Koozali.org: home of the SME Server

e-smith user gets hacked

Stewart Midwinter

e-smith user gets hacked
« on: March 24, 2002, 09:48:30 AM »
I feel like I just came home and found my home gone through.  When I started up a new X session with gdm this evening, I find a new user's face in the login screen!  Let me say that I am the only user on my home workstation, which sits behind an e-smith gateway box.  

Upon perusal of some of my logs, I see signs that someone has logged in remotely to X, and has apparently been playing some games on my machine, and has poked around a number of directories.  Since I have never used any of the games that get installed with Mandrake Linux 8.2, it's clear that it wasn't me.

I am gravely concerned and would like to know how to prevent this from re-occurring.  I'm tempted to just wipe e-smith off the gateway and install some other product, but this may erase any evidence that could be useful in debugging this hole.

How can my e-smith firewall allow this to happen?

Any ideas?  Am I even reporting this in the right place?

PS. I see two potential holes:
1. I was allowing remote ssh access in the e-smith manager, with normal passwords (now turned off).
2. in the gdm expert settings configuration, I had allowed remote logins (as I was going to try a remote connection from my office with VNC).  I've turned that off as well.

guestHH

Re: e-smith user gets hacked
« Reply #1 on: March 24, 2002, 01:44:54 PM »
Hi,

Try to send a report to security@e-smith.com along with your e-smith log files

Regards,
guestHH

Gordon Rowell

Re: e-smith user gets hacked
« Reply #2 on: March 24, 2002, 04:06:32 PM »
Never report security incidents to open forums. In the case of
Mitel SME Servers, provide a detailed report to
security@e-smith.com

Password based SSH is as strong as your passwords, so if your
password can easily be guessed/compromised, you have a risk.

Remote X sessions are a clear and obvious risk. X is not a
secure protocol and there are many probes and exploits.
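The two risks named above (password-based SSH that is only as strong as the password, and remote logins exposed beyond the LAN) are the kind of thing a quick look at the gateway's sshd log will show. The following is an added example, not code from the thread or from SME Server: it parses standard syslog-style sshd lines, flags successful password logins that did not come from the internal network, and counts repeated failures per source. The log lines and the assumed LAN ranges (RFC 1918) are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample sshd log lines in syslog format (not real logs from the thread).
SAMPLE_LOG = """\
Mar 23 22:01:11 gateway sshd[2311]: Failed password for root from 203.0.113.7 port 4411 ssh2
Mar 23 22:01:14 gateway sshd[2311]: Failed password for root from 203.0.113.7 port 4411 ssh2
Mar 23 22:01:19 gateway sshd[2311]: Failed password for admin from 203.0.113.7 port 4412 ssh2
Mar 23 22:02:03 gateway sshd[2315]: Accepted password for stewart from 203.0.113.7 port 4420 ssh2
Mar 23 22:30:40 gateway sshd[2390]: Accepted publickey for stewart from 192.168.1.20 port 51022 ssh2
Mar 23 23:05:12 gateway sshd[2402]: Accepted password for stewart from 192.168.1.20 port 51030 ssh2
"""

# Assumed internal address ranges for the LAN behind the gateway (RFC 1918).
# Listed explicitly rather than via ipaddress.is_private, which also treats
# documentation ranges such as 203.0.113.0/24 as "private".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches the "Accepted"/"Failed" lines OpenSSH writes for password and public-key auth.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_sshd_lines(text):
    """Return (result, method, user, src) tuples for every sshd auth line that matches."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["result"], m["method"], m["user"], m["src"]))
    return events


def is_internal(addr):
    """True if the address falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def analyse(text, fail_threshold=3):
    """Summarise password logins, external password logins and noisy failure sources."""
    events = parse_sshd_lines(text)
    failures = Counter(src for result, _, _, src in events if result == "Failed")
    external_password_logins = [
        (user, src)
        for result, method, user, src in events
        if result == "Accepted" and method == "password" and not is_internal(src)
    ]
    return {
        "password_logins": sum(1 for r, m, _, _ in events if r == "Accepted" and m == "password"),
        "external_password_logins": external_password_logins,
        "brute_force_sources": {src: n for src, n in failures.items() if n >= fail_threshold},
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the sample above the script reports one password login from outside the LAN, preceded by three failed guesses from the same source, which is exactly the pattern that makes password-only SSH on an internet-facing gateway worth turning off in favour of keys.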

stewart

Re: e-smith user gets hacked
« Reply #3 on: March 25, 2002, 01:45:35 AM »
thanks for the address to send the report to.  I had taken a good look around the e-smith site, but I was unable to find a contact there for this type of report.

Lloyd Keen

Re: e-smith user gets hacked
« Reply #4 on: March 25, 2002, 02:52:01 PM »
It doesn't really appear to be an e-smith issue anyway. Have a look at this mandrake security advisory: http://www.mandrakesecure.net/en/advisories/2002/MDKSA-2002-025.php

Stewart

Re: e-smith user gets hacked
« Reply #5 on: March 28, 2002, 01:11:35 AM »
Please correct me if I'm wrong, but the Mandrake vulnerability would only affect workstations directly connected to the internet.  My assumption would be that if I am behind an unmodified SME, then intruders should not be able to see or get into my internal workstation's desktop.  If port forwarding is not enabled, how can an intruder get into my workstation?    And if they can see in, what is the point of a firewall?

Rich Lafferty

Re: e-smith user gets hacked
« Reply #6 on: April 03, 2002, 08:33:06 PM »
Having investigated the configuration of his SME Server and his
workstation, both we and Stewart have concluded that there was no
intrusion.

All of the symptoms were found to have mundane explanations; what
appeared at first to be an intruder turned out to be misinterpretation of
the configuration on his internal workstation.

All the best,

Rich Lafferty
Network Server Solutions Group
Mitel Networks

SniperG

Re: e-smith user gets hacked
« Reply #7 on: April 05, 2002, 12:51:08 AM »
Which is pretty much what we have come to expect.

You're as secure as you make yourself, and as paranoid as you wanna be ....


Think b4 you shout, people.

Andrei

Re: e-smith user gets hacked
« Reply #8 on: April 11, 2002, 11:54:31 AM »
Amen to that Sniper!