Linux hacked

• Previous message: Young, Randy: "RE: Intro To Hacking"
• Next in thread: Casper the Friendly Ghost: "Re: Linux hacked"
• Reply: Casper the Friendly Ghost: "Re: Linux hacked"
• Reply: Jonathan Loh: "Re: Linux hacked"
• Maybe reply: xyberpix: "Re: Linux hacked"
• Reply: Barrie Dempster: "Re: Linux hacked"
• Maybe reply: Conlan Adams: "RE: Linux hacked"
• Reply: Miles Stevenson: "Re: Linux hacked"
• Maybe reply: Matt Arntsen: "RE: Linux hacked"
• Maybe reply: Nicholson, Dale: "RE: Linux hacked"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: security-basics@securityfocus.com
Date: Wed, 20 Oct 2004 11:52:05 -0500

First let me say I'm a security novice. Please bear with me.

My home linux (gentoo) machine was hacked last Thursday. Installed active
on the box was ssh, apache, php 5, and a squirl mail. Iptables was set up
for a firewall. The box was set up as a web server with a number of
websites and about 35 email accounts (separate passwords for the mail than
the user accounts on the box).

I'm guessing it was some sort of script kiddie if the names taking credit
for the hack in the hidden folders I found are any indication. I did some
research on the person taking credit and found all kinds of information on
him, he's an 18yr old kid in Germany. I doubt he is very knowledgeable or
he would not have alerted me to the intrusion by somehow locking out all
accounts from the machine.

To get in I have to boot from cd and chroot in. Everything I've tried has
been unsuccessful in getting root back.

I found a hidden directory /var/tmp/.tmp that has a bunch of directories
under it with names like +_01_+++++++HaXorEd by ... and
+_05_++++++++++Movies++++++....

I unplugged the machine from the internet shortly after the hack and can
find no evidence of any uploads. I do see that the person somehow was able
to break root. I was only able to find the hidden directories because the
person forgot to clean up root's history file where I found the command used
to create the them. The box was set up to not allow remote login of root
via ssh but you could su in once logged in as one of three users.

I'm a novice at security and had been depending on my system admin to keep
the box up to date. He tells me he's been doing an emerge world every week
but I don't know how to tell.

Can someone help me with where to get a listing of everything I have
installed and the versions? I can't remember if the kernel is a 2.4 or 2.6
but I think it's 2.6. Plus I know there have been problems with ssh in the
past but I don't know which versions have problems and I'm not sure how to
find out what version I'm running. I'm kind of stuck as my sys-admin
normally handles these things but he cannot ssh in to the box without me
first fixing the problem since he lives 13 hours from me (the box is in my
basement).

Also, I need something that can detect root kits etc. on linux. I've heard
knoppix mentioned as having good tools on this list for an example, but I
wouldn't know what tools to use for this particular case.

This is what I tried so far:
I logged in using a boot CD, mounted the hard disks, chrooted in, blanked
out the root password in the /etc/shadow file, changed the root password,
rebooted and tried to log in normally. This did not work. I also checked
that the correct users were in both /etc/passwd and /etc/shadow.

Note that both the email and websites were still working despite not being
able to log in, although not now of course since I unplugged the ethernet
cable.

Any comments/assistance will be greatly appreciated.

• Previous message: Young, Randy: "RE: Intro To Hacking"
• Next in thread: Casper the Friendly Ghost: "Re: Linux hacked"
• Reply: Casper the Friendly Ghost: "Re: Linux hacked"
• Reply: Jonathan Loh: "Re: Linux hacked"
• Maybe reply: xyberpix: "Re: Linux hacked"
• Reply: Barrie Dempster: "Re: Linux hacked"
• Maybe reply: Conlan Adams: "RE: Linux hacked"
• Reply: Miles Stevenson: "Re: Linux hacked"
• Maybe reply: Matt Arntsen: "RE: Linux hacked"
• Maybe reply: Nicholson, Dale: "RE: Linux hacked"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages RE: Linux hacked ... Also, what exactly did the history file show, can you paste it into a mail ... > First let me say I'm a security novice. ... > been unsuccessful in getting root back. ... > via ssh but you could su in once logged in as one of three users. ... (Security-Basics) Re: Linux hacked ... To find out what kernel version you are running, type "uname -a" without ... > been unsuccessful in getting root back. ... > via ssh but you could su in once logged in as one of three users. ... (Security-Basics) Re: X11Forwarding, ssh -X, and /bin/su ... ]>but I'm not really tunneled using ssh then, ... ]connecting to the X server and have the home directory NFS-mounted ... ](unless you leave root unmapped over NFS, ... ]root-readable place and set the environment $XAUTHORITY variable ... (comp.security.ssh) RE: Linux hacked ... hack the box, pull the drive and save it. ... Use the newest versions of Gentoo, Apache, SSH, PHP and Squirl Mail. ... been unsuccessful in getting root back. ... I found a hidden directory /var/tmp/.tmp that has a bunch of directories ... (Security-Basics) RE: Linux hacked ... Was any of the sites running a php nuke or another portal or system that is vuln ... been able to use that with a locla root exploit to gain root on the machine. ... > hack the box, pull the drive and save it. ... > Use the newest versions of Gentoo, Apache, SSH, PHP and Squirl Mail. ... (Security-Basics)