Anatomy of a UNIX breach

From: Stephen Kraus 
------------------------------------------------------
Thought some of you would enjoy this, I know I did.

https://isc.sans.edu/diary.html?storyid=11290

=============================================================== From: Bobby ------------------------------------------------------ "Note how the bad guy uses Nano to edit the config file, which tells us that he isn't all that experienced on Unix. A real Unix hacker would most likely use "vi", because vi is present on all Unix flavors and versions." What? That's like saying that a real typist would use the row of numbers at the top of a keyboard because number pads aren't present on all keyboards. That comment seemed a bit out of place.

=============================================================== From: Joshua Estes ------------------------------------------------------ Anyone ever used Kippo? http://code.google.com/p/kippo/ Pretty neat to watch some of the logs, saw one some place where a user tried to install ruby and do a few other things. - Joshua Estes @JoshuaEstes "If you live periods of your life in misery, when you remember back to those times, all you'll remember is the misery. The misery robs you of great memories you could otherwise be making."

=============================================================== From: wes ------------------------------------------------------ the comment would be out of place if it referred to the number pad. alternatives to vi are SO uncommon that it really does make sense to use vi by default. that said, it would also have been interesting to see what the attacker did if nano wasn't available on the system he had just compromised. -wes

=============================================================== From: Rod-Lists ------------------------------------------------------ No, it is snobbishness. Can't speak to Red Hat or modern Slack, but nano is installed on Debian and any Debian-based distro. Would the writer have said the same if the attacker used joe, ed, or pico? And you can't say nano is the new kid, as it was first released in 1999. http://en.wikipedia.org/wiki/Nano

=============================================================== From: Average SecurityGuy ------------------------------------------------------ I'm pretty sure most modern Linux distros have nano by default; at least Debian does. The attacker ran uname already; if he found a Linux distro it would make sense to try nano. If nano isn't available, all you really need to know in "vi" is i to insert, esc, :w, :q or :q!. I realize that vi and emacs are the best thing since sliced bread, but you really can't make an assumption about the attacker's skills based on his use of nano. Maybe we should be commenting on the sysadmin's "leet unix skills", since he allowed an external SSH attack to go unnoticed and was using a weak password.

=============================================================== From: Lynn Dixon ------------------------------------------------------ I can confirm nano is indeed in RHEL :)

=============================================================== From: Stephen Kraus ------------------------------------------------------ Vi is easiest to find on ALL Linux OS though, all my various boxen have it.

=============================================================== From: Average SecurityGuy ------------------------------------------------------ That is true but the implication was the attacker was unskilled because he chose not to use vi, which is not a safe assumption.

=============================================================== From: Stephen Kraus ------------------------------------------------------ True, and I agree there.

=============================================================== From: Rod-Lists ------------------------------------------------------ Someone has chimed in that it is on Red Hat. I think it may be on Slack, but I'm not sure if by default. It has been a while since I did Slack (alphabet disks, baby!). It is like saying the offender is not experienced because he uses GNOME instead of straight X and a WM. I respect the Unix grey beards, but they can be a little like Old Testament prophets: if you don't use their fave tool or language then it is an anathema and must be smitten from on high. See the emacs vs. vi wars or C shell vs. bash.

=============================================================== From: Stephen Kraus ------------------------------------------------------ Rod, that is probably the best way I've heard to describe old Unix beards

=============================================================== From: Christopher Rimondi ------------------------------------------------------ I don't know how specific the author of the blog was being, but he did say it was a *Unix* server (vs. perhaps a *nix server to cover both Linux and Unix). I don't think there is any guarantee that nano would be installed on Solaris, HPUX, AIX, or others. The author of the blog probably knew what the OS in question was yet didn't share it in the blog. Therefore if it was a proprietary version of *Unix* and he still ran nano anyway, that could definitely indicate his skill level. Given that Daniel Wesemann is a pretty sharp guy I am going to give him the benefit of the doubt on this. The defense rests.

=============================================================== From: Rod-Lists ------------------------------------------------------ Point taken. But as someone else pointed out, the offender pulled a uname, which told him what the system was running and clued him in as to what was installed, which apparently included nano.

=============================================================== From: James Nylen ------------------------------------------------------ Also, in an objective comparison of features between vi and nano, or emacs and nano... nano doesn't win either of those, by a long shot. So just on that basis there's some validity to the comment.

=============================================================== From: Lynn Dixon ------------------------------------------------------ Oh hell, did this just turn into an editor pissing contest? If so, here's my STDIN: Opinions are like buttholes, everyone has one, and they all stink except your own of course. :) Have a great weekend everyone!

=============================================================== From: Bobby ------------------------------------------------------ No -- That doesn't make the comment any more valid. If I drove a BMW and said anyone that drives a Toyota isn't a real driver, I would be called an elitist. Just as the author is being elitist by saying a real Unix hacker would use vi. Also: http://en.wikipedia.org/wiki/No

=============================================================== From: Stephen Kraus ------------------------------------------------------ Hey! I have that opinion about people that don't drive diesels!

=============================================================== From: Bobby ------------------------------------------------------ RE: Editor wars; I'm the only one in my office that uses Emacs, the rest use vi/nano. And I'm surprised Jason hasn't taken this opportunity to shame me publicly.

=============================================================== From: Benjamin Stewart ------------------------------------------------------ I don't think it's fair to say the attacker is inexperienced simply because he prefers nano. "More features" != "Doesn't get in my way," plus I have a lot of respect for many of the people on this list who have stated they prefer nano. Besides, I think he's probably tipped his hand that he knows vi anyway, based on the line 'crontab -e.' That would use whatever $EDITOR is set to, and we're not shown that he explicitly changes that. I don't know, perhaps nano gets set as the default editor on many distros now, but on FreeBSD, it's vi by default.

=============================================================== From: Tom Wilson ------------------------------------------------------ Not really. vi or some symlinked variation thereof is almost always available. By reflex, it's what I use on a strange machine and I certainly don't think of myself as a "Real Unix Hacker". Real Unix Hack...maybe.

=============================================================== From: Kenneth Ratliff ------------------------------------------------------ Unfortunately, for a growing number of distributions, nano is the default $EDITOR; recent versions of Debian have it so, and I believe Red Hat is following suit as well. It's one of those annoying things I forget to change at install and tend to only remember to go change when I run visudo for the first time on that box.

=============================================================== From: Tom Wilson ------------------------------------------------------ She strikes me as a notepad.exe type of gal.

=============================================================== From: Bobby ------------------------------------------------------ Kenneth, what the heck are you talking about? No one is saying the attacker is a saint or anything. The problem is the way the author of the article points to his use of nano as a measuring stick for his *nix abilities.

=============================================================== From: Tom Wilson ------------------------------------------------------ I don't think his remark was intended in that way at all. He just refers to the fact that people who've used *nix systems, especially unfamiliar ones, for quite a while reflexively use vi because it is guaranteed to be there.
# nano
nano: command not found
# emacs
emacs: command not found
# damnit anything but vi PLEASE
damnit: command not found
# vi
*ding*
It's just how it is.

=============================================================== From: Kenneth Ratliff ------------------------------------------------------ My point is that the author is entitled to his opinion, and I happen to agree with him, for the same reasons. If you disagree with the author's pejorative point of view, that's your choice, but this guy sure as hell doesn't prove the author wrong. Cleaning up after yourself is a basic tenet of Ninja Hax0r 101. I'm sure everyone's got a cool story about how they know this badass hax0r guy who uses something other than vi. Exceptions are not the rule. The vast majority of skilled unix folks I know use vi because it's virtually guaranteed to be there.

=============================================================== From: Stephen Kraus ------------------------------------------------------ I feel bad now for posting this article...

=============================================================== From: Kenneth Ratliff ------------------------------------------------------ Exactly. A skilled penetration should set off no alarms. That means you get in and out quickly and leave as little trace as possible. Based that bash

=============================================================== From: Kenneth Ratliff ------------------------------------------------------ It's not a real linux mailing list without a religious flame war involving software elitism, nothing to feel bad about, you were just contributing to the inevitable!

=============================================================== From: Bobby ------------------------------------------------------ That's the funny part. I feel like I started this flame war by trying to point out that the author shouldn't claim "No true Scotsman" because the attacker preferred one editor over another. Then everyone dog-piled nano vs. (insert editor here). And what it means to be a true "hax0r". WTF? Sometimes, when dealing with this list, I feel like the only sober person in a car full of drunks, and no one will let me drive.

=============================================================== From: Dave Brockman ------------------------------------------------------ I'm guessing something big and bloaty and pretty-making, Word or PowerPoint.... Regards, dtb

=============================================================== From: James Nylen ------------------------------------------------------ [OT]

=============================================================== From: Kenneth Ratliff ------------------------------------------------------ Not having your handiwork showcased on SANS is a good start.

=============================================================== From: Mike Harrison ------------------------------------------------------ That explains the rant I had yesterday when some programmer wanted to use mod

=============================================================== From: Mike Harrison ------------------------------------------------------ Bingo. For a front end, it works nicely. Very common for websites. This was for the application server (API) that is intended for external use. The concept was approximately: https://foo.example.com/get/data/customer/1000100001/subitem/12345/subitem/98765 which returns XML, where "get" is a server redir. That is an epic bad idea for anything beyond a blog / website. Using positional spots for the data breaks quickly when the requests get more complicated, or something barfs and everything shifts up/down. It was on the whiteboard as I walked by and it upset me greatly to see such thoughts being considered. And I'm a bit more than an admin.. and while I claim to aspire to be a programmer, it's only because I know what a real programmer is capable of and have set very high goals.

=============================================================== From: Rod-Lists ------------------------------------------------------ Don't; it is your usual religious discussion in *nix land.

=============================================================== From: Tom Wilson ------------------------------------------------------ How can you have religious wars in a field largely built on the concept of logic? After twenty-five years I still can't answer that question.

=============================================================== From: Ed King ------------------------------------------------------ subjective logic