Re: HELP! I've been had! Someone hacked into my Linux box. What now?



On 10 Nov 2006 21:34:25 -0800, "jg" <juangarcia@xxxxxxxxxxxxxx> wrote:
rkhunter found nothing out of the ordinary. Just got a couple of
warning regarding
/etc/.java
/etc/.pwd.lock
/dev/.udev.tdb

That's reassuring ... ir doesn't mean that it wasn't hacked in some
way but, like you I'd be thinking that there is some other reason why
it has been rebooting. The ssh script attacks are fairly normal on a
server that is using a default sshd configuration.

If nothing else you should have learned that your sshd should be
protected a bit better that it has been. For starters just change
sshd.conf to: move the listening port to something non-standard and
deny direct root access; then investigate how to use the 'recent'
iptables module to block IPs that connet more than 3 times in 60
seconds. Those measures will be easy to instigate and will cut your
chances of being scripted in the future.

To be on the safe side though, I'm taking this server off line and
replacing it with another one for the time being until I figure out
what is going on. As of now it is still rebooting at 9:00 AM.

That's a good precaution anyway. One of the first things I'd try is to
set the time of the server back by 1 hour and see if it reboots next
time at the real 09:00 or the server's 09:00... then you will know if
it is something being triggered on the server of an external force,
perhaps linked to the power supply etc.

Chris R.

no@xxxxxxxxxx wrote:
On 10 Nov 2006 11:57:01 -0800, "jg" <juangarcia@xxxxxxxxxxxxxx> wrote:
At any rate, since then, my box reboots every morning at 9:00 AM! Not
sure how this is being done. crontab shows nothing. Does anyone have
any ideas what I can do to find out which program is causing the
rebooting? Anything I should be looking for?

Like the other poster, I think you should be preparing for the worst
by considering a full wipe and reinstall. At any rate I would
immediately disconnect it from the internet as you have no idea what
the machine is being told to do, if it has been hijacked.

For your own personal interest I'd install something like rkhunter
(http://sourceforge.net/projects/rkhunter/) and look to see if it has
been "rootkitted" (the standard way of hijacking a server). Rootkits
are usually very devious and they cover their tracks - like showing
you a ps list but without the processes associated with the rootkit!
Even your check of crontab might have been intercepted and chances are
you have been shown rubbish.

So, before you trash it use this opportunity to learn from your
mistake - find out how they got in and which kit they might have used.
Also, try checking it with an anti-viral like antivir
(http://www.free-av.com/). It won't fix anything but at least you
might get a handle on what happened.

If these products don't find anything you might be barking up the
wrong tree ... but either way a reinstall might be on the cards.

Good luck!
Chris R.
.



Relevant Pages

  • Re: [Full-disclosure] one of my servers has been compromized
    ... it has zero effect on kernel rootkits. ... since the bot was so easy to find in the first ... It's a Ubuntu 10.04 server with all security patches ...
    (Full-Disclosure)
  • Re: Troubleshoot Failing Clients Internet Connection
    ... rebooting no problems with clients connecting to the interner on Tuesday and ... I plan to remove the card this weekend. ... How many nics in your SBS server? ... Internet when they first logon in the morning. ...
    (microsoft.public.windows.server.sbs)
  • Re: Whats the easiest way to CHANGE my (otherwise static) IP address?
    ... that every nntp server, every ftp server, every torrent server, etc., has ... If your ISP gives you a static IP number, no amount of rebooting things ... But if your internet connection is ...
    (alt.os.linux)
  • Re: POSTPONING REBOOT AFTER INSTALLING UPDATES
    ... server should be restarted immediately after applying an update. ... himself in a position as IT director of a law firm employing over 300 people. ... applying updates without rebooting is ok. ... immediately after installing updates. ...
    (microsoft.public.windowsupdate)
  • Re: save and sound operating system
    ... One is a short-term solution. ... totally automatically, just rebooting a workstation ... but a stand-alone server (especially Web ... operating system. ...
    (microsoft.public.windowsxp.security_admin)