11-09-2005, 06:13 PM | #1
Addict
Location: Kingston,Ontario
I feel violated!
We were hacked today at work. The systems guy opened the firewall this morning to allow a potential client in to demo some software on our system. We usually only allow access via the Cisco VPN.
At 10:12AM, somebody managed to login as one of our users. He did a wget to get a file from some computer on the web and un-tarred it to run his own programs. After about 49 minutes, he had the root password. As root, he created his own user account. He was logged in this account for about 22 minutes before the system guy noticed and started to kill the guy's processes. He then changed the root password, the original user's password and deleted some files before the system guy killed him and closed the port at about 11:45AM. He managed to get back in on another port at 2:03pm while the system guy was in a meeting. I killed his shell and then we pulled the plug on the Nortel switch, effectively killing the internet for the whole office. We had the Bell forensic guy in and I left at about 3:00pm as they brought down the Linux servers and I had nothing to do. I think they were going to find all the info they could and then scrub the disk and restore a backup. I don't know if they would be able to find the guy with his IP address. He created a user "usher" and got a file called team2.tgz from http://usherul.0catch.com/team2.tgz. He then did a tar -xfzv team2.tgz and then he cd'd to the team2 directory he created and started running programs there. Apparently, 0catch.com is an ISP, so either usherul is the hacker's account or one of his victims. I don't know if the guy got any of our files. There were a lot of text files there with some client info. The machine is used for conversion of data to an Oracle database. The production database runs on another machine and was not touched. It was kind of scary. He got kind of pissed when he was discovered and deleted some files on the development box and changed passwords. I don't think that's a usual way of hacking. We'll have to find another way of running a demo, probably by using VPN. Bummer.
11-09-2005, 06:43 PM | #2
Devils Cabana Boy
Location: Central Coast CA
Sorry dude, that sucks. We've never had anything that bad happen at my work.
Have a tough root password; if it is simple, someone can brute force it quickly if they can get a hold of the password hash. At my work, all accounts that have admin access have passwords longer than 10 characters, including at least 5 special characters. If you need help with ideas for passwords, let me know. I won't post any of my tricks, but if you PM me, I'll send you some ideas.
__________________
Donate Blood! "Love is not finding the perfect person, but learning to see an imperfect person perfectly." -Sam Keen
11-09-2005, 10:10 PM | #4
Tilted Cat Head
Administrator
Location: Manhattan, NY
damn... reminds me of the time we got a keylogger sent to an admin and it ended with the FBI coming in and going up everyone's ass...
sorry bro... ALWAYS practice safe computing, not even for a few minutes should you let your guard down.
__________________
I don't care if you are black, white, purple, green, Chinese, Japanese, Korean, hippie, cop, bum, admin, user, English, Irish, French, Catholic, Protestant, Jewish, Buddhist, Muslim, indian, cowboy, tall, short, fat, skinny, emo, punk, mod, rocker, straight, gay, lesbian, jock, nerd, geek, Democrat, Republican, Libertarian, Independent, driver, pedestrian, or bicyclist, either you're an asshole or you're not.
11-09-2005, 11:40 PM | #5
Addict
tbh, I think that noticing the guy within 22 minutes was good.
The majority of admins wouldn't have anything set to alert them. I know a LOT of the places I've worked haven't had it. Security and IDS just aren't seen as valid expenditures for a lot of companies. Pity.
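The kind of alerting post #5 says most shops lack, written up as an added example that is not from any poster: a small Python scan over constructed auth.log lines modelled on the first post's timeline (a login from outside the VPN, su to root, a new UID-0 account, root's password changed). The host name, user names, the VPN address pool and the year are assumptions.

```python
import ipaddress
import re
from datetime import datetime

# Constructed auth.log lines modelled on the timeline in the first post: a login from
# outside the VPN, escalation to root, a new "usher" account and root's password changed.
SAMPLE_LOG = """\
Nov  9 09:30:12 devbox sshd[2100]: Accepted publickey for alice from 10.8.0.15 port 50011 ssh2
Nov  9 10:12:03 devbox sshd[2211]: Accepted password for jsmith from 198.51.100.23 port 40122 ssh2
Nov  9 11:01:44 devbox su[2390]: Successful su for root by jsmith
Nov  9 11:02:10 devbox useradd[2402]: new user: name=usher, UID=0, GID=0, home=/home/usher, shell=/bin/bash
Nov  9 11:20:31 devbox passwd[2477]: pam_unix(passwd:chauthtok): password changed for root
Nov  9 11:21:05 devbox passwd[2480]: pam_unix(passwd:chauthtok): password changed for jsmith
"""

VPN_POOL = ipaddress.ip_network("10.8.0.0/16")  # assumed address pool handed out by the Cisco VPN
TS = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ "
RULES = [
    ("login-outside-vpn", re.compile(TS + r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")),
    ("su-to-root", re.compile(TS + r"su\[\d+\]: Successful su for root by (?P<user>\S+)")),
    ("new-account", re.compile(TS + r"useradd\[\d+\]: new user: name=(?P<user>\w+), UID=(?P<uid>\d+)")),
    ("password-changed", re.compile(TS + r"passwd\[\d+\]: .*password changed for (?P<user>\S+)")),
]

def detect(log_text):
    """Return (rule, timestamp, user) for the events that should page an admin."""
    alerts = []
    for line in log_text.splitlines():
        for rule, rx in RULES:
            m = rx.match(line)
            if not m:
                continue
            d = m.groupdict()
            if rule == "login-outside-vpn" and ipaddress.ip_address(d["ip"]) in VPN_POOL:
                break  # expected path (came in over the VPN), nothing to report
            if rule == "new-account" and d["uid"] == "0":
                rule = "new-uid0-account"  # a second root-equivalent account, not just a new user
            ts = datetime.strptime("2005 " + d["ts"], "%Y %b %d %H:%M:%S")  # syslog has no year; 2005 assumed
            alerts.append((rule, ts, d["user"]))
            break
    return alerts

def minutes_to_escalation(alerts):
    """Minutes from the first suspicious login to the first su to root, or None if either is missing."""
    logins = [t for r, t, _ in alerts if r == "login-outside-vpn"]
    roots = [t for r, t, _ in alerts if r == "su-to-root"]
    if not logins or not roots:
        return None
    return int((min(roots) - min(logins)).total_seconds() // 60)
```

Run against the sample, `detect` reports the outside login, the su to root, the UID-0 "usher" account and both password changes, and `minutes_to_escalation` gives the 49 minutes the first post describes; the VPN login from 10.8.0.15 stays quiet.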
11-10-2005, 05:58 AM | #6
Darth Papa
Location: Yonder
Quote:
We had a similar thing happen at my company a few years back. Turned out my admin had left an old version of sshd on ALL the servers, and they ALL got thoroughly pwned. It was a total nightmare trying to deliver on the custom programming I'd sold that month--all my developer time went into rebuilding boxes, and our SLA was totally shot, which means big refunds for our customers. I didn't get paid that month because of those bastards. EDIT: My journal entry about it is HERE (http://www.tfproject.org/tfp/journal.php?do=showentry&e=3328), just so you don't feel too alone.
Last edited by ratbastid; 11-10-2005 at 06:22 AM.
11-10-2005, 06:38 AM | #7
Professional Loafer
Location: texas
How come the client couldn't just come in over the VPN? It's easy enough to set up a user on a VPN Concentrator or Pix. How is the VPN authenticating users (LDAP/AD, PAM, local)?
Could your company not have set up an L2TP connection with the client and have him connect that way? That way he wouldn't have to install the Cisco VPN client if he didn't have it already (the install requires a reboot because it makes a virtual network adapter). If you're going to open your firewall for any reason, you want to section off what is going to be needed to a different VLAN, so as not to allow access to other machines. I guess I don't see why your "systems guy" didn't think about some of this before just opening your firewall to the outside world. Hence, the purpose of firewalls. Just my $0.02.
__________________
"You hear the one about the fella who died, went to the pearly gates? St. Peter let him in. Sees a guy in a suit making a closing argument. Says, "Who's that?" St. Peter says, "Oh, that's God. Thinks he's Denny Crane."