Linux - Security
This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
After years of Windows I finally decided to try a UNIX system, so far I have been really impressed and have wondered why I haven't done it before.
But.......
Today I got an email from my ISP saying:
Your server's switchport has been de-rated to 10 Mb/s because your server
began generating an out-bound storm of packets. This type of event usually
indicates a compromise in security.
It does seem completely out of the ordinary as the max I have ever seen off this server is 1 gig a day for photo swap with a balanced inbound and outbound. None of the sites get visited much at the moment.
Yesterday was 10 gig inbound and 64 meg out!
I am running IPchains with a tight level of security, none of the websites have a high level of traffic and telnet is not enabled. I think I made one mistake in making one single dir 777.
The problem is I can't find any large files on the system that relate to this inbound traffic and I can't find anything looking amiss! Is there any possible way that this traffic, which must be some sort of hack attempt, might not have got past the firewall... explaining why I can't see any odd files? Alternatively, can anyone provide me with any guidance and show me where I should look for more info on what might have happened to the server!!!
It's personal, set up for my wife's business, and allows me to create a site for her uncle too! Seems a good deal at $80 a month and it gave me the chance to try out a few things on a cheap box. There are 5 domains pointing to it at the moment.
We need the mail server running on that machine but it only allows relay from a couple of sites.
I have only ever developed Windows boxes through my job, so I am a newbie to Linux, but I would have thought the same security features apply. It's been running for 2 months with no problems.
Not sure why Bind is running; I am using the ISP's system.
I was looking for a straightforward install as the ISP specified and set up, using enim to manage everything (including the webserver). The only Linux setting I changed was the ipchains to secure it more thoroughly.
One very strange thing it is doing now is that if I try to view one of the websites, unless the html dir has permissions for "other" set to execute, I can't view the web pages.
Your ISP says it's a large amount of outbound traffic, and since you have proftp running I would think you are being used as an FTP server. You could also be being used to flood someone else in a DoS attack. But you said you're getting a lot of inbound traffic, which makes me think it's a DoS attack against you... It sounds more likely that they would be using you as an FTP server or to launch a DoS attack against someone else. Are you sure you're getting a lot of inbound traffic, and it's not outbound?
Detecting the compromise
Replace /bin/ls from CD, or put a copy from CD (or ftp, or some safe source, like another identical system) somewhere and use it (try "alias ls /wherever/you/put/it/ls" for instance) instead of the one in /bin (for now).
Then, go check out find. Make sure it's original. Check the timestamp on it. If it's been modified in the past day or two (or three or four, etc) replace it.
Then, do something like:
find / -mtime -# -print
where # is the number of days back to when you know the system was safe. This will produce a listing of files that have been modified in the last # days. The further you go back, the longer the list is likely to be, but if you don't go back far enough, you might miss the intrusion (assuming there was one). In any case, the listing could be long, so you might want to direct the output to a file (by tacking "> /tmp/list.txt" to the end of the command line). Then just open the file in a text editor.
If the system was compromised, this will be a VERY effective way to find out, not because it is technically rigorous (you can manually change the timestamps on files with a single command), but because most people are just too lazy to cover their tracks by updating timestamps.
The list SHOULD include a bunch of files in /var and wherever your webserver logfiles are.
Things it should definitely NOT include:
any directory whose filename starts with a dot (like /var/tmp/.whatever)
anything in /etc /usr /bin /sbin or anything in /dev that isn't an actual device
This is NOT a complete plan-of-attack, but it's a start.
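As an added example (not from the thread or any poster), a POSIX shell script that runs the find-by-mtime triage described above and labels each hit with the categories the post names: hidden entries, changes under /etc /usr /bin /sbin, non-device entries in /dev, and the expected churn in /var. The sample tree it builds under mktemp is constructed for the demo; point triage_recent_files at "/" for a real check.

```shell
#!/bin/sh
# Added example, not from the thread. Runs the "find / -mtime -N" triage the post
# describes and labels each hit with the categories the post names. The sample
# tree built under mktemp is constructed for this demo.

# triage_recent_files ROOT DAYS: list entries under ROOT modified in the last
# DAYS days and classify each path relative to ROOT.
triage_recent_files() {
    root="$1"; days="$2"
    find "$root" -mtime "-$days" -print 2>/dev/null | while read -r path; do
        rel="${path#"$root"}"                 # e.g. /var/tmp/.hidden
        top="${rel#/}"; top="${top%%/*}"      # first component, e.g. var
        case "$rel" in
            "")   continue ;;                 # ROOT itself
            */.*) echo "SUSPECT hidden-entry $rel"; continue ;;   # dot dirs/files
        esac
        case "$top" in
            etc|usr|bin|sbin) echo "SUSPECT system-path $rel" ;;
            dev)  if [ -b "$path" ] || [ -c "$path" ] || [ -d "$path" ]; then
                      echo "OK dev-entry $rel"
                  else
                      echo "SUSPECT non-device-in-dev $rel"   # plain file in /dev
                  fi ;;
            var)  echo "EXPECTED $rel" ;;     # logs, spool, etc. change all the time
            *)    echo "REVIEW $rel" ;;
        esac
    done
}

# make_sample_tree: constructed demo filesystem; every entry is brand new, so all
# of them fall inside any -mtime window. Prints the temp root.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/var/log/httpd" "$root/var/tmp/.hidden" "$root/etc" \
             "$root/dev" "$root/home/web"
    : > "$root/var/log/httpd/access_log"   # expected: web server log
    : > "$root/var/tmp/.hidden/bot"        # suspect: hidden dir under /var/tmp
    : > "$root/etc/passwd"                 # suspect: /etc changed
    : > "$root/dev/notadevice"             # suspect: plain file in /dev
    : > "$root/home/web/index.html"        # review: site content
    echo "$root"
}

# Stand-alone demo: build the tree, triage the last 2 days, clean up.
demo_root=$(make_sample_tree)
triage_recent_files "$demo_root" 2 | sort
rm -rf "$demo_root"
```

On a live box, run it with the trusted copy of find and ls the post tells you to stage first, since the listing is only as honest as the binaries producing it.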
Actually, you do need the html dir's "other" perms set to execute. Otherwise, the httpd process won't be able to change to it to serve out pages. This is true especially if the httpd process and the html directory have different owner/group permissions.
I. Get rid of the FTP server. For a number of reasons:
1) it's insecure.
2) you said this server is for web.
3) you are already running sshd. It can handle secure ftp transfers.
II. If it exists, get rid of the telnet entry in your inetd.conf file. Same reasons for FTP, you don't need clear text telnet sessions if you are already running sshd.
III. Double check your sendmail settings. They are probably using your server as a relay for spam.
I'd just like to point out you seem to have postgres running as well as mysql.
Also, ocwhttpd as well as apache's httpd processes.
You could try downloading www.chkrootkit.org and running that.