[Etherboot-developers] rom-o-matic.net offline temporarily
From: Marty C. <md...@th...> - 2001-08-14 14:25:58
rom-o-matic.net will be offline for a day or two for a rebuild. I apologize for any inconvenience.

Someone exploited a recently published stack overflow bug in xinetd to gain access. They then installed a root kit, and attempted to go into stealth mode on the machine. If you're using xinetd on a publicly accessible machine, I'd recommend you check securityfocus or your Linux vendor to get a patch/update.

The intrusion here was detected very quickly, and the machine is intact, including the root kit. The rom-o-matic.net web site was unaffected.

I was somewhat surprised by the complexity of the tools used. Basically, they installed two kernel modules that attempted to hide files and network connections at the kernel level. So if you did an "ls" or "netstat" you would simply not see files or unusual network connections. There are also tools that communicate with the modules and hidden processes to hide files with a particular owner, and certain ports on the machine. They hacked rc.sysinit so that the modules would be reinstalled upon system reboot. They installed an sshd running on a particular port number as a back door. They also changed the root password, and replaced some files in /usr/bin.

They then proceeded to attempt to use the server to do massive port scans, and ran tools to attempt to compromise other machines, using tools to scan large chunks of IP address space. The names of machines that were found were logged in a hidden directory.

If you've never had a server cracked in this fashion, it's quite an educational experience. I have the source of the tools that they used, and a .bash_history file of them port scanning and breaking into other machines, and using IRC to report successes, rather like a logging mechanism.

What annoys me about this is that some of the time I would spend preparing for LinuxWorld Expo and running my business now has to be used to rebuild this machine.

But I'm sure I was just part of some other massive port scan that indicated that I was running a vulnerable xinetd, and from there it was just a matter of stack-smashing and root-kitting, nothing personal.

Anyway, thanks a LOT to all the people who are contributing such excellent code and techniques to Etherboot. I've been listening, even though lately I've been too busy to add much to the discussion. You make it totally worthwhile to put up with the occasional bad moments. It's just deeply satisfying and rewarding to be helping people all over the world build networks of network booting workstations using Free Software.

rom-o-matic.net will be back soon, and it's my pleasure to provide the service.

Marty

---
Try: http://rom-o-matic.net/ to make Etherboot images instantly.
Name: Marty Connor
US Mail: Entity Cyber, Inc.; P.O. Box 391827; Cambridge, MA 02139; USA
Voice: (617) 491-6935, Fax: (617) 491-7046
Email: md...@th...
Web: http://www.thinguin.org/
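The post describes tools that hide files, processes and listening ports from "ls", "netstat" and "ps", and a back-door sshd on a non-standard port. One of the simplest ways a defender notices that kind of tampering is to compare two views of the same state: what the kernel reports through /proc against what the usual userland tools print, and what is actually listening against what the administrator expects. The following script is an added example, not code from Marty Connor's mail or from the Etherboot project. All sample data in it (a /proc/net/tcp excerpt, a netstat listing, a /proc directory listing and a ps PID list) is constructed, and the allowlist of expected ports is an assumption for the demo.

```python
"""Cross-check kernel /proc views against tool output and an allowlist.

Added example; sample data below is constructed, the allowlist is assumed.
A kernel module that filters /proc itself (as in the post) defeats the
first comparison, so the check is most useful when run from a known-good
rescue medium or against a disk image, not from the live, rooted box.
"""
import re

# Constructed /proc/net/tcp sample: LISTEN (state 0A) on ports 0x16 (22),
# 0x50 (80) and 0x7D2B (32043), plus one ESTABLISHED (state 01) connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 0 100 0 0 10 0
   2: 00000000:7D2B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9999 1 0 100 0 0 10 0
   3: 0100007F:0016 0100007F:C123 01 00000000:00000000 00:00000000 00000000     0        0 1240 1 0 100 0 0 10 0
"""

# Constructed output of a tampered `netstat -ltn`: the 32043 listener is missing.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
"""

# Constructed: directory entries of /proc versus the PIDs a tampered `ps` printed.
SAMPLE_PROC_ENTRIES = ["1", "2", "345", "678", "net", "self", "sys"]
SAMPLE_PS_PIDS = [1, 2, 345]

TCP_LISTEN = 0x0A  # socket state code for LISTEN in /proc/net/tcp


def listening_ports_from_proc(text):
    """Return the set of local TCP ports in LISTEN state from /proc/net/tcp text."""
    ports = set()
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]
        if int(state, 16) != TCP_LISTEN:
            continue
        ports.add(int(local_addr.split(":")[1], 16))  # port is hex after the colon
    return ports


def listening_ports_from_netstat(text):
    """Return the set of ports that netstat output claims are in LISTEN state."""
    ports = set()
    for line in text.splitlines():
        m = re.match(r"tcp6?\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN", line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def hidden_listeners(proc_text, netstat_text):
    """Ports the kernel reports but netstat omits: a sign of a tampered tool."""
    return sorted(listening_ports_from_proc(proc_text)
                  - listening_ports_from_netstat(netstat_text))


def unexpected_listeners(proc_text, allowed):
    """Listening ports that are not on the administrator's allowlist."""
    return sorted(listening_ports_from_proc(proc_text) - set(allowed))


def hidden_pids(proc_entries, ps_pids):
    """PIDs that exist as /proc/<pid> directories but are absent from ps output."""
    in_proc = {int(name) for name in proc_entries if name.isdigit()}
    return sorted(in_proc - set(ps_pids))


if __name__ == "__main__":
    print("listening (kernel view):", sorted(listening_ports_from_proc(SAMPLE_PROC_NET_TCP)))
    print("hidden from netstat:", hidden_listeners(SAMPLE_PROC_NET_TCP, SAMPLE_NETSTAT))
    print("not on allowlist:", unexpected_listeners(SAMPLE_PROC_NET_TCP, {22, 80}))
    print("hidden from ps:", hidden_pids(SAMPLE_PROC_ENTRIES, SAMPLE_PS_PIDS))
```

On a real host the two text samples would be replaced by reading /proc/net/tcp (and /proc/net/tcp6) directly and by the output of netstat, and the entry list by os.listdir("/proc"). Any disagreement between the raw and tool views, or any listener outside the allowlist, is the cue to stop trusting the installed binaries and continue from offline media, which is the situation the post describes once the replaced files in /usr/bin and the rc.sysinit hook were found.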