Answer the question
In order to leave comments, you need to log in
Is it possible to find a backdoor in the left packages (ex. dotdeb)?
Good afternoon.
Under my control at the time of the events described, there were about 10 servers and vds-ok.
Three of them experimentally used dotdeb packages. Here with them after I became (in order to pump the iptables skill) on all machines to monitor the ports opened on LISTEN, problems began to arise.
How did I follow.
1) DROP on explicitly unresolved. Everything was almost normal. From time to time, monitoring bounces came that mysql was dumbing down just hell (backups on neighboring vds, I thought).
2) On two, my playful hands made available TARPIT instead of DROP.
And then it began.
From mysqld at some strange time about once every two weeks (the only regularity is that the minute is equal to the last_octet_IP%60) on the port of high randomness (about 10k-20k) forks and opens Xinetd connections.
mysqld does not show signs of life at this moment (it seems to be waiting for something).
Then after about 20 seconds xinetd dies, everything works.
I looked at this PPC and took the whole dotdeb to hell.
Fears were added by the fact that on GDD11 I casually heard such a piece of something of the dialogue “If your system administrator began to install packages from dotdeba and other leftists, drive him with pissing rags with the corresponding entry in the labor room away from the servers, he is incompetent.”
Since some time will be freed up soon, I think to continue digging.
Questions to the audience:
1) was access to the dotdeb reps compromised (and maybe I just [didn't] get in and wasted my keyboard resource)?
2) How uh... to look for a bookmark? (I will be glad to links and advice)
3) is it possible to speed up the system timer every 10 times (to try to repeat it all)?
4) Perhaps someone will be able to explain what is wrong with a system administrator who installs packages from reps and does not litter the make && make install system?
I don't see anything bad in this, only good. Who is to blame, that off. turnips are so slow-pokey.
In general, the worst-case scenario gives the ideal crime:
1) start collecting packages
2) collect the level of respect and response speed
3) make a backdoor into binaries, which opens at the time and on the port depending on the software, software version, server IP, server OS, moon phase, the number of medals of the Chinese team at the Beijing 2008 Olympics.
4)…
Thanks in advance!
Answer the question
In order to leave comments, you need to log in
And MySQL doesn't shine outside? By description, this is much more like exploiting a vulnerability in MySQL, for example e
Sorry, idiotic question, if “Xinetd forks and opens connections”, then maybe it’s worth looking at all its configs first? Maybe there you will find the culprit, who does it?
Well, plus, since you keep track of the moment when it starts, then lsof -i -n
at that moment netstat will help you or there
Well, all sorts of rkhunter to help you, maybe they will meet someone they know.
Packages must be installed exclusively from reps and only from the distribution's official reps, or reps (in rare cases, single packages) provided by the developers of the utility you need (for example, VirtualBox from Oracle or Proxmox having its own rep).
About make && make install read the article .
It’s an interesting question, I use dotdeb for personal purposes, I chased hackers once, but the vulnerability was in a nulled template for Joomla (let damn friends to my server), or in a hole in the script and uploading the shell to the server.
The shell was controlled through the IRC channel, in / tmp there was a folder with shell sorts and there was a config, appearances and passwords were registered, I sat on that channel pretending to be a bot, but then I spoke to the channel's op, he killed all the bots, and I stayed.
A separate muddy story about sending spam and selling ready-made clean servers for mailings.
Since then, some paranoia has been living in me, I started using dotdeb with the release of pohape 5.3
, in general, I haven’t noticed any activity yet, but maybe I just haven’t come across it yet ...
I’ll be watching more carefully ...
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question