LinuxQuestions.org > Linux - Security > Hacked by Paul "Rusty" Russell
https://www.linuxquestions.org/questions/linux-security-4/hacked-by-paul-rusty-russell-254438/

mnauta 11-13-2004 03:37 PM

Hacked by Paul "Rusty" Russell
 
My webserver got hacked. All commands like LS were compromised. When I rebooted with a boot diskette I got the following message:

"Sorry for the inconvenience, Paul "Russty" Russell ....
Netxt time floppy boot will be disabled ..."

Has anyone had this person do this to their server?

Also, how can I reverse the floppy disable boot issue?

thanks

ralvez 11-13-2004 03:53 PM

Once a system has been compromised the only ** true fix ** is to format the system and start from scratch.
I know it's a pain in the ... but there is no way to be absolutely sure that the cracker has not set up back doors. Hope you have done your due diligence with this system and have backups of important data.
1. First thing to do is "pull the plug" and get the compromised machine off the network / web.
2. If you have the skills to do so, try to determine what was the "hole" that let the intruder in, so that you can block it from now on.
3. Format the HD and start again.

As per that other message about the floppy disk, the only way (that I know of) to disable it would be if your BIOS is not write protected. Check your motherboard data; it may point you to a jumper that "clears" the BIOS chip to its defaults, and then you place the jumper to "no write" so no one can alter your settings but you.

Hope this helps.

R

XavierP 11-13-2004 03:54 PM

Until a security expert comes along, I would say that your first action should be to isolate the box - get it off the internet, get it off your network. Then try to work out how this person gained access to your box - check logs for activity, see who logged in around that time. Then take a deep breath - because your compromised box has become untrusted. The only way you can be sure that it is safe is to wipe it clean and start again.

FWIW, the only way I can think of to disable your floppy boot is via the BIOS. But then I'm not a security expert.

Edit - darn it, beaten to the post while typing :)

Capt_Caveman 11-13-2004 06:03 PM

I'm sure the name is fake as well. Paul "Rusty" Russell is the author of ipchains and iptables (the Linux firewalls) and has spent years contributing and maintaining code for Linux. So you can be pretty sure that he hasn't hacked your box.

Also pulling the CMOS battery will often reset the BIOS.

mnauta 11-13-2004 07:20 PM

Quote:

Originally posted by ralvez
Once a system has been compromised the only ** true fix ** is to format the system and start from scratch.
I know it's a pain in the ... but there is no way to be absolutely sure that the cracker has not set up back doors. Hope you have done your due diligence with this system and have backups of important data.
1. First thing to do is "pull the plug" and get the compromised machine off the network / web.
2. If you have the skills to do so, try to determine what was the "hole" that let the intruder in, so that you can block it from now on.
3. Format the HD and start again.

As per that other message about the floppy disk, the only way (that I know of) to disable it would be if your BIOS is not write protected. Check your motherboard data; it may point you to a jumper that "clears" the BIOS chip to its defaults, and then you place the jumper to "no write" so no one can alter your settings but you.

Hope this helps.

R


I got all data backed up, data from last month and today. It's just a f..ing pain because of ColdFusion version and MySQL etc etc. I just got a new box going with Fedora C2.

I guess the "not boot from floppy again ..." is a bluff.

Manuel

trickykid 11-14-2004 02:33 AM

Quote:

Originally posted by mnauta
I got all data backed up, data from last month and today. It's just a f..ing pain because of ColdFusion version and MySQL etc etc. I just got a new box going with Fedora C2.

I guess the "not boot from floppy again ..." is a bluff.

Manuel

Some more key things to remember and practice:

1. Use only strong passwords that mean nothing to you or anyone.
2. Don't log in directly as root; set up sudo.
3. Keep your packages updated, mainly security related ones.
4. Try to eliminate any services running you don't need.
5. Set up a firewall to block ports you don't want outside hosts to access.

Regards.

Matir 11-14-2004 12:17 PM

Also:

do not use any of the same passwords as you did on the old box, ESPECIALLY ROOT. He may have grabbed your shadow file and then used John the Ripper to brute-force passwords. This would leave your new setup ripe for the picking if you use the same password. Hint: never use the same password as any compromised box.

phatboyz 11-15-2004 11:35 AM

May I add that in your ssh config you should not allow root to log in, and drop the ssh connection after 3 tries.
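
Added example, not part of phatboyz's post or anything else the thread's authors wrote: the two sshd_config directives that implement his advice, plus a POSIX shell function that audits a config file for them. PermitRootLogin and MaxAuthTries are real OpenSSH keywords (OpenSSH uses the first occurrence of a keyword it finds in the file); the sample config files and the function names are constructed for the illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config for "no root login" and "drop after 3 tries".
# The directives are real OpenSSH keywords; the sample files below are constructed.

# Print the effective value of one directive in a config file.
#   $1 = config file, $2 = keyword (OpenSSH keywords are case-insensitive;
#   the first uncommented occurrence wins, so we stop at the first match).
ssh_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# Return 0 when root logins are refused and at most 3 authentication attempts
# are allowed per connection; print one FAIL line per setting otherwise.
audit_sshd_config() {
    cfg=$1
    prl=$(ssh_directive "$cfg" PermitRootLogin)
    mat=$(ssh_directive "$cfg" MaxAuthTries)
    status=0
    # An unset PermitRootLogin means the compiled-in default applies, and that
    # default is not "no", so treat "unset" as a failure too.
    if [ "$prl" != no ]; then
        echo "FAIL: PermitRootLogin is '${prl:-unset}', want 'no'"
        status=1
    fi
    # An unset MaxAuthTries means the OpenSSH default of 6 applies.
    if [ "${mat:-6}" -gt 3 ]; then
        echo "FAIL: MaxAuthTries is ${mat:-unset}, want 3 or fewer"
        status=1
    fi
    return $status
}

# Demonstration on two constructed files: the risky and the hardened setting.
demo() {
    weak=$(mktemp); hard=$(mktemp)
    cat > "$weak" <<'EOF'
# constructed sample: root may log in and six guesses are allowed per connection
PermitRootLogin yes
MaxAuthTries 6
EOF
    cat > "$hard" <<'EOF'
# constructed sample: what phatboyz recommends
PermitRootLogin no
MaxAuthTries 3
EOF
    audit_sshd_config "$weak"; echo "weak config -> exit $?"
    audit_sshd_config "$hard"; echo "hardened config -> exit $?"
    rm -f "$weak" "$hard"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh audit.sh demo` to see the FAIL lines for the weak file and a clean exit for the hardened one; point `audit_sshd_config` at the real `/etc/ssh/sshd_config` to check a live box. sshd only re-reads the file on restart or reload, so the check says what the file asks for, not what the running daemon is currently enforcing.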

cythrawll 11-15-2004 12:11 PM

Install Tripwire to keep an eye on important files (such as ls); Tripwire will alert you if, and which, files have changed (by email, for example). It might not have prevented such an attack, but it will give you enough information about who changed what, and when, to help you rescue your system. I would watch out on your box; he could have trojanized anything.
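
Added example, not Tripwire itself and not code from anyone in this thread: a minimal baseline-and-compare check in POSIX sh using sha256sum, to show the kind of report a file-integrity monitor produces when a binary like ls is replaced. The function names and the sample directory are constructed; paths containing spaces are not handled, which is one of several reasons to use the real tool.

```shell
#!/bin/sh
# Added example (not Tripwire): record hashes of a file tree, then report what
# changed, vanished or appeared since the baseline was taken.

# Write "hash  path" for every regular file under the given directories.
#   $1 = baseline file to write, remaining args = directories to cover
baseline_create() {
    out=$1; shift
    find "$@" -type f -exec sha256sum {} + > "$out"
}

# Print the recorded hash of one path from a baseline file (empty if absent).
#   $1 = baseline file, $2 = path (paths with spaces are not supported here)
baseline_hash() {
    awk -v p="$2" '$2 == p { print $1; exit }' "$1"
}

# Compare the current tree against a baseline. Prints one CHANGED, MISSING or
# NEW line per difference; returns 1 if anything differed, 0 if all is clean.
#   $1 = baseline file, remaining args = the same directories used at creation
baseline_check() {
    base=$1; shift
    cur=$(mktemp)
    baseline_create "$cur" "$@"
    rc=0
    # Files the baseline knows about: vanished, or content no longer matches.
    while read -r hash path; do
        now=$(baseline_hash "$cur" "$path")
        if [ -z "$now" ]; then
            echo "MISSING $path"; rc=1
        elif [ "$now" != "$hash" ]; then
            echo "CHANGED $path"; rc=1
        fi
    done < "$base"
    # Files present now that the baseline never saw.
    while read -r hash path; do
        [ -n "$(baseline_hash "$base" "$path")" ] || { echo "NEW $path"; rc=1; }
    done < "$cur"
    rm -f "$cur"
    return $rc
}

# Demonstration on a constructed directory: take a baseline, tamper, re-check.
demo() {
    d=$(mktemp -d); b=$(mktemp)
    printf 'original\n' > "$d/ls"; printf 'original\n' > "$d/ps"
    baseline_create "$b" "$d"
    printf 'replaced\n' > "$d/ls"      # simulates a swapped binary
    rm "$d/ps"                          # simulates a deleted file
    printf 'planted\n' > "$d/extra"    # simulates a dropped file
    baseline_check "$b" "$d"; echo "exit $?"
    rm -rf "$d" "$b"
}

if [ "${1:-}" = demo ]; then demo; fi
```

The baseline is only worth anything if the intruder cannot rewrite it, so keep it on read-only or offline media (a floppy, in this thread's era) rather than on the monitored box, and run the comparison from a trusted environment: on mnauta's server the very binaries that would do the checking (ls and friends in the path) had been replaced, which is why booting clean media first matters.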

Kropotkin 11-15-2004 12:43 PM

Quote:

Originally posted by trickykid

2. Don't log in directly as root; set up sudo.

How does this improve security?

The Chain 11-15-2004 04:17 PM

I have a question: let's say someone hacked me too... then would I only have to reformat the partition that was hacked, or the whole drive?

cyberliche 11-15-2004 05:18 PM

Re-write the partition table and re-format the whole drive. You don't know how advanced the cracker was so you don't know what he might have planted elsewhere. You'd probably be ok just re-formatting the / and /usr partitions, but why take the chance?

mnauta 11-15-2004 06:35 PM

Quote:

Originally posted by phatboyz
May I add that in your ssh config you should not allow root to log in, and drop the ssh connection after 3 tries.

Good point. Any help on the file / syntax would save me time googling.

The hack had to be via port 80. This was the only port open to this server (NAT, CISCO PIX). He (the f..ing jerk) got root access this way because LS and MANY other files in /etc were altered (different date stamp) and message was inserted at run level 5.

Strange thing is that after rebooting with the floppy (several times), LS and other commands worked fine, even without a floppy boot ???

Anyway, I had another server up within hours, including all backups :)

m.

Capt_Caveman 11-15-2004 10:12 PM

Quote:

Originally posted by Kropotkin
How does this improve security?

By allowing direct root logins, you've significantly reduced the complexity of a username-password combo (i.e. you already have the username (root); all you need is a password and you have automatic root access). By disallowing root logins, you'd need to guess a valid username and the correct password, so that makes brute-force techniques virtually impossible.

Capt_Caveman 11-15-2004 10:14 PM

Quote:

Originally posted by mnauta
Anyway, I had another server up within hours, including all backups :)

I hope that you've made sure that the backups are clean and free of any malicious code as well?

