My Linux server got hacked last night -- please help!
From: sarah chang (sarahd00d_at_yahoo.co.uk)
Date: 11/29/04
Date: 29 Nov 2004 11:16:29 -0800
It looks as though my Linux server (running RedHat Fedora Core 3) was
hacked last night.
I see the following files in my /lib directory (note modification
times, permissions and sizes)
?---rwS--T 2200 4249291143 4170711954 4253155062 Dec 20 1974 libc-2.3.3.so
?--x-wx--T 1467 4252107961 4180869466 84017700 Jan 6 1973 libnss_nis-2.3.3.so
?--xr-s-w- 809 4223534637 4167107119 99548634 Jun 9 1972 libblkid.so.1
?-wx--x--- 666 65210227 4197645536 114950169 May 10 1972 libnss_nis.so.2
?rw-rw-rwT 1088 4200988799 4227794193 3080127 Aug 30 1971 libdevmapper.a.1.00
?--SrwSrwT 228 43058577 4228381127 2593258783 May 20 1971 libcidn-2.3.3.so
?---rwxr-x 282 42925887 4284678677 4287692964 Apr 25 1970 libNoVersion-2.3.3.so
?r-srwsrwT 65486 4286578997 4270783980 17891147 Mar 20 1970 libdevmapper.a
?rwxrw-rwt 439 4223794553 4277798468 2687893457 Mar 12 1970 libdevmapper.so.1.00
?-wSr-s-wT 64569 102040035 17627963 15990883 Jan 1 1969 libblkid.so.1.0
?-wS--S--x 64693 42663644 62192531 4269276205 Jul 21 1968 libnss_hesiod-2.3.3.so
?rwSrwS-wT 64087 38338406 60292326 4270063399 Nov 3 1967 libnss1_dns-2.3.3.so
?-wS-wsr-T 64295 4286970048 112657123 52232677 Nov 2 1966 libdevmapper.so
?-wS-wSrwT 64115 32897306 144572815 4179361569 Aug 15 1966 libe2p.so.2
l-w-r----t 63784 112655096 150224719 38339193 Jul 7 1966 libSegFault.so
I can't chmod or chown these files, even as root.
The following is in my /var/log/secure from last night:
Nov 29 04:55:02 andromeda sshd[32300]: Invalid user admin from ::ffff:210.212.85.11
Nov 29 04:55:02 andromeda sshd[32300]: error: Could not get shadow information for NOUSER
Nov 29 04:55:02 andromeda sshd[32300]: Failed password for invalid user admin from ::ffff:210.212.85.11 port 58496 ssh2
Nov 29 04:55:09 andromeda sshd[32304]: Invalid user admin from ::ffff:210.212.85.11
Nov 29 04:55:09 andromeda sshd[32304]: error: Could not get shadow information for NOUSER
Nov 29 04:55:09 andromeda sshd[32304]: Failed password for invalid user admin from ::ffff:210.212.85.11 port 58599 ssh2
Nov 29 04:55:19 andromeda sshd[32306]: Invalid user user from ::ffff:210.212.85.11
Nov 29 04:55:19 andromeda sshd[32306]: error: Could not get shadow information for NOUSER
Nov 29 04:55:19 andromeda sshd[32306]: Failed password for invalid user user from ::ffff:210.212.85.11 port 58726 ssh2
I'd appreciate any advice on
1) How to cleanse my system
2) How to avoid this type of attack in future.
Right now I've powered off the server. I'll reboot using a RedHat
install CD in rescue mode. Does anyone know how to force RedHat to
reinstall all packages without repartitioning my hard drive?
Thanks,
S
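
Added example, not part of the original post: a Python parser for sshd lines in the /var/log/secure format quoted above. It counts failed attempts per source address and lists addresses that also have an accepted login. The two sample lines from 192.0.2.7 are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# First four lines are from the post (rejoined onto single lines);
# the two lines from 192.0.2.7 are constructed to show the "accepted" case.
SAMPLE = """\
Nov 29 04:55:02 andromeda sshd[32300]: Invalid user admin from ::ffff:210.212.85.11
Nov 29 04:55:02 andromeda sshd[32300]: Failed password for invalid user admin from ::ffff:210.212.85.11 port 58496 ssh2
Nov 29 04:55:09 andromeda sshd[32304]: Failed password for invalid user admin from ::ffff:210.212.85.11 port 58599 ssh2
Nov 29 04:55:19 andromeda sshd[32306]: Failed password for invalid user user from ::ffff:210.212.85.11 port 58726 ssh2
Nov 29 05:01:10 andromeda sshd[32400]: Failed password for root from ::ffff:192.0.2.7 port 40000 ssh2
Nov 29 05:01:15 andromeda sshd[32402]: Accepted password for root from ::ffff:192.0.2.7 port 40010 ssh2
"""

EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def normalize_ip(ip):
    # sshd listening on a dual-stack socket logs IPv4 peers as ::ffff:a.b.c.d
    return ip[7:] if ip.lower().startswith("::ffff:") else ip

def summarize(log_text):
    """Return {ip: {"failed": n, "users": set, "accepted": [users]}}."""
    stats = defaultdict(lambda: {"failed": 0, "users": set(), "accepted": []})
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue  # "Invalid user" and "Could not get shadow" lines repeat the Failed line
        entry = stats[normalize_ip(m["ip"])]
        if m["result"] == "Failed":
            entry["failed"] += 1
            entry["users"].add(m["user"])
        else:
            entry["accepted"].append(m["user"])
    return dict(stats)

def suspicious_logins(stats):
    """Addresses that have both failed attempts and an accepted login."""
    return sorted(ip for ip, e in stats.items() if e["failed"] and e["accepted"])

if __name__ == "__main__":
    stats = summarize(SAMPLE)
    for ip, e in sorted(stats.items()):
        print(ip, "failed:", e["failed"], sorted(e["users"]), "accepted:", e["accepted"])
    print("review first:", suspicious_logins(stats))
```

For the three attempts quoted in the post, the summary shows only failures against accounts that do not exist on the host and no accepted login from that address.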