| 1 |
On Mon, Aug 9, 2010 at 2:09 PM, Mick <michaelkintzios@×××××.com> wrote: |
| 2 |
> On Monday 09 August 2010 17:25:56 Paul Hartman wrote: |
| 3 |
>> My user account has sudo-without-password rights to any command. |
| 4 |
> |
| 5 |
> Ouch! |
| 6 |
> |
| 7 |
|
| 8 |
Having still not physically touched the machine yet, I don't know if |
| 9 |
sudo had anything to do with it at all at this point. But I'll assume |
| 10 |
for a moment that its use was perhaps involved... |
| 11 |
|
| 12 |
> There have been discussions on this list why sudo is a bad idea and sudo on |
| 13 |
> *any* command is an even worse idea. You might as well be running everything |
| 14 |
> as root, right? |
| 15 |
|
| 16 |
Essentially. I did not think it through from an internally-defensive |
| 17 |
standpoint. I only thought of sudo as "I am deciding whether to run |
| 18 |
this command as user or as root". Assuming *I* would be the only one |
| 19 |
running a program on my computer. My thinking was clearly flawed |
| 20 |
there... The idea of an attacker being in my system didn't really |
| 21 |
enter my mind. Or an untrusted program shelling out and running "sudo |
| 22 |
some-bad-stuff" without my knowing. Every sudo command is logged, |
| 23 |
sure, but as Bill pointed out that only works for as long as it takes |
| 24 |
someone to sudo himself into a root shell (or delete the logs). I |
| 25 |
don't really audit the sudo logs regularly because of the stupid |
| 26 |
assumption that I was the only one running any sudo commands. |
| 27 |
|
| 28 |
> You have decided wisely to reinstall because you can't be sure of this OS |
| 29 |
> anymore. |
| 30 |
|
| 31 |
I'm most concerned about learning how this happened because I don't |
| 32 |
want to reinstall everything only to be compromised again, and with |
| 33 |
the hope that perhaps any info I find can help others avoid finding |
| 34 |
themselves in this same situation. If I'm only going to re-create the |
| 35 |
exact same set-up, I don't know if I can be sure of it then even after |
| 36 |
reinstalling... |
| 37 |
|
| 38 |
> Please keep us updated on what you find from the forensic analysis. |
| 39 |
|
| 40 |
Sudo was one of the first things that popped into my head. sshd is |
| 41 |
really the only service open to the outside. Some other ports are open |
| 42 |
for specific apps, like bittorrent traffic, which is what I was |
| 43 |
monitoring when I noticed the suspicious activity -- and I was |
| 44 |
downloading a Linux ISO, I swear. My original plans for tonight were |
| 45 |
to install Sabayon on an old laptop that is becoming unmanageable from |
| 46 |
a Gentoo standpoint due to infrequent use and days-long update |
| 47 |
sessions. I'll put that little project on hold for now... |
| 48 |
|
| 49 |
My sshd setup is pubkey only, no root logins, and I use denyhosts to |
| 50 |
block after 3 failed logins, and it syncs its blocklist from the |
| 51 |
denyhosts master server many times a day. I use NX Server, but not |
| 52 |
with the default key, and I don't think there have been any (publicly |
| 53 |
disclosed) remotely-exploitable opensshd vulnerabilities that would |
| 54 |
allow an attacker direct entry into a system. I haven't noticed |
| 55 |
anything out of place on my system, no unusual files or missing items. |
| 56 |
I take infrequent peeks at my ssh logs, w/who/last and network traffic |
| 57 |
(as I did today when I discovered it), but I am not religious about |
| 58 |
reading every log. Life has been quite busy lately and I haven't had |
| 59 |
as much time to dedicate to that sort of stuff. I has been more like |
| 60 |
log on, check my email, pay my bills, log off. |
| 61 |
|
| 62 |
So, from that outside-entry standpoint I was certainly lulled into a |
| 63 |
false sense of security about my system. My root account has a very |
| 64 |
long and complicated password, and my user account was surely |
| 65 |
"impenetrable" since I was using pubkey-only SSH logins, right... I |
| 66 |
have encrypted partitions, but they are mounted when the system is up |
| 67 |
and running, so they are really pointless against an "online" |
| 68 |
attack... |
| 69 |
|
| 70 |
Typing that long password into sudo every time I ran a command was a |
| 71 |
hassle, and clearly I thought myself too intelligent to ever run a |
| 72 |
malicious piece of code on my own computer. I mean, that's the kind of |
| 73 |
thing I would never do. I'm careful. I usually look at things before I |
| 74 |
run them, scan them with clamscan (not that I run outside |
| 75 |
scripts/binaries very often at all). Right? And what if a |
| 76 |
seemingly-safe program decided to download and run malware on its own? |
| 77 |
What if there was a vulnerability that was exploited before it was |
| 78 |
discovered & patched by the community (and my Gentoo update cycle)? |
| 79 |
What if there was a rogue Firefox add-on stealing passwords or running |
| 80 |
shell scripts? That would probably never happen, surely someone else |
| 81 |
would have noticed it and put a stop to it before it got to me, or I |
| 82 |
would have read a warning about it in the tech news someplace. Yeah, |
| 83 |
I'm being a bit sarcastic here. ;) |
| 84 |
|
| 85 |
I do hope I can find some evidence that leads me to the point of |
| 86 |
entry. It would set my mind at ease. |
Archives