My firewall was cracked!

[ddoug at catrio.org (Debra Douglass)]

On 2/21/2001, on discuss at blu.org, Christoph Doerbeck A242369 wrote: 
 >>
 >>Well, it wasn't mine, but a friends firewall box ( i486 running Slackware )
 >>was recently cracked (notice that I used the proper term).
 >>
 >>Anyway, his system was supposedly tied down pretty good.  All exterior
 >>facing services were additionally shunted by ipchain rules,
 >>yet someone still managed to get on and start unpacking a rootkit
 >>of some kind.
 >>
 >>Fortunately the kit was tailored for RedHat, and that's how he detected
 >>that he had been violated.  A lot of system binaries (ls, df, login) were
 >>replaced and because they were redhat built they didn't work on his
 >>slackware system.  I'm not sure of the exact details but...
 >>
 >>Assuming he had a good firewall configuration, does anyone have hints on
 >>what exploits the cracker may have used to get access?

My system (RH6.2) was broken into similarly three months ago and the
entry point was a root shell access bug in wu-ftpd. I've since changed
to proftpd and tightened up my rules. Two things made it very easy to
identify and recover from this breakin. I was running tripwire which
let me know exactly which files were added or changed and I was
running logwatch which let me know who did what and when.

I'm not running a Linksys firewall but I am running simple
ipchains-based firewall script. Any ports that are open in a firewall
are suspect and that is the best argument I've seen for logging both
denied AND accepted packets.

-Debra
-- 
.------------------------------------------------------------------.
|Debra Douglass          ddoug at catrio.org     http://www.catrio.org|   
`------------------------------------------------------------------'


-
Subcription/unsubscription/info requests: send e-mail with
"subscribe", "unsubscribe", or "info" on the first line of the
message body to discuss-request at blu.org (Subject line is ignored).