[hobbit] SSL Certificate checking

Larry.Barber at usda.gov Larry.Barber at usda.gov
Tue May 17 15:50:52 CEST 2005


Aide (an open source version of tripwire) could detect the changed
files, and there is a script for monitoring aide from BigBrother on
deadcat.

Thanks,
Larry Barber
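To make the suggestion above concrete, the following is an added example (not Hobbit/BB, AIDE or any poster's code) of the kind of check an external Hobbit/BB script would run: it records a baseline of the SSH host public key and other sensitive paths, computes the key's fingerprint the way `ssh-keygen -lf` prints it, and reports red when a key changes, a watched file disappears, or a file appears in a location that should stay empty (such as a second sshd under /usr/local). The key material, file names and the temporary directory are constructed for the demonstration.

```python
"""Host-key and file-integrity drift check in the spirit of AIDE/tripwire.
Added example; not code from Hobbit, BigBrother or AIDE. All paths and the
sample key below are constructed for the demonstration."""
import base64
import hashlib
import json
import os
import tempfile

# Constructed key blob (NOT a real RSA key): just bytes in the OpenSSH wire format prefix.
SAMPLE_KEY_BLOB = b"\x00\x00\x00\x07ssh-rsa\x00\x00\x00\x01\x03\x00\x00\x00\x04\x00\xc0\xff\xee"
SAMPLE_KEY_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_KEY_BLOB).decode() + " constructed@example"


def ssh_fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint of an OpenSSH public-key line, same form as 'ssh-keygen -lf'."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def sha256_file(path: str) -> str:
    """Stream-hash a file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record hash, size and permission bits per path; a path that does not
    exist is recorded as None, which lets us watch for files that should NOT appear."""
    baseline = {}
    for p in paths:
        if os.path.exists(p):
            st = os.stat(p)
            baseline[p] = {"sha256": sha256_file(p), "size": st.st_size, "mode": st.st_mode & 0o777}
        else:
            baseline[p] = None
    return baseline


def check_drift(baseline):
    """Compare the current filesystem state against a stored baseline."""
    changes = {"modified": [], "removed": [], "appeared": []}
    for p, expected in baseline.items():
        current = build_baseline([p])[p]
        if expected is None and current is not None:
            changes["appeared"].append(p)
        elif expected is not None and current is None:
            changes["removed"].append(p)
        elif expected != current:
            changes["modified"].append(p)
    return changes


def hobbit_colour(changes) -> str:
    """Status colour a BB/Hobbit ext script would report."""
    return "green" if not any(changes.values()) else "red"


def demo():
    """Simulate a baseline, then a host-key replacement plus a rogue sshd appearing."""
    with tempfile.TemporaryDirectory() as d:
        key = os.path.join(d, "ssh_host_rsa_key.pub")      # constructed path
        rogue = os.path.join(d, "usr_local_sbin_sshd")      # constructed path that must stay absent
        with open(key, "w") as f:
            f.write(SAMPLE_KEY_LINE + "\n")
        baseline = build_baseline([key, rogue])
        before = check_drift(baseline)
        # Replace the host key with a different (constructed) blob and create the rogue file.
        with open(key, "w") as f:
            f.write("ssh-rsa " + base64.b64encode(b"\x00\x00\x00\x07ssh-rsaOTHER").decode() + "\n")
        open(rogue, "wb").close()
        after = check_drift(baseline)
        return hobbit_colour(before), hobbit_colour(after), after


if __name__ == "__main__":
    print("fingerprint:", ssh_fingerprint(SAMPLE_KEY_LINE))
    print(json.dumps(demo(), indent=2))
```

In a real deployment the baseline would be written to read-only or off-host storage and the script would emit the colour to the Hobbit/BB server; comparing the recorded fingerprint against what clients see on connection is what catches a replaced sshd even when the process is still running.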

On Mon, 2005-05-16 at 22:23 -0500, adam at websitemanagers.com.au wrote:
> I understand that hobbit (and bbgen) will check the validity of SSL 
> certificates on a HTTPS site, but I was wondering if hobbit (or bbgen)
> would also check that a ssh certificate does NOT change?
> 
> Note, all the rest of this email is off-topic, so please don't
> respond 
> to it on the list. Feel free to send your comments offlist.
> 
> Reason being, this morning one of my servers was hacked, I found out 
> because: 
> *) BB noticed /var/log/messages was truncated 
> *) BB noticed sshd wasn't running any longer
> 
> I then noticed, because the SSH key had been changed, and basically 
> someone had compiled a new ssh and in the process changed the key. It 
> would have been nice had BB detected that as well (since a hacker
> might 
> not always truncate log files, nor change the process name of ssh,
> even 
> though it is still running).
> 
> For those that are interested, and I'd be keen to hear from people 
> (probably off-list) regarding their thoughts/suggestions.
> 
> This machine is running debian testing, and I have a BB ext which
> alerts 
> me if updates are available but not installed, so I install them
> daily, 
> so it is always up to date. 
> The machine runs a kernel which is likely to have a locally exploitable
> bug (2.4.25) 
> The machine has open services to the internet of: 
> *) apache-perl (from debian) 
> *) DJB's tinydns (from debian source package) 
> *) DJB's qmail (from debian source package) 
> *) ssh (from debian)
> 
> apache-perl is serving up RT (from debian) and no other CGI/etc
> 
> qmail calls qmail-scanner-queue.pl which calls spamassassin + clamav 
> which are also both from debian.
> 
> The machine is listed as secondary MX for a load of domains, and also 
> primary NS for a load of domains.
> 
> The machine had 4 users with a password set (root + 3 admin users)
> all 
> the rest were disabled in /etc/shadow.
> 
> As for password brute-force, I've had john running for over an hour,
> and 
> it hasn't found anything yet, at 1221 attempts per second, I think
> that 
> comes to 1025640 passwords it has tried..... 
> guesses: 0  time: 0:01:10:13 (3)  c/s: 1221  trying: agig1
> 
> ie, the password for the 4 users are not easily guessable....
> password 
> are never sent in cleartext either...
> 
> Basically, so far as I can tell, the person has set a password for
> user 
> games, compiled/installed openssh (into /usr/local/), and that's all
> I 
> can see so far.
> 
> The thing that bothers me most is that this is a debian (testing) 
> machine, with all the patches/updates etc, and yet it was still
> hacked.
> 
> My suspicion is that they gained access via ssh, since they went to
> the 
> trouble of replacing that....
> 
> My fear is that I won't find HOW they got in, and therefore can't put 
> the machine back online with any degree of confidence that it won't 
> happen again....
> 
> As above, please send comments/suggestions to me offline.
> 
> Regards, 
> Adam
> 
> -- 
> Adam Goryachev 
> Website Managers 
> Ph:  +61 2 8304 0000
> adam at websitemanagers.com.au 
> Fax: +61 2 8304 0001                        www.websitemanagers.com.au