Hey folks. I am absolutely stealing this idea from barrebas :)
This is my first weekly roundup. In an effort to post more, once a week I will post something here with some interesting things I have found throughout the week. Some will be infosec related, others will just be technology or other things that I'm interested in.
Of course we have to start off talking about the GHOST vulnerability!
GHOST (CVE-2015-0235) is a heap-based buffer overflow in glibc, you know, the C library that almost every program on your Linux machine is linked against. Not a good thing to have a public exploit for.
The bug lives in __nss_hostname_digits_dots(), the internal helper that gethostbyname() and gethostbyname2() call to deal with hostnames made only of digits and dots. Its buffer-size check forgets to count one char pointer (h_alias_ptr), so a name of just the right length overflows the caller's buffer by sizeof(char *): 4 bytes on 32-bit, 8 bytes on 64-bit. Any program that hands attacker-supplied hostnames to those functions can have its memory corrupted and, with enough work, be made to run code as the user the program runs as; Qualys demonstrated a remote exploit against the Exim mail server. Very nasty stuff! Two caveats worth knowing: the fix went into glibc 2.18 back in 2013 without being flagged as a security fix, so distributions that froze on 2.17 or older were still exposed and you should check your distro's glibc package rather than the upstream version number; and getaddrinfo() does not go through this code path at all, which is why programs written against the modern API were largely unaffected.
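To make the size arithmetic concrete, here is a probe in the spirit of the public Qualys test, written for this post as an added example (it is not code from the original post or from glibc). It builds a purely numeric hostname whose length makes the vulnerable check pass by exactly one pointer, and places a canary right behind the buffer: if gethostbyname_r() clobbers the canary, the libc is vulnerable. The constant 16 is sizeof(struct in6_addr), the two pointers are h_addr_ptrs, and the missing pointer is h_alias_ptr.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

#define CANARY "in_the_coal_mine"

/* A 1024-byte result buffer with a canary immediately after it. If the
 * unchecked pointer write happens, it lands in `canary`. */
static struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} probe = { "buffer", CANARY };

/* Returns 1 if the canary was overwritten (vulnerable glibc), 0 if it
 * survived (patched glibc, or a libc such as musl that never had the bug). */
int ghost_probe(void)
{
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;
    char name[sizeof(probe.buffer)];

    /* The vulnerable check computed
     *   size_needed = sizeof(in6_addr) [16] + 2*sizeof(char *) + strlen(name) + 1
     * and forgot the extra sizeof(char *) for h_alias_ptr. Pick strlen(name)
     * so that size_needed == sizeof(buffer) exactly: the check passes, and the
     * forgotten pointer is written past the end of the buffer. */
    size_t len = sizeof(probe.buffer) - 16 - 2 * sizeof(char *) - 1;
    memset(name, '0', len);   /* all digits: takes the numeric path, no DNS traffic */
    name[len] = '\0';

    /* Reset the canary so the probe can be called more than once. */
    memcpy(probe.canary, CANARY, sizeof(CANARY));

    int rc = gethostbyname_r(name, &resbuf, probe.buffer, sizeof(probe.buffer),
                             &result, &herrno);
    (void)rc;   /* patched glibc returns ERANGE here; we only trust the canary */

    return strcmp(probe.canary, CANARY) != 0;
}

int main(void)
{
    if (ghost_probe())
        puts("vulnerable: canary overwritten");
    else
        puts("not vulnerable: canary intact");
    return 0;
}
```

Build with cc ghost.c -o ghost and run it on the box you care about. A patched glibc rejects the name with ERANGE and leaves the canary alone. Note that non-glibc libcs (musl on Alpine, for example) also leave the canary intact simply because they never had this code, so a clean result there says nothing about any glibc-based hosts you run.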
Now the embarrassing part for me...
This server got hacked... Yep. It did. I don't think it had anything to do with GHOST though :P
Right after I had moved SSH back to port 22 (now some obscure port) I noticed I had been disconnected from weechat. Out of DefSec habit, I ran w to see if anyone was connected, not expecting much, but to my surprise I found a user logged in (wwwdata, not to be confused with www-data, the Apache user) running the command ssh-scan 300! I also checked /etc/passwd and found two users that I didn't know about, wwwdata. So, I immediately shut down their processes, removed the accounts, reset passwords, and rebooted.
Of course, I couldn't keep a compromised system, and as this is simply a Digital Ocean droplet, I was easily able to restore my blog and everything to a new droplet. Unfortunately I didn't think to take a snapshot of the compromised machine to examine further; I just deleted it. How dumb of me! I did however find a folder /gosh, and a quick Google search for it led me to this site: http://www.shellperson.net/hacked-ssh-bruteforce/
Although this article is from 2010, it seems to be what happened. Weird thing is, all my passwords were very secure! Not exactly sure how they got in, but I assume it was some sort of automated attack. The good part about this is that I was able to clean up my server, and while restoring I have put great effort into security! Stuff like 4096-bit keys, HTTPS, stuff like that. Should be all secured now. It is pretty embarrassing since I am a competitor (and team captain) in CyberPatriot, which is the "National High School Cyber Defense Competition". Upsetting that I got hacked.
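As an added example (not from the original post), here is a small shell audit that automates the two checks that gave this intrusion away when looking at /etc/passwd: an account you did not create, and a name picked to blend in with a legitimate system account (wwwdata next to www-data). The passwd content below is constructed for the demo; the user names, UIDs and paths in it are made up and not the author's real file.

```sh
#!/bin/sh
# Added example: audit passwd(5) lines for accounts worth a second look.

# Constructed sample passwd (not a real system's file). Run against the real
# thing with:   audit_passwd < /etc/passwd
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
chris:x:1000:1000:chris:/home/chris:/bin/bash
wwwdata:x:1001:1001::/home/wwwdata:/bin/bash
toor:x:0:0::/root:/bin/bash'

# Reads passwd lines on stdin and prints one finding per line:
#   uid0 NAME            a second UID-0 account (anything not literally "root")
#   lookalike NAME ~ X   NAME normalises to the same string as earlier account X
#                        (case folded, punctuation stripped: wwwdata ~ www-data)
#   shell NAME           a human-range UID (>= 1000) with an interactive shell;
#                        this is the "do I know this person?" review list
audit_passwd() {
    awk -F: '
    {
        name = $1; uid = $3 + 0; shell = $7
        norm = tolower(name); gsub(/[^a-z0-9]/, "", norm)

        if (uid == 0 && name != "root") print "uid0 " name
        if (norm in seen) print "lookalike " name " ~ " seen[norm]
        seen[norm] = name
        if (uid >= 1000 && shell !~ /(nologin|false)$/) print "shell " name
    }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
```

On the sample this reports toor as a second UID-0 account, wwwdata as a lookalike of www-data, and lists chris and wwwdata as interactive accounts to confirm. Pair it with w (or last -a) for who is logged in, and remember that anything on a box you no longer trust, including awk itself, could have been replaced; the snapshot you take before wiping the droplet is what lets you run these checks from a clean system.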
g0tmi1k has this awesome post-install Kali script which I have been using lately. It does things like install ZSH and XFCE, as well as various tools useful in pentests.
The original can be found here: https://github.com/g0tmi1k/os-scripts
or you can look at my changes here: https://github.com/cquick97/os-scripts
(Note: I have some stuff configured in my script, like my name in .gitconfig, etc. Make sure to change that stuff when you use it unless you want to be me!)