Bug 72771 - standard install rh7.3 instantly breached, netbus installed
Product: Red Hat Linux
Classification: Retired
Component: ipchains
Platform: i386 Linux
Priority: high
Severity: medium
Assigned To: Mike A. Harris
QA Contact: Ben Levenson
Keywords: Security
Reported: 2002-08-27 14:07 EDT by mike ramstrom
Modified: 2007-03-26 23:56 EDT
Last Closed: 2002-08-27 14:07:42 EDT
Description mike ramstrom 2002-08-27 14:07:35 EDT
Description of Problem:

Our DNS server was breached, we rebuilt from scratch using shrink-wrapped 7.3
pro, standard server install with kde, nfs, samba, ftp, dns, webserving, and
ssh.  We were breached again within minutes of going runlevel 5.  The backdoor
NetBus is installed somehow, as recorded by nmap.  lsof does not show port 12345
so I assume a rootkit was installed as well.  We are going to re-install within
a couple of hours, with nothing but DNS, webservice, and ssh so if you want to
examine this machine email me.  

Version-Release number of selected component (if applicable):
rh 7.3 pro

How Reproducible:
you need our cracker

Comment 1 Mike A. Harris 2002-08-27 20:59:52 EDT
There have been many security updates of the software included in
Red Hat Linux 7.3 since it was originally released.  The first thing
that one should do after installing the operating system, is update
_all_ software to the latest versions which Red Hat has released
since the OS became available.

You should not put any system live online until it is updated with
security updates.  This is true for any Linux distribution, or
any other operating system.

If a system is not properly updated with security updates, then it
is quite likely that it could be breached if connected to the Internet.

It is the responsibility of the end user to ensure that their system
is properly updated with our security updates before putting it online.

This is not a bug in the distribution, it is just common security

Since this was filed against ipchains, and is not an ipchains bug
report, I'll add a few additional comments pertaining to firewalling.

ipchains/iptables packet filtering is not at all 100% protection against
system intrusion.  ipchains and iptables can only protect the system
against intrusion if they are configured properly to block ports that
are to be isolated from external sources, etc.

Any ports that one allows through the packet filter, and which have
software listening on those ports for incoming connections, will
allow someone to connect to them by definition.  This is not a bug,
this is the way the software works, and is supposed to work.  If you
do not want people connecting to a given port, then you need to configure
ipchains/iptables to block that port.  If you do allow people to
connect to a given port, then it is your responsibility to ensure that
the software listening on that port, is updated to the latest security
and bugfix updates that have been released by Red Hat for your
distribution release.

Updates are available via Red Hat Network by using "up2date", or via
the web based Red Hat Network infrastructure, as well as via FTP
from:  ftp://updates.redhat.com

Red Hat regularly publishes security advisories to Bugtraq, and other
common security lists, as well as to redhat-watch-list@redhat.com, which
is archived.  We've got a section on our website dedicated to computer
security/advisories as well:


There are various guides, etc. available at the above URL with which
to learn how to properly secure your system and keep it secure.

Since this isn't really a bug report, and isn't a bug in ipchains,
I'm closing this bug as NOTABUG.

I hope that you may find this information useful to you in keeping
your systems properly secured and up2date, and raising the bar
against further system compromise.
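The two observations in this report, a port that nmap sees open from the outside while lsof on the host shows no listener, and the comment's point that only ports both allowed through the packet filter and backed by a listening service are reachable, can be cross-checked mechanically. The following is an added example, not part of the bug report or of any Red Hat tool; the nmap and lsof output is constructed, as is the hostname, and the allowed-port set assumes the reporter's planned DNS/web/ssh rebuild.

```python
import re

# Constructed sample of an external `nmap` scan (not the reporter's actual output)
NMAP_OUTPUT = """\
Interesting ports on ns1.example.invalid (192.0.2.10):
Port       State       Service
22/tcp     open        ssh
53/tcp     open        domain
80/tcp     open        http
12345/tcp  open        NetBus
"""

# Constructed sample of `lsof -i -n -P` run on the host itself
LSOF_OUTPUT = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE NODE NAME
sshd      612 root    3u  IPv4   1234       TCP *:22 (LISTEN)
named     640 named   4u  IPv4   1301       TCP *:53 (LISTEN)
httpd     701 root   16u  IPv4   1402       TCP *:80 (LISTEN)
"""

# TCP ports the packet filter is meant to let in: ssh, DNS, web (assumed policy)
ALLOWED_TCP = {22, 53, 80}

def nmap_open_ports(text):
    """TCP ports reported open in nmap's port table."""
    return {int(m.group(1)) for m in re.finditer(r"^(\d+)/tcp\s+open", text, re.M)}

def lsof_listen_ports(text):
    """TCP ports with a LISTEN socket according to lsof on the host."""
    return {int(m.group(1)) for m in re.finditer(r"TCP \S*:(\d+) \(LISTEN\)", text)}

def audit(nmap_text, lsof_text, allowed):
    seen = nmap_open_ports(nmap_text)
    local = lsof_listen_ports(lsof_text)
    return {
        # reachable by design: allowed through the filter and something is listening
        "exposed": sorted(seen & allowed),
        # reachable although policy says the filter should drop it: filter gap
        "not_blocked": sorted(seen - allowed),
        # reachable from outside yet invisible to local tools: hidden listener,
        # the symptom the reporter attributed to a rootkit
        "hidden": sorted(seen - local),
    }

if __name__ == "__main__":
    for key, ports in audit(NMAP_OUTPUT, LSOF_OUTPUT, ALLOWED_TCP).items():
        print(f"{key}: {ports}")
```

Any port in `hidden` cannot be trusted from the host's own view; the only reliable check is the external scan, and the only reliable remedy is the rebuild and full update the comment describes.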
