Red Hat Bugzilla – Bug 72771
standard install rh7.3 instantly breached, netbus installed
Last modified: 2007-03-26 23:56:29 EDT
Description of Problem:
Our DNS server was breached, we rebuilt from scratch using shrink-wrapped 7.3
pro, standard server install with kde, nfs, samba, ftp, dns, webserving, and
ssh. We were breached again within minutes of going runlevel 5. The backdoor
NetBus is installed somehow, as recorded by nmap. lsof does not show port 12345
so I assume a rootkit was installed as well. We are going to re-install within
a couple of hours, with nothing but DNS, webservice, and ssh so if you want to
examine this machine email me.
Version-Release number of selected component (if applicable):
rh 7.3 pro
you need our cracker
Steps to Reproduce:
There have been many security updates of the software included in
Red Hat Linux 7.3 since it was originally released. The first thing
that one should do after installing the operating system, is update
_all_ software to the latest versions which Red Hat has released
since the OS became available.
You should not put any system live online until it is updated with
security updates. This is true for any Linux distribution, or
any other operating system.
If a system is not properly updated with security updates, then it
is quite likely that it could be breached if connected to the Internet.
It is the responsibility of the end user to ensure that their system
is properly updated with our security updates before putting it online.
This is not a bug in the distribution, it is just common security
Since this was filed against ipchains, and is not an ipchains bug
report, I'll add a few additional comments pertaining to firewalling.
ipchains/iptables packet filtering is not at all 100% protection against
system intrusion. ipchains and iptables can only protect the system
against intrusion if they are configured properly to block ports that
are to be isolated from external sources, etc.
Any ports that one allows through the packet filter, and which have
software listening on those ports for incoming connections, will
allow someone to connect to them by definition. This is not a bug,
this is the way the software works, and is supposed to work. If you
do not want people connecting to a given port, then you need to configure
ipchains/iptables to block that port. If you do allow people to
connect to a given port, then it is your responsibility to ensure that
the software listening on that port, is updated to the latest security
and bugfix updates that have been released by Red Hat for your
Updates are available via Red Hat Network by using "up2date", or via
the web based Red Hat Network infrastructure, as well as via FTP
Red Hat regularly publishes security advisories to Bugtraq, and other
common security lists, as well as to firstname.lastname@example.org, which
is archived. We've got a section on our website dedicated to computer
security/advisories as well:
There are various guides, etc. available at the above URL with which
to learn how to properly secure your system and keep it secure.
Since this isn't really a bug report, and isn't a bug in ipchains,
I'm closing this bug as NOTABUG.
I hope that you may find this information useful to you in keeping
your systems properly secured and up2date, and raising the bar
against further system compromise.
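The reporter's observation above (nmap from outside showed TCP 12345 open, while lsof on the host did not list it) is itself a useful detection check: compare what the host admits to listening on with what an external scan reaches, and with the short list of services you intended to expose. The following script is an added example, not part of the bug report or of Red Hat's tooling; the lsof and nmap output it parses is constructed sample data, and the service-name-to-port table is an assumption standing in for /etc/services.

```python
import re

# Constructed sample data: the host's own view (lsof) versus an external nmap scan.
LSOF_OUTPUT = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE NODE NAME
named     412 named   4u  IPv4   1234       TCP *:domain (LISTEN)
httpd     520 root    3u  IPv4   1301       TCP *:http (LISTEN)
sshd      601 root    3u  IPv4   1410       TCP *:ssh (LISTEN)
"""

NMAP_OUTPUT = """\
PORT      STATE SERVICE
22/tcp    open  ssh
53/tcp    open  domain
80/tcp    open  http
12345/tcp open  netbus
"""

# Assumed mapping for the service names lsof prints in place of port numbers.
SERVICE_PORTS = {"domain": 53, "http": 80, "ssh": 22}

# Services the rebuilt host is meant to expose: DNS, web and ssh only.
INTENDED_PORTS = {22, 53, 80}


def lsof_listening_ports(text):
    """Ports the host's own socket listing admits are in LISTEN state."""
    ports = set()
    for line in text.splitlines():
        m = re.search(r"TCP \S+:(\S+) \(LISTEN\)", line)
        if not m:
            continue
        name = m.group(1)
        port = int(name) if name.isdigit() else SERVICE_PORTS.get(name)
        if port is not None:
            ports.add(port)
    return ports


def nmap_open_ports(text):
    """TCP ports an external scanner found open."""
    return {int(m.group(1)) for m in re.finditer(r"^(\d+)/tcp\s+open", text, re.M)}


def hidden_listeners(lsof_text, nmap_text):
    """Reachable from outside but absent from the local listing: a sign of tampered tools."""
    return sorted(nmap_open_ports(nmap_text) - lsof_listening_ports(lsof_text))


def unexpected_ports(nmap_text, intended=INTENDED_PORTS):
    """Reachable ports that the packet filter should have blocked or that should not exist."""
    return sorted(nmap_open_ports(nmap_text) - intended)
```

Run the scan from a second, trusted host; a kernel-level rootkit can falsify /proc and the local tools alike, so the host's own listing is only one side of the comparison.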