LinuxQuestions.org > Linux - Security > definitely being hacked---help!!!
Thread URL: https://www.linuxquestions.org/questions/linux-security-4/definitely-being-hacked-help-260966/

chongluo 11-30-2004 12:01 PM

definitely being hacked---help!!!
 
hi,

My computer running Linux CentOS 3.0 is definitely being hacked. I think he's got the root password, because some services, like telnet and klogin, were turned on, which were previously off. The sshd_config file was changed to allow root login via ssh, and XFree86_config has also been changed; all of these require root privilege.

I have checked ssh, ftp and the logs, and can't find any trace of logins; maybe the logs were deleted before he exited.

Please advise what else I should be looking for to trace who did this, when, and what he's done to the system.

Here is the information I know: on 26/11/2004 at 10:44am, he created a user called alakaza, in group alakaza, and a home dir was also created in /home. This is the only trace I can find, but I need to know more, a lot more: why could he get my root password, how??? I've changed the root password already, but I need to know the reason, otherwise sooner or later he will use the same method to attack again.

Any help will be very much appreciated!

Chong

masand 11-30-2004 01:13 PM

hi there

Firstly, why don't you use a firewall and disallow all incoming traffic?

Also look at /var/log/wtmp with
who /var/log/wtmp
and you can get the IP address/terminal from which the user logged in.

regards

hostprotect 11-30-2004 02:00 PM

I'm sorry to say, but a full OS re-install is the only way to be sure he's no longer on there.

masand 11-30-2004 02:02 PM

Quote:

Originally posted by hostprotect
I'm sorry to say, but a full OS re-install is the only way to be sure he's no longer on there.
What about changing the root password and working on a firewall, as I mentioned earlier?

regards

chongluo 11-30-2004 02:18 PM

The firewall is already in place, but /var/log/wtmp does not exist on my machine.

masand 11-30-2004 02:35 PM

Hey, if you have a firewall in place then why have you allowed any access from outside?
Simply DROP/REJECT any attempts from outside.

Also, are you sure you do not have the wtmp file?

Run
locate wtmp
to see if it is there in some other location. I have FC2 and it is there in /var/log.
You can also check your /var/run/utmp file if you have not rebooted your machine after the attack.

regards

Hangdog42 11-30-2004 03:38 PM

Quote:

Originally posted by hostprotect
I'm sorry to say, but a full OS re-install is the only way to be sure he's no longer on there.
This bears repeating. Without a full OS re-install, you will never be sure that your machine is clean. Changing root's password isn't going to get you anywhere. Right now you need to do two things:
1) Unplug the machine from the network. Don't mess around with the firewall, just make it physically impossible to access from the network.
2) Re-install the OS from trusted media. Don't try to save anything from the compromised hard disk unless you can verify it is nothing but data.

You obviously are not enjoying being cracked, and you'll enjoy it even less the second time around. Do yourself a favor and fix this the right way.

chongluo 11-30-2004 06:12 PM

I understand that reinstalling the system is the best way, but that's not going to solve the actual problem. He might have exploited one of the vulnerabilities of my Linux system; I need to find out how and what he's done, and why this is happening. I don't want to be hacked again if the system is simply reinstalled.
But thanks for your advice; more suggestions on how to find the traces of the attack will be very welcome.

Capt_Caveman 11-30-2004 07:35 PM

Checking last -i for logins around the time period of the user creation is a start, also look through the system logs for any abnormal log messages (not just logins but things like kernel panics or application errors/failures). If you had poor passwords on the system (like user test with password test) then the ssh bruteforce/dictionary attack may be a likely culprit. I'd definitely download and run chkrootkit or rootkit hunter, which can help identify the presence of a rootkit and can detect log deletions. Running rpm -Va can also give you a list of altered or trojaned system packages. Take a closer look at the /etc/passwd file and look for any users other than root with uid 0. Check for any new SUID/SGID root files using:
find / -user root -perm -4000 -print
find / -user root -perm -2000 -print

Also, take a look at the bash_history files of root and alakaza in case they were sloppy (seems like they were). Also look for any abnormal files and dirs, especially in /tmp, and for hidden files (those that are preceded by a period, like .file).

Keep in mind that if someone has compromised your system's security and gained root access to your system, then the only option is to format the drive and re-install from trusted media. Simply changing the root password and turning on iptables isn't going to do you much good if a half-way decent rootkit has been installed on your system.
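The checks Capt_Caveman lists above (extra UID 0 accounts, unexpected home directories, SUID/SGID root files, hidden files in /tmp, a missing wtmp), gathered into read-only shell functions as an added example; this is not code from any poster. The file and directory arguments and the known-users list are assumptions so the functions can be pointed at an evidence copy rather than the live system.

```shell
#!/bin/sh
# Read-only post-compromise triage helpers (added example, not from the thread).
# Every function takes the file or directory to inspect as an argument, so it
# can be pointed at an evidence copy mounted read-only instead of the live box.

# Accounts other than root whose UID is 0 (a classic backdoor account).
uid0_accounts() {                      # usage: uid0_accounts /etc/passwd
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts with a home under /home that are not on a reference list of known
# users (one name per line; the list file is an assumption of this example).
unknown_home_accounts() {              # usage: unknown_home_accounts passwd known.txt
    awk -F: -v known="$2" '
        BEGIN { while ((getline name < known) > 0) ok[name] = 1 }
        $6 ~ /^\/home\// && !($1 in ok) { print $1 }' "$1"
}

# SUID or SGID regular files owned by a user (default root) under a tree:
# the two find commands from the post above, merged.
setid_files() {                        # usage: setid_files / root
    find "$1" -xdev -type f -user "${2:-root}" \
        \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Hidden entries (dot-files and dot-directories) directly under a directory.
hidden_entries() {                     # usage: hidden_entries /tmp
    find "$1" -mindepth 1 -maxdepth 1 -name '.*' -print 2>/dev/null
}

# State of a login accounting file: "missing" or "empty" means last(1) and
# who(1) have nothing to show and the record may have been wiped.
wtmp_status() {                        # usage: wtmp_status /var/log/wtmp
    if [ -s "$1" ]; then echo present
    elif [ -e "$1" ]; then echo empty
    else echo missing
    fi
}

# Run the checks against the live system only when asked: sh triage.sh --live
if [ "${1:-}" = "--live" ]; then
    echo "wtmp: $(wtmp_status /var/log/wtmp)"
    echo "extra UID 0 accounts:";        uid0_accounts /etc/passwd
    echo "hidden entries in /tmp:";      hidden_entries /tmp
    echo "root-owned SUID/SGID files:";  setid_files / root
fi
```

Any hit from these functions is a lead to investigate on the evidence copy, not proof of compromise on its own; a rootkit that hides files or patches find will defeat them, which is why the re-install advice in the thread still stands.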

masand 11-30-2004 09:25 PM

hi there

last -i uses wtmp, and he has specified that his system does not have any wtmp file.

Also, can we avoid having a wtmp file???

regards

Capt_Caveman 12-01-2004 07:32 AM

wtmp should be installed on Fedora Core systems and is part of the initscripts package. You could remove it after installing, but the only way it would be missing is if it was deleted (by accident or intentionally). The rpm -Va command should show the initscripts package as failing if it has been removed.


All times are GMT -5.