Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I am running a Fedora 10 Virtual Server and have a feeling I have been hacked. I needed to fix a source file that I had definitely not changed myself. It was a PHP file concerned with usernames and passwords so that made me even more suspicious. I have been investigating and found the following. If you need other information give me the command I should run and I will update, I am no expert in this area and use the server to host my website and SVN. I am the only person that has access to the server.
should /etc/passwd and /etc/group really be accessible by nobody?
rkhunter showed the following warnings
Code:
# cat /var/log/rkhunter.log.old | grep Warning
[13:44:48] Warning: Checking for prerequisites [ Warning ]
[13:44:48] Warning: WARNING! It is the users responsibility to ensure that when the '--propupd' option
[13:44:54] /usr/bin/ldd [ Warning ]
[13:44:54] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable
[13:44:57] /usr/bin/whatis [ Warning ]
[13:44:57] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: POSIX shell script text executable
[13:44:58] /sbin/ifdown [ Warning ]
[13:44:58] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
[13:44:58] /sbin/ifup [ Warning ]
[13:44:58] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
[13:48:36] Checking loaded kernel modules [ Warning ]
[13:48:36] Warning: No output found from the lsmod command or the /proc/modules file:
[13:48:37] Warning: The kernel modules directory '/lib/modules' is missing or empty.
[13:49:27] Checking if SSH root access is allowed [ Warning ]
[13:49:27] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
[13:49:33] Checking for hidden files and directories [ Warning ]
[13:49:33] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[13:50:13] Checking version of GnuPG [ Warning ]
[13:50:13] Warning: Application 'gpg', version '1.4.9', is out of date, and possibly a security risk.
[13:50:13] Checking version of Apache [ Warning ]
[13:50:14] Warning: Application 'httpd', version '2.2.11', is out of date, and possibly a security risk.
[13:50:14] Checking version of Bind DNS [ Warning ]
[13:50:14] Warning: Application 'named', version '9.5.1-P3', is out of date, and possibly a security risk.
[13:50:14] Checking version of OpenSSL [ Warning ]
[13:50:14] Warning: Application 'openssl', version '0.9.8g', is out of date, and possibly a security risk.
[13:50:14] Checking version of PHP [ Warning ]
[13:50:14] Warning: Application 'php', version '5.2.9', is out of date, and possibly a security risk.
[13:50:14] Checking version of OpenSSH [ Warning ]
[13:50:14] Warning: Application 'sshd', version '5.1p1', is out of date, and possibly a security risk.
I am no expert myself but I think the rkhunter output may suggest that you are using old packages, and this may be because you are using an old unsupported version of Fedora. The latest is F13. The Fedora release cycle is short and releases reach end of life quite frequently. Not a good choice for a server. Upgrading to F13 may remove the rkhunter warnings.
should /etc/passwd and /etc/group really be accessible by nobody?
Short answer: yes.
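A check for the permissions question, added here as an example (it is not code from the thread or from any poster): /etc/passwd and /etc/group are expected to be world-readable, mode 644 and owned by root, because every process that maps a uid or gid to a name reads them. What must not be world-readable are /etc/shadow and /etc/gshadow, which hold the password hashes. The script compares each file's mode and owning user against those expectations; the accepted modes for the shadow files (000 on Fedora, 640 root:shadow on Debian) are assumptions about typical distribution defaults.

```shell
#!/bin/sh
# Added example (not from the thread): compare the mode and owner of the
# account files against what a healthy system should have.
#   /etc/passwd, /etc/group    world-readable (644) is normal and required
#   /etc/shadow, /etc/gshadow  must NOT be world-readable; the exact mode
#                              differs by distribution (000 on Fedora,
#                              640 root:shadow on Debian), so several are accepted

# Octal mode of a file (GNU stat, with a BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Owning user of a file.
file_user() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# check_mode PATH "MODE [MODE...]" [USER]
# Prints one line and returns 0 when the mode is in the accepted list (and the
# owner matches USER when given), 1 otherwise. A missing file counts as a failure.
check_mode() {
    path=$1; accepted=$2; want_user=${3:-}
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    mode=$(file_mode "$path")
    user=$(file_user "$path")
    status=1
    for m in $accepted; do
        [ "$mode" = "$m" ] && status=0
    done
    if [ -n "$want_user" ] && [ "$user" != "$want_user" ]; then
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK       $path mode=$mode owner=$user"
    else
        echo "MISMATCH $path mode=$mode owner=$user (accepted: $accepted, owner ${want_user:-any})"
    fi
    return "$status"
}

# Run the standard set; returns 1 if any file deviates from the expectation.
check_account_files() {
    rc=0
    check_mode /etc/passwd  "644"            root || rc=1
    check_mode /etc/group   "644"            root || rc=1
    check_mode /etc/shadow  "0 400 600 640"  root || rc=1
    check_mode /etc/gshadow "0 400 600 640"  root || rc=1
    return "$rc"
}

# Usage: sh check_account_files.sh   (or source the file and call check_mode)
case "$0" in
    *check_account_files.sh) check_account_files ;;
esac
```

A MISMATCH on /etc/passwd or /etc/group usually means something tightened them by accident (which breaks name lookups for unprivileged programs); a MISMATCH on /etc/shadow is the finding that matters.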
Quote:
Originally Posted by jax8
I am running a Fedora 10 Virtual Server and get have a feeling I have been hacked. I needed to fix a source file that I had definately not changed myself. It was a PHP file concerned with usernames and passwords so that made me even more suspicious. I have been investigating and found the following.
As said, F10 is deprecated so no more security updates. Bad. Who was the file owned by? What were the access rights? What does 'stat' return when you run it on the PHP-file-with-usernames-and-passwords? What software is it part of? Are you running the latest version? Did you check your system and web server logs ('Logwatch') for anomalies?
If you have the hunch (it's good to follow those) you've got a potential compromise on your hands, please read the Intruder Detection Checklist (CERT, archived): http://web.archive.org/web/200801092...checklist.html
Quote:
Originally Posted by jax8
has been replaced by a script
Download version 1.3.6 and read the documentation, search the rkhunter-users mailing list archives and see the rkhunter.conf script whitelisting option. The fact you're only showing this now means you never (re-)configured Rootkit Hunter completely.
Quote:
Originally Posted by jax8
Warning: The SSH configuration option 'PermitRootLogin' has not been set.
Read the documentation, search the rkhunter-users mailing list archives and see the rkhunter.conf dot-files whitelisting option.
Quote:
Originally Posted by jax8
Warning: Application X, version Y, is out of date, and possibly a security risk.
Read the documentation, search the rkhunter-users mailing list archives, see the rkhunter.conf application check version whitelisting option or disable the application version check.
This is the Linux Security forum. Members may post information about (potential) compromises here. Compromises are bad for the owner, bad for all connected to the same network (meaning all of us) and bad for the GNU/Linux image. This means it needs to be dealt with decisively, correctly and quickly. So if you're not familiar with incident response then for you the best thing to do is to wait until somebody comes along who does, because addressing secondary issues makes the OP lose focus and is inefficient. If you want to post something then post the Intruder Detection Checklist link I posted in the previous reply. This enables the OP to at least gather more information.
Also upgrading to F13 will not remove the rkhunter warnings.
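A triage of the warning classes in the rkhunter log quoted in the first post, added here as an example that is not part of any reply in the thread. It sorts rkhunter 'Warning:' lines into findings that must be checked against the package database before any whitelisting (replaced-by-script, hidden files, the empty /lib/modules, which on a container-style virtual server is often expected because the kernel belongs to the host), configuration findings, and version checks that an end-of-life release can only fix by updating. The sample log is constructed from the lines in the first post; the rkhunter.conf options named in the comments (SCRIPTWHITELIST, ALLOWHIDDENFILE, APP_WHITELIST, ALLOW_SSH_ROOT_USER) are the whitelisting options the reply above points to, and `rpm -Vf` is the Fedora-side verification that is assumed to be available.

```shell
#!/bin/sh
# Added example (not from the thread): classify rkhunter "Warning:" lines so
# the findings that need hands-on verification are not lost among the noise.
#   INVESTIGATE  replaced-by-script, hidden file/dir, empty /lib/modules:
#                confirm against the package database (rpm -Vf) BEFORE adding
#                SCRIPTWHITELIST / ALLOWHIDDENFILE entries to rkhunter.conf
#   CONFIG       sshd/rkhunter configuration findings (PermitRootLogin unset;
#                ALLOW_SSH_ROOT_USER tells rkhunter what you intend)
#   VERSION      application-version checks; APP_WHITELIST silences them, but
#                on an end-of-life release the packages really are unpatched
#   OTHER        anything not matched above

# Constructed sample, modelled on the log quoted in the first post.
sample_log() {
cat <<'EOF'
[13:44:48] Warning: Checking for prerequisites [ Warning ]
[13:44:54] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable
[13:44:58] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
[13:48:37] Warning: The kernel modules directory '/lib/modules' is missing or empty.
[13:49:27] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
[13:49:33] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[13:50:14] Warning: Application 'httpd', version '2.2.11', is out of date, and possibly a security risk.
[13:50:14] Warning: Application 'sshd', version '5.1p1', is out of date, and possibly a security risk.
EOF
}

# triage_rkhunter < rkhunter.log
# Emits: CLASS <tab> item (path, option or application) <tab> message
triage_rkhunter() {
    grep 'Warning:' | awk -v q="'" '
        BEGIN { quoted = q "[^" q "]+" q }          # first single-quoted token
        function first_quoted(s) {
            return match(s, quoted) ? substr(s, RSTART + 1, RLENGTH - 2) : "-"
        }
        {
            sub(/^\[[0-9:]+\] Warning: /, "")     # strip the timestamp prefix
            msg = $0; cls = "OTHER"; item = "-"
            if (msg ~ /has been replaced by a script/) {
                cls = "INVESTIGATE"; item = first_quoted(msg)
            } else if (msg ~ /^Hidden (file|directory) found: /) {
                cls = "INVESTIGATE"; split(msg, part, ": "); item = part[2]
            } else if (msg ~ /kernel modules directory/) {
                cls = "INVESTIGATE"; item = first_quoted(msg)
            } else if (msg ~ /configuration option/) {
                cls = "CONFIG"; item = first_quoted(msg)
            } else if (msg ~ /is out of date/) {
                cls = "VERSION"; item = first_quoted(msg)
            }
            printf "%s\t%s\t%s\n", cls, item, msg
        }'
}

# count_class CLASS < triage-output   (handy for gating an alert)
count_class() {
    awk -F'\t' -v c="$1" '$1 == c { n++ } END { print n + 0 }'
}

# verify_with_rpm < triage-output
# For every INVESTIGATE item that is a path, report the owning package and
# whether that package still verifies (rpm -Vf checks every file of the
# package owning the path, so read its output to see which file deviates).
# Only an unchanged, package-owned script is a candidate for SCRIPTWHITELIST.
verify_with_rpm() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found; skipping" >&2; return 2; }
    awk -F'\t' '$1 == "INVESTIGATE" && $2 ~ /^\// { print $2 }' |
    while read -r p; do
        [ -e "$p" ] || { echo "ABSENT    $p"; continue; }
        if rpm -Vf "$p" >/dev/null 2>&1; then
            echo "UNCHANGED $p ($(rpm -qf "$p"))"
        else
            echo "MODIFIED  $p ($(rpm -qf "$p")): $(rpm -Vf "$p")"
        fi
    done
}

# Usage:
#   triage_rkhunter < /var/log/rkhunter.log | tee triage.tsv
#   verify_with_rpm < triage.tsv
# Running this file directly triages the constructed sample.
case "$0" in
    *triage_rkhunter.sh) sample_log | triage_rkhunter ;;
esac
```

On Fedora, ldd, whatis, ifup and ifdown are shipped as scripts by their packages, so an UNCHANGED result from the package database is what justifies a SCRIPTWHITELIST entry; a MODIFIED result on any of them is the point at which the Intruder Detection Checklist applies and whitelisting is the wrong move.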