Re: HELP! I've been had! Someone hacked into my Linux box. What now?
- From: no@xxxxxxxxxx
- Date: Sat, 11 Nov 2006 11:29:28 GMT
On 10 Nov 2006 21:34:25 -0800, "jg" <juangarcia@xxxxxxxxxxxxxx> wrote:
> rkhunter found nothing out of the ordinary. Just got a couple of
> warning regarding
> /etc/.java
> /etc/.pwd.lock
> /dev/.udev.tdb
That's reassuring ... it doesn't mean that it wasn't hacked in some
way but, like you I'd be thinking that there is some other reason why
it has been rebooting. The ssh script attacks are fairly normal on a
server that is using a default sshd configuration.
If nothing else you should have learned that your sshd should be
protected a bit better than it has been. For starters just change
sshd.conf to: move the listening port to something non-standard and
deny direct root access; then investigate how to use the 'recent'
iptables module to block IPs that connect more than 3 times in 60
seconds. Those measures will be easy to instigate and will cut your
chances of being scripted in the future.
> To be on the safe side though, I'm taking this server off line and
> replacing it with another one for the time being until I figure out
> what is going on. As of now it is still rebooting at 9:00 AM.
That's a good precaution anyway. One of the first things I'd try is to
set the time of the server back by 1 hour and see if it reboots next
time at the real 09:00 or the server's 09:00... then you will know if
it is something being triggered on the server or an external force,
perhaps linked to the power supply etc.
Chris R.
> no@xxxxxxxxxx wrote:
> > On 10 Nov 2006 11:57:01 -0800, "jg" <juangarcia@xxxxxxxxxxxxxx> wrote:
> > > At any rate, since then, my box reboots every morning at 9:00 AM! Not
> > > sure how this is being done. crontab shows nothing. Does anyone have
> > > any ideas what I can do to find out which program is causing the
> > > rebooting? Anything I should be looking for?
> > Like the other poster, I think you should be preparing for the worst
> > by considering a full wipe and reinstall. At any rate I would
> > immediately disconnect it from the internet as you have no idea what
> > the machine is being told to do, if it has been hijacked.
> > For your own personal interest I'd install something like rkhunter
> > (http://sourceforge.net/projects/rkhunter/) and look to see if it has
> > been "rootkitted" (the standard way of hijacking a server). Rootkits
> > are usually very devious and they cover their tracks - like showing
> > you a ps list but without the processes associated with the rootkit!
> > Even your check of crontab might have been intercepted and chances are
> > you have been shown rubbish.
> > So, before you trash it use this opportunity to learn from your
> > mistake - find out how they got in and which kit they might have used.
> > Also, try checking it with an anti-viral like antivir
> > (http://www.free-av.com/). It won't fix anything but at least you
> > might get a handle on what happened.
> > If these products don't find anything you might be barking up the
> > wrong tree ... but either way a reinstall might be on the cards.
> > Good luck!
> > Chris R.
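As an added example (not part of Chris R.'s reply or of any tool named in the thread), here is the hardening he suggests written out as a POSIX shell script: the two sshd_config changes (non-standard port, no direct root login) and the iptables 'recent' rules that drop a source opening more than 3 new SSH connections in 60 seconds. It assumes 2222 as the arbitrary non-standard port, that sshd reads /etc/ssh/sshd_config (the file the reply calls sshd.conf), and an iptables with the conntrack and recent match modules; the sshd_config lines used to exercise it are constructed.

```shell
#!/bin/sh
# Added example (not from the original thread): the sshd hardening and the
# iptables "recent" rate limit suggested in the reply.
# Assumptions: 2222 is an arbitrary non-standard port; sshd reads
# /etc/ssh/sshd_config; iptables has the conntrack and recent matches.
SSH_PORT="${SSH_PORT:-2222}"

# The sshd_config directives to enforce: non-standard port, no direct root login.
sshd_hardening_directives() {
    cat <<EOF
Port $SSH_PORT
PermitRootLogin no
EOF
}

# Copy sshd_config from $1 to $2 with the directives above enforced. Every
# existing line for the same keyword, commented out or not, is removed first,
# because sshd honours the first value it finds for a keyword: simply appending
# "PermitRootLogin no" below an existing "PermitRootLogin yes" would do nothing.
harden_sshd_config() {
    src="$1"; dst="$2"
    cp "$src" "$dst"
    sshd_hardening_directives | while read -r key value; do
        grep -v -E "^[[:space:]]*#?[[:space:]]*$key[[:space:]]" "$dst" > "$dst.tmp" || true
        mv "$dst.tmp" "$dst"
        printf '%s %s\n' "$key" "$value" >> "$dst"
    done
}

# Syntax-check a candidate config before installing it (sshd -t parses the
# file and exits non-zero on error); skipped when sshd is not on this machine.
check_sshd_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not installed here; skipping syntax check" >&2
    fi
}

# The "recent" module rules for "drop a source that opens more than 3 new SSH
# connections in 60 seconds":
#  1. --set records the source address of every new connection attempt;
#  2. --update re-stamps the entry and matches once the address has 4 or more
#     hits within the last 60 s, so the 4th attempt and every later one is
#     dropped, and the window keeps sliding for as long as the scanner persists;
#  3. anything that survives is accepted.
# The rules are printed, not applied, so they can be reviewed first; run the
# output as root (ssh_ratelimit_rules | sh) to install them.
ssh_ratelimit_rules() {
    cat <<EOF
iptables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --name sshprobe --set
iptables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --name sshprobe --update --seconds 60 --hitcount 4 -j DROP
iptables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# When run directly, show what would be changed; nothing touches the system.
echo "# sshd_config directives to enforce:"
sshd_hardening_directives
echo "# iptables rules to add:"
ssh_ratelimit_rules
```

Two caveats worth knowing before installing the rules: the counter is per new TCP connection, not per failed login, so several users behind one NAT address share a single budget of 3 connections per minute and can lock each other out; and because --update refreshes the timestamp on every hit, a scanner that keeps retrying stays blocked indefinitely, which is the intended effect but also means your own address stays blocked until you stop connecting for 60 seconds. Established sessions are never affected, since only NEW connections are matched.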