Whitepaper One

roothack.org

by Team One

Thanks for submitting this whitepaper guys.
OK, here is what we did:

First off, we changed the root password to a minimum of 6 letters/numbers.
But we didn't shadow the passwords, for the simple reason that the server is
running on a LAN and is using NIS to get or supply user names and passwords
to other machines on the network. [think]
Then any daemons that were old, had vulnerabilities, or served no purpose
were either shut down or updated. [more info below]
In case of a remote root compromise, we installed a trojan hidden as a fake
daemon; it doesn't have a listening port until we send a certain packet to
it, so we feel this is a more secure trojan.
Checked for vulnerabilities and holes of any kind; system patched.
The telnetd banner helps a person identify the OS; here we changed it to RH7
to make it seem we are running something we are not.
Then we updated Wu-FTP 2.4.2 to Wu-FTP 2.6.1 (based on #chat logs).
To stop anonymous FTP users from attempting Denial of Service attacks, we
created a special filesystem to receive their uploads, i.e. /home/ftp/incoming.
This separate filesystem protects our server by limiting the total size of
all uploaded files, preventing them from consuming all available space on
the server.
By default, the server will not allow uploads from anonymous FTP users.
Just to be safe, and so we don't forget, we added a line:

upload /home/ftp * no

What this says is, "For any user whose home directory is the anonymous FTP
area, /home/ftp, do not allow any uploads."

Also, we made a little Perl script to deny certain packets:

#!/usr/bin/perl
# Packet death :P
# Pushes a set of ipv4 kernel knobs into /proc/sys/net/ipv4.
# Each system() call is a single string, so the shell handles the redirect.
use strict;
use warnings;

system("clear");
print "Sending Values...\n";

# Ignore all ICMP echo requests (the box stops answering ping).
system("/bin/echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all");
# Show which echo / unreachable knobs exist on this kernel.
system("/bin/ls /proc/sys/net/ipv4 | grep echo");
system("/bin/ls /proc/sys/net/ipv4 | grep unreach");
# Print the current ICMP destination-unreachable rate limit, then raise it.
system("/bin/cat /proc/sys/net/ipv4/icmp_destunreach_rate");
system("/bin/echo 999999999 > /proc/sys/net/ipv4/icmp_destunreach_rate");
# Drop malformed ICMP error responses instead of logging them.
system("/bin/echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses");
# 2.2-era masquerading knob: loose matching for masqueraded UDP replies.
system("/bin/echo 1 > /proc/sys/net/ipv4/ip_masq_udp_dloose");
# High-water mark (bytes) for memory used by IP fragment reassembly.
system("/bin/echo 1 > /proc/sys/net/ipv4/ipfrag_high_thresh");
# Enable SYN cookies once the SYN backlog overflows.
system("/bin/echo 1 > /proc/sys/net/ipv4/tcp_syncookies");
# Size of the half-open (SYN) backlog queue.
system("/bin/echo 1 > /proc/sys/net/ipv4/tcp_max_syn_backlog");

print "\nValues Sent!\n\n\n";

This will block SYN, ICMP, UDP, and fragmented packets. Hopefully it works on
RH6.

Loaded some fake daemons, which all get caught with a scan but deny any host
that connects.
We only have 3 daemons running for real, out of the 15 or so.
Changed the root password again.

OK, this is basically what we have done on the system (the most important
things).

Hope it keeps you updated on what you know.
EREBUS team

A_D
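Added example, not part of the whitepaper and not Team One's code: a Python version of the same /proc/sys push as the Perl script above, with the two checks the script fires blind. It verifies that each key exists on the running kernel before writing (the "hopefully it works on RH6" question), reads every value back so a silently refused write is reported, and renders only the keys the kernel actually accepted into sysctl.conf form, since a bare write to /proc/sys does not survive a reboot. The names `apply_sysctls`, `render_sysctl_conf`, `demo` and the `proc_root` parameter are assumptions of this example; `demo` runs against a constructed scratch directory standing in for /proc/sys/net/ipv4, so it can be tried without root.

```python
"""Apply the whitepaper's ipv4 knobs with read-back verification.

Added example; the function and parameter names here are assumptions,
not anything from the original script or from wu-ftpd/roothack.org.
"""
import errno
import shutil
import tempfile
from pathlib import Path

# Same keys and values the Perl script writes under /proc/sys/net/ipv4.
WHITEPAPER_SETTINGS = {
    "icmp_echo_ignore_all": "1",
    "icmp_destunreach_rate": "999999999",
    "icmp_ignore_bogus_error_responses": "1",
    "ip_masq_udp_dloose": "1",
    "ipfrag_high_thresh": "1",
    "tcp_syncookies": "1",
    "tcp_max_syn_backlog": "1",
}


def apply_sysctls(settings, proc_root="/proc/sys/net/ipv4"):
    """Write each key under proc_root, read it back, and classify the result.

    Returns {key: status} where status is one of
      "ok"             read-back equals the value written
      "missing"        key absent on this kernel (skipped, nothing written)
      "refused:<ERR>"  the write raised (EACCES, EINVAL, EISDIR, ...)
      "mismatch:<v>"   write succeeded but the kernel holds a different value
    """
    results = {}
    for key, value in settings.items():
        path = Path(proc_root) / key
        if not path.exists():
            results[key] = "missing"
            continue
        try:
            path.write_text(value + "\n")
        except OSError as exc:
            name = errno.errorcode.get(exc.errno, str(exc.errno))
            results[key] = f"refused:{name}"
            continue
        got = path.read_text().strip()
        results[key] = "ok" if got == value else f"mismatch:{got}"
    return results


def render_sysctl_conf(settings, results, prefix="net.ipv4"):
    """Render the keys that applied cleanly as sysctl.conf lines.

    Keys the kernel lacks or refused are left out, so `sysctl -p` on the
    persisted file will not fail on them at boot.
    """
    lines = [
        f"{prefix}.{key} = {value}"
        for key, value in settings.items()
        if results.get(key) == "ok"
    ]
    return "\n".join(lines) + ("\n" if lines else "")


def demo(settings=WHITEPAPER_SETTINGS):
    """Run apply_sysctls against a constructed scratch tree (no root needed).

    The tree mimics a kernel where ip_masq_udp_dloose (a 2.2-era masquerading
    knob) does not exist and where the tcp_max_syn_backlog write is refused;
    the refusal is simulated by making that entry a directory.
    """
    root = Path(tempfile.mkdtemp(prefix="fake-ipv4-"))
    try:
        for key in settings:
            if key == "ip_masq_udp_dloose":
                continue
            if key == "tcp_max_syn_backlog":
                (root / key).mkdir()
            else:
                (root / key).write_text("0\n")
        return apply_sysctls(settings, proc_root=root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    outcome = demo()
    for key, status in outcome.items():
        print(f"{key:40s} {status}")
    print(render_sysctl_conf(WHITEPAPER_SETTINGS, outcome), end="")
```

On the real box, run `apply_sysctls(WHITEPAPER_SETTINGS)` as root and write `render_sysctl_conf(...)` to /etc/sysctl.conf; any key that comes back `missing` is one the running kernel simply does not have, and any `mismatch` means the kernel clamped or rejected the value the script assumed it took.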