[*] Most exploited daemons



Here is a short list of a few daemons which are widely exploited by scriptkiddies:



>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

. name     - service             .

. ============================== .

.                                .

. wu-ftpd  - ftp                 .

. proftpd  - ftp                 .

. sendmail - smtp                .

. Qpop     - pop3                .

. Lpd      - Line Printer Daemon .

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<



These are just the ones which come to my mind, but there are lots of more vulnerable daemons. So you should check if the daemons you run are vulnerable, and if they are up to date (it isn't very smart to run an old version).



[*] CGI-scripts



If you install a webserver (e.g. apache), it usually comes standard with some cgi-scripts. These cgi's are usually not needed, and they're a security-risk. Delete them if they aren't in need for you, otherwise check if they are vulnerable. www.cgisecurity.com is a good site with more information about security related to cgi-scripts. By the way, php scripts are also very common holes in webservers.



[*] Telnet vs. SSH vs. Console



A lot of administrators use telnet to config/access their box(es) remotely, but telnet sends data (containing usernames and passwords) in plain text. In many papers, advisories and (security)guides they are advised to use SSH instead. SSH stands for Secure SHell, and sends data in encrypted form over the wire. If you really need to config/access your box(es) remotely it's advisable to use SSH, but while there was a few months ago a vulnerability in OpenSSH, I suggest you only access your box(es) on the console. If this isn't possible, install the most recent version of OpenSSH (www.openssh.org). Note that it's recommended to use blowfish encryption instead of DES, Triple-DES or MD5.



[*] Nessus



Nessus is a very good security scanner. It probes your network/host for vulnerabilities. If the system is vulnerable, nessus displays information about the vulnerability and also the URL where a patch is available. To use nessus, first you'll have to setup a nessusd (only available for linux), and with a nessus-client (available for windows too) you can connect to the nessusd and scan your box(es) for vulnerabilities. A very good feature of nessus is that is supports plug-ins, so you can download plug-ins to let nessus check for new vulnerabilities. Refer to www.nessus.org for a download of nessus and more information.



0x04 Local security

===================



Securing your box(es) locally is especially important if you provide shell accounts, but even if you don't it's essential. Why? Because someone might exploit a (unknown) vulnerability in a daemon you're running, and gains a shell with at least normal user privileges. Then he would try to exploit your local security to gain higher (root) privileges.



[*] Buffer overflows



Lots of local-exploits just use a classic buffer overflow to gain a root-shell. Well, there are a lot of papers on the internet describing buffer overflows exactly. But let me give you a short summary of how a buffer overflow exploit actually works:



When a program let's the user input data (e.g. a name or address), it usually stores the input in a buffer. Lots of programmers forget to check the bounds, which causes an overflow if the user inputs for example 80 bytes of data, while the buffer can hold only 75 bytes. Using this overflow the return address can be overwritten, to change the execution flow of the program. When the program is executed it returns to the return address, which points to an address on the stack with evil-code (this code usually spawns a shell).



These buffer overflows can be exploited locally, as well remotely (in a daemon). To protect yourself from attackers exploiting (unknown) buffer overflow vulnerabilities, you should always remove the SUID-bit from applications/daemons so an attacker won't gain a rootshell but a non-privileged-user shell.



[*] Tripwire



Tripwire is a powerfull tool, used to detect modifications in files/binaries. Tripwire makes a "fingerprint" of your system. Each time something is changed on the system Tripwire gives you a warning. This could be very annoying: each time you add a new account or create a new file, you'll get a warning. But if you run tripwire on a dedicated webserver, you can easily detect if someone tampered with critical files or placed backdoors. For more information about tripwire refer to www.tripwire.org.



[*] Kernel Patch



For extra security, it is possible to re-compile the kernel with a special patch. This patch gives you the possibility to set some security-options. Check www.openwall.com/linux for a download of a linux kernel patch.



0x05 Common backdoors

=====================



[*] /etc/passwd -> This one is classic, you should check your /etc/passwd file for (root)accounts which you didn't create.       Note: attackers usually put these accounts in the middle of your /etc/passwd, and give them names like Sym, sadmin,          comp, pass, command, shell or something similar to make it look normal and only noticeable by an experienced system-         administrator. Note: you can filter root-accounts from large passwd files with "cat /etc/passwd | grep :0:".



[*] suid root-shell(s) -> This one is very popular, but only used if the attacker has local access to the system. He just        makes a copy of /bin/sh and makes it suid-root. To fool the system-administrator he gives it a name like "fping" or          "nettrace" or something similar. To find such suid-root files type this command:

    find / -perm -4000 -print > $home/suid.files, then check suid.files in your home-directory.



[*] cronjobs -> Crond is a very powerfull daemon for administrating the system. It allows the administrator to execute           commands (which are called cronjobs) on a hourly, daily, weekly or monthly base (e.g. each Sunday at 23:00 there's made a     backup of all home-directories). An attacker could for example make crond create a root-account each day at 01:00 AM and     delete it at 02:00 AM so the attacker has for 1 hour root-access to the box.



[*] trojaned binnaries -> This one is used if the attacker has local access to the system. He replaces for example               /bin/ls with a trojaned version which operates exactly like the normal /bin/ls, but gives a root-shell if the                attacker uses a special parameter (for example ls -e).



[*] login-trojan -> This one is old, but I think it's still used. When the attacker connects to your machine via telnet and       gives a special password he'll be dropped in a root-shell. This is caused due a trojaned version of "/bin/login".



[*] /etc/services and /etc/inetd.conf -> An attacker could use these files to add a new service (or use an existing one)

    and use it to spawn a shell. It's very easy to discover such a backdoor.



[*] bindshell.c -> This is C source-code used to bind a (root)shell to a port, usually attackers use a very high port so it      won't show up on portscans (wich aren't always from 0 to 65535). It's easy to check for this backdoor, just do a             "netstat -an", and check suspicious open ports. Or even better: do a full portscan (Because the attacker could have          replaced netstat with a trojaned version).



[*] lkm's -> Loadable Kernel Modules are (like the name says) pieces of code (modules) which could be loaded in the kernel,      usually they're very advanced and sometimes (allmost) completely stealth, so they're hard to detect. I suggest you read      Pragmatic's excellent paper on Loadable Kernel Modules, available at www.thehackerschoice.com.



[*] rootkits -> These are complete packages with usually trojans, sniffers, lkm's, log-cleaners, etc. etc.



Note: there are much more backdooring-techniques. To cover them all it would take me to write a whole new paper, so I just discussed the most commonly used.



0x06 Windows

============



More than 80% of the defacements are due the lack of security on windows-systems. In the past there was the RDS-vulnerability which caused lots of compromises. Now the Unicode-bug is one of the favourites of scriptkiddies. Also an overflow in the ISAPI-extensions on win2k/IIS 5.0, is widely being exploited (the exploit-code is called jill.c). Another VERY good example:  the 'code red' worm which was spreading around the internet via the .ida overflow (For more information refer to http://neworder.box.sk/ and http://www.securityfocus.com/). These vulnerabilities caused a lot of damage and defacements :-(. I suggest you subscribe to NTBugTraq, which is a very good mailinglist with discussions, vulnerabilities (including exploit-code, if released), papers, etc. etc. related to windows-security.



Please read the next section VERY carefull. The magic word to secure your windows-box(es) is: PATCHING.



0x07 Patches

============



It's really really important you patch your systems, the trouble the 'code red' worm caused is due (lazy) system-administrators who didn't patched their systems and this way didn't only brought theirselves in trouble, but they also made it possible for the worm to spread itself and infect other systems. Now, is it really so hard to check on sites like securityfocus.com, neworder.box.sk, and on (NT)BugTraq or another security-related mailinglist, if your system is (possibly) affected for a new vulnerability and download a patch?! If a website under your responsibility gets defaced, you'll need to take more time to restore everything, than patching the system and don't give those damn scriptkiddies a chance to screw up your website!



linux:

If there's a vulnerability found in a daemon, application, driver, cgi-script, etc. etc. usually the vendor releases a patch as soon as possible. Just check the (ftp)site of the product-vendor or your linux-distribution for information and a patch/fix. It's also common that an exploit comes with a solution/work-a-round.



Note: In SuSE linux you can easily update packages with YaST (Yet another Setup Tool). YaST compares the installed version of a package with the version on the ftp-server and if they don't match it downloads the newest version [Thanks to DataWizard for pointing this out].



0x08 Conclusion

===============



I know this paper doesn't covers everything to stop attackers. But I think that a System-administrator who read this paper won't be "hacked" by clueless scriptkiddies scanning the internet for vulnerable boxes. It isn't very hard to stop scriptkiddies, just take the time to secure and patch(!!) your system(s). Subscribe yourself to (NT)BugTraq, and always be up to date (install the newest versions of daemons, aplications etc.). I'm satisfied when this paper makes system-administrators prevent scriptkiddies from intruding their systems and defacing their websites. Don't see securing a system as a pain in the ass, it's realy interesting and fun!



0x09 Final words

================



I hope you enjoyed this paper, if not, delete it :-)

For further questions, comments or critism please send me a mail: systm@exploder.nl (or shaolin123@hotmail.com), or catch me on IRC:

#p00rt @ nederwiet.wox.org/iznogood.wox.org.



Some security-related sites:



http://neworder.box.sk/                [News, Exploits, papers and tools archive]

http://blacksun.box.sk/                [Tutorials related to hacking/security/programming]

http://www.securityfocus.com/          [BugTraq mailinglist, great exploits and papers archive]

http://www.packetstormsecurity.org/    [Exploits, papers and tools archive]

http://www.thehackerschoice.com/       [Good (papers) archive]

http://www.nessus.org/                 [Nessus security scanner]

http://www.tripwire.org/               [Tripwire]

http://www.microsoft.com/security/     [Search for Patches, Security Bulletins and more info related to Microsoft products]



Greets to: DataWizard, NederWiet, KD, Reflex, DarkWhite, IzNoGood, Vetjuh, ssuzeJJ, div3rt3r, BBM, Syndr0me and all the others (you know who you are). I also want to greet the box.sk staff and all the members of the Blacksun Research Facility Team. ;-)



Special thanks to DataWizard, Reflex and Syndr0me for checking and correcting mistakes in the BETA versions.



Finally I want to say #wasrek sucks, those guys are too lame to understand the difference between a computer and a chair..



--"The net is my playground"



0x10 Copyright

==============



You may distribute this paper as much as you like, but please DO NOT change, add or remove anything without my permission. Feel free to mail me about this subject.



And Remember: KNOWLEDGE IS POWER!!



================================================================================================================

Stopping the Scriptkiddies v1.00 - Release date: 29.08.2001 - (C)opyright by POOL 2001 - systm@exploder.nl