
View Full Version : All Hosts and Server Owners: UPGRADE YOUR SENDMAIL!
AtlantaWebhost.com 01-30-2001, 07:44 PM Yesterday, a hacker broke into our Linux server and trashed the system. Even with full tape backups, it has proved difficult to restore the server. Right now, the data is all recovered from the tape, but the server is still down and will not be up until tomorrow!
It appears that the intruder somehow gained root access through Sendmail. We are upgrading our Sendmail and Bind to the latest versions before bringing the machine back online.
Please, anyone who maintains a server, upgrade your Sendmail and DNS server! I do not want anyone to have to go through the nightmarish recovery process we are in.
Best regards,
Frank Rietta
What versions of Sendmail and Bind were you running?
-Edward- 01-30-2001, 07:52 PM geez - I'm just learning and he comes out with this?... lol
How'd I upgrade sendmail? I don't use my own DNS so that shouldn't cause me a problem?
jayglate 01-30-2001, 07:56 PM That's why the people who don't want to be hacked run qmail instead of sendmail.
Travis 01-30-2001, 08:04 PM Hear, hear. (Not to mention djbdns - upgrade to bind 8.2.3 IMMEDIATELY if you're running bind.)
MySiteHost 01-30-2001, 08:50 PM Stupids that make it just put the glamour into it to make it better, and overlook the security aspect of things. They have done this for years, you'd think they would have done something by now. A website my friend is working on will walk you through security and holes in both Windows 2000 and Linux stuff. http://www.shryke.org
There isn't much there yet, because he is working more on another project at the moment with IRC stuff. But he will soon have some good and useful content up.
I'd say within the month, in fact.
What is the place to download new sendmail and bind?
Travis 01-30-2001, 09:16 PM bind is available from http://www.isc.org
jayglate 01-30-2001, 09:17 PM sendmail.org for sendmail and you can find bind at freshmeat.net
Are they against like that hacker attack or just new features?
AtlantaWebhost.com 01-30-2001, 11:28 PM We were using the versions of sendmail and bind that shipped with Red Hat 6.2. I am looking at an article about chrooting bind. You may find it interesting:
http://www.linuxdoc.org/HOWTO/Chroot-BIND-HOWTO.html
We are looking at many security enhancements. I would love to get suggestions from anyone with security experience.
We may have lost this round, but the fight is not over yet!
Best regards,
Frank Rietta
webfors 01-30-2001, 11:39 PM Update is complete. Thanks for the info Frank!
There are several bugs in BIND which was released yesterday but to my knowledge there is no actual exploit out. One of the bugs is remotely exploitable. The old version of sendmail is rootable but anyhow sendmail is just KNOWN to always have bugs. You should run qmail and vpopmail. They are much more customizable and are very secure.
James R. Clark II
Nethosters Inc.
http://www.nethosters.com
AtlantaWebhost.com 02-01-2001, 10:19 AM Originally posted by jayglate
That's why the people who don't want to be hacked run qmail instead of sendmail.
Do you have any experience setting up QMail? How difficult is the transition to it from sendmail? The gz file linked by qmail.org and its mirrors appears to be corrupted.
Best regards,
Frank Rietta
Maxine 02-01-2001, 05:01 PM According to the nice people at sendmail.org, the problem is not in sendmail, but in the Linux kernel. Sendmail can be used to exploit the bug. Full details:
http://www.sendmail.org/sendmail.8.10.1.LINUX-SECURITY.txt
Maxine
Actually my sysadmin is the one who does it all. He has installed it on all of our machines and it works fine. I am sure he can help you; just email him:
adam@nethosters.com
James R. Clark II
Nethosters Inc.
http://www.nethosters.com
Tim Greer 02-03-2001, 12:47 AM Actually, QMail isn't more secure, it's just easier to secure. Sendmail is great, but it's also much more complex than programs such as QMail. The issue lies, as with most software, of knowledge. It takes more time to become familiar enough with Sendmail, to make it secure. If you have the knowledge, it can certainly be just as secure (if not more), than QMail. However, most people don't have the interest (or time, possibly) to get familiar enough.
There's many, many, many things on Unix and Windows variants that are security issues. A high amount that I wouldn't dare to even start to list. There are usually alternatives, sure. QMail is good too though, but don't completely dismiss Sendmail either. Personally, I believe if someone doesn't have enough desire to obtain the knowledge required to run certain software packages, they likely should not only *not* run that program/software, but they likely have the same attitude about other aspects. Don't use this, because this other is easier to set up to be secure. A fine policy -- better than doing nothing, but often enough your services can suffer from not offering the features and tools you otherwise could be.
There's just so very many issues, and Sendmail is surely one of them, but there's so many others. I just think more people should spend more time and genuinely research these things, learn how it works and why, so they don't have to wait for security alerts to come out or wait to be attacked to only decide to use another program to solve the issue. QMail can't do *everything* Sendmail can, although it's close. QMail is a fine alternative, but I don't think people should confuse the issue at hand. Sendmail is not insecure; it's simply more difficult for a novice to secure it properly. Most things come down to configuration, although I too would certainly suggest someone use QMail in place of Sendmail, if they weren't familiar enough with Sendmail. It's better than opening yourself up to be attacked. You can't very well say Apache or Linux are not secure and to suggest Windows NT, because Apache or the Linux system wasn't configured properly, the proper things weren't denied access to or the permissions set properly -- or even from choosing a horribly poor password.
Finally, I would like to make mention of the fact that these people didn't "hack" and they are not "hackers". They broke into the system, they gained unauthorized access, they compromised the system and vandalized, etc. This is "cracking". "Hacking" is programming, modification of code, improving things, and having a carnal understanding of certain aspects of things you work with, on or build. That's all it is. I'm a "hacker", not a "cracker". The media already distorts it enough. Not a big issue, but if I say I'm a "Perl Hacker", I don't want people thinking I break into sites using Perl code or generally commit crimes of some nature. :-)
--
Regards,
Tim Greer: chatmaster@c-zone.net | Tel: (530) 247-1749
Programming: CGI, Perl, C/C++, ASP, SQL, PHP and more.
Server & network administration, security, consulting,
Installation & configuration. Unix/Linux/FreeBSD & NT.
webfors 02-03-2001, 01:15 AM If you install Plesk (very, very easy to do) it installs and configures Qmail for you.
And yes, please, everyone, hacker = programmer, cracker = criminal. You really have to get them straight. :D