Ack! I've Been Hacked!
cat /var/log/secure | more
and was shocked at what I saw.
Oct 26 01:19:03 ulysses in.fingerd[10953]: connection from 12.13.129.56
Oct 26 01:19:04 ulysses in.imapd[10954]: connection from 12.13.129.56
Oct 26 01:19:06 ulysses in.ipop3d[10955]: connection from 12.13.129.56
"Who is this (12.13.129.56)?" I thought. I did a traceroute to see where this person was coming from, but it didn't reveal much beyond "somewhere in America."
I knew that the finger daemon (fingerd, an old UNIX program that lets anyone ask for information about a user: user name, date of last login, .plan file and so on) has a history of security problems, so I was shocked that I had failed to turn this daemon off (a very stupid error). Imapd and ipop3d are the daemons that let users download mail messages to a remote machine via the IMAP and POP3 protocols. I had not heard of security holes in these programs. Note the timing, though: three different services touched from the same address within three seconds looks like an automated scanner walking down a list, not a person typing.
So I panicked, changed my passwords, and looked at the /etc/passwd file (where UNIX machines traditionally keep each account's encrypted password, in a file every user can read) and noticed another stupid error: I had forgotten to activate shadow passwords, which move those encrypted passwords into /etc/shadow, readable only by root. I had done it earlier; however, my kernel went bad after an upgrade, and I had to reinstall Linux. After the reinstallation, I forgot to reactivate shadow passwords.
I had previously (long before this attack) installed the Secure Shell and turned off telnet, rlogin, rsh, etc. Now I reactivated shadow passwords and turned off fingerd, imapd and ipop3d (there is only one other user on the machine, and he connects from a "dumb" terminal, so he doesn't need to, and actually cannot, download mail to his machine), but I still had another weak point: FTP. I love to use FTP to transfer files from my Windoze machine (which has a scanner) to my Linux computer; usually these are scanned pictures that I put on WWW-pages. FTP sends the login name and password across the network in the clear, just as telnet does. To fix this security hole, I've downloaded the files and documents for the Secure Socket Layer (SSL) for Linux; however, I'm still trying to figure out how to install the files. (The scp program that comes with Secure Shell copies files over the same encrypted channel as the login, given an scp client on the Windows side.) Note: to see how to "turn off" these daemons in Linux, see the Security HOWTO.
Nothing had happened yet; my machine appeared to be working normally. Perhaps RH Linux 5.1's version of fingerd has fixed the latest security hole (or the hacker wasn't very good). I breathed a sigh of relief and thought, "Why would somebody try to hack my computer?" It's a purely educational machine that acts as a WWW-server and LISTSERV server and will perform as a CU-SeeMe reflector for video conferences with my students and students from other countries (more on this at a later date). It made no sense.
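The two fixes described above, turning off inetd-driven daemons and putting shadow passwords back, done the way the Security HOWTO does them. This is an added example, not code from the original article; the inetd.conf and passwd contents are constructed stand-ins (the hashes are made up), and the temporary file paths are demo assumptions rather than the live /etc files.

```sh
#!/bin/sh
# Added example, not from the original article: (1) comment the finger,
# pop-3 and imap lines out of inetd.conf and make inetd reread it;
# (2) check whether /etc/passwd still carries password hashes, which is
# what "shadow passwords off" looks like from the outside. File contents
# below are constructed stand-ins; paths are demo assumptions.

WORK=$(mktemp -d)
INETD_CONF="$WORK/inetd.conf"      # stand-in for /etc/inetd.conf
PASSWD="$WORK/passwd"              # stand-in for /etc/passwd

cat > "$INETD_CONF" <<'EOF'
# <service> <socket> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
#telnet stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
imap    stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
EOF

cat > "$PASSWD" <<'EOF'
root:Xy7dKqPbEzRf2:0:0:root:/root:/bin/bash
daemon:*:2:2:daemon:/sbin:/bin/sh
student:Qb3mNvLc9aWs.:500:500:Student:/home/student:/bin/bash
EOF

# Comment out every active line whose first field is the service name.
# sed -i is not portable, so write a copy and move it into place.
disable_service() {                # usage: disable_service inetd.conf service
    sed "s/^\($2[[:space:]]\)/#\1/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Services inetd would still start: non-blank lines not beginning with '#'.
active_services() {                # usage: active_services inetd.conf
    awk '!/^[[:space:]]*#/ && NF { print $1 }' "$1"
}

# Accounts whose second field is not just "x", "*" or "!" markers,
# i.e. a real hash sitting in the world-readable passwd file.
unshadowed_accounts() {            # usage: unshadowed_accounts passwd
    awk -F: '$2 !~ /^[x*!]*$/ { print $1 }' "$1"
}

# inetd reads its config only at start-up and on SIGHUP.
reload_inetd() {                   # for the real machine; not called here
    kill -HUP "$(cat /var/run/inetd.pid)"
}

for svc in finger pop-3 imap; do
    disable_service "$INETD_CONF" "$svc"
done
echo "inetd services still enabled: $(active_services "$INETD_CONF" | tr '\n' ' ')"
echo "accounts with a hash in passwd (run pwconv): $(unshadowed_accounts "$PASSWD" | tr '\n' ' ')"
```

On the real machine the same two functions would be pointed at /etc/inetd.conf and /etc/passwd, followed by reload_inetd and pwconv; until inetd is HUPped the old daemons keep being started, and until pwconv runs the hashes stay readable by every local user.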
Then, later in the week, I was checking /var/log/httpd/access_log to see how many students had been using my WWW-pages (I work very hard on them; the students had better use the pages!) when I saw these entries:
12.13.129.56 - - [26/Oct/1998:01:19:05 +0100] "GET /cgi-bin/phf" 302 -
12.13.129.56 - - [26/Oct/1998:01:19:06 +0100] "GET /cgi-bin/test-cgi" 404 -
12.13.129.56 - - [26/Oct/1998:01:19:06 +0100] "GET /cgi-bin/handler" 404 -
CGI programs also have a history of terrible security holes. I liked seeing the "404" error code on the last two, but the first one scared me a bit: a 302 is a redirect, so the server answered that request instead of reporting the file missing. So I moved to the cgi-bin directory and looked at what was inside it. Only one file, and not phf. Whew! Again, it looks like I survived, not through skill but because I was lucky (the hacker wasn't very good and didn't seem to be that interested).
I visited the Netscape Developer site to read about CGI security problems. I was particularly disturbed to read that the Apache WWW-server (my server) was mentioned as using the phf file. Hmm . . . they have removed that from their installations by now, right?
Well, I still don't think the hacker got root's password (the gold medal of any UNIX hack), or else they would have tried to log in as root by now. However, I'm going to be reading as much about network security as possible. Here's a good place to start, for me and for any of you who run computers hooked to the Internet (i.e., pretty much all of you): Yahoo's Security and Encryption WWW-page.
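The checks above against /var/log/secure and the access_log can be tied together so the scanning host is picked out once and its web probes listed beside it. This is an added example, not code from the original article; the log lines are constructed copies of the ones quoted in the text plus one innocent client, and the temporary file paths stand in for the real logs.

```sh
#!/bin/sh
# Added example, not from the original article: pick the scanning host out
# of /var/log/secure (tcpd's "connection from" lines) and list what that
# same host asked the web server for. Log lines below are constructed;
# file paths are demo stand-ins, not the live logs.

WORK=$(mktemp -d)
SECURE_LOG="$WORK/secure"          # stand-in for /var/log/secure
ACCESS_LOG="$WORK/access_log"      # stand-in for /var/log/httpd/access_log

cat > "$SECURE_LOG" <<'EOF'
Oct 26 01:19:03 ulysses in.fingerd[10953]: connection from 12.13.129.56
Oct 26 01:19:04 ulysses in.imapd[10954]: connection from 12.13.129.56
Oct 26 01:19:06 ulysses in.ipop3d[10955]: connection from 12.13.129.56
Oct 26 09:02:11 ulysses in.ipop3d[11002]: connection from 10.0.0.7
EOF

cat > "$ACCESS_LOG" <<'EOF'
12.13.129.56 - - [26/Oct/1998:01:19:05 +0100] "GET /cgi-bin/phf" 302 -
12.13.129.56 - - [26/Oct/1998:01:19:06 +0100] "GET /cgi-bin/test-cgi" 404 -
12.13.129.56 - - [26/Oct/1998:01:19:06 +0100] "GET /cgi-bin/handler" 404 -
10.0.0.7 - - [26/Oct/1998:09:03:40 +0100] "GET /index.html" 200 1024
EOF

# Clients that touched at least MIN distinct inetd services (default 3).
# A real user hits one service; a scanner walks through several in seconds.
scan_suspects() {                  # usage: scan_suspects secure_log [min]
    awk -v min="${2:-3}" '
        /connection from/ {
            daemon = $5; sub(/\[.*/, "", daemon)   # "in.fingerd[10953]:" -> "in.fingerd"
            ip = $NF
            if (!seen[ip, daemon]++) count[ip]++
        }
        END { for (ip in count) if (count[ip] >= min) print ip, count[ip] }
    ' "$1"
}

# Every /cgi-bin/ request from one client, with the status it got back.
# The request is taken from between the quotes so this works whether or not
# the line carries an "HTTP/1.0" protocol field (the article's lines do not).
cgi_probes() {                     # usage: cgi_probes access_log client_ip
    awk -v ip="$2" '
        $1 == ip {
            split($0, q, "\"")                 # q[2] = request, q[3] = " status bytes"
            split(q[2], req, " "); split(q[3], rest, " ")
            if (req[2] ~ /^\/cgi-bin\//) print req[2], rest[1]
        }' "$1"
}

# Tie the two logs together: for each suspect, show its CGI probes.
# A 404 means the script is not there; a 200 would mean it actually ran.
for ip in $(scan_suspects "$SECURE_LOG" | awk '{ print $1 }'); do
    echo "== $ip probed several services; its CGI requests:"
    cgi_probes "$ACCESS_LOG" "$ip"
done
```

The threshold on distinct services is what separates the scan from ordinary mail pickups: the innocent 10.0.0.7 client touches one daemon and never shows up, while the scanner is reported with all three. Any probe that came back 200 is the one to investigate first, since it means the requested CGI program exists and answered.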
Twenty years ago, my parents never locked the garage door or the car doors; now (even in their extremely rural area) they must do such things, and they even have an alarm system hooked up to the house. A few years ago, hacking was not as big a deal; however, as more computers are connected to the Internet and more people use the 'Net, hacking and other forms of 'Net crime will increase. Every Internet user should become more aware of the security problems of their O/S. Also, the makers of the O/S should increase (and are increasing) their efforts to make security a feature of the O/S (so we don't have to think about it as much). Who knows, in a few years we might only use encrypted data and all aspects of an O/S might be encrypted ("The Secure O/S").
Well, it's time to check those log files again.