On Mon, Aug 9, 2010 at 2:09 PM, Mick <michaelkintzios@×××××.com> wrote:
> On Monday 09 August 2010 17:25:56 Paul Hartman wrote:
>> My user account has sudo-without-password rights to any command.
>
> Ouch!
>

Having still not physically touched the machine yet, I don't know if
sudo had anything to do with it at all at this point. But I'll assume
for a moment that its use was perhaps involved...

> There have been discussions on this list why sudo is a bad idea and sudo on
> *any* command is an even worse idea. You might as well be running everything
> as root, right?

Essentially. I did not think it through from an internally-defensive
standpoint. I only thought of sudo as "I am deciding whether to run
this command as user or as root". Assuming *I* would be the only one
running a program on my computer. My thinking was clearly flawed
there... The idea of an attacker being in my system didn't really
enter my mind. Or an untrusted program shelling out and running "sudo
some-bad-stuff" without my knowing. Every sudo command is logged,
sure, but as Bill pointed out that only works for as long as it takes
someone to sudo himself into a root shell (or delete the logs). I
don't really audit the sudo logs regularly because of the stupid
assumption that I was the only one running any sudo commands.

> You have decided wisely to reinstall because you can't be sure of this OS
> anymore.

I'm most concerned about learning how this happened because I don't
want to reinstall everything only to be compromised again, and with
the hope that perhaps any info I find can help others avoid finding
themselves in this same situation. If I'm only going to re-create the
exact same set-up, I don't know if I can be sure of it then even after
reinstalling...

> Please keep us updated on what you find from the forensic analysis.

Sudo was one of the first things that popped into my head. sshd is
really the only service open to the outside. Some other ports are open
for specific apps, like bittorrent traffic, which is what I was
monitoring when I noticed the suspicious activity -- and I was
downloading a Linux ISO, I swear. My original plans for tonight were
to install Sabayon on an old laptop that is becoming unmanageable from
a Gentoo standpoint due to infrequent use and days-long update
sessions. I'll put that little project on hold for now...

My sshd setup is pubkey only, no root logins, and I use denyhosts to
block after 3 failed logins, and it syncs its blocklist from the
denyhosts master server many times a day. I use NX Server, but not
with the default key, and I don't think there have been any (publicly
disclosed) remotely-exploitable opensshd vulnerabilities that would
allow an attacker direct entry into a system. I haven't noticed
anything out of place on my system, no unusual files or missing items.
I take infrequent peeks at my ssh logs, w/who/last and network traffic
(as I did today when I discovered it), but I am not religious about
reading every log. Life has been quite busy lately and I haven't had
as much time to dedicate to that sort of stuff. It has been more like
log on, check my email, pay my bills, log off.

So, from that outside-entry standpoint I was certainly lulled into a
false sense of security about my system. My root account has a very
long and complicated password, and my user account was surely
"impenetrable" since I was using pubkey-only SSH logins, right... I
have encrypted partitions, but they are mounted when the system is up
and running, so they are really pointless against an "online"
attack...

Typing that long password into sudo every time I ran a command was a
hassle, and clearly I thought myself too intelligent to ever run a
malicious piece of code on my own computer. I mean, that's the kind of
thing I would never do. I'm careful. I usually look at things before I
run them, scan them with clamscan (not that I run outside
scripts/binaries very often at all). Right? And what if a
seemingly-safe program decided to download and run malware on its own?
What if there was a vulnerability that was exploited before it was
discovered & patched by the community (and my Gentoo update cycle)?
What if there was a rogue Firefox add-on stealing passwords or running
shell scripts? That would probably never happen, surely someone else
would have noticed it and put a stop to it before it got to me, or I
would have read a warning about it in the tech news someplace. Yeah,
I'm being a bit sarcastic here. ;)

I do hope I can find some evidence that leads me to the point of
entry. It would set my mind at ease.
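The two problems the post describes, a NOPASSWD grant on ALL and sudo logging that stops being useful once someone sudos into a root shell, are both easy to surface with a small audit over sudoers and the sudo syslog entries. The script below is an added example, not code from this thread or from the sudo project; the sudoers lines, the log entries and the user names in it are constructed.

```python
import re

# Constructed sudoers lines; the first is the "sudo without password on
# any command" grant under discussion, the others are for contrast.
SUDOERS = """
paul  ALL=(ALL) NOPASSWD: ALL
mick  ALL=(ALL) ALL
ops   ALL=(root) NOPASSWD: /usr/bin/emerge --sync, /sbin/reboot
bob   ALL=(ALL) NOPASSWD: /bin/bash
"""

# Constructed syslog-style sudo entries. Once /bin/bash is spawned as root,
# sudo records nothing further, so the log only covers the first hop.
SUDO_LOG = """
Aug  9 14:05:01 box sudo:     paul : TTY=pts/0 ; PWD=/home/paul ; USER=root ; COMMAND=/usr/bin/emerge --sync
Aug  9 14:07:12 box sudo:     paul : TTY=pts/0 ; PWD=/home/paul ; USER=root ; COMMAND=/bin/bash
Aug  9 14:09:40 box sudo:     paul : TTY=pts/1 ; PWD=/home/paul ; USER=root ; COMMAND=/bin/su -
"""

# sudoers grant: user host=(runas) [TAG: ...] command, command, ...
GRANT_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?((?:[A-Z]+:\s*)*)(.+)$")
LOG_RE = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.+)$")
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh", "/bin/su", "/usr/bin/su"}


def audit_sudoers(text):
    """Return (user, reason) for every grant that amounts to 'root on anything'."""
    findings = []
    for line in text.splitlines():
        m = GRANT_RE.match(line.strip())
        if not m or line.lstrip().startswith("#"):
            continue
        user, _host, _runas, tags, cmds = m.groups()
        cmd_list = [c.split()[0] for c in cmds.split(",") if c.strip()]
        if "ALL" in cmd_list:
            reason = "NOPASSWD on ALL commands" if "NOPASSWD" in tags else "ALL commands (password required)"
            findings.append((user, reason))
        elif any(c in SHELLS for c in cmd_list):
            findings.append((user, "grants an interactive shell, equivalent to ALL"))
    return findings


def root_shells(log):
    """Return (user, command) for sudo log entries that spawned a root shell."""
    hits = []
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if m and m.group(2) == "root" and m.group(3).split()[0] in SHELLS:
            hits.append((m.group(1), m.group(3)))
    return hits
```

Grants that open a shell are reported alongside ALL because, as the post notes, a root shell makes every later command invisible to sudo's own log.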