LinuxQuestions.org
Old 04-08-2013, 03:06 PM   #1
andi.ramesh
LQ Newbie
 
Registered: Mar 2013
Posts: 4

Rep: Reputation: Disabled
How to recover the hacked linux system?


Hi, one of our systems (RHEL 5u8) got hacked, it seems. We get the error "unknown HZ value assuma 100" when we run the top command, ps -edf, etc.

I ran chkrootkit and found top, ifconfig, and some more are affected. The solution I have seen on the internet is to delete the ps and top files and reinstall them.

Could anyone guide me on how to uninstall top, ps, etc. and reinstall the same?
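As an added example (not code from the thread or from any poster), here is a triage helper for exactly this situation: it parses the report that `rpm -V` (e.g. `rpm -Va`, or `rpm -Vf /bin/ps /usr/bin/top /sbin/ifconfig`) prints on a RHEL host, separates package-owned binaries whose size or MD5 digest no longer match from harmless mtime or config-file changes, and checks a tool's stderr for the HZ message the OP saw. The sample report is constructed; on a rooted box the rpm binary and its database may themselves have been altered, so a clean result here is a hint, not proof, and the thread's advice to work from known-good media still stands.

```python
import re
from dataclasses import dataclass

# `rpm -V` prints a flag field (8 chars on RHEL 5's rpm 4.4, 9 on later
# releases), an optional attribute letter (c = config, d = doc, ...), then
# the path.  '.' = attribute matches, '?' = untestable.  Clean files print nothing.
FLAG_NAMES = {"S": "size", "M": "mode", "5": "md5", "D": "device", "L": "symlink",
              "U": "user", "G": "group", "T": "mtime", "P": "caps"}
VERIFY_RE = re.compile(r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S+)$")
MISSING_RE = re.compile(r"^missing\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S+)$")

@dataclass
class Finding:
    path: str
    changed: tuple          # attribute names that no longer match the package
    attr: str = ""          # "c" marks config files, which legitimately change
    missing: bool = False

def parse_rpm_verify(report: str) -> list:
    findings = []
    for line in report.splitlines():
        line = line.strip()
        if m := MISSING_RE.match(line):
            findings.append(Finding(m["path"], (), m["attr"] or "", missing=True))
        elif m := VERIFY_RE.match(line):
            changed = tuple(FLAG_NAMES[c] for c in m["flags"] if c in FLAG_NAMES)
            findings.append(Finding(m["path"], changed, m["attr"] or ""))
    return findings

def suspicious_binaries(findings) -> list:
    """Non-config files whose size or MD5 differ from the package: the classic
    signature of a replaced ps/top/ifconfig.  mtime-only changes are ignored."""
    return sorted(f.path for f in findings
                  if not f.missing and f.attr != "c"
                  and ("md5" in f.changed or "size" in f.changed))

def has_hz_symptom(tool_stderr: str) -> bool:
    """procps complains like this when ps/top cannot obtain a sane HZ value."""
    return "unknown hz value" in tool_stderr.lower()

# Constructed `rpm -Va` excerpt resembling the thread's situation (not real output).
SAMPLE_REPORT = """\
S.5....T.    /bin/ps
S.5....T.    /usr/bin/top
S.5....T.    /sbin/ifconfig
.......T.    /bin/ls
S.5....T.  c /etc/ssh/sshd_config
missing      /usr/bin/w
"""
```

Run `rpm -Va 2>/dev/null` on the suspect host (ideally from a rescue medium with a trusted rpm), feed the output to `parse_rpm_verify`, and post the `suspicious_binaries` list alongside the chkrootkit output when asking for help.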
 
Old 04-08-2013, 03:16 PM   #2
ozar
Member
 
Registered: May 2004
Location: USA
Distribution: Arch Linux
Posts: 390

Rep: Reputation: 75
Hello

If you know for sure that your system has been compromised, you need to reinstall from scratch, or restore a known-good backup, then implement security steps to prevent the same from happening again.
 
Old 04-08-2013, 03:21 PM   #3
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,919

Rep: Reputation: 779
Have you been through the CERT checklist? That would be a good first step. I haven't run 'chkrootkit', but a similar application (rkhunter) gives output that takes a bit of interpretation (that is, frequently gives some false positives which need a little intelligence to decode).

Can you post the command executed and the output so that we can look through that (...and when I say 'we', I really mean that portion of 'we' who have some more specific experience than I do...)?

Then there is the question of how they got in. It doesn't sound as if the apps that you mention (top, ps...) are exactly the most likely way to gain entry, so the chances are that something else was the way that they used to get in. In that case, if you don't do something about how they got in, likely they can do it again, and unless you really track down the exact mechanism used to get in, you are only guessing about what to do to cure it.
 
1 members found this post helpful.
Old 04-08-2013, 04:48 PM   #4
colucix
Moderator
 
Registered: Sep 2003
Location: Bologna
Distribution: CentOS 6.5 OpenSuSE 12.3
Posts: 10,509

Rep: Reputation: 1957
Moved: This thread is more suitable in Linux - Security and has been moved accordingly to help your thread/question get the exposure it deserves.
 
Old 04-09-2013, 03:02 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,725
Blog Entries: 54

Rep: Reputation: 2971
Quote:
Originally Posted by andi.ramesh View Post
We get the error "unknown HZ value assuma 100" when we run the top command, ps -edf, etc.
Looks like evidence of a SHv4/5 rootkit.


Quote:
Originally Posted by andi.ramesh View Post
The solution I have seen on the internet is to delete the ps and top files and reinstall them.
That is utter nonsense. Anyone writing that has no clue at all.


First of all this machine must not be used anymore by anyone:
- alert users the machine may be compromised,
- have them change all passwords related to this machine and
- investigate adjacent machines too.

If an investigation is required then preserving "evidence" is the next step:
- isolate the machine by bringing down its network interfaces or
- pulling out the network cable(s) and then
- follow the CERT link salasi posted.

If the machine needs to be used again then
- please do not restore a backup unless you are one hundred percent sure the backup isn't tainted.

Please follow up on replies Real Soon Now and please stay with this thread until completion.
 
3 members found this post helpful.
Old 04-21-2013, 04:14 AM   #6
andi.ramesh
LQ Newbie
 
Registered: Mar 2013
Posts: 4

Original Poster
Rep: Reputation: Disabled
Hello all,

Finally we re-installed the server from scratch as it is a commercial system. Thanks to all for your suggestions.
 
Old 04-21-2013, 07:20 AM   #7
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,919

Rep: Reputation: 779
So, if you have done the same thing that you did for the first installation, you have reproduced the same vulnerabilities, no? Is that really what you wanted to do?
 
1 members found this post helpful.
Old 04-21-2013, 10:42 AM   #8
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,455

Rep: Reputation: 1172
Presumably this system will be immediately re-compromised in the same way as before, if this has not happened already. These sorts of things are usually automated.