LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
#1 mikechao, 09-10-2005, 09:43 AM
log system hacked?


I found some illegal sshd entrances from unknown hosts.
I killed those connections and tried to evaluate my Fedora 4 box.

I found something strange...
First, I found the syslog daemon was stopped. So I tried to start it, and all those log files seem fine.

But I found that "/var/log/secure" was empty!!
Even after I revised the settings in "/etc/syslog.conf", the ssh connections still can't be logged to the "/var/log/secure" file.

Can anybody help me fix it??
 
#2 Half_Elf, 09-10-2005, 01:14 PM
Well... right now, if you found illegal SSH connections, the first rule is SHUT DOWN SSHD. Like, don't restart it again. The second rule would be to DISCONNECT the box from the network/internet. You have no idea what the intruder might have installed on the box so far.

Before fixing your logs, it would be very important to make sure there isn't any rootkit (modified binary) on your system or any trojans running. Install rkhunter or any rootkit-finding tool and scan yourself. Then make sure no other system files (starting with /etc/passwd) have been modified.
But actually, if the attacker already modified your logging, you are probably fried already; it would probably be REALLY safer to reinstall the whole thing. Keeping a rooted box on the internet will only get you hacked again.
 
#3 vireshwali, 09-14-2005, 08:40 AM
Well,
I agree with post #2 above,
but I think you can fix this up again.
Before anything, you need to check for rootkits and trojans on your box. Use rkhunter for that.
If the damage is not much, then try installing a port scanner on your box and a notifier also.
Copy the default config file for syslogd to your box (you can get it from the net or someone else's box).

Change the sshd port and root password, disable root login, and change passwords for all users on your box.

If the damage is big, it's better to go off the network, take a backup of your work and do a fresh install.

But before that, make a log of all the files (can be just a find and grep) that were added or modified after the time the attack occurred (or after the time you noticed the attack) and analyse the log for the users who modified these.

It's better to learn from this than to just run away from it......
 
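The "find and grep" step from post #3, as an added shell example that is not from the thread: it lists files whose mtime or ctime is newer than a given timestamp, with owner and mode, so the listing can be checked for who changed what. It assumes GNU find (Fedora's findutils) for -newermt/-newerct and -printf; the timestamp and mount path are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Lists files changed after a given time.
# Run it against the suspect disk mounted read-only from rescue media when you
# can, so that the find/sort binaries doing the work are trusted ones and not
# the (possibly rootkitted) binaries of the box itself.
#
# Usage: list_changed_since '2005-09-10 00:00' /mnt/suspect   (placeholders)
list_changed_since() {
    since="$1"
    root="${2:-/}"
    pfx="${root%/}"          # "" when root is "/", else "/mnt/suspect"
    start="${pfx:-/}"
    # Check both mtime and ctime: touch(1) can backdate mtime, but ctime is
    # set by the kernel, so a backdated file still shows up through -newerct.
    # Columns: mtime  ctime  owner:group  mode  path
    find "$start" \( -path "$pfx/proc" -o -path "$pfx/sys" \) -prune -o \
        -type f \( -newermt "$since" -o -newerct "$since" \) \
        -printf '%TY-%Tm-%Td %TH:%TM  %CY-%Cm-%Cd %CH:%CM  %u:%g  %m  %p\n' \
        2>/dev/null | sort
}

# The grep half: narrow the listing to places an intruder commonly alters.
# Extend the pattern with any directory relevant to your box.
suspect_paths() {
    list_changed_since "$1" "$2" |
        grep -E '(/etc/|/bin/|/sbin/|/lib|/usr/bin/|/var/log/|\.ssh/)'
}
```

Review the result by hand: a recent ctime on a file whose mtime is old is a classic sign of a backdated replacement.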
#4 Capt_Caveman, 09-14-2005, 10:46 PM
If the system was cracked and a rootkit installed on the system, then the *ONLY* way you can be reasonably sure that the system is secure is to do a full reinstall from trusted media. It can be extremely hard to track down all modifications that have been made to the system, especially without the aid of a file integrity scanner. A few relatively minor changes can completely compromise a system and it's even harder when someone is trying to hide their presence. I'd agree that doing some basic forensic analysis is probably a good idea.