Re: Writes to mounted devices containing file-systems.

Alexander Viro (viro@math.psu.edu)
Fri, 10 Aug 2001 15:18:09 -0400 (EDT)


On Fri, 10 Aug 2001, Richard B. Johnson wrote:

> One of my file-servers was destroyed by an in-house hacker,
> (consultant) rented by our alleged Chief Information Officer,
> to destroy Linux systems and thereby show that they can't
> be used in a "professional" environment.

Adminned by clueless luser? I have to agree.

> I have about 20 megabytes of logs showing the machine being
> attacked from inside our firewall. Each time an attack occurred,
> I would firewall-out its phony IP address (ipchains). A few hours
> later the cycle repeated with another phony IP address.

Instead of trying to see WTF was going on and fixing the problem rather than
the symptoms? _Real_ smart... Or, at least, block everything except the boxen
that have any business accessing it? You know, with explicit "accept" rules
at the beginning of the chain with a catch-all "reject" after them...

> The exploit used multiple calls to get the system time, followed
> by an attempt to mount a file-system. Apparently the exploit
> eventually works because the system went down and the result was
> that the root file-system device, /dev/sda, was completely written
> with:
>
> "S E C U R I T Y "
>
> 8 Gb written with this 16-byte pattern.

Secure your box and stop whining. If an attacker can gain root on a box
you admin, it's your bloody responsibility to fix the thing, firewalls
or not. Sheesh...

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
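The ordering point Viro makes (explicit "accept" rules first, catch-all "reject" after, rather than chasing each new source address with another block rule) comes down to the first-match semantics of an ipchains chain. The following is an added example, not code from either poster: it simulates first-match evaluation of a chain, builds both rulesets over constructed sample addresses (the 10.1.x.x networks and hosts are made up for illustration), and renders the whitelist as the ipchains commands that would install it. The helper names and the sample addresses are assumptions of this example.

```python
"""Added example: first-match packet-filter evaluation, blacklist vs. default-deny whitelist.

The addresses used here are constructed for illustration and are not from the thread.
"""
import ipaddress

# A rule is (source network, target).  A source of None means "any address".
# ipchains walks the rules of a chain in order; the first match decides the
# verdict, and if nothing matches the chain's policy applies.


def evaluate(rules, policy, src):
    """Return the verdict for a packet from `src` under first-match semantics."""
    addr = ipaddress.ip_address(src)
    for net, target in rules:
        if net is None or addr in net:
            return target
    return policy


def blacklist_chain(known_attackers):
    """The per-incident approach: accept everything, reject addresses seen so far.

    Every new (or spoofed) source address falls through to the ACCEPT policy.
    """
    rules = [(ipaddress.ip_network(a), "REJECT") for a in known_attackers]
    return rules, "ACCEPT"


def whitelist_chain(authorized):
    """Viro's approach: ACCEPT rules for hosts with business on the box, then a
    catch-all REJECT.  Policy DENY is a safety net in case the chain is flushed.
    """
    rules = [(ipaddress.ip_network(n), "ACCEPT") for n in authorized]
    rules.append((None, "REJECT"))
    return rules, "DENY"


def to_ipchains(chain, rules, policy):
    """Render a rule list as the ipchains commands that would install it."""
    lines = [f"ipchains -F {chain}", f"ipchains -P {chain} {policy}"]
    for net, target in rules:
        src = "" if net is None else f" -s {net}"
        lines.append(f"ipchains -A {chain}{src} -j {target}")
    return lines


# Constructed scenario: two attacker addresses already firewalled out, a file
# server that should only be reachable from one subnet plus one admin host,
# and the next attack arriving from a source address not seen before.
KNOWN_ATTACKERS = ["10.1.2.3", "10.1.7.9"]
AUTHORIZED = ["10.1.0.0/24", "10.1.1.5"]
NEXT_SPOOFED_SOURCE = "10.1.9.9"


def compare(src):
    """Verdict for `src` under each ruleset: {'blacklist': ..., 'whitelist': ...}."""
    return {
        "blacklist": evaluate(*blacklist_chain(KNOWN_ATTACKERS), src),
        "whitelist": evaluate(*whitelist_chain(AUTHORIZED), src),
    }


if __name__ == "__main__":
    for src in [KNOWN_ATTACKERS[0], NEXT_SPOOFED_SOURCE, "10.1.0.42"]:
        print(src, compare(src))
    print("\n".join(to_ipchains("input", *whitelist_chain(AUTHORIZED))))
```

Running it shows the difference in one line: the already-seen attacker is rejected by both chains, but the next spoofed address is accepted by the blacklist and rejected by the whitelist, while an authorized host passes both. A real deployment would also match on the input interface and the destination port, which ipchains supports but this simulation leaves out.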