verfuegung. wer will, kann ein eigenes forum
bekommen. vom noc administriert, von dem/der jeweiligen betreuerIn
moderiert.
polls und aehnliche kleinere php/perl sachen sind eher unbedenklich,
wobei ich aber auch bitten wuerde, sich vor der installation mit uns in
verbindung zu setzen. ihr koennt euch und uns u.U. aerger ersparen.
(polls koennen uebrigens auch ueber bb.mur.at gemacht werden.)
die vorteile fuer euch liegen auf der hand. ihr habt keinen stress beim
installieren, keinen administrationsaufwand, und wenn was schiefgeht, ist
das noc dafuer verantwortlich.
dass nicht ueber ein user password eingebrochen wurde, bedeutet allerdings
NICHT, dass ich irgendwas von den password- und security-angelegenheiten,
wie im letzten mail beschrieben, auch nur relativiere!
im gegenteil: die spurensuche hat, quasi als nebenprodukt, ua. ergeben,
dass ueber einige accounts (teils mit, teils ohne wissen der inhaberInnen)
dritte wiederholt und sogar regelmaessig zugang zum server hatten.
- -> ankuendigung:
sobald wir einen praktikablen mechanismus ausgearbeitet haben, wird es nur
noch zeitlich begrenzt gueltige passwoerter geben. dh. ihr werdet eure
passwoerter alle drei oder vier monate aendern muessen.
zur einstimmung fordere ich alle (die das in den letzten tagen nicht schon
gemacht haben) auf, jetzt (JETZT) ihr passwort zu aendern. und fuer sich
zu behalten. in faellen von akutem account sharing: bitte melden, wir
legen gern die noetigen accounts an (und werden auch nicht schimpfen,
versprochen!).
soweit mal das, demnaechst sicher mehr...
2. [this is as longish as it is important. so, please...
for your reading pleasure there are some awkward jokes included!]
a condensed version of the tale of last week's inferno and it's
consequences.
the pop thing:
some time in the evening of april 16 our pop server stopped popping.
unfortunately, it took me until monday to realize and until tuesday to get
it running again. sorry for that. we're still investigating the cause.
both, imap and pop, are up and functional since tuesday. if any of you
have migrated from pop to imap (and back) in the meantime and are
experiencing problems, please contact us.
all more recent trouble with mail and other services should have stopped
by thursday afternoon and was most probably due to emergency measures made
necessary by...
the crack thing:
our main server was cracked on april 22 (last thursday) and subsequently
misused as IRC relay, which caused considerable network- and cpu-load but
did not compromise any userland data. ie. none of your data (home
directories, databases, mail) was compromised. the system was cleared of
all malicious files and also a brandnew kernel (not vulnerable to the
exploit used last week) is running without problems.
at the time of my german-only mail to the list i was convinced that the
crack was carried out from a user account because the kernel vulnerability
that was exploited depends on the attacker already being logged in ('local
exploit').
although this proved to be wrong, there is good reason to believe that
some of the mur.at accounts are being used by more than one person. as our
forensics department found out, the login logs for some accounts have
time/location signatures that are impossibly caused by one person, ie.
logins were recorded from different locations that occured simulaneously
and/or with too little time inbetween, assuming contemporary means of
travel.
the passwords for those accounts (and who knows how many others...) have
either been knowingly shared (webmasters, a friend who knows mysql, a room
mate who has a crack of dreamweaver...) or gotten hold of by somebody
through some kind of malicious action (sniffing, backdoor on a DOS box...).
in both cases the result is the same: somebody gains unauthorized access
to the server. not technically unauthorized, but as in 'not a mur.at
member'.
access to our services is restricted to members, and an account is bound
to ONE person. that person is obliged to safekeep the access data and is
responsible for whatever harm is done by misusing that account.
in other words:
# don't share your account!
if you need additional accounts (webmaster, database etc) let us know, no
problem.
# use secure protocols!
we offer secure version for each of our services that need authentication,
no need to send unencrypted passwords over the wire.
ftps instead of ftp: any decent ftp client is capable of ssl/tls. look for
it in the settings, activate it, accept the mur.at certificate and use it
as usual. insecure ftp will be kissed goodbye for good, soon. better
switch now!
use scp: standard on linux, macosx even offers fugu (a filebrowser-like
graphical user interface for scp, a little buggy still, but useable) and
there are free windoze clients around, like winscp
(http://winscp.sourceforge.net/)
both, pop and imap, can be used over ssl/tls. as with ftp, it's completely
transparent to the user, ie. once you have it configured (check it, all
other settings are the same), you won't notice any difference (but THEY
will...). here also, the insecure transport will go away, soon.
# save your passwords only in your head!
don't write them to a file, not on the server, not on your machine. don't
let your programs save passwords (the answer to 'save password?' is a
stubborn 'NO').
the security and privacy of your - and other people's - data should be
worth memorizing a couple of passwords, and typing them in when prompted,
shan't they? (yeah! that's "shan't"! love it...)
also, make sure your browser does not save form data (to save it,
unfortunately seems to be the default setting with most [all?] current
browsers) when you use webmail or similar services. this especially
applies to browsers on othere people's machines and internet cafes (if you
can't change the setting, execute 'remove stored form data' and/or similar
from the options menu, if that's not possible, search for and delete the
browser data via the filebrowser, if that isn't possible, get a gun and
ask for the manager).
there's more...
the crack was initially made possible by a little known but nonetheless
effective exploit in an administration webinterface part of a php bulletin
board that was installed in a user's home directory. badly written
outdated software. installed, no administration done, no updates applied.
as a consequence, users will have to
1. contact the noc _before_ installing software,
2. guarantee that the software is maintained properly, updated regularly,
and security patches and fixes are applied if necessary and ASAP.
'software' here is a tricky term. definitely included are any kind of CMS
(content management system), BB (bulletin board) or similar cgi and/or php
based suites.
btw. there's no need to put up your own bulletin board. there is
http://bb.mur.at/. you can have your own forum there, just let us know.
the same goes for phpmyadmin. use https://mur.at/phpmyadmin/
^---> secure! insecure when run from
your home dir.
(phppgadmin: ditto)
your advantage: no installation hassles, no administration -> no
responsibility in case of admin-caused fuck up.
smaller affairs, like poll scripts, are not so sensitive, but still we
would like to be informed. (bb is capable of polls, btw.)
one more thing on passwords:
as soon as we will have figured out a viable mechanism there will be an
expiry date on every mur.at password, ie. you will have to change it
periodically, like once every three or four months. why not practice by
changing it yourself? NOW.
and to all those who are sharing their account with a webmaster, db-person
or similar: contact us for additional accounts. there's a temporary
amnesty...
so much for now. more soon...
lg
lu
- --
wuensche, wohl administriert worden zu sein!
NOC at mur.at
NetworkOperationCenter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFAjWxvea0RHHXBzw0RArYmAKCmhFR4qJGZ9BT0DxClc3hc5Ato/wCgkKDL
ied9e5qH5DQxI5knU0hNSiA=
=pPEj
-----END PGP SIGNATURE-----
_______________________________________________
users mailing list
users at mur.at
http://mur.at/mailman/listinfo/users
More information about the noc-announce
mailing list