Koozali.org: home of the SME Server

e-smith box hacked

Richard

e-smith box hacked
« on: June 10, 2001, 07:13:27 PM »
We had an e-smith 4.12 box running for 2 weeks without problems, but 2 hours after forwarding port 22 through the hardware router and turning on ssh we were no longer able to login as root or admin.

Booting from the rescue floppy allowed us to check a few things out. The admin password had been changed, the log files tampered with - /var/log/secure and lastlog started from the time of our most recent attempts to log in. There was nothing showing in the command history for root - deleted too, we think.

It is extremely unlikely that anyone had physical access to the box to fiddle with it in the 2 hours, but then it's hard to believe that ssh could be breached so quickly. We did attempt a remote login over the net, so the password must have been sent. All a bit of a mystery at the moment. We took the box offline and will reformat.

Richard

Geoff Halprin

Re: e-smith box hacked
« Reply #1 on: June 11, 2001, 11:05:40 PM »
Thanks for bringing this to our attention. e-smith takes security very seriously, and for that reason we're following up with Richard to determine what exactly happened in this case. As soon as our investigation is complete, we'll post the results here. Meantime, we'd like to stress that we do not believe there are any vulnerabilities in the current version of e-smith. Previous reports of security compromises have been found to have been due to local modifications and not a weakness in the e-smith product as shipped.

We also want to reiterate that any potential security concerns should be reported directly to rather than being posted in a public forum. This is standard security practice -- see, for example, http://www.apache.org/security_report.html or the recovery procedures recommended by CERT (http://www.cert.org/nav/recovering.html).

To assist our investigations, we ask that users not reformat any e-smith box that they suspect has been the target of a security breach. Instead, disconnect that box from the network immediately and report the issue as above; someone from e-smith support will contact you with further instructions. We appreciate your co-operation in helping ensure e-smith products remain secure.

Users who want to know more about e-smith's security provisions should refer to our security whitepaper at http://www.e-smith.org/docs/papers/.

Warm regards,

Geoff Halprin
Chief Information Officer, e-smith

Ross Laver

Machine not compromised (was: Re: e-smith box hacked)
« Reply #2 on: July 07, 2001, 08:45:07 AM »
We have completed our investigation of this incident and have found no evidence that the server was compromised, and significant evidence to the contrary. Log files indicate that the password was changed at one point from the admin console, quite possibly when the machine was on the customer's site. One possibility is operator error; another is hardware failure of some sort. In any event, there is no sign of any tampering.

Ross Laver
e-smith, inc.