RE: Linux hacked

From: Conlan Adams (conlan_at_mebtc.org)
Date: 10/21/04

Date: Thu, 21 Oct 2004 09:29:04 -0400
To: "Nicholson, Dale" <DNicholson@APACMail.com>, <security-basics@securityfocus.com>

My first suggestion to you is if you want to figure out what was done to hack the box, pull the drive and save it.

To get the box up and going again, reinstall (I would suggest this no matter what) on a new drive (so you can keep the old info to diagnose the hack) and restore data from backups.

Use the newest versions of Gentoo, Apache, SSH, PHP and SquirrelMail.

Then get your admin back in. Use keys for your ssh logins, make sure every process is running under a setup acct for it, and do a full suid audit.

That's a start. I have little experience in diagnosing root kits, but that's where you begin.

-Conlan
-----Original Message-----
From: Nicholson, Dale [mailto:DNicholson@APACMail.com]
Sent: Wednesday, October 20, 2004 12:52 PM
To: security-basics@securityfocus.com
Subject: Linux hacked

First let me say I'm a security novice. Please bear with me.

My home Linux (Gentoo) machine was hacked last Thursday. Installed active on the box was ssh, apache, php 5, and SquirrelMail. Iptables was set up for a firewall. The box was set up as a web server with a number of websites and about 35 email accounts (separate passwords for the mail from the user accounts on the box).

I'm guessing it was some sort of script kiddie if the names taking credit for the hack in the hidden folders I found are any indication. I did some research on the person taking credit and found all kinds of information on him; he's an 18-year-old kid in Germany. I doubt he is very knowledgeable or he would not have alerted me to the intrusion by somehow locking out all accounts from the machine.

To get in I have to boot from CD and chroot in. Everything I've tried has been unsuccessful in getting root back.

I found a hidden directory /var/tmp/.tmp that has a bunch of directories under it with names like +_01_+++++++HaXorEd by ... and +_05_++++++++++Movies++++++....

I unplugged the machine from the internet shortly after the hack and can find no evidence of any uploads. I do see that the person somehow was able to break root. I was only able to find the hidden directories because the person forgot to clean up root's history file, where I found the command used to create them. The box was set up to not allow remote login of root via ssh, but you could su in once logged in as one of three users.

I'm a novice at security and had been depending on my system admin to keep the box up to date. He tells me he's been doing an emerge world every week but I don't know how to tell.

Can someone help me with where to get a listing of everything I have installed and the versions? I can't remember if the kernel is a 2.4 or 2.6 but I think it's 2.6. Plus I know there have been problems with ssh in the past but I don't know which versions have problems and I'm not sure how to find out what version I'm running. I'm kind of stuck as my sys-admin normally handles these things but he cannot ssh in to the box without me first fixing the problem since he lives 13 hours from me (the box is in my basement).

Also, I need something that can detect root kits etc. on Linux. I've heard Knoppix mentioned on this list as having good tools, for example, but I wouldn't know what tools to use for this particular case.

This is what I tried so far:
I logged in using a boot CD, mounted the hard disks, chrooted in, blanked out the root password in the /etc/shadow file, changed the root password, rebooted and tried to log in normally. This did not work. I also checked that the correct users were in both /etc/passwd and /etc/shadow.

Note that both the email and websites were still working despite not being able to log in, although not now of course since I unplugged the ethernet cable.

Any comments/assistance will be greatly appreciated.
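Conlan's advice to do a full suid audit, and Dale's question about how to list what is installed with versions, as one added example that is not part of the thread and not written by either poster: a POSIX shell script meant to be run from the rescue CD against the mounted, pulled drive, so that find, ls and sort come from the CD rather than from binaries on the possibly trojaned disk. It assumes that Portage records each installed package as a directory /var/db/pkg/<category>/<name>-<version> (which is how Gentoo stores its package database), that the drive is mounted at a hypothetical path such as /mnt/gentoo, and it builds a small constructed demo tree so it can be exercised without a real drive.

```shell
#!/bin/sh
# Added example (not from the thread): offline setuid/setgid audit and
# package inventory for a Gentoo root mounted from a rescue CD.
# Usage: sh audit.sh /mnt/gentoo   (mount point is a hypothetical path)
#        sh audit.sh               (no argument: runs on a constructed demo tree)

# Print every setuid or setgid regular file below ROOT, sorted, one per line.
# -xdev keeps find on that one filesystem so it does not wander into /proc
# or other mounts.
suid_audit() {
  root="${1:-/}"
  find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Print entries present in CURRENT but absent from BASELINE. Both files come
# from suid_audit, so they are already sorted as comm requires. A setuid file
# that is not in a baseline taken from a known-good install deserves a look.
suid_diff() {
  baseline="$1"
  current="$2"
  comm -13 "$baseline" "$current"
}

# List installed packages with versions. Portage records each installed
# package as the directory /var/db/pkg/<category>/<name>-<version>, so the
# directory names answer "what is installed and which version" without
# trusting any binary on the drive (e.g. net-misc/openssh-<version>).
installed_packages() {
  root="${1:-/}"
  ( cd "$root/var/db/pkg" 2>/dev/null && ls -d */* ) | sort
}

# Build a constructed demo tree (sample data, not a real system) so the
# functions can be exercised without a pulled drive. Prints the tree's path.
make_demo_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/bin" "$d/var/db/pkg/app-misc/example-1.0"
  : > "$d/bin/setuid_tool"; chmod 4755 "$d/bin/setuid_tool"
  : > "$d/bin/setgid_tool"; chmod 2755 "$d/bin/setgid_tool"
  : > "$d/bin/plain_tool";  chmod 0755 "$d/bin/plain_tool"
  printf '%s\n' "$d"
}

# Run the whole audit against one root directory.
run_audit() {
  root="$1"
  echo "== running kernel (this is the rescue CD's kernel; the drive's own"
  echo "   kernel version is under $root/usr/src/linux or $root/boot):"
  uname -r
  echo "== setuid/setgid files under $root:"
  suid_audit "$root"
  echo "== installed packages (category/name-version) under $root:"
  installed_packages "$root"
}

if [ -n "${1:-}" ]; then
  run_audit "$1"
else
  run_audit "$(make_demo_tree)"
fi
```

Save the suid_audit output from a fresh install of the same Gentoo version as a baseline, then suid_diff against the list taken from the old drive: every line it prints is a setuid or setgid binary the clean system did not have, which is exactly what a local-root kit tends to leave behind. The package list is the same information emerge uses, so comparing the openssh entry against the current release answers the "which version am I running" question without booting the compromised system.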

