January 31st, 2003, 12:45 PM
How do hackers...
I'm still pretty new to the whole "Server Admin" thing, and I was wondering...
-allow me to explain:
What are the most common techniques that hackers use today?
I'd like to see some of the Admins (any Admin, Win / *nix) on AO explain/list the more common attacks they see in their logs. Oh yeah, I'd rather not see any script kiddies post exploits, that's not the point of this thread; I really want to get a clear grasp of the problems / issues / signs I should be looking for, protecting against, etc...
Hopefully this thread will be informative ;-)
yeah, I'm gonna need that by friday...
January 31st, 2003, 01:46 PM
My experience (logfiles, and yes, I have been hacked before) has shown me that a lot of "intruders" scan your machines, finding out information like OS, servers (version), open ports and then look for ways to exploit them, i.e. Apache 1.3 is exploitable via ....com/cgi/... etc., giving them access to the entire contents (bypassing .htaccess) and getting information like /etc/shadow, /etc/passwd, /etc/httpd/apache.config etc. That applies to FTP servers too. The best way to protect against that is to always be up to date, try running services NOT as root if you can, then even jail them. Also weak passwords are major threats, and also avoid remote root logins (log in as a normal user and su to root if you have to). Also avoid going in as user root unless you absolutely have to, and no chatting/browsing as root. Keep scanning yourself to see if you're patched and up to date on every service (OpenSSH 1 is exploitable, so get the newest version <---- that was an example, I'm not saying that's your ssh). So the techniques are:
1 - exploits (check your versions of everything)
2 - virii (keylogging/trojan)
3 - Looking for weak or no passwords at all (I once guessed like 10 mail account passwords depending on the information I got on the users, like where they come from, relationships, dates, addresses, pets, etc......)
4 - man in the middle attacks (your clients are compromised, which contain information on logging into your servers such as rsa keys, usernames; passwords might be the same on clients and servers)
5 - DOS to bring down badly configured firewalls
6 - KIS (google it, I will not explain that one)
7 - sniffers (avoid using non-encrypted services such as telnet, or ftp. Instead use sftp and ssh)
That's just a few of the possibilities (I'm no expert) that I have encountered over the years, and my logfiles have shown similar things.
Hope this helps you, although there are many many more ways.
Just one more thing. You know the main rule on a firewall: allow nothing, then start to allow what you really want. Same for the services and applications. Only install the things that you really need, e.g.:
Try to run everything standalone, no inetd or other super daemons. If you know how to use a certain editor (like vi) then don't install pico, joe, emacs etc., don't install things you don't really need like portmappers, telnet servers, finger servers, news servers, time servers (they are mostly set up by default, so get rid of them ASAP) etc...
Ubuntu-: Means in African : "Im too dumb to use Slackware"
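The post above recommends turning off the legacy services that inetd ships enabled by default (telnet, finger, time and friends) and running what remains as something other than root. As an added example that is not part of the original thread, here is a small auditor for the classic inetd.conf layout: it lists the enabled entries a defender would want gone, warns about entries still running as root, and writes out a hardened copy with the risky lines commented out. The sample configuration and the reason attached to each service name are constructed for the demo; the "runs as root" warning is advisory, since some inetd services need root to switch to the logged-in user.

```python
"""Audit an inetd.conf for the legacy services the post above says to turn off.

Added example, not from the original thread. It parses the classic
inetd.conf layout (service socket proto flags user server [args]),
reports enabled entries that are cleartext, information-leaking or
trivially abusable, warns about anything still running as root, and
emits a hardened copy with the risky lines commented out. The sample
file and the service categorisation are constructed for the demo.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterator

# Reason an admin would disable each service (assumed categorisation).
RISKY_SERVICES = {
    "telnet": "cleartext logins (use ssh instead)",
    "ftp": "cleartext logins (use sftp/scp instead)",
    "pop3": "cleartext mail passwords",
    "imap": "cleartext mail passwords",
    "finger": "leaks user names and login activity",
    "shell": "r-service: host-trust auth, cleartext",
    "login": "r-service: host-trust auth, cleartext",
    "exec": "r-service: host-trust auth, cleartext",
    "echo": "legacy test service, usable for amplification/DoS",
    "chargen": "legacy test service, usable for amplification/DoS",
    "discard": "legacy test service, no use on a server",
    "daytime": "legacy time service, information leak",
    "time": "legacy time service, information leak",
}

# Constructed sample inetd.conf (the 'shell' entry is already disabled).
SAMPLE_INETD = """\
# /etc/inetd.conf (constructed sample)
ftp      stream  tcp  nowait      root    /usr/sbin/tcpd  in.ftpd -l -a
telnet   stream  tcp  nowait      root    /usr/sbin/tcpd  in.telnetd
#shell   stream  tcp  nowait      root    /usr/sbin/tcpd  in.rshd
finger   stream  tcp  nowait      nobody  /usr/sbin/tcpd  in.fingerd
daytime  stream  tcp  nowait      root    internal
time     stream  tcp  nowait      root    internal
ident    stream  tcp  nowait      identd  /usr/sbin/identd identd
swat     stream  tcp  nowait.400  root    /usr/sbin/swat  swat
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    service: str
    user: str
    reason: str


def parse_inetd(text: str) -> Iterator[tuple[int, list[str]]]:
    """Yield (line_no, fields) for every enabled (uncommented) entry."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) >= 6:  # service socket proto flags user server [args]
            yield line_no, fields


def audit_inetd(text: str) -> list[Finding]:
    """Return one Finding per enabled entry that deserves attention."""
    findings: list[Finding] = []
    for line_no, fields in parse_inetd(text):
        service, user = fields[0], fields[4]
        account = user.replace(":", ".").split(".")[0]  # drop optional group
        if service in RISKY_SERVICES:
            findings.append(Finding(line_no, service, account, RISKY_SERVICES[service]))
        elif account == "root":
            findings.append(Finding(line_no, service, account,
                                    "runs as root; use a dedicated account or a jail"))
    return findings


def harden_inetd(text: str) -> str:
    """Return the config with every RISKY_SERVICES entry commented out."""
    disable = {f.line_no for f in audit_inetd(text) if f.service in RISKY_SERVICES}
    lines = text.splitlines()
    for idx in disable:
        lines[idx - 1] = "#" + lines[idx - 1]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for f in audit_inetd(SAMPLE_INETD):
        print(f"line {f.line_no}: {f.service:8} user={f.user:7} {f.reason}")
    print("\n--- hardened ---")
    print(harden_inetd(SAMPLE_INETD))
```

Run it against a real file with `audit_inetd(open("/etc/inetd.conf").read())`; after commenting lines out, inetd still has to be told to reread its config (a HUP) before the ports actually close, and the audit of the hardened text shows what is left.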
January 31st, 2003, 02:45 PM
Mine was someone trying to check out all the users or objects in the Domain Tree. Da person was scanning around da domain tree looking for an account he can use dat doesn't require passwords or has default passwords on.
January 31st, 2003, 02:59 PM
By far the most common thing you see in logs is automated HTTP attacks from "zombie" machines infected with various worms (CodeRed & Nimda mostly).
The next most common thing in logs is port scans. A site I used to admin got port scanned several times per day.
After that it could be almost anything. Generally speaking, nearly all the attacks you will see are entirely automated, done either by skiddie tools, or much more commonly worms.
As far as successful attacks are concerned, I think the most common kind is people going into systems that are entirely unprotected - systems with default passwords, or no password at all.
Then they usually plant some malware - usually off-the-shelf back doors like Back Orifice etc. Although virus scanners will detect some of these, they can easily be modified to evade detection (although I've never seen a modified one in the wild).
Lastly, if you leave an FTP server open with any writeable directories in it (even if they are several levels deep, and non-obvious, if they have been left open by accident), warez kiddies will rapidly fill them up with ripped games, etc, ultimately producing DoS when your disc becomes full and wasting your bandwidth.
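The CodeRed and Nimda traffic this post describes is easy to pick out of an Apache log once you know the request shapes those worms sent. As an added example that is not part of the original thread, the script below parses Common Log Format lines, tags each request with the worm family by its well-known signature (CodeRed's `/default.ida?NNNN...`, Nimda's `root.exe` / `cmd.exe` and `..%255c..`-style traversal requests), counts hits per source so you can see which zombies are hammering you, and separates out the rare probe that got a 2xx, which on a server that should be answering 404 is the one line worth looking into. The log lines are constructed for the demo.

```python
"""Flag CodeRed/Nimda worm probes in an Apache access log (Common Log Format).

Added example, not from the original thread. The request signatures are
the well-known ones those worms sent; the log lines below are
constructed. On a non-IIS server these probes are noise that should 404,
so the report separates per-source counts from the handful of hits that
got a 2xx and deserve a look.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict

# Common Log Format: host ident authuser [date] "method path proto" status bytes
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
)

# (family, pattern) in priority order; the first match wins.
WORM_SIGNATURES = [
    ("CodeRed", re.compile(r"^/default\.ida\?[NX]{8,}", re.I)),
    ("Nimda", re.compile(r"(root|cmd)\.exe\?/c\+", re.I)),
    ("Nimda", re.compile(r"/(scripts|msadc|_vti_bin|_mem_bin)/\.\.%(25|c0|c1|%35)", re.I)),
]

# Constructed sample log: one zombie, one normal visitor, one odd 200, one junk line.
SAMPLE_LOG = """\
192.0.2.10 - - [31/Jan/2003:10:01:02 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 276
192.0.2.10 - - [31/Jan/2003:10:01:03 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 279
192.0.2.10 - - [31/Jan/2003:10:01:03 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 287
192.0.2.10 - - [31/Jan/2003:10:01:04 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
198.51.100.7 - - [31/Jan/2003:10:05:00 -0500] "GET /index.html HTTP/1.1" 200 1043
198.51.100.7 - - [31/Jan/2003:10:05:01 -0500] "GET /images/logo.gif HTTP/1.1" 200 2210
203.0.113.5 - - [31/Jan/2003:10:07:30 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 512
this line is not CLF at all
""".splitlines()


def classify_request(path: str) -> str | None:
    """Return the worm family a request path looks like, or None."""
    for family, pattern in WORM_SIGNATURES:
        if pattern.search(path):
            return family
    return None


def scan_access_log(lines):
    """Summarise worm probes: counts per source, 2xx hits, unparsed lines."""
    by_source: dict[str, Counter] = defaultdict(Counter)
    answered_2xx: list[tuple[str, str, int]] = []
    unparsed = 0
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            unparsed += 1
            continue
        family = classify_request(m["path"])
        if family is None:
            continue
        by_source[m["src"]][family] += 1
        status = int(m["status"])
        if 200 <= status < 300:  # a probe that "worked" is worth a look
            answered_2xx.append((m["src"], m["path"], status))
    return {"by_source": dict(by_source), "answered_2xx": answered_2xx,
            "unparsed": unparsed}


if __name__ == "__main__":
    report = scan_access_log(SAMPLE_LOG)
    for src, fams in report["by_source"].items():
        print(src, dict(fams))
    for src, path, status in report["answered_2xx"]:
        print(f"INVESTIGATE: {src} got {status} for {path}")
    print("unparsed lines:", report["unparsed"])
```

Feed it a real file with `scan_access_log(open("access_log"))`. A 2xx in the `answered_2xx` list is not proof of compromise (a catch-all rewrite rule will produce the same thing), but it is the one place in a sea of 404s where a manual look pays off.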
January 31st, 2003, 06:59 PM
If there's nothing else, bruteforce
Well, script kiddies are not really clever, and they follow roughly these procedures:
1) Scan host for vulnerabilities, using a tool like SSS, etc. Use of stealth scanning techniques, as well as slow scan via multiple hosts, bouncing, innocent connections with great time gaps... well, all of this is too much for our little skiddies.. However, a skilled attacker will be much harder to notice. I am glad most of them aren't exactly skilled. You may notice several connections being attempted, to different ports. Packets with strange flags, and stuff like that. A good firewall can catch them for you, and having an IDS will make you aware of scanning attempts.
2) Funny part: tons of them now start asking in forums, irc channels, icq, and wherever they can: "I scanned xxx.xxx.xxx.xxx , and I got these results.. what do I do next?" *Sigh*. After downloading the exploit, some of them might need help to compile it.
3) Ok, they managed to compile the damn exploit. A good part of them are shellcodes which exploit buffer overflows. Very large strings, followed by code and a /bin/sh. Even when compiled, you may use the program strings to get the /bin/sh string, and this can also be caught by an IDS. Encrypted shellcodes are a problem, however. But it is at a more sophisticated level, since the kiddies don't write their own exploits.
Sure, all of you have already dissected scans, exploits, impersonation attacks, sniffing.. very well, I must say. Just to add something, there are 2 things that have been quite "fashionable": PHP and lots of cgi attacks, and when nothing else works (or even as the first thing), bruteforce cracking. Several message boards have been attacked through some PHP bug.. :/
Just how easy it will be to spot the attack will depend on the attacker's skills, of course. I personally think I would be scratching my head quite often while looking at logs.. and perhaps drinking a lot of coffee.. hehe
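Step 1 above (connections to many different ports, "packets with strange flags") and the port scans mentioned in the earlier post both show up in firewall logs before anything else does. As an added example that is not part of the original thread, the script below reads iptables LOG lines as the kernel writes them to syslog, reports any source that touches more than a threshold of distinct ports inside a sliding time window, and labels the classic malformed-flag probes (NULL, XMAS, SYN+FIN, lone FIN) by the flag words the kernel prints between `RES=` and `URGP=`. The threshold, window and log lines are constructed for the demo, and the syslog timestamp carries no year, so the window logic assumes a single day's log.

```python
"""Spot port sweeps and odd TCP flag combinations in iptables LOG lines.

Added example, not from the original thread. It parses SRC=, DPT=,
PROTO= and the flag words between RES= and URGP= from kernel log lines,
reports sources that hit many distinct ports within a short window, and
labels NULL / XMAS / SYN-FIN / FIN-only packets. Thresholds, window and
sample lines are constructed; timestamps are parsed without a year.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SRC_RE = re.compile(r"\bSRC=(\S+)")
DPT_RE = re.compile(r"\bDPT=(\d+)")
PROTO_RE = re.compile(r"\bPROTO=(\S+)")
# The kernel prints the set flags as words, in this order, between RES= and URGP=.
FLAGS_RE = re.compile(r"RES=0x[0-9a-fA-F]+((?: (?:CWR|ECE|URG|ACK|PSH|RST|SYN|FIN))*) URGP=")


def _line(ts: str, src: str, proto: str, dpt: int, flags: list[str]) -> str:
    """Build one constructed iptables LOG line in the kernel's format."""
    fl = (" " + " ".join(flags)) if flags else ""
    return (f"Jan 31 {ts} gw kernel: IN=eth0 OUT= SRC={src} DST=203.0.113.2 LEN=40 "
            f"TOS=0x00 PREC=0x00 TTL=47 ID=1 PROTO={proto} SPT=41234 DPT={dpt} "
            f"WINDOW=1024 RES=0x00{fl} URGP=0")


# Constructed sample: a SYN sweep over 8 ports, a normal visitor, an XMAS and a NULL probe.
SAMPLE_FWLOG = [
    _line(f"18:59:{s:02d}", "192.0.2.99", "TCP", p, ["SYN"])
    for s, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443], start=1)
] + [
    _line("18:59:20", "198.51.100.7", "TCP", 80, ["SYN"]),
    _line("19:03:10", "203.0.113.77", "TCP", 22, ["URG", "PSH", "FIN"]),
    _line("19:03:11", "203.0.113.77", "TCP", 22, []),
    "Jan 31 19:03:12 gw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.2 "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=47 ID=1 PROTO=UDP SPT=6000 DPT=53 LEN=28",
]


def parse_line(line: str):
    """Return (time, src, proto, dpt, flags) or None if this is not a LOG entry."""
    src, dpt, proto = SRC_RE.search(line), DPT_RE.search(line), PROTO_RE.search(line)
    if not (src and dpt and proto):
        return None
    when = datetime.strptime(line[:15], "%b %d %H:%M:%S")  # syslog stamp, no year
    flags = None  # None means "no TCP flag field found", not "no flags set"
    if proto.group(1) == "TCP":
        m = FLAGS_RE.search(line)
        if m:
            flags = frozenset(m.group(1).split())
    return when, src.group(1), proto.group(1), int(dpt.group(1)), flags


def classify_flags(flags: frozenset[str]) -> str | None:
    """Name the well-known malformed-flag probes; None for ordinary packets."""
    if not flags:
        return "NULL"
    if {"FIN", "PSH", "URG"} <= flags and "ACK" not in flags:
        return "XMAS"
    if {"SYN", "FIN"} <= flags:
        return "SYN-FIN"
    if flags == {"FIN"}:
        return "FIN-only"
    return None


def distinct_ports_in_window(events, window: timedelta) -> int:
    """Most distinct DPTs one source hit inside any span of length `window`."""
    events = sorted(events)
    counts: Counter = Counter()
    best = left = 0
    for t, dpt in events:
        counts[dpt] += 1
        while t - events[left][0] > window:  # slide the left edge forward
            counts[events[left][1]] -= 1
            if counts[events[left][1]] == 0:
                del counts[events[left][1]]
            left += 1
        best = max(best, len(counts))
    return best


def analyze_firewall_log(lines, port_threshold: int = 6, window_seconds: int = 60):
    """Return sources that swept >= port_threshold ports and any odd-flag packets."""
    per_src: dict[str, list] = defaultdict(list)
    odd: list[tuple[str, int, str]] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        when, src, _proto, dpt, flags = parsed
        per_src[src].append((when, dpt))
        if flags is not None:
            label = classify_flags(flags)
            if label:
                odd.append((src, dpt, label))
    window = timedelta(seconds=window_seconds)
    sweeps = [(src, n) for src, ev in per_src.items()
              if (n := distinct_ports_in_window(ev, window)) >= port_threshold]
    return {"sweeps": sweeps, "odd_flags": odd}


if __name__ == "__main__":
    report = analyze_firewall_log(SAMPLE_FWLOG)
    for src, n in report["sweeps"]:
        print(f"port sweep: {src} hit {n} distinct ports")
    for src, dpt, label in report["odd_flags"]:
        print(f"odd flags: {src} -> port {dpt} ({label})")
```

Point it at `/var/log/messages` (or wherever the LOG target goes) with `analyze_firewall_log(open(path))`. The threshold and window are the knobs to tune: a slow scan spread over hours, the kind the post says a skilled attacker uses, will slip under a 60-second window, which is exactly why an IDS with longer memory is the next step.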