RE: Linux hacked

[mike () genxweb net]

Was any of the sites running a php nuke or another portal or system that is vuln
to xss. There are some xss that allow file upload and execution. They may of
been able to use that with a locla root exploit to gain root on the machine.

That is my two cents.


Quoting Conlan Adams <conlan () mebtc org>:

> My first suggestion to you is if you want to figure out what was done to
> hack the box, pull the drive and save it.
>
> To get the box up and going again, reinstall (I would suggest this no
> matter what) on a new drive (so you can keep the old info to diagnose
> the hack) and restore data from backups.
>
> Use the newest versions of Gentoo,  Apache, SSH, PHP and Squirl Mail.
>
> Then get your admin back in.  Use keys for your ssh logins, make sure
> every process is running under a setup acct for it, and do a full suid
> audit.
>
> That's a start, I have little experience in diagnosing root kits, but
> that's where you begin.
>
>
> -Conlan
> -----Original Message-----
> From: Nicholson, Dale [mailto:DNicholson () APACMail com]
> Sent: Wednesday, October 20, 2004 12:52 PM
> To: security-basics () securityfocus com
> Subject: Linux hacked
>
> First let me say I'm a security novice.  Please bear with me.
>
> My home linux (gentoo) machine was hacked last Thursday.  Installed
> active
> on the box was ssh, apache, php 5, and a squirl mail.  Iptables was set
> up
> for a firewall.  The box was set up as a web server with a number of
> websites and about 35 email accounts (separate passwords for the mail
> than
> the user accounts on the box).
>
> I'm guessing it was some sort of script kiddie if the names taking
> credit
> for the hack in the hidden folders I found are any indication.  I did
> some
> research on the person taking credit and found all kinds of information
> on
> him, he's an 18yr old kid in Germany.  I doubt he is very knowledgeable
> or
> he would not have alerted me to the intrusion by somehow locking out all
> accounts from the machine.
>
> To get in I have to boot from cd and chroot in.  Everything I've tried
> has
> been unsuccessful in getting root back.
>
> I found a hidden directory /var/tmp/.tmp that has a bunch of directories
> under it with names like +_01_+++++++HaXorEd by ... and
> +_05_++++++++++Movies++++++....
>
> I unplugged the machine from the internet shortly after the hack and can
> find no evidence of any uploads.  I do see that the person somehow was
> able
> to break root.  I was only able to find the hidden directories because
> the
> person forgot to clean up root's history file where I found the command
> used
> to create the them.  The box was set up to not allow remote login of
> root
> via ssh but you could su in once logged in as one of three users.
>
> I'm a novice at security and had been depending on my system admin to
> keep
> the box up to date.  He tells me he's been doing an emerge world every
> week
> but I don't know how to tell.
>
> Can someone help me with where to get a listing of everything I have
> installed and the versions?  I can't remember if the kernel is a 2.4 or
> 2.6
> but I think it's 2.6.  Plus I know there have been problems with ssh in
> the
> past but I don't know which versions have problems and I'm not sure how
> to
> find out what version I'm running.  I'm kind of stuck as my sys-admin
> normally handles these things but he cannot ssh in to the box without me
> first fixing the problem since he lives 13 hours from me (the box is in
> my
> basement).
>
> Also, I need something that can detect root kits etc. on linux.  I've
> heard
> knoppix mentioned as having good tools on this list for an example, but
> I
> wouldn't know what tools to use for this particular case.
>
> This is what I tried so far:
> I logged in using a boot CD, mounted the hard disks, chrooted in,
> blanked
> out the root password in the /etc/shadow file, changed the root
> password,
> rebooted and tried to log in normally.  This did not work.  I also
> checked
> that the correct users were in both /etc/passwd and /etc/shadow.
>
> Note that both the email and websites were still working despite not
> being
> able to log in, although not now of course since I unplugged the
> ethernet
> cable.
>
> Any comments/assistance will be greatly appreciated.