LinuxQuestions.org - Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.

10-10-2004, 01:35 AM   #1
kazjol (LQ Newbie, registered Oct 2004)

Is my server hacked?

Hi guys!
I am pretty new to Linux and I have a problem.
My computer is running as a web server with Plesk CP for a couple of months already and everything was OK until last week. Now I can not connect to the web through my browser or any other way, BUT websites that are hosted on this computer are accessible and I can connect to the server through FTP, which looks weird to me.
Also when I go through my Security Log I can see a whole bunch of sshd and xinetd connection attempts, a couple of which are in fact successful (almost all IPs are from China, Taiwan or S. Korea, and I know for sure that none of the people who are supposed to connect to the server live in those countries). Does it mean that my server was hacked and those bad boys screwed up some settings, or what? What should I do to protect my server and fix the connection problem?
I am running RH Enterprise Linux 3.
Any help is greatly appreciated.
Thanks.
 
10-10-2004, 05:19 AM   #2
unSpawn (Moderator)

> Now I can not connect to the web through my browser or any other way
What error message do you get?
Did anything regarding your CP show up in the logs?
Are any new users added to the system authentication database?
Are there any (setuid) binaries in /tmp or /var/tmp (or any place where daemons/users have write access)?
Are there any unusual processes running?
Did you notify the hosting company (please do)?

> when I go through my Security Log I can see a whole bunch of sshd and xinetd connection attempts couple of which are in fact successful
Xinetd is a superserver. It usually doesn't serve stuff for itself (on public interfaces) but acts like a broker for other services (first thing I regularly set up for myself is an IP ACL'ed OpenSSH on a high port). The question is what services those attempts were for, if those services were/are publicly accessible and what shows up in the logs (post, if any). Same for OpenSSH.
Please try to provide as much info as you can.

> What should I do to protect my server and fix the connection problem? I am running RH Enterprise Linux 3.
Basically what you need to do is to define the purpose of the box (single purpose boxen are by nature relatively easier to harden and manage), minimise risks by deinstalling any daemon, system, config or helper apps (and dependencies) that are not linked directly to the purpose of the box, secure system and service access by using inert login shells for system service accounts, disallowing root (v)tty access, PAM access lists on unprivileged user accounts necessary for management, using separate (i.e. not using the system's auth DBs) authentication databases for users that only need access to FTP (please consider ditching FTP in favour of SCP/SFTP) or POP/IMAP, remounting partitions like /usr read-only if you can, remounting /tmp, /var/tmp with noexec,nodev,nosuid flags (if available as separate partition, and this might break some apps), denying access to management services by using TCP wrappers, daemon and Xinetd config option/user/IP ACLs and the firewall (AND, not OR). This is not a full list, but it'll give you some idea what's involved. So. There you have it. Seems there's a lot to do, right? Maybe now is the time to first read up on securing your box: check out the LQ FAQ: Security references, post #1.

But for now you should concentrate on regaining access to the box. If the box was hacked, it'll probably be used for stashing warez or IRC mischief. Anyway the bandwidth bill will be yours. What you want is to regain control as fast as possible, and if you fail doing that by yourself with help from us, asking the hosting company to set things straight is your only, I said ONLY, option. And DO NOT put off that decision for too long (24hrs from when you discovered the problem would be my max). Letting the hosting company set things straight probably will cost you money, but (and this may sound bad, but we all got lessons to learn, right) think of it as the price you pay as a newbie for thinking you can securely run Linux w/o putting in effort to harden a box.

Please note: when you ask the hosting company to fix things for you, make sure that if it can be proven the box was hacked you (have the hosting company) transfer your database, system and app configs, authentication files, system and application logs, and shell history files off the box (no binaries or stuff you can't read outside database dumps or login records) and re-install from scratch first. There is no alternative for that, and there is no point asking for any. We're always willing to help you with stuff, but please do not waste time on forensics if you haven't got loads and loads of time and at least some experience.

Last edited by unSpawn; 10-10-2004 at 05:21 AM.
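The questions in the post above (new accounts in the authentication database, setuid binaries in writable directories, successful logins from addresses that should not be there, what xinetd actually brokered) can be answered with a handful of one-liners. The script below is an added example, not code from the thread or from Plesk/Red Hat; every input it reads (the /var/log/secure excerpt, the passwd file, the allowlist of expected source addresses, the setuid file in a stand-in for /tmp) is constructed inline so it runs offline. On the real box you would point the same functions at /var/log/secure, /etc/passwd and /tmp, /var/tmp; the log format is the one OpenSSH 3.x and xinetd write on RHEL3, and the UID split at 500 is RHEL3's system/user boundary.

```shell
#!/bin/sh
# Added example: first-pass compromise triage for the checks asked about in post #2.
# All data below is constructed for the example; replace the paths with the real
# files (/var/log/secure, /etc/passwd, /tmp, /var/tmp) when running on the box.

WORK=$(mktemp -d)                       # scratch directory for the constructed input
trap 'rm -rf "$WORK"' EXIT

# Constructed /var/log/secure excerpt (OpenSSH 3.x / xinetd syslog format on RHEL3).
cat > "$WORK/secure" <<'EOF'
Oct  8 03:14:07 web sshd[2141]: Failed password for root from 203.0.113.7 port 3311 ssh2
Oct  8 03:14:12 web sshd[2141]: Accepted password for root from 203.0.113.7 port 3311 ssh2
Oct  8 09:02:41 web sshd[2390]: Accepted password for admin from 192.0.2.10 port 40122 ssh2
Oct  9 01:17:55 web xinetd[811]: START: ftp pid=2512 from=203.0.113.7
Oct  9 01:18:02 web xinetd[811]: START: ftp pid=2513 from=198.51.100.23
Oct  9 22:40:19 web sshd[2701]: Accepted publickey for web1 from 198.51.100.23 port 51002 ssh2
EOF

# Constructed allowlist: source addresses that are supposed to log in, one per line.
printf '192.0.2.10\n' > "$WORK/allowed_ips"

# Constructed /etc/passwd with one extra UID-0 account and a service account given a shell.
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
apache:x:48:48:Apache:/var/www:/bin/bash
admin:x:500:500::/home/admin:/bin/bash
toor:x:0:0::/root:/bin/bash
EOF

# A stand-in for /tmp holding one hidden setuid file.
mkdir -p "$WORK/tmp"
printf '#!/bin/sh\n' > "$WORK/tmp/.bash_x"
chmod 4755 "$WORK/tmp/.bash_x"

# Successful sshd logins whose source address is not in the allowlist: "user ip" per line.
unexpected_logins() {  # $1 secure log, $2 allowlist file
    grep 'sshd\[[0-9]*\]: Accepted ' "$1" |
    awk '{ for (i = 1; i <= NF; i++) { if ($i == "for") u = $(i+1); if ($i == "from") a = $(i+1) } print u, a }' |
    while read -r user ip; do
        grep -qxF "$ip" "$2" || echo "$user $ip"
    done
}

# Accounts other than root that have UID 0 (an added UID-0 account is a classic backdoor).
extra_uid0_accounts() {  # $1 passwd file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# System/service accounts (UID 1-499 on RHEL3) whose login shell is not inert.
system_accounts_with_shell() {  # $1 passwd file
    awk -F: '$3 > 0 && $3 < 500 && $7 !~ /(nologin|false)$/ { print $1 ":" $7 }' "$1"
}

# Setuid or setgid regular files under the given directories (what /tmp should never hold).
setuid_files() {  # $@ directories to search
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Services xinetd started and the address each request came from: "service ip" per line.
xinetd_starts() {  # $1 secure log
    awk '/xinetd\[[0-9]*\]: START:/ { svc = $7; sub(/^from=/, "", $9); print svc, $9 }' "$1"
}

echo "== sshd logins from addresses not in the allowlist"
unexpected_logins "$WORK/secure" "$WORK/allowed_ips"
echo "== accounts with UID 0 besides root"
extra_uid0_accounts "$WORK/passwd"
echo "== system accounts with an interactive shell"
system_accounts_with_shell "$WORK/passwd"
echo "== setuid/setgid files in writable directories"
setuid_files "$WORK/tmp"
echo "== connections brokered by xinetd"
xinetd_starts "$WORK/secure"
```

With the constructed data the first check reports root logging in from 203.0.113.7 and web1 from 198.51.100.23 while the admin login from the allowlisted address is silent, the passwd checks flag the toor account and the apache account's shell, and the find turns up the hidden setuid file. Run these from a known-good shell (or a rescue CD) on a box you suspect: if the attacker replaced grep, find or awk, the output is not trustworthy, which is why the post above recommends a rebuild over forensics.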
 
10-10-2004, 10:57 AM   #3
kazjol (LQ Newbie, original poster)

Thanks for your reply.
Problem is that I have no hosting company to ask to fix things for me; the box itself is sitting on my desk. So, like I said, I am a newbie, and I need your help to figure out where exactly all those "system and app configs, authentication files, system and application logs, shell history files etc." are, or in other words, what folders should I back up to save all the CP's and other useful settings but not the malicious ones?
Thanks much.
 
10-10-2004, 12:09 PM   #4
unSpawn (Moderator)

> Problem is that I have no hosting company to ask to fix things for me; box itself is sitting on my desk.
OK. I probably did read too much into the Plesk thing. Doesn't mean you could've told us the box was on your desk. Right now it sounded like you had no other means of accessing/controlling the box. Just log in, su(do) to root, peruse the system logs and try to answer the questions first.
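Once the box is rebuilt, the hardening list from post #2 (read-only /usr, noexec,nodev,nosuid on the temp partitions, no root login over SSH, TCP wrappers with a default deny) can be checked rather than remembered. The script below is an added example, not from the thread or from Red Hat; it runs each check against a constructed "before" and "after" excerpt of /etc/fstab, /etc/ssh/sshd_config and /etc/hosts.deny so you can see what a finding looks like next to the corrected setting. The file contents are made up for the example; the directive names and the OpenSSH default of PermitRootLogin yes are those of the 2004-era software the thread discusses.

```shell
#!/bin/sh
# Added example: audit a few of the hardening points from post #2 against
# constructed weak and hardened config excerpts. On a real box pass
# /etc/fstab, /etc/ssh/sshd_config and /etc/hosts.deny instead.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed /etc/fstab: /tmp, /var/tmp and /usr are separate partitions but mounted with defaults.
cat > "$WORK/fstab.weak" <<'EOF'
LABEL=/        /          ext3  defaults   1 1
LABEL=/tmp     /tmp       ext3  defaults   1 2
LABEL=/var/tmp /var/tmp   ext3  defaults   1 2
LABEL=/usr     /usr       ext3  defaults   1 2
EOF
# The same layout with the options the post recommends.
cat > "$WORK/fstab.hardened" <<'EOF'
LABEL=/        /          ext3  defaults              1 1
LABEL=/tmp     /tmp       ext3  noexec,nodev,nosuid   1 2
LABEL=/var/tmp /var/tmp   ext3  noexec,nodev,nosuid   1 2
LABEL=/usr     /usr       ext3  ro                    1 2
EOF

# Constructed sshd_config excerpts: stock-looking versus locked down on a high port.
cat > "$WORK/sshd_config.weak" <<'EOF'
Port 22
Protocol 2,1
PermitRootLogin yes
EOF
cat > "$WORK/sshd_config.hardened" <<'EOF'
Port 2022
Protocol 2
PermitRootLogin no
AllowUsers admin
EOF

# Constructed TCP wrappers files: default deny everything, then allow sshd from one address.
printf 'ALL: ALL\n' > "$WORK/hosts.deny"
printf 'sshd: 192.0.2.10\n' > "$WORK/hosts.allow"
: > "$WORK/hosts.deny.empty"            # what an untouched install effectively has

# Mount options missing on /tmp and /var/tmp, printed as "mountpoint:option" lines.
temp_mount_findings() {  # $1 fstab
    awk '$2 == "/tmp" || $2 == "/var/tmp" {
            n = split("noexec nodev nosuid", want, " ")
            for (w = 1; w <= n; w++)
                if (index("," $4 ",", "," want[w] ",") == 0) print $2 ":" want[w]
         }' "$1"
}

# Exit status 0 when /usr is mounted read-only, 1 otherwise.
usr_is_readonly() {  # $1 fstab
    awk '$2 == "/usr" && index("," $4 ",", ",ro,") { f = 1 } END { exit !f }' "$1"
}

# sshd_config findings: root login allowed (or unset, which OpenSSH treats as yes) and SSH-1 enabled.
sshd_findings() {  # $1 sshd_config
    awk 'tolower($1) == "permitrootlogin" { seen = 1; if (tolower($2) != "no") print "PermitRootLogin " $2 }
         tolower($1) == "protocol" && index($2, "1") { print "Protocol " $2 " (SSH-1 enabled)" }
         END { if (!seen) print "PermitRootLogin not set (OpenSSH default is yes)" }' "$1"
}

# Exit status 0 when hosts.deny carries the "ALL: ALL" default-deny rule.
wrappers_default_deny() {  # $1 hosts.deny
    grep -qE '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL([[:space:]]|$)' "$1"
}

for variant in weak hardened; do
    echo "== $variant configuration"
    temp_mount_findings "$WORK/fstab.$variant"
    usr_is_readonly "$WORK/fstab.$variant" || echo "/usr not mounted read-only"
    sshd_findings "$WORK/sshd_config.$variant"
done
wrappers_default_deny "$WORK/hosts.deny" || echo "hosts.deny lacks ALL: ALL"
wrappers_default_deny "$WORK/hosts.deny.empty" || echo "empty hosts.deny lacks ALL: ALL"
```

The weak set produces six missing-option findings for the temp partitions, the /usr warning, the SSH-1 and PermitRootLogin lines; the hardened set produces none. The hosts.allow line only has teeth once hosts.deny has the ALL: ALL rule, and, as the post says, wrappers are a layer on top of the firewall and the daemon's own ACL, not a replacement for them.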