LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-30-2004, 12:01 PM   #1
chongluo
Member
 
Registered: Mar 2004
Location: uk
Distribution: fedora2, slackware10
Posts: 54

Rep: Reputation: 15
definitely being hacked---help!!!


hi,

My computer running Linux CentOS 3.0 is definitely being hacked. I think he's got the root password, because some services, like telnet and klogin, were turned on which were previously off. The sshd_conf file has been changed to allow root login via ssh, XFree86_config has also been changed; all of these are within the root privilege.

I have checked ssh, ftp and logs, and can't find any trace of logins; maybe the logs were deleted before he exited.

Please advise what else I should be looking for to trace who, when, and what he's done to the system.

Here is the information I know: on 26/11/2004 10:44am, he created a user called alakaza, in a group alakaza, and a home dir was also created in /home. This is the only trace I can find, but I need to know more, a lot more: why could he get my root password, how??? I've changed the root password already, but I need to know the reason; otherwise sooner or later he will use the same method to attack again.

Any help will be very much appreciated!

Chong
 
Old 11-30-2004, 01:13 PM   #2
masand
LQ Guru
 
Registered: May 2003
Location: INDIA
Distribution: Ubuntu, Solaris,CentOS
Posts: 5,522

Rep: Reputation: 69
hi there

firstly why don't u use a firewall and disallow all incoming traffic

also look out at /var/log/wtmp by
who /var/log/wtmp
and u can get the IP address/terminal from where the user had logged

regards
 
Old 11-30-2004, 02:00 PM   #3
hostprotect
Member
 
Registered: Nov 2004
Posts: 56

Rep: Reputation: 15
I'm sorry to say, but a full OS reinstall is the only way to be sure he's no longer on there.
 
Old 11-30-2004, 02:02 PM   #4
masand
LQ Guru
 
Registered: May 2003
Location: INDIA
Distribution: Ubuntu, Solaris,CentOS
Posts: 5,522

Rep: Reputation: 69
Quote:
Originally posted by hostprotect
I'm sorry to say, but a full OS reinstall is the only way to be sure he's no longer on there.
what about changing the root password and working on a firewall as i mentioned earlier

regards
 
Old 11-30-2004, 02:18 PM   #5
chongluo
Member
 
Registered: Mar 2004
Location: uk
Distribution: fedora2, slackware10
Posts: 54

Original Poster
Rep: Reputation: 15
The firewall is already in place, but /var/log/wtmp does not exist on my machine.
 
Old 11-30-2004, 02:35 PM   #6
masand
LQ Guru
 
Registered: May 2003
Location: INDIA
Distribution: Ubuntu, Solaris,CentOS
Posts: 5,522

Rep: Reputation: 69
hey if u have a firewall in place then why have u allowed any access from outside
simply DROP/Reject any attempts from outside

also are u sure u do not have the wtmp file

run
locate wtmp
to see if it is there in some other location
i have FC2 and it is there in /var/log
u can also see ur /var/run/utmp file if u have not rebooted ur machine after that attack

regards
 
Old 11-30-2004, 03:38 PM   #7
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Quote:
Originally posted by hostprotect
I'm sorry to say, but a full OS reinstall is the only way to be sure he's no longer on there.
This bears repeating. Without a full OS re-install, you will never be sure that your machine is clean. Changing root's password isn't going to get you anywhere. Right now you need to do two things:
1) Unplug the machine from the network. Don't mess around with the firewall, just make it physically impossible to access from the network.
2) Re-install the OS from trusted media. Don't try to save anything from the compromised hard disk unless you can verify it is nothing but data.

You obviously are not enjoying being cracked, and you'll enjoy it even less the second time around. Do yourself a favor and fix this the right way.
 
Old 11-30-2004, 06:12 PM   #8
chongluo
Member
 
Registered: Mar 2004
Location: uk
Distribution: fedora2, slackware10
Posts: 54

Original Poster
Rep: Reputation: 15
I understand that reinstalling the system is the best way, but that's not going to solve the actual problem; he might have exploited one of the vulnerabilities of my Linux system. I need to find out how and what he's done, and why this is happening. I don't want to be hacked again if the system is just simply reinstalled.
But thanks for your advice; more suggestions on how to find the traces of the attack will be very welcome.
 
Old 11-30-2004, 07:35 PM   #9
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Checking last -i for logins around the time period of the user creation is a start, also look through the system logs for any abnormal log messages (not just logins but things like kernel panics or application errors/failures). If you had poor passwords on the system (like user test with password test) then the ssh bruteforce/dictionary attack may be a likely culprit. I'd definitely download and run chkrootkit or rootkit hunter, which can help identify the presence of a rootkit and can detect log deletions. Running rpm -Va can also give you a list of altered or trojaned system packages. Take a closer look at the /etc/passwd file and look for any users other than root with uid 0. Check for any new SUID/SGID root files using:
find / -user root -perm -4000 -print
find / -user root -perm -2000 -print

Also, take a look at the bash_history files of root and alakaza in case they were sloppy (seems like they were). Also look for any abnormal files and dirs, especially in /tmp, and for hidden files (those that are preceded by a period like .file).

Keep in mind that if someone has compromised your system's security and gained root access to your system, then the only option is to format the drive and re-install from trusted media. Simply changing the root password and turning on iptables isn't going to do you much good if a half-way decent rootkit has been installed on your system.
 
Old 11-30-2004, 09:25 PM   #10
masand
LQ Guru
 
Registered: May 2003
Location: INDIA
Distribution: Ubuntu, Solaris,CentOS
Posts: 5,522

Rep: Reputation: 69
hi there

last -i
uses wtmp and he has specified that his system does not have any wtmp file

also can we avoid having a wtmp file???

regards
 
Old 12-01-2004, 07:32 AM   #11
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
wtmp should be installed on Fedora Core systems and is part of the initscripts package. You could remove it after installing, but the only way it would be missing is if it was deleted (by accident or intentionally). The rpm -Va command should show the initscripts package as failing if it has been removed.
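The checks suggested across this thread (Capt_Caveman's uid-0, SUID/SGID, hidden-file and rpm -Va checks in #9, masand's wtmp lookup in #2 and #6, and the initscripts point in #11) collected into one triage script. This is an added example, not code posted by anyone in the thread. It assumes a CentOS/Fedora host with rpm and GNU find, and every check takes its input path as a parameter so the same script can be pointed at a suspect disk mounted read-only from clean boot media, which is the only way to get trustworthy results once a rootkit may be hiding files and logins on the live system. The function names and the `run` argument are this example's own.

```shell
#!/bin/sh
# Post-compromise triage helper (constructed example, not from the thread).
# Each check is a function taking a path argument, so it can run against
# a mounted copy of the suspect root filesystem instead of the live host.
set -u

# 1. Accounts other than root that have uid 0 (backdoor root accounts).
#    Prints one username per line; empty output means none were found.
find_uid0_accounts() {
    passwd_file=${1:-/etc/passwd}
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$passwd_file"
}

# 2. SUID / SGID files below a directory. Owner defaults to root as in the
#    thread but is a parameter so the check can be exercised on a test tree.
find_setid_files() {
    root_dir=${1:-/}
    owner=${2:-root}
    find "$root_dir" -xdev -user "$owner" \( -perm -4000 -o -perm -2000 \) \
        -type f -print 2>/dev/null
}

# 3. Hidden (dot-prefixed) entries under a directory; /tmp is a common drop spot.
find_hidden_entries() {
    dir=${1:-/tmp}
    find "$dir" -mindepth 1 -name '.*' -print 2>/dev/null
}

# 4. Login records. Returns 0 and prints recent logins with source IPs if wtmp
#    exists, returns 1 if it is missing: on Fedora/CentOS wtmp is shipped by
#    initscripts, so a missing file is itself a finding (deleted by someone).
check_wtmp() {
    wtmp=${1:-/var/log/wtmp}
    if [ -f "$wtmp" ]; then
        last -i -f "$wtmp" 2>/dev/null | head -n 40
        return 0
    fi
    echo "wtmp missing at $wtmp: verify the package with 'rpm -V initscripts'"
    return 1
}

# 5. Package verification. rpm -Va lists files whose size, mode or digest no
#    longer match the RPM database; it is only meaningful on the live install.
verify_packages() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -Va 2>/dev/null
    else
        echo "rpm not available; skipping package verification"
    fi
}

# Run all checks. MNT is an optional mount point of the suspect root filesystem.
triage_report() {
    mnt=${1:-}
    echo "== uid 0 accounts other than root =="
    find_uid0_accounts "$mnt/etc/passwd"
    echo "== SUID/SGID files owned by root =="
    find_setid_files "${mnt:-/}" root
    echo "== hidden entries in /tmp =="
    find_hidden_entries "$mnt/tmp"
    echo "== recent logins from wtmp =="
    check_wtmp "$mnt/var/log/wtmp" || true
    if [ -z "$mnt" ]; then
        echo "== rpm verification =="
        verify_packages
    fi
}

# Usage: sh triage.sh run [/mnt/suspect-root]
if [ "${1:-}" = "run" ]; then
    shift
    triage_report "$@"
fi
```

Run it as `sh triage.sh run /mnt/suspect` after mounting the compromised disk read-only from a clean boot medium; run without a mount point only for a quick look on the live host, bearing in mind that a rootkit can make `find`, `last` and `rpm` lie there. None of this replaces the reinstall the thread recommends; it is for learning how the box was entered before the disk is wiped.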
 