2011-07-18

There have been multiple compromises as of noon on 2011-07-18. The compromises have fundamentally been accomplished through weak passwords and bad NFS configuration (sometimes followed by various privilege escalation techniques).

Please review and strengthen all of the passwords on your machines. You may now also change all of the drupal user passwords. Also, review your NFS setup to make sure that it is safe: check which hosts each share is exported to, and whether root is squashed on each export.
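
As an added illustration (not part of the original announcement), the script below audits /etc/exports-style lines for the settings that turn an NFS share into a foothold: exports to any host (`*`), `no_root_squash` (a remote root keeps uid 0 on the share and can plant setuid binaries), and `insecure` (requests accepted from unprivileged source ports, so any local user on an allowed client can forge uids). The two export files are constructed samples, not taken from any class machine; the first shows the weak settings, the second the corrected form.

```shell
#!/bin/sh
# audit_exports: read /etc/exports-style lines on stdin and print one
# finding per risky (path, client) pair. Prints nothing for a clean file.

# Constructed sample: the weak configuration.
SAMPLE_EXPORTS='# constructed sample /etc/exports
/export/home    *(rw,no_root_squash)
/export/data    192.168.1.0/24(rw,sync,root_squash)
/srv/pub        *(ro,sync)
/export/build   10.0.0.0/8(rw,insecure,no_root_squash)'

# Constructed sample: the same shares with explicit client networks,
# root squashed, and privileged source ports required.
HARDENED_EXPORTS='# constructed sample /etc/exports (hardened)
/export/home    192.168.1.0/24(rw,sync,root_squash)
/export/data    192.168.1.0/24(rw,sync,root_squash)
/srv/pub        192.168.1.0/24(ro,sync)
/export/build   10.0.5.0/24(rw,sync,secure,root_squash)'

audit_exports() {
    set -f   # client specs contain '*'; do not let the shell glob them
    while read -r path clients; do
        # skip blank lines and comments
        case "$path" in ''|\#*) continue ;; esac
        # a line may carry several "client(options)" specs
        for spec in $clients; do
            case "$spec" in
                *\(*) host=${spec%%\(*}; opts=${spec#*\(}; opts=${opts%\)} ;;
                *)    host=$spec; opts='' ;;   # no options given
            esac
            case ",$opts," in
                *,no_root_squash,*)
                    echo "$path $host: no_root_squash (remote root keeps uid 0, can write setuid binaries)" ;;
            esac
            case ",$opts," in
                *,insecure,*)
                    echo "$path $host: insecure (unprivileged source ports accepted, client users can forge uids)" ;;
            esac
            if [ "$host" = "*" ]; then
                case ",$opts," in
                    *,rw,*) echo "$path $host: writable by any host" ;;
                    *)      echo "$path $host: exported to any host" ;;
                esac
            fi
        done
    done
    set +f
}

# Stand-alone run: list the findings for the weak sample, then confirm
# the hardened sample is clean.
printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports
printf '%s\n' "$HARDENED_EXPORTS" | audit_exports
```

On a live host, feed it the real file with `audit_exports < /etc/exports`; an empty result means only the checks above pass, so still confirm that the exported client networks are actually the ones you intend.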

Check your machines for signs of compromise. If you find any, carefully consider every way into your system(s) (accounts, network services, shared filesystems) and what exposure each one creates.

Starting at noon on 2011-07-19, I will allow the same compromises to count for more points if they are still successful.

2011-07-19

Rules update: no more ARP poisoning (i.e., no more ettercap), and no more denial-of-service attacks.

The FAQ, so far

  1. Can I turn off iptables for my backdoor? Yes, you can turn off iptables blocking of up to four ports on a compromised host to allow incoming connections to your backdoor. However, this should not be a permanent change; use iptables -I to insert your temporary rules (and iptables -D to delete them when you are done). (Added 2011-07-18)
  2. Can I use port knocking to obscure my backdoor? Yes, you may, but the port knocking needs to be incorporated in your backdoor program. Do not install a separate daemon like knockd to do your portknocking. (Added 2011-07-18)
  3. Can I use a kernel module rather than a userland process for the backdoor? Yes, you may, but you should insert the module by hand (for instance, with insmod), and it should not be automatically re-installed at reboot. This kernel module should be thoroughly tested before you install it on the target — and "thorough" means tested on the same kernel as the target. (Added 2011-07-18)
  4. Can I use a rootkit for the backdoor? Generally, no. However, as stated in 3, you can use a one-shot kernel module insertion. But you are not to change the target machine's kernel, shared libraries, or system binaries in any permanent fashion. (Added 2011-07-18)