Re: My Linux server got hacked last night -- please help!
From: Darren Tucker (dtucker_at_dodgy.net.au)
Date: 11/30/04
- Next message: Tim Haynes: "Re: Blocking incoming IP address immediately"
- Previous message: B H: "Problems with ftp"
- In reply to: sarah chang: "My Linux server got hacked last night -- please help!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 30 Nov 2004 09:50:21 GMT
In article <24d1fc75.0411291116.57cfad5b@posting.google.com>,
sarah chang <sarahd00d@yahoo.co.uk> wrote:
>It looks as though my Linux server (running RedHat Fedora Core 3) was
>hacked last night.
>
>I see the following files in my /lib directory (note modification
>times, permissions and sizes)
>
>?---rwS--T 2200 4249291143 4170711954 4253155062 Dec 20 1974
>libc-2.3.3.so
[...]
This looks to me like a failing disk or filesystem corruption rather
than, er, enemy action.
>Nov 29 04:55:02 andromeda sshd[32300]: Invalid user admin from
>::ffff:210.212.85.11
These look like the characteristic failures from the password-guessing
ssh worm that's going around (it was mentioned on full-disclosure
a while back). I've captured some of these attempts and they look to
me like vanilla password auth attempts. There appear to be at least
2 variants, the most prolific tries user/password pairs of root/root,
admin/admins, user/user and test/test.
The fact that it apparently has a non-zero success rate makes me wonder
sometimes... I mean if your internet-accessible box has a root password
of "root" then connecting with strong crypto isn't going to help much.
>I'd appreciate any advice on
>1) How to cleanse my system
Either way, you can't trust what's on the disk. Perform a clean install,
preferably on a new disk and restore what you need from backup.
>2) How to avoid this type of attack in future.
Not enough info to comment.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
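Not part of the original thread: an added Python example that parses sshd "Invalid user ... from ::ffff:..." lines of the form quoted above and tallies them per source, so the password-guessing pattern described in the reply can be spotted in an auth log. Only the sshd line wording comes from the post; the sample log, the TEST-NET addresses, the threshold and the function names are constructed for this example.

```python
import re
from collections import Counter, defaultdict

# Matches the sshd line quoted in the thread; the syslog prefix (timestamp,
# host, pid) is standard, the "Invalid user X from Y" wording is from the post.
INVALID_USER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Invalid user (?P<user>\S+) from (?P<src>\S+)$"
)
# Guessed names the post lists. "root" is a valid account, so sshd logs it as
# "Failed password for root" rather than "Invalid user"; it is not covered here.
WORM_USERS = {"admin", "user", "test"}

def normalize_source(src):
    """Collapse the IPv4-mapped IPv6 form (::ffff:a.b.c.d) so one host gets one key."""
    return src[len("::ffff:"):] if src.lower().startswith("::ffff:") else src

def parse_invalid_user(line):
    """Return (user, source) for an 'Invalid user' line, or None for anything else."""
    m = INVALID_USER_RE.match(line.strip())
    return (m["user"], normalize_source(m["src"])) if m else None

def summarize(lines, threshold=3):
    """Tally invalid-user attempts per source; 'suspect' marks likely guessing."""
    attempts, users = Counter(), defaultdict(set)
    for line in lines:
        parsed = parse_invalid_user(line)
        if parsed is None:
            continue
        user, src = parsed
        attempts[src] += 1
        users[src].add(user)
    report = {}
    for src, n in attempts.items():
        worm_names = bool(users[src] & WORM_USERS)
        report[src] = {"attempts": n, "users": sorted(users[src]),
                       "worm_names": worm_names,
                       "suspect": n >= threshold or worm_names}
    return report

# Constructed sample log using TEST-NET addresses; not taken from the post.
SAMPLE_LOG = """\
Nov 29 04:55:02 andromeda sshd[32300]: Invalid user admin from ::ffff:192.0.2.10
Nov 29 04:55:05 andromeda sshd[32304]: Invalid user test from ::ffff:192.0.2.10
Nov 29 04:55:09 andromeda sshd[32307]: Invalid user user from ::ffff:192.0.2.10
Nov 29 04:55:12 andromeda sshd[32310]: Invalid user guest from 192.0.2.10
Nov 29 06:12:44 andromeda sshd[32411]: Accepted publickey for darren from 198.51.100.7 port 40212 ssh2
Nov 29 06:30:01 andromeda sshd[32420]: Invalid user bob from 198.51.100.7
"""
```

Calling `summarize(SAMPLE_LOG.splitlines())` flags 192.0.2.10 (four attempts, three of them with the worm's usernames) and leaves the single `bob` attempt from 198.51.100.7 unflagged; feed it `/var/log/secure` lines to run it on a real host.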