LinuxQuestions.org
07-29-2004, 07:53 AM   #1
geo_serban
LQ Newbie
 
Registered: Jul 2004
Posts: 1

Rep: Reputation: 0
help! i've been hacked


Can anyone help me?

I'm hosting a website and I use e-smith (now known as SME Server) 4.1.1 (I also tried 4.1.2, 5.0, 5.1.2, 5.6) since 2000, I think. It worked fine until the other day, when I noticed it was down. OK! I rebooted the machine, and when it gets to "Finding module dependencies" it freezes.
Got to save my data and reinstall.
It worked for about two days and then I noticed some commands in .bash_history. I am the only one who knows the root password. I also found a .bash_history in / and some files (suckit and psybnc) meticulously hidden in /usr/somewhere...

Can anyone tell me how the h*** this kid (I think) got in?
How can I shut his door (whatever that is)?
Can he gain access through SMTP?
Anyone care to look at my logs? If yes: geo_serban@yahoo.com.

Thank You.
 
07-29-2004, 08:11 AM   #2
jomen
Senior Member
 
Registered: May 2004
Location: Leipzig/Germany
Distribution: Arch
Posts: 1,687

Rep: Reputation: 54
...about knowing if and how someone got in and what they did: the logfiles could help - but if you were broken into by someone who really knew what he/she was doing, these may have been forged / cleaned of evidence.
I'd update the distribution you are using - preferably first saving important data and then reinstalling from the ground up - if you do not know how they came in and what exactly they did, this is the safest thing to do.
Then get a firewall running - it's included in the kernel, and information on how to set it up you can find through Google and in your docs...
Then get familiar with tripwire - install it and check _regularly_ against the data it produced when it was running over your _clean_ system.
Close all services your machine may be offering to the outside, except those you will need to provide the services you want to provide - and know about setting up these services safely before you expose your system to the internet.
There are websites like http://www.grc.com which you can use to test your machine/firewall.
Check regularly for needed security updates of programs you run on your machine.

Jochen

Last edited by jomen; 07-29-2004 at 08:14 AM.
 
07-29-2004, 08:20 AM   #3
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
you're gonna have to re-install from scratch...

but this time make sure your firewall is tight, and all your packages are updated before you go online... you'll also obviously wanna review your configurations and methodologies... for example, using harder passwords, etc...

if you wanna check your system for more damage before you re-install, run rootkit hunter:

http://www.rootkit.nl/


one thing you wanna make sure is that you don't allow root logins via ssh (common mistake)...

you do that with a PermitRootLogin no in your /etc/ssh/sshd_config


Last edited by win32sux; 07-29-2004 at 08:23 AM.
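Added example, not part of win32sux's post: a shell check that reports which PermitRootLogin value an sshd_config actually yields, since a commented-out line or a later duplicate does not count (sshd keeps the first value it reads for a keyword). The function names and the sample config files are constructed for illustration.

```shell
#!/bin/sh
# effective_root_login FILE
# Prints the global PermitRootLogin value of an sshd_config-style file:
# the first uncommented occurrence before any Match block. Prints "unset"
# when there is none, in which case sshd's built-in default applies.
# Limitation of this sketch: Include directives are not followed.
effective_root_login() {
    awk '
        { line = $0; sub(/^[ \t]+/, "", line) }    # drop leading blanks
        line == "" || line ~ /^#/ { next }         # skip blank/comment lines
        { split(line, f, /[ \t=]+/); key = tolower(f[1]) }  # keywords are case-insensitive
        key == "match" { exit }                    # global section ends here
        key == "permitrootlogin" { print f[2]; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# root_login_disabled FILE: succeeds only on an explicit, effective "no".
root_login_disabled() {
    [ "$(effective_root_login "$1")" = "no" ]
}

# Constructed sample configs (not taken from the thread).
demo=$(mktemp -d)
printf '%s\n' '#PermitRootLogin no' 'Port 22'           > "$demo/commented"
printf '%s\n' 'PermitRootLogin yes' 'PermitRootLogin no' > "$demo/shadowed"
printf '%s\n' 'Port 22' '  permitrootlogin no'           > "$demo/hardened"

for name in commented shadowed hardened; do
    if root_login_disabled "$demo/$name"; then verdict="OK"; else verdict="FIX"; fi
    printf '%-10s PermitRootLogin=%-6s %s\n' \
        "$name" "$(effective_root_login "$demo/$name")" "$verdict"
done
```

On a live host, running `sshd -T` as root prints the effective configuration, including defaults, and is the authoritative check.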
 
07-29-2004, 08:24 AM   #4
RolledOat
Member
 
Registered: Feb 2003
Location: San Antonio
Distribution: Suse 9.0 Professional
Posts: 843

Rep: Reputation: 30
Everything win32sux said, plus here is a useful tool...

http://www.chkrootkit.org/

RO
 
  

