LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 03-30-2004, 01:55 PM   #1
giosue_c
Member
 
Registered: Mar 2004
Location: Kansas
Distribution: Debian!
Posts: 39

Rep: Reputation: 15
I've got a trapdoor in my machine!!!


I'm a linux noob. My coworkers, who aren't noobs, hacked my box in my first week on the job. Since then I have become a bit more security savvy, but the damage is done. I have found and cleaned out all the users and groups they created for themselves. And I got rid of a file they created that occupied all my hard drive space, but they claim to have a trapdoor into my machine (fedora core 1). The only thing I know about this software is that it emails my coworkers when I boot or log into my machine. I don't see anything suspicious running when I do a ps -l, but I don't really know what to look for.

Can I use the email notification thing they told me about to find the program that they have running on my system?

They also claim they can remotely control my computer. I have since modified my hosts file to block all hosts.

Any advice for cleaning this system up (or getting them back) would be appreciated.

thanks!
 
Old 03-30-2004, 02:33 PM   #2
AltF4
Member
 
Registered: Sep 2002
Location: .at
Distribution: SuSE, Knoppix
Posts: 532

Rep: Reputation: 31
if they just know how to beat a "n00b" - first check:
- the startup scripts ( /etc/init.d, inittab, etc. )
- if they installed any services/backdoors ( inetd configuration, login scripts, etc )
- cron/at jobs
- strange suid/sgid files
- verify the checksums of your binaries/config files with your distribution
- password protect the bios (no floppy/cd/etc... boot), bootloader config etc.

if your coworkers are "really good" (TM) - reinstall everything from scratch :-)
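One of the checklist items above ("strange suid/sgid files") is easy to script. The following is an added example written for this thread, not code posted by AltF4 or shipped with any distribution: it walks a tree without following symlinks, reports every regular file with the setuid or setgid bit, and builds a small constructed temp tree (a hidden setuid copy of a shell next to a legitimate-looking setgid file) so it can be run as-is. On a real host you would point it at / and compare the list against a known-clean machine or against what the package manager expects (rpm -V on Fedora Core).

```python
"""Walk a directory tree and report files carrying the setuid or setgid bit.

Added example for the "strange suid/sgid files" check; not from the thread.
"""
import os
import shutil
import stat
import tempfile


def setid_flags(mode):
    """Return the special bits set in a st_mode value, as a list of names."""
    flags = []
    if mode & stat.S_ISUID:
        flags.append("setuid")
    if mode & stat.S_ISGID:
        flags.append("setgid")
    return flags


def find_setid_files(root):
    """Return sorted (path, flags) for regular files under root with setuid/setgid set.

    lstat is used so symlinks are not followed: a planted link pointing at a
    legitimate setuid binary is not reported twice, and the walk never leaves
    the tree being audited.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; keep going
            if not stat.S_ISREG(st.st_mode):
                continue
            flags = setid_flags(st.st_mode)
            if flags:
                hits.append((path, flags))
    return sorted(hits)


def build_demo_tree():
    """Create a constructed temp tree: one plain file, one setuid, one setgid.

    Returns the temp directory path; the caller removes it.
    """
    root = tempfile.mkdtemp(prefix="setid-demo-")
    os.makedirs(os.path.join(root, "usr", "bin"))
    os.makedirs(os.path.join(root, "tmp", ".hidden"))
    plain = os.path.join(root, "usr", "bin", "ls")      # normal binary
    suid = os.path.join(root, "tmp", ".hidden", "sh")   # setuid copy in a hidden dir
    sgid = os.path.join(root, "usr", "bin", "wall")     # setgid, as a real wall(1) is
    for path in (plain, suid, sgid):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
    os.chmod(plain, 0o755)
    os.chmod(suid, 0o4755)
    os.chmod(sgid, 0o2755)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    try:
        for path, flags in find_setid_files(demo):
            print(f"{','.join(flags):14s} {path}")
    finally:
        shutil.rmtree(demo)
```

The output is only as trustworthy as the kernel answering the lstat calls; if a kernel-level rootkit is suspected, run the same scan from a rescue CD against the mounted disk.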
 
Old 03-30-2004, 02:51 PM   #3
320mb
Senior Member
 
Registered: Nov 2002
Location: pikes peak
Distribution: Slackware, LFS
Posts: 2,577

Rep: Reputation: 48
http://home.earthlink.net/~milk4unme/
go here and d/l the 2 pdf files
linuxsecurity
linuxnewbieadminguide

they should help.
 
Old 03-30-2004, 04:38 PM   #4
J.W.
LQ Veteran
 
Registered: Mar 2003
Location: Boise, ID
Distribution: Mint
Posts: 6,642

Rep: Reputation: 87
What kind of office do you work in where your coworkers are hacking into your box? This doesn't sound like a harmless prank to me, but rather that your colleagues either want to inappropriately keep tabs on you, or that they may be planning some kind of future sabotage. If I were you I'd have a discussion with my manager about this -- unless your office is pretty much the Wild West, random coworkers should have zero authority to install arbitrary software on your machine. Maybe they're just doing some friendly hazing of the new guy, but either way that's not how I'd treat a new employee during his first week on the job. -- J.W.
 
Old 03-30-2004, 04:39 PM   #5
giosue_c
Member
 
Registered: Mar 2004
Location: Kansas
Distribution: Debian!
Posts: 39

Original Poster
Rep: Reputation: 15
thanks AltF4,

- I checked the startup scripts: /etc/init.d, inittab, and my .bashrc, and .bash_profile
- I checked for services
- inetd configuration mentions
    instances = 60
    log_type = SYSLOG authpriv
    log_on_success = HOST PID
    log_on_failure = HOST
    cps
- services looks like this
    type = INTERNAL UNLISTED
    port = 9098
    socket_type = stream
    protocol = tcp
    wait = no
    disable = yes
    only_from = 127.0.0.1
- cron/at jobs seemed normal to me
- Didn't find any strange suid/sgid files
- haven't had time to verify checksums yet
- the bios/bootloader is protected and boots from HD

I was hoping that someone could tell me how to intercept or monitor any email activity that I might be sending. Perhaps that could lead to something... I had visions of changing whatever the intruder did so that instead of just one email my computer dumps a bunch of emails...

Of course I have no idea how, and I would want to remove the trapdoor before provoking these guys.

Thanks again... Oh and 320mb, thanks for the pdf links, I'll give them a look. The linuxsecurity one looks good.
 
Old 03-30-2004, 04:42 PM   #6
giosue_c
Member
 
Registered: Mar 2004
Location: Kansas
Distribution: Debian!
Posts: 39

Original Poster
Rep: Reputation: 15
J.W.

My manager informed me that being a new guy meant that I would have to learn about securing a linux box. He said that I would be a 'target' for the first months. He wasn't kidding. Trial by fire. And it is true. I have learned more on this subject than I would have had I not been hacked.

And I'm sure that hazing the new guy probably comes into play.

 
Old 03-30-2004, 11:25 PM   #7
J.W.
LQ Veteran
 
Registered: Mar 2003
Location: Boise, ID
Distribution: Mint
Posts: 6,642

Rep: Reputation: 87
Cool. As long as it was announced up front that this sort of thing was part of your on the job training, then fair enough, and I'm sure that you are indeed learning way, way more this way than by attending some kind of dry lecture. Your original post didn't put things into that context though, so I figured that maybe you were being subjected to totally insane working conditions, and figured I'd just toss in my 2 cents.

Anyway best wishes with the trial by fire and good luck -- J.W.
 
Old 03-30-2004, 11:48 PM   #8
Patrick Bulteel
Member
 
Registered: Nov 2003
Location: United Kingdom
Distribution: Mandrake, RedHat, Suse, Ubuntu, Debian
Posts: 37

Rep: Reputation: 15
There are several things to do.

1. Don't log on as root from the console or remotely, su or sudo are your friends.
2. Check which services are running. chkconfig --list will let you know. Turn off just about everything. If you don't know what it does, man ${servicename} will give you some idea.
3. netstat -an will let you know if your system is "listening" for connections - find out what's running on those ports. You might have to use lsof to find out more details.
4. Run a firewall on your system. My workstation is behind the corporate firewalls and I STILL run shorewall! I can then notify our NT admins the IPs of those infected machines that are scanning my machine. (They cleaned it, but it got re-infected.)
5. Paranoid? You should be, because they're out to get you!! It keeps you on your toes.
6. Backups, patches and AIDE/Tripwire are your friends...

And I'm sure there's tons more things that you should do... read up (sounds like you're doing so...)

Enjoy your new found knowledge!
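Item 6 names AIDE and Tripwire. Both work on the same idea: record a digest and metadata for every file while the system is known clean, then compare later. The following is an added example written for this thread, not code from either project: a minimal baseline-and-compare in Python, run against a constructed temp tree in which a binary is replaced and a hidden file is added after the baseline was taken. It also illustrates the caveat that matters for the poster: a baseline taken after the compromise would simply record the altered files as expected.

```python
"""Minimal file-integrity baseline in the spirit of AIDE/Tripwire.

Added example, not from the thread or from either project.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile


def file_record(path):
    """Digest, size and permission bits for one regular file."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": oct(stat.S_IMODE(st.st_mode))}


def build_baseline(root):
    """Map relative path -> record for every regular file under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not stat.S_ISREG(os.lstat(full).st_mode):
                continue
            baseline[os.path.relpath(full, root)] = file_record(full)
    return baseline


def compare(old, new):
    """Return sorted lists of added, removed and changed paths."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "changed": changed}


def save_baseline(baseline, path):
    # Keep the saved baseline on read-only media (CD, write-protected
    # floppy); an attacker with root can otherwise regenerate it after
    # planting files, which is also why a baseline taken after a
    # compromise proves nothing.
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Constructed scenario: baseline a clean tree, then tamper with it."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    try:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "login"), "wb") as fh:
            fh.write(b"original login binary\n")
        with open(os.path.join(root, "bin", "ps"), "wb") as fh:
            fh.write(b"original ps binary\n")
        before = build_baseline(root)          # taken while clean
        # Tampering after the baseline: ps replaced, a hidden file added
        with open(os.path.join(root, "bin", "ps"), "wb") as fh:
            fh.write(b"modified ps binary\n")
        with open(os.path.join(root, "bin", ".mailer"), "wb") as fh:
            fh.write(b"constructed boot-notification script\n")
        after = build_baseline(root)
        return compare(before, after)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

On Fedora Core the package database already holds a baseline for packaged files (rpm -V reports size, digest and mode mismatches), which covers the "verify the checksums of your binaries" step for anything the distribution installed; a tool like this is for the rest of the filesystem.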
 
Old 03-31-2004, 10:12 AM   #9
giosue_c
Member
 
Registered: Mar 2004
Location: Kansas
Distribution: Debian!
Posts: 39

Original Poster
Rep: Reputation: 15
Patrick,

thanks for the help. I've installed tripwire although I wish I'd had it before I was compromised. I'll look into the firewall. It sounds like a good idea. Netstat is a very helpful resource, but there are so many connections on my machine! Everything that I see in netstat, chkconfig, and ps seems to be a legit program. Most of them have man entries and the ones that don't I can find info about on Google.

Is it possible that he has disguised his trapdoor program to look like a legit program? How is that done, and is there a way to detect such subterfuge?
 
Old 03-31-2004, 10:58 AM   #10
giosue_c
Member
 
Registered: Mar 2004
Location: Kansas
Distribution: Debian!
Posts: 39

Original Poster
Rep: Reputation: 15
I was looking through the system logs and I stumbled across lots of messages that seemed suspicious. It basically looks like xinetd is trying to provide internet services for something... sgi_fam. When I Google sgi_fam it seems to be a legit program, but I thought I'd see if it looked suspicious to anyone else.

Mar 31 08:46:17 josh xinetd[2550]: warning: can't get client address: Transport endpoint is not connected
Mar 31 08:46:17 josh xinetd[2550]: libwrap refused connection to sgi_fam (libwrap=fam) from <no address>
Mar 31 08:46:17 josh xinetd[1588]: Deactivating service sgi_fam due to excessive incoming connections. Restarting in 30 seconds.
Mar 31 08:46:49 josh xinetd[1588]: Activating service sgi_fam


Similar log messages go on and on as this service tries to connect and fails. I have all hosts blocked in my hosts file if that has any bearing on this. Basically I can't trust any processes running on my system.
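When a log is "going on and on", summarising it per service is quicker than reading it. The following is an added example, not something posted in the thread: a small parser for xinetd syslog lines that counts libwrap refusals and rate-limit deactivations per service and flags services that actually accepted connections from somewhere other than localhost. The first four sample lines are the ones quoted above; the two telnet lines (and the 10.0.0.23 address) are constructed to show the contrast with a service that is really being reached over the network.

```python
"""Summarise xinetd log lines per service.

Added example, not from the thread.
"""
import re
from collections import defaultdict

# syslog shape: "Mon DD HH:MM:SS host xinetd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) xinetd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
REFUSED_RE = re.compile(r"libwrap refused connection to (?P<svc>\S+) \(libwrap=\S+\) from (?P<src>.+)$")
DEACT_RE = re.compile(r"Deactivating service (?P<svc>\S+) due to excessive incoming connections")
START_RE = re.compile(r"START: (?P<svc>\S+) pid=\d+ from=(?P<src>\S+)")

# First four lines are from the thread; the telnet lines are constructed.
SAMPLE_LOG = """\
Mar 31 08:46:17 josh xinetd[2550]: warning: can't get client address: Transport endpoint is not connected
Mar 31 08:46:17 josh xinetd[2550]: libwrap refused connection to sgi_fam (libwrap=fam) from <no address>
Mar 31 08:46:17 josh xinetd[1588]: Deactivating service sgi_fam due to excessive incoming connections. Restarting in 30 seconds.
Mar 31 08:46:49 josh xinetd[1588]: Activating service sgi_fam
Mar 31 09:02:03 josh xinetd[1588]: START: telnet pid=2601 from=10.0.0.23
Mar 31 09:02:09 josh xinetd[1588]: START: telnet pid=2604 from=10.0.0.23
"""

LOCAL_SOURCES = ("127.0.0.1", "<no address>")


def parse_line(line):
    """Split one syslog line into its fields, or None if it is not an xinetd line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarise(log_text):
    """Return ({service: counts}, number_of_unparsed_lines)."""
    stats = defaultdict(lambda: {"refused": 0, "deactivated": 0,
                                 "started": 0, "start_sources": set()})
    unparsed = 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            unparsed += 1
            continue
        msg = rec["msg"]
        m = REFUSED_RE.search(msg)
        if m:
            stats[m["svc"]]["refused"] += 1
            continue
        m = DEACT_RE.search(msg)
        if m:
            stats[m["svc"]]["deactivated"] += 1
            continue
        m = START_RE.search(msg)
        if m:
            stats[m["svc"]]["started"] += 1
            stats[m["svc"]]["start_sources"].add(m["src"])
    # freeze the sets so the result is plain data
    return ({svc: {**v, "start_sources": sorted(v["start_sources"])}
             for svc, v in stats.items()}, unparsed)


def externally_reached(summary):
    """Services that accepted at least one connection from a non-local source."""
    return sorted(svc for svc, v in summary.items()
                  if any(src not in LOCAL_SOURCES for src in v["start_sources"]))


if __name__ == "__main__":
    summary, skipped = summarise(SAMPLE_LOG)
    for svc, v in sorted(summary.items()):
        print(f"{svc:10s} refused={v['refused']} deactivated={v['deactivated']} "
              f"started={v['started']} from={v['start_sources']}")
    print("reached from the network:", externally_reached(summary))
    print("lines not recognised:", skipped)
```

Read against the quoted lines, the sgi_fam entries show libwrap refusing a connection with no client address and xinetd then cycling the service under its connection limit; nothing in them shows the service being reached from another host, which matches the "legit but noisy" reading rather than a backdoor. The only_from = 127.0.0.1 and all-hosts-denied hosts file the poster described are exactly what produce libwrap refusals.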
 
Old 03-31-2004, 11:00 AM   #11
borodimer
LQ Newbie
 
Registered: Nov 2003
Posts: 13

Rep: Reputation: 0
You might want to make sure that no kernel-level rootkit has been installed. Check out http://www.chkrootkit.org/ for details on how to scan for one.
 
Old 03-31-2004, 03:25 PM   #12
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
There's a lot of advice given here so for now I ain't gonna add any. Giving everyone an answer to each question could clear up a lot of stuff pretty fast. With all due respect, but in the end you're not helping yourself saying "I haven't got time to check out X or Y". Ah. OK. A few loose ends tho. SGI_FAM is a regular service used primarily by DE apps. Installing a filesystem integrity checker *after* a compromise is useless. If someone asks to do something, posting the output is much better compared to saying "it looks legit" if you don't know what you're looking for. If your box wasn't rootkitted you should be able to find out relatively easily what's modified.


Any advice for cleaning this system up (or getting them back) would be appreciated.
Since you also wrote: "(...) being a new guy meant that I would have to learn about securing a linux box. He said that I would be a 'target' for the first months. (..) I have learned more on this subject than I would have had I not have been hacked (...)" your next stop would be to check out the LQ FAQ: Security references. Trying to get back at them at this point will only hurt yourself more.
 
Old 03-31-2004, 03:46 PM   #13
AltF4
Member
 
Registered: Sep 2002
Location: .at
Distribution: SuSE, Knoppix
Posts: 532

Rep: Reputation: 31
next steps
- check for rootkits
- disable any services you don't need/use
- find a free machine and use "nmap" to portscan your box and check for unexpected TCP/UDP ports
 
Old 04-01-2004, 10:44 AM   #14
LaTechTech
LQ Newbie
 
Registered: Jan 2004
Location: Louisiana, U.S.A.
Distribution: Fedora Core 1 (Debian, Mephis, Knoppix [system recovery tool])
Posts: 11

Rep: Reputation: 0
If it is allowed I would take an old PI or PII machine and install a Smoothwall on it and put it between your computer and the local area network. Smoothwall turns your old PC into a hardware firewall. You will probably need a couple of network interface cards. That might stave off any attempts to hack your box for at least a little while, maybe long enough to repair any damage that is already done.

Anyway, I'm just a nOOb too. These other guys seem to have way more advice than I can provide. So there are my 2 cents.
 
Old 04-01-2004, 12:51 PM   #15
mrcheeks
Senior Member
 
Registered: Mar 2004
Location: far enough
Distribution: OS X 10.6.7
Posts: 1,690

Rep: Reputation: 52
*install chkrootkit, tripwire

*nmap localhost

*netstat -an
*netstat -tap

*configure your gnome-lokkit firewall or install something more sophisticated like firestarter,guarddog,shorewall,etc...
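netstat -an, netstat -tap and lsof all answer the earlier question ("is it possible that he has disguised his trapdoor to look like a legit program?") only if those binaries themselves are intact; they are userland programs that read the kernel's socket table, and a replaced netstat or a library-level rootkit can filter what they print. The following is an added example written for this thread, not code from any of the tools named above: it reads the same table directly from /proc/net/tcp with its own parser, lists the listening sockets, and reports any port that is listening there but absent from a set of ports you transcribed from netstat's output. The sample table is constructed; 127.0.0.1:9098 mirrors the xinetd internal service quoted earlier in the thread, and 0.0.0.0:2222 stands in for an unexpected listener. This gives a second opinion from inside the box; a kernel rootkit can still lie at this layer, which is why AltF4's nmap scan from another machine remains the independent check.

```python
"""List listening TCP sockets straight from /proc/net/tcp and cross-check
them against a port set taken from netstat output.

Added example, not from the thread.
"""
import socket
import struct

TCP_LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp

# Constructed /proc/net/tcp content (Linux format: hex IPv4 in host byte
# order of the network-order word, then hex port).
#   00000000:0016 = 0.0.0.0:22      (sshd, expected)
#   0100007F:238A = 127.0.0.1:9098  (xinetd internal service from the thread)
#   00000000:08AE = 0.0.0.0:2222    (constructed unexpected listener)
#   row 3 is an established sshd session from a constructed 10.0.0.23
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:238A 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 00000000:08AE 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10003 1 0000000000000000 100 0 0 10 0
   3: 0F00000A:0016 1700000A:C1B2 01 00000000:00000000 02:000A1B2C 00000000     0        0 10004 2 0000000000000000 20 4 30 10 -1
"""


def decode_addr(hex_addr):
    """'0100007F:238A' -> ('127.0.0.1', 9098)."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return one dict per socket row; the header line is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 10:
            continue
        lip, lport = decode_addr(fields[1])
        rip, rport = decode_addr(fields[2])
        rows.append({"local": (lip, lport), "remote": (rip, rport),
                     "state": fields[3], "uid": int(fields[7]),
                     "inode": int(fields[9])})
    return rows


def listening(rows):
    """Sorted (port, bind_address, uid) for every socket in LISTEN state."""
    return sorted((r["local"][1], r["local"][0], r["uid"])
                  for r in rows if r["state"] == TCP_LISTEN)


def missing_from_netstat(listeners, netstat_ports):
    """Ports listening per /proc but absent from the ports netstat showed."""
    return sorted(port for port, _, _ in listeners if port not in netstat_ports)


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:   # live table when run on Linux
            text = fh.read()
    except OSError:
        text = SAMPLE_PROC_NET_TCP
    for port, ip, uid in listening(parse_proc_net_tcp(text)):
        print(f"{ip}:{port}  uid={uid}")
```

The inode column is what ties a socket back to a process: on a live system, /proc/<pid>/fd/* entries read "socket:[inode]", which is how netstat -p and lsof resolve the owner, so the same lookup can be done by hand when those tools are in doubt.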
 