Security Basics mailing list archives
RE: Linux hacked
From: Jonathan Loh <kj6loh () yahoo com>
Date: Thu, 21 Oct 2004 22:47:01 -0700 (PDT)
Both AIDE and Tripwire will do that for you. The advantage of this is that you do not have to rely on your own code, especially if you do not know how to program. Even if you know how to program, this will prevent you from having to reinvent the wheel. But as with all security programs, KNOW what they do before using them.

--- Matt Arntsen <Matt.Arntsen () FranklinCovey com> wrote:
I would also suggest using a simple script in the future that alerts when a file is changed, like passwd or shadow. I just wrote a simple script that performs an MD5 hash on certain files and then compares the hash every few minutes to a master hash and alerts me via page or email when the two hashes don't match. The important thing to remember when doing this is to have the master MD5 hash results on a read-only medium, like a CD, and have it in your CD drive where, when the script is run, it is mounted, hashes compared and then unmounted. This may draw some criticism from more advanced users but it is a good start in ensuring you know when something has changed. It does not prevent things from changing. Maybe setting the immutable bit might slow them down a bit. Good luck.

matt

-----Original Message-----
From: Casper the Friendly Ghost [mailto:casper () camelot homelinux com]
Sent: Wednesday, October 20, 2004 9:05 PM
To: security-basics () securityfocus com
Subject: Re: Linux hacked

To get back into your account you want to use, at the boot manager prompt (lilo/grub):

init=/bin/bash

For example, if you use lilo and have 'lin' as the name to access your linux, you would have to press ESC and then write at the prompt:

lin init=/bin/bash

In grub you would have to edit the command and add init=/bin/bash after the kernel option.

After it boots up (it will be really fast - no services) you want to do:

mount -o remount,rw /dev/hd* (whichever your / partition is)

then you can just do:

passwd root

enter the new password, confirm, then do:

umount /dev/hd* (the one you just mounted above)

hit the 3 magic buttons (Ctrl+Alt+Del), boot normally and you should be able to login as root with your new password.

My suggestion for a good rootkit finder is chkrootkit. It's the one I used for testing different rootkits and it found ~90% of them.

As for what else he changed, there's no easy way to see. First thing you could do is a netstat -ap -A inet; this will show you all your open ports and the daemons listening to them. If you see anything suspicious do some more research. Also, make copies of your logs, preferably on a different machine, and look into them deeply. Also do a lastlog and last -20 (or more) root to see if you find anybody connected from a suspicious place or anything else suspicious. Make sure you do an emerge sync and emerge -avuU world to be up-to-date with all the packages (chances of a script kiddie to get in would be less likely with newer/patched software). Also, since you have more than a few users, make sure your system wasn't compromised through THEM. A lot of times users have weak passwords and crackers break into their account and from there they do more damage. Good luck!

-cos

P.S. To find out which kernel you're running do uname -r

On Wednesday 20 October 2004 12:52, Nicholson, Dale wrote:

First let me say I'm a security novice. Please bear with me. My home linux (gentoo) machine was hacked last Thursday. Installed active on the box was ssh, apache, php 5, and a squirl mail. Iptables was set up for a firewall. The box was set up as a web server with a number of websites and about 35 email accounts (separate passwords for the mail than the user accounts on the box).

I'm guessing it was some sort of script kiddie if the names taking credit for the hack in the hidden folders I found are any indication. I did some research on the person taking credit and found all kinds of information on him; he's an 18yr old kid in Germany. I doubt he is very knowledgeable or he would not have alerted me to the intrusion by somehow locking out all accounts from the machine. To get in I have to boot from CD and chroot in. Everything I've tried has been unsuccessful in getting root back.

I found a hidden directory /var/tmp/.tmp that has a bunch of directories under it with names like +_01_+++++++HaXorEd by ... and +_05_++++++++++Movies++++++....

I unplugged the machine from the internet shortly after the hack and can find no evidence of any uploads. I do see that the person somehow was able to break root. I was only able to find the hidden directories because the person forgot to clean up root's history file, where I found the command used to create them. The box was set up to not allow remote login of root via ssh but you could su in once logged in as one of three users.

I'm a novice at security and had been depending on my system admin to keep the box up to date. He tells me he's been doing an emerge world every week but I don't know how to tell. Can someone help me with where to get a listing of everything I have installed and the versions? I can't remember if the kernel is a 2.4 or 2.6 but I think it's 2.6. Plus I know there have been problems with ssh in the past but I don't know which versions have problems and I'm not sure how to find out what version I'm running. I'm kind of stuck as my sys-admin normally handles these things but he cannot ssh in to the box without me first fixing the problem since he lives 13 hours from me (the box is in my basement).

Also, I need something that can detect root kits etc. on linux. I've heard knoppix mentioned as having good tools on this list for an example, but I wouldn't know what tools to use for this particular case.

This is what I tried so far: I logged in using a boot CD, mounted the hard disks, chrooted in, blanked out the root password in the /etc/shadow file, changed the root password, rebooted and tried to log in normally. This did not work. I also checked that the correct users were in both /etc/passwd and /etc/shadow. Note that both the email and websites were still working despite not being able to log in, although not now of course since I unplugged the ethernet cable.

Any comments/assistance will be greatly appreciated.

--
In Linux We TrUsT !
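An added example of the baseline-and-compare check Matt describes above; it is not his script and not part of this thread. It records hashes of the watched files once, expects that baseline to live on read-only media, and on each run re-hashes the files and reports any change or missing file. It uses sha256sum where the post uses MD5 (same command-line interface); the CD device, mount point and the mail command are assumptions.

```shell
#!/bin/sh
# Added example, not the script from the post. Baseline-and-compare check for
# files such as /etc/passwd and /etc/shadow. Uses sha256sum (md5sum has the same
# interface, but MD5 is no longer collision resistant). Device, mount point and
# the mail command in run_check are assumptions.

# Hash the watched files into a baseline file. Run once from a known-good state,
# then burn the result to the read-only medium; do not leave a copy on the host.
# usage: make_baseline BASELINE_FILE FILE...
make_baseline() {
    out="$1"; shift
    sha256sum "$@" > "$out"
}

# Re-hash every file listed in the baseline and report differences.
# Returns 0 when all files match, 1 when any file changed or is missing.
# usage: check_baseline BASELINE_FILE
check_baseline() {
    baseline="$1"
    status=0
    while read -r want path; do
        if [ ! -e "$path" ]; then
            echo "MISSING: $path"; status=1; continue
        fi
        have=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "CHANGED: $path"; status=1
        fi
    done < "$baseline"
    return $status
}

# Scheduled wrapper (cron, every few minutes): mount the CD read-only, compare,
# mail any findings to root, unmount. Needs root; /dev/cdrom and /mnt/cdrom are
# placeholders for the real device and mount point.
run_check() {
    mount -o ro /dev/cdrom /mnt/cdrom || return 2
    report=$(check_baseline /mnt/cdrom/baseline.sha256) || \
        printf '%s\n' "$report" | mail -s "Integrity alert on $(hostname)" root
    umount /mnt/cdrom
}
```

As Matt notes, this only detects changes; pair it with the immutable bit or a tool such as AIDE or Tripwire if you want more than an alert.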
Current thread:
- Re: Linux hacked, (continued)
- Re: Linux hacked Casper the Friendly Ghost (Oct 21)
- Re: Linux hacked Jonathan Loh (Oct 21)
- Re: Linux hacked xyberpix (Oct 21)
- RE: Linux hacked Randori (Oct 21)
- Re: Linux hacked xyberpix (Oct 21)
- Re: Linux hacked Barrie Dempster (Oct 21)
- Re: Linux hacked Miles Stevenson (Oct 21)
- Re: Linux hacked xyberpix (Oct 25)
- RE: Linux hacked Conlan Adams (Oct 21)
- RE: Linux hacked mike (Oct 21)
- RE: Linux hacked Matt Arntsen (Oct 21)
- RE: Linux hacked Jonathan Loh (Oct 22)
- RE: Linux hacked xyberpix (Oct 25)
- RE: Linux hacked Nicholson, Dale (Oct 25)
- RE: Linux hacked Leif Ericksen (Oct 25)
- RE: Linux hacked Randori (Oct 25)
- RSA SecurID Training in Tokyo ? momotaro (Oct 26)
- Re: Linux hacked Andy Paton (Oct 27)
- Re: Linux hacked Shyam Mani (Oct 27)