LinuxQuestions.org
Old 10-30-2003, 12:52 AM   #1
safil
Member
 
Registered: Aug 2003
Location: nyc
Distribution: RH 9
Posts: 55

Rep: Reputation: 15
i think i've been hacked!


I'm a newbie at linux for about 2 months now (RH9)! But something's not right. CPU usage is high when I'm idle, and when I go to the RH user manager, how come there are so many system users and groups. I think my problem is that I almost always log in as root. I do that in order to install apps and programs and also to set settings. Is there any way I can find out if I have been hacked (preferably gui) and how to get rid of it and keep it from happening again. Thanks! Please keep in mind that I'm still a noob and only know some commandline. I appreciate in advance any advice and help!
 
Old 10-30-2003, 09:52 AM   #2
guygriffiths
Member
 
Registered: Jun 2003
Location: Reading, UK
Distribution: Debian 3.0, LFS
Posts: 524

Rep: Reputation: 35
There are loads of users and groups for various tasks on RedHat. Don't worry about that. The high CPU usage seems strange - go into a terminal and type "top". That'll tell you what's eating the CPU. Post the output if you can't figure what's going on.
Guy
 
Old 10-30-2003, 09:57 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,990
Blog Entries: 54

Rep: Reputation: 2743
All commands should be entered, as root, without the outer double quotes and in an xterm, Kterm, gnome-terminal or whatever it's called. The " | tee -a /tmp/log" part dumps the output of the commands in a file called /tmp/log for easy reading and posting.
Note this isn't a complete audit in any way, but unless the system was subverted using a rootkit it should tell us some basic details.

Quote:
But somethings not right. CPU usage is high when I'm idle,
1. Tell us which processes you have running.
"chkconfig --list 2>&1| awk '{print $1, $7}' | grep :on | tee -a /tmp/log".
This example is for runlevel 5 and should give you a list of services that are supposed to be running. If you're in another runlevel (if you have to start X from the commandline) change the "$7" (runlevel + 2). To find out the runlevel, type "/sbin/runlevel". The second number is the current runlevel.

2. Show us what the top 10 CPU time consuming apps are:
"\ps axhwww -eo %C -eo priority,pid,user,args 2>&1|sort -nr -S1| head -10 | tee -a /tmp/log"

From what you say I can't conclude your box is cracked. If you want to do some minimal investigation, check points 3 to 7 yourself and report anything you think weird:
3. Internet connections in use:
"netstat -anp -A inet 2>&1| tee -a /tmp/log".

4. Interface settings:
"/sbin/ip link show 2>&1| grep -ie PROM | tee -a /tmp/log" or
"/sbin/ifconfig -a 2>&1| grep -ie PROM | tee -a /tmp/log"

5. Passwd logname, home and shell, group groupname and members:
"cat /etc/group 2>&1| cut -d ":" -f 1,4- | tee -a /tmp/log" and
"cat /etc/passwd 2>&1| cut -d ":" -f 1,6- | tee -a /tmp/log"
Last 30 login records:
"last -30 2>&1 | tee -a /tmp/log"
Last 30 login failures:
"lastb -30 2>&1 | tee -a /tmp/log"
System accounts have a UID below a certain number, human accounts and other unprivileged accounts have a higher number. To find out the number, run "grep /etc/login.defs -e ^UID_MIN|awk '{print $2}'". The default is 500.
Logins that should not occur if system account:
"lastlog 2>&1 | grep -v Never | tee -a /tmp/log"

6. System logs.
Find the logs by running "cat /etc/syslog.conf | egrep "^(\*|[a-z])" | awk '{print $2}'" (or look in your system's logdir: /var/log) and inspect the contents for errors or things you cannot understand.

7. Tell us
- if you're running a firewall,
- if you have done some hardening on your box using for instance "Bastille-linux", and
- if you audit your system and system logs using
-- "rpm -Va" to check the state of the files installed by the package manager,
-- a filesystem checker like Aide, Samhain or tripwire,
-- a system checker like Tiger or LSAT or COPS,
-- a log reporter like logwatch, swatch, logsentry.
Anything else. Think applications behaving differently, segmentation faults, files disappearing or appearing, etc etc.

Quote:
how come there are so many system users and groups.
Because a lot of processes do not need to be run with root account privileges.


Quote:
I think my problem is that I almost always log in as root.
Apart from installing apps and changing settings you must not login as root.
If you need root account access for specific commands, set up "sudo".
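The UID_MIN cross-check from point 5, as an added example that is not part of the original post: it picks out system accounts (UID below UID_MIN) that still have an interactive shell, and flags any lastlog entry that belongs to such an account. The /etc/passwd and lastlog lines are constructed sample data, not from the thread.

```shell
#!/bin/sh
# Added example. Constructed /etc/passwd-style lines: a few RH-style system
# accounts, one human account at UID 500 and one low-UID account with a shell.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
games:x:12:100:games:/usr/games:/bin/bash
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
nobody:x:99:99:Nobody:/:/sbin/nologin
safil:x:500:500::/home/safil:/bin/bash'

# Constructed lastlog output, already filtered with "grep -v Never".
LASTLOG_SAMPLE='Username         Port     From             Latest
root             tty1                      Thu Oct 30 00:12:31 -0500 2003
safil            pts/0    192.0.2.10       Thu Oct 30 00:40:02 -0500 2003
games            pts/1    198.51.100.7     Wed Oct 29 23:58:44 -0500 2003'

# Read UID_MIN from login.defs text ($1); fall back to the RH default of 500.
uid_min_from_defs() {
    v=$(printf '%s\n' "$1" | awk '/^UID_MIN/ { print $2; exit }')
    printf '%s\n' "${v:-500}"
}

# System accounts (UID < UID_MIN) whose shell is not nologin/false.
# $1 = UID_MIN, $2 = passwd text. Prints one username per line.
system_accounts_with_shell() {
    printf '%s\n' "$2" | awk -F: -v min="$1" \
        '$3 + 0 < min + 0 && $7 !~ /(nologin|false)$/ { print $1 }'
}

# lastlog entries that belong to a system account.
# $1 = UID_MIN, $2 = passwd text, $3 = lastlog text (header line first).
system_account_logins() {
    printf '%s\n' "$3" | awk -v min="$1" -v passwd="$2" '
        BEGIN {
            n = split(passwd, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], f, ":"); uid[f[1]] = f[3] }
        }
        NR > 1 && ($1 in uid) && uid[$1] + 0 < min + 0 { print $1 }'
}

MIN=$(uid_min_from_defs 'UID_MIN 500')
echo "system accounts with a shell:"; system_accounts_with_shell "$MIN" "$PASSWD_SAMPLE"
echo "logins by system accounts:";    system_account_logins "$MIN" "$PASSWD_SAMPLE" "$LASTLOG_SAMPLE"
```

A root login is expected on a box where root is used at the console; a low-UID service account such as games appearing in lastlog is the kind of thing point 5 asks you to report.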
 
Old 10-31-2003, 11:13 AM   #4
zaphodiv
Member
 
Registered: Oct 2003
Distribution: Slackware
Posts: 388

Rep: Reputation: 30
>I think my problem is that I almost always log in as root.
If you have been hacked the problem is more likely to be that you are running a default install of redhat without installing security patches often and disabling unneeded services that can be reached from the internet.
 
Old 10-31-2003, 05:07 PM   #5
safil
Member
 
Registered: Aug 2003
Location: nyc
Distribution: RH 9
Posts: 55

Original Poster
Rep: Reputation: 15
Code:
kudzu 5:on
syslog 5:on
netfs 5:on
network 5:on
random 5:on
rawdevices 5:on
pcmcia 5:on
keytable 5:on
apmd 5:on
atd 5:on
gpm 5:on
autofs 5:on
iptables 5:on
isdn 5:on
sshd 5:on
portmap 5:on
nfslock 5:on
sendmail 5:on
rhnsd 5:on
crond 5:on
anacron 5:on
xfs 5:on
xinetd 5:on
cups 5:on
 
Old 11-01-2003, 08:31 PM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
I'm assuming you didn't plan for your post to look like that and what you posted was supposed to be chkconfig output of 5: on instead.

As a general rule, you should turn off anything that you don't need. For example, if you're not mounting remote NFS shares you won't need netfs, nfslock, autofs. If you don't need portmap and sendmail turn them off, as they both have bad security histories. If you don't have an ISDN connection, then shockingly you don't need ISDN. You get the picture. I would leave kudzu, syslog, network, random, keytable, iptables, crond, anacron, xfs on. You can argue that some of them should be off, but I think the good outweighs the bad with those services.

Also, if you want us to help you out, you'll need to answer the questions that others have posted. It's hard to help when you don't have all the pieces to the puzzle, plus it comes off as rude and inconsiderate when someone has taken the time to respond to your post and you neglect to answer their questions.
 
Old 11-02-2003, 08:15 AM   #7
safil
Member
 
Registered: Aug 2003
Location: nyc
Distribution: RH 9
Posts: 55

Original Poster
Rep: Reputation: 15
RELAX!

Don't have a stroke! I tried cutting and pasting from my terminal and my tmp/log and when I did I had difficulties. If I had known my reply would look like that then I would rather not have posted! But anyway, thanks for your help!! Just put down the "Jolt Cola" or "Red Bull"!
 
Old 11-02-2003, 10:16 AM   #8
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
I wasn't trying to jump all over you, it's just that your post looked like a bunch of gibberish until I figured out what was going on. BTW, in the future you can make use of the edit button to make changes to your post if you need to.

But you should definitely try and go through the list of things that unSpawn listed in his post. It might not be all that clear what they do, but the results will go a long way in helping us find out if your machine has been compromised or if what you saw is normal. I saw that you did at least check what was turned on with chkconfig, which is good, but there are a lot more things you need to take a look at before you can be at least semi-sure that your system is ok.

Quote:
Just put down the "Jolt Cola" or "Red Bull"!
That stuff is for sissies. Anything less than a 16oz coffee with a boat-load of sugar in it is small-time in my book.