Description of Problem:
Our DNS server was breached. We rebuilt from scratch using shrink-wrapped 7.3 pro, standard server install with kde, nfs, samba, ftp, dns, webserving, and ssh. We were breached again within minutes of going runlevel 5. The backdoor NetBus is installed somehow, as recorded by nmap. lsof does not show port 12345, so I assume a rootkit was installed as well. We are going to re-install within a couple of hours, with nothing but DNS, webservice, and ssh, so if you want to examine this machine, email me.

Version-Release number of selected component (if applicable):
rh 7.3 pro

How Reproducible:
you need our cracker

Steps to Reproduce:
1.
2.
3.

Actual Results:

Expected Results:

Additional Information:
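The discrepancy the reporter describes, a port that an external nmap scan sees open but that lsof on the host does not list, can be checked mechanically. The script below is an added example, not part of the original report; it assumes nmap's grepable output format (`-oG`) for the external scan and the default `lsof -i -P -n` column layout on the host, and the sample lines it contains are constructed for the example (the function names are hypothetical). Any port that appears in the first list but not the second is a hidden listener and a strong sign that the host's own tools or kernel are no longer trustworthy.

```shell
#!/bin/sh
# Constructed sample data: grepable nmap output (nmap -oG -) from a scan run
# on a separate, trusted host, and lsof -i -P -n output taken on the suspect host.
NMAP_SAMPLE='Host: 192.0.2.10 ()  Ports: 22/open/tcp//ssh///, 53/open/udp//domain///, 80/open/tcp//http///, 12345/open/tcp//netbus///'
LSOF_SAMPLE='COMMAND  PID  USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
sshd     512  root   3u IPv4   1234      0t0  TCP *:22 (LISTEN)
named    600 named   4u IPv4   1300      0t0  UDP *:53
httpd    700  root   4u IPv4   1400      0t0  TCP *:80 (LISTEN)'

# ports_from_nmap TEXT: print "port/proto" for every open port in grepable nmap output.
ports_from_nmap() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed -n 's#.*[[:space:]]\([0-9][0-9]*\)/open/\([a-z]*\)/.*#\1/\2#p' \
        | sort -u
}

# ports_from_lsof TEXT: print "port/proto" for every socket lsof reports on the host.
ports_from_lsof() {
    printf '%s\n' "$1" | awk '
        $0 ~ /(TCP|UDP) [^ ]*:[0-9]+/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "TCP" || $i == "UDP") {
                    proto = tolower($i)
                    addr = $(i + 1)
                    sub(/.*:/, "", addr)      # keep only the port after the last colon
                    print addr "/" proto
                }
            }
        }' | sort -u
}

# hidden_listeners NMAP_TEXT LSOF_TEXT: ports reachable from outside that no local
# process admits to. Non-empty output means lsof (or the kernel) is hiding a socket.
hidden_listeners() {
    {
        ports_from_lsof "$2" | sed 's/^/L /'
        ports_from_nmap "$1" | sed 's/^/N /'
    } | awk '$1 == "L" { seen[$2] = 1; next } !($2 in seen) { print $2 }'
}

# Stand-alone use: ./check.sh scan.gnmap lsof.txt; with no arguments, run on the sample.
if [ $# -eq 2 ]; then
    hidden_listeners "$(cat "$1")" "$(cat "$2")"
else
    hidden_listeners "$NMAP_SAMPLE" "$LSOF_SAMPLE"
fi
```

On the constructed sample the only line printed is `12345/tcp`, the NetBus port the reporter saw. The scan must come from a second machine, and on a host suspected of carrying a rootkit the lsof side should be taken with a statically linked binary from trusted media rather than the host's own `/usr/sbin/lsof`, since that binary (or the libc it loads) is exactly what a rootkit replaces.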
There have been many security updates of the software included in Red Hat Linux 7.3 since it was originally released. The first thing that one should do after installing the operating system is update _all_ software to the latest versions which Red Hat has released since the OS became available. You should not put any system live online until it is updated with security updates. This is true for any Linux distribution, or any other operating system. If a system is not properly updated with security updates, then it is quite likely that it could be breached if connected to the Internet. It is the responsibility of the end user to ensure that their system is properly updated with our security updates before putting it online. This is not a bug in the distribution, it is just common security practice.

Since this was filed against ipchains, and is not an ipchains bug report, I'll add a few additional comments pertaining to firewalling. ipchains/iptables packet filtering is not at all 100% protection against system intrusion. ipchains and iptables can only protect the system against intrusion if they are configured properly to block ports that are to be isolated from external sources, etc. Any ports that one allows through the packet filter, and which have software listening on those ports for incoming connections, will allow someone to connect to them by definition. This is not a bug, this is the way the software works, and is supposed to work. If you do not want people connecting to a given port, then you need to configure ipchains/iptables to block that port. If you do allow people to connect to a given port, then it is your responsibility to ensure that the software listening on that port is updated to the latest security and bugfix updates that have been released by Red Hat for your distribution release.
Updates are available via Red Hat Network by using "up2date", or via the web based Red Hat Network infrastructure, as well as via FTP from:

ftp://updates.redhat.com

Red Hat regularly publishes security advisories to Bugtraq, and other common security lists, as well as to redhat-watch-list, which is archived. We've got a section on our website dedicated to computer security/advisories as well:

http://www.redhat.com/support/alerts

There are various guides, etc. available at the above URL with which to learn how to properly secure your system and keep it secure.

Since this isn't really a bug report, and isn't a bug in ipchains, I'm closing this bug as NOTABUG. I hope that you may find this information useful to you in keeping your systems properly secured and up2date, and raising the bar against further system compromise.
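The comment's point that the packet filter only helps when it is configured to block everything you do not intend to expose is easiest to see as a default-deny rule set. The script below is an added example, not a Red Hat script and not part of the original bug; it assumes iptables with the `state` match (available on the 2.4 kernels of this era), takes the three services the reporter plans to keep on the rebuilt host (DNS, HTTP, SSH) as the only permitted inbound ports, and uses hypothetical function names. Everything else is dropped and logged, so an unexpected listener such as the one on port 12345 is unreachable from outside even if it gets installed.

```shell
#!/bin/sh
# Constructed example: default-deny INPUT policy exposing only DNS, HTTP and SSH.
# Assumed service list; adjust ALLOWED_TCP / ALLOWED_UDP for the host's real role.
ALLOWED_TCP="22 53 80"   # ssh, dns over tcp (zone transfers, large answers), http
ALLOWED_UDP="53"         # dns queries
IPT=${IPT:-iptables}     # path to the iptables binary; overridable for testing

# build_rules: print the iptables commands, one per line, without running them.
# Order matters: loopback and established traffic first, explicit ACCEPTs next,
# and a LOG rule last so that the DROP policy leaves a trace in syslog.
build_rules() {
    echo "$IPT -F INPUT"
    echo "$IPT -P INPUT DROP"
    echo "$IPT -P FORWARD DROP"
    echo "$IPT -A INPUT -i lo -j ACCEPT"
    echo "$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in $ALLOWED_TCP; do
        echo "$IPT -A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $ALLOWED_UDP; do
        echo "$IPT -A INPUT -p udp --dport $p -j ACCEPT"
    done
    echo "$IPT -A INPUT -j LOG --log-prefix 'INPUT-DROP: ' --log-level 4"
}

# port_allowed PROTO PORT: succeed only if the generated rule set explicitly accepts it.
# Useful as a pre-flight check before applying, e.g. port_allowed tcp 12345 must fail.
port_allowed() {
    build_rules | grep -q -- "-p $1 --dport $2 .*-j ACCEPT"
}

# apply_rules: execute the commands (requires root and a working iptables).
apply_rules() {
    build_rules | sh -e
}

# With --apply the rules are loaded; otherwise they are only printed for review.
if [ "${1:-}" = "--apply" ]; then
    apply_rules
else
    build_rules
fi
```

Printing the rules before applying them is deliberate: a default-deny policy that omits port 22 locks the administrator out of a remote box, so review the output (or run `port_allowed tcp 22`) from a console session before `--apply`. The filter does nothing for the three services that remain open; those still need the vendor's security updates, which is the comment's main point.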