LinuxQuestions.org

Linux - Security: my box has been hacked (https://www.linuxquestions.org/questions/linux-security-4/my-box-has-been-hacked-153091/)

diehl 03-03-2004 01:31 PM

my box has been hacked
 
My Red Hat 7.2 was hacked and the logs are deleted, but the "hacker" forgot to delete the bash profile. I have no idea how he/she got access to my box, maybe via OpenSSH; I had a 3.1 version installed. I already changed OpenSSH to 3.5p1 and allowed only keyfile-based login. (had to strip all URLs to post this message)

Here is what the guy did:

ls
cd irssi-0.8.9
ls
INSTALL
pico INSTALL
./configure
ls
make
make install
make
./configure
ls
pico INSTALL
./configure --whitout-terminfo
./configure --whitout
./configure --help
./configure --ncurses-dir
CPPFLAGS=-I/opt/openssl/include LDFLAGS=-L/opt/openssl/lib ./configure
ls
curses.m4
./curses.m4
ls
pico INSTALL
ls

cd ..
ls
cd ..
ls
cd sux
ls
cd irssi-0.8.9
ls
./configure --whit-ncurses-/home/sux/irssi-0.8.9
./configure --help
./configure --whit-ncurses=/home/sux/irssi-0.8.9
ls
./configure --whit-ncurses=/home/sux/irssi-0.8.9/curses.m4
pico INSTALL
./configure --without-terminfo
ls
./configure --without-terminfo.
./configure --without-ncurses
logout
exit
ls
pico sux.config
su sux
exit
ls
cd mail
ls
cd sux
ls
who
ls
cd iroffer1.2b26
ls
./iroffer -b sux.config
su sux
cd /home
ls
ssh 213.242.32.244
dns server2.netdiscount.de
host server2.netdiscount.de
ls
xmms
ls
host lnx.sw.internal
ls
cd ..
ls
cd home
ls
cd ftp
ls
cd ..
ls
cd ftp
ls
mkdir upload
ls
ftp ftp.microsoft.org
ftp ftp.microsoft.com
ftp ftp.microsoft.com
ftp ftp.microsoft.com
ls
cd ..
ls
cd creation1
ls
cd ..
ls
cd cm
ls
cd ..
ls
cd rootmail
ls
cd impa_folder
cd imap_folder/
ls
cd Maildir
ls
cd new
ls
pico 1076641765.32469.lnx.sw.internal
ls
cd ..
ls
cd ..
cd ..
ls
cd ..
ls
cd ..
ssh server2.netdiscount.de
ls
cd home
ls
cd /home
ls
cd sux
ls
cd irssi-0.8.9
ls
./configure
uname -a
rpm
uptime
rpm -q redhat-release
wget ftp://rpmfind.net/linux/redhat/7.3/en/os/i386/RedHat/RPMS/ncurses-devel-5.2-26.i386.rpm
cd /home
ls
cd sux
ls
ftp rpmfind.net
cd /home
ls
cd sux
uname -a
ftp rpmfind.net
ftp rpmfind.net
cd /home
ls
cd sux
ls
ftp rpmfind.net
wget ncurses-devel-5.2-26.i386.html?hl=de&cx=591:N:0:331169:0:0:0
wget ncurses-devel-5.2-26.i386.rpm?hl=de&nid=809
wget ncurses-devel-5.2-26.i386.rpm?hl=de&nid=809
wget RPMS.7.3/ncurses-devel-5.2-26.i386.rp
wget RPMS.7.3/ncurses-devel-5.2-26.i386.rpm[B
ls
rpm -i ncurses-devel-5.2.-26.i386.rpm
rpm -i ncurses-devel-5.2.-26.i386.rpm
rpm
rpm --hel
rpm --help
rpm ncurses-devel-5.2.-26.i386.rpm
rpm -f ncurses-devel-5.2.-26.i386.rpm
rpm -f ncurses-devel-5.2.-26.i386.rpm
rpm -f ncurses-devel-5.2.-26.i386.rpm
rpm -q ncurses-devel-5.2.-26.i386.rpm[A
rpm -i ncurses-devel-5.2.-26.i386.rpm
ls
ls -al
cd BitchX
ls
./configure
d ..
cd ..
ls
wget catcrash.mpeg
ls

ls
rm ncurses-devel-5.2-26.i386.rpm
rm ncurses-devel-5.2-26.i386.rpm
ls
rm ncurses-devel-5.2-26.i386.rpm.1
rm ncurses-devel-5.2-26.i386.rpm\?hl\=de
rm ncurses-devel-5.2-26.i386.rpm\?hl\=de.1
ls
rpm 7.3/i386 os updates freshrpms
/etc/apt/sources.list
cd /etc/apt/sources.list
more /etc/apt/sources.list
wget RPMS/BitchX-1.0c17-6.i386.rpm
s
ls
rpm -i BitchX-1.0c17-6.i386.rpm
ls
rm -r BitchX
ls
rpm -i BitchX-1.0c17-6.i386.rpm
ls
cd BitchX
ls
cd ..
ls
rm -rf BitchX
ls
rpm -i BitchX-1.0c17-6.i386.rpm
ls
rpm
locate Bitchx
ls
uname -a
locate BitchX
df
rpm -qil BitchX
rpm -qil BitchX
rpm -qil BitchX
uname -a
rpm -qil BitchX | less
/usr/bin/BitchX -N
ls
/usr/BitchX
/usr/BitchX -N
/usr/bin/Bitchx
/usr/bin/BitchX
su sux
deluser
BitchX irc.azzurra.org
ls
su sux
ssh -l root 217.13.198.2
fs
iptable -F
iptables -F
logout
df
df
df
dev/shm
var
boot
none
dev/hda5
root/cd /var/log
df
rm messages*
ls
cd /var
cd log
rm messages*
df
df
logout
ls
uptime
ssh 213.242.32.244
who
ls
rm catcrash.mpeg
ls
cd mail
ls
cd sux
ls
dev/shm
cd log
ssh -l root 217.13.198.2
ls
ps -x
uname
uname --help
uname -m
uname -n
uname -a
ls
cd psybnc
ls
./psybnc
ps -x
ls
iptables
iptables -h
iptables -L
iptables -L |less
iptables -L INPUT
iptables -L FORWARD
iptables -F OUTPUT
df
var
sm /var
shm /var
df
mc
ls
ip tables -t net -A OUTPUT -p tcp --dport 33337 -j ACCEPT
iptables -t net -A OUTPUT -p tcp --dport 33337 -j ACCEPT
iptables --help
ip tables -t nat -A OUTPUT -p tcp --dport 33337 -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 33337 -j ACCEPT
[root@lnx root]# iptables -t net -A OUTPUT -p tcp --dport 33337 -j ACCEPT
iptables v1.2.4: can't initialize iptables table `net': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
iptables -t nat -A OUTPUT -p tcp --dport 33337 -j ACCEPT
uptime
iptables -t filter -A OUTPUT -p tcp --dport 33337 -j ACCEPT
ps -x
./psybnc
ls
cd mail
ls
cd sux
cd psybnc
ls
./psybnc
ps -x
man iptables
df
var /messages*
var /df
var
var/log
var /sm
var /mv
var /shm
logout
ls
iptables -F flusha
iptables -F flusha
iptables -F
ntsysv
ifconfig
cd /etc/init.d
ls
./pptpd start
ifconfig
./pptpd status
ifconfig

/.BitchX

......

cd BitchX
cd /usr/bin/BichX
cd home
cd /home
ls
cd sux
ls
cd ftp
ls
cd ftp
ls
cd ..
cd sux
rm catcrash.mpeg
wget catcrash.mpeg
wget catcrash.mpeg
wget catcrash.mpeg
df
uptime
ls
cd DEADJOE
ls
cd mail
ls
cd up
ls
ls
cd ..
iptables
iptables -h

...

iptables -L -n
iptables -L -n | less
ls
iptables -A INPUT -p tcp --dport 33337 -j ACCEPT
ls
cd /home
ls
cd mail
cd ..
ls
cd mail
cd home
ls
cd rootmail
ls
cd ..
ls
cd sux
ls
cd ..
ls
cd ..
ls
cd root
ls
cd mail
ls
cd sux
ls
cd psybnc
ls
pico psybnc.conf
ls
ps -x
./psybnc
whois <<--SNIP was.my.ip.address >>
./iroffer
./iroffer -u sux configfile sux.config
ls
./iroffer -u sux sux.config
ls
s
ps -x
kill -9 5820
kill -9 5864
ps
ps -x
ls
cd ..
cd ..
ls
dir
ls
info
ps -x
iptables -A INPUT -p tcp --dport 6667 -j ACCEPT
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
ls
cd mail
ls
cd sux
ls
cd mp3
ls
cd ..
ls
/ps -x
ps -x
ip
ip addr
modprobe ipv6
ip addr
ip addr show dev eth0
whic BitchX
which BitchX
cd /usr/bin/BitchX
cd /usr/bin/BitchX
/usr/bin/BitchX
ls
adduser sux
su sux
pico alc.config
ls
cd mail
ls
cd sux
ls
cd iroffer.2b28
ls
cd iroffer1.2b28
ls
pico sux.config
ls
./iroffer
./iroffer sux.config
su sux
su sux
ls
pico alc.config
su
ls
pico alc.config
su sux
wget iroffer1.2b12.tgz
ls
tar xvfz iroffer1.2b12.tgz
cd iroffer1.2b12
ls
./Configure
make
lcd ..
cd ..
ls
cd iroffer1.2b26
ls
./Configure
cd ..
ls
cd iroffer1.2b12
ls
make
ls
ls
cd ..
wget iroffer-1.1.1-1.src.rpm
ls
rpm
rpm --help
ls
rpm -iv iroffer-1.1.1-1.src.rpm
rpm -i iroffer-1.1.1-1.src.rpm
wget iroffer-1.1.1-1rh62.i386.rpm
ls
rpm -i iroffer-1.1.1-1rh62.i386.rpm
ls
cd ..
ls
cd up
ls
wget iroffer-1.1.1-1rh62.i386.rpm
ls
rpm -i iroffer-1.1.1-1rh62.i386.rpm
ls
rpm -iv iroffer-1.1.1-1rh62.i386.rpm
ls
cd ..
ls
cd sux
ls
rpm -iv iroffer-1.1.1-1rh62.i386.rpm
which iroffer
/usr/local/bin/iroffer
cd /usr/local/bin/iroffer
/cd /usr/
cd /usr/
cd /loca
cd /local
ls
cd locale
cd /local
cd local/
ls
cd bin/
ls
cd iroffer
./iroffer
./iroffer -b sux.config
ls
ls
cd /home
ls
cd sux
ls
wget iroffer1.2b28.tgz
ls
tar -xvfz
tar -xvfz iroffer1.2b28.tgz
tar xvfz iroffer1.2b28.tgz
cd iroffer1.2b28
ls
./Configure
make
ls
pico sample.config
ls
s7 sux
su sux
ls
pico sux.config
pico sample.config
su sux
ls
pico sux.config
su sux
ls
make
cd ..
ls
wget iroffer1.2b28.tgz
ls
tar xvf iroffer1.2b28.tgz
tar xvfz iroffer1.2b28.tgz
ls
cd iroffer1.2b28
ls
./Configure
make
ls
pico sample.config
ls
su sux
pico sux.config
su sux
ls
cd /home
ls
cd ...
cd ..
ls
cd root
ls
cd mail
ls
cd /home
ls
cd root
cd ..
ls
cd home
ls
cd sux
ls
mkdir up
ls
cd ..
ls
cd ..
ls
cd root
ls
cd mail
ls
cd sux
ls
cd iroffer1.2b26
ls
pico sux.config
su sux
cd ..
cd ..
cd ..
cd ..
cd root
cd mail
cd sux
ls
cd iroffer1.2b26
pico sux.config
ls
cd ..
ls
cd ..
ls
cd sux
ls
su sux
ps -x
ls
cd mail
ls
cd sux
ls
cd ..
ls
cd ..
ls
cd ..
ls
cd /home
ls
cd sux
ls
cd ..
ls
cd ..
ls
cd root
ls
cd mai
cd mail
ls
cd up
ls
rm iroffer-1.1.1-1rh62.i386.rpm
wget eggdrop1.6.15.tar.gz
ls
tar -xvfz eggdrop1.6.15.tar.gz
tar xvfz eggdrop1.6.15.tar.gz
ls
cd eggdrop1.6.15
ls
./configure
make config
make
make install
ls
pico eggdrop.conf
ls
./eggdrop
su sux
ps -x
ls
cd mail
ls
cd sux
ls
cd ..
ls
cd up
ls
cd eggdrop1.6.15
ls
pico jes.conf
ls
./eggdrop
su sux
cd ..
ls
mkdir sux1
ls
cd suxls
cd sux1
ls
wget eggdrop1.6.13.tar.gz
ls
wget eggdrop1.6.13.tar.gz
uptime
ls
cd eggdrop
‗s
ls
cd ..
ls
px -x
ps -x
ls
cd mail
ls
cd sux1
ls
ls
cd ..
ls
cd ..
dir
ls
ls
cd eggdrop/
ls
make
df
uname -a
uptime
s
ls
cd ..
ls
cd home
ls
cd nw
l
sls
ls
cd ..
ls
cd sux
ls
cd /usr/bin/local
cd /usr/bin/local/BitchX
which
which BitchX
cs /usr/bin/BitchX
cd /usr/bin/BitchX
cd /usr/bin/BitchX/
/usr/bin/BitchX/
ls
cd ..
ls
cd usr/
cd /usr/bin/BitchX
cd /usr/bin/BitchX/
cd ..
l
ls
cd usr/
cd local
cd BitchX
ls
cd bin
ls
cd ..
cd ..
ls
cd bin
ls
cd BitchX
./BitchX
uname -a
etho
eth0
telnet 0x00.hacker.la
ssh 0x00.hacker.la
ssh x00.hacker.la
ssh 0x00.hacker.la
cd /home
ls
cd mt
ls
cd ..
cd sux
ls
df
sux
uoi rikiedere il comando se nn ogni 10 secondi
[20:03] <TuNz`TuNz> assi? :D


exit
exit
ls
cd ..
ls
cd home/
l
ls
cd sux
ls
mkdir eggy
ls
cd eggy
ls
dir
wget com_remository_startdown.php?id=1&chk=cc1665e8ce3f48f74dfe0e42a4ae0d7c
ls
ls
rm com_remository_startdown.php\?id\=1
wget 'index.php?option=com_remository&Itemid=40&func=download&filecatid=1'
ls
tar -zxvf PTlink6.16.2.tar.gz
ls
cd PTlink6.16.2
ls
./configure
ls
cd /root/ircd
cd ..
ls
cd ..
ls
cd ..
ls
ccd ..
cd ..
ls
cd root
ls
cd /home/sux/eggy
ls
cd PTlink6.16.2
make all
make install
cd /root/ircd/bin/ircd
cd /root/ircd/bin/ircd
cd /root
ls
cd irc
cd ircd/
ls
cd bin
ls
cd ircd
ls
ircd
./ircd
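
The history above is the only evidence the poster has left. As an added example (not from the thread), the sh script below does a first-pass triage of such a file, tagging the log-wiping, firewall, account, IRC-bot, outbound and recon commands so an investigator can jump straight to them; it assumes one command per line with no timestamps, as in the dump, and runs on a constructed sample rather than the real history.

```shell
#!/bin/sh
# Added example, not from the thread: first-pass triage of a recovered
# shell history. Assumes one command per line, no timestamps.

# Print "<category> <line-no>  <command>" for every history line that
# matches one of the categories below; the first match wins.
triage_history() {
    awk '
    function tag(c) { printf "%-9s %5d  %s\n", c, NR, $0 }
    # anti-forensics: wiping logs, flushing or opening the firewall
    /^rm .*(messages|secure|wtmp|lastlog)/ { tag("logwipe"); next }
    /^iptables( -t [a-z]+)? (-F|-P [A-Z]+ ACCEPT|-A (INPUT|OUTPUT) .*-j ACCEPT)/ { tag("firewall"); next }
    # persistence and staging: new accounts, IRC bots and bouncers
    /^(adduser|useradd|deluser|userdel)/ { tag("account"); next }
    /(eggdrop|psybnc|iroffer|BitchX|irssi|ircd)/ { tag("ircbot"); next }
    # pivoting to other hosts from the compromised box
    /^(ssh|telnet|ftp|scp) / { tag("outbound"); next }
    # reconnaissance of the compromised host
    /^(uname|who|uptime|df|ifconfig|ip addr|ps)/ { tag("recon"); next }
    ' "$1"
}

# Number of tagged lines in one category: triage_count <file> <category>
triage_count() {
    triage_history "$1" | awk -v c="$2" '$1 == c' | wc -l | tr -d ' '
}

# Constructed sample in the shape of the thread's dump (not the real one;
# 192.0.2.10 is a documentation address, not a host from the thread).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
ls
cd /var/log
rm messages*
iptables -F
iptables -P INPUT ACCEPT
adduser sux
su sux
wget eggdrop1.6.15.tar.gz
./eggdrop
ssh -l root 192.0.2.10
uname -a
EOF

triage_history "$SAMPLE"
```

Lines that get no tag are not innocent, just uninteresting at a first pass; read the tagged lines in context afterwards.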

DrOzz 03-03-2004 01:33 PM

that sucks d00d ...
I am not sure what else you wanna hear ...
other than that sucks :(
was there much "damage" done ?

diehl 03-03-2004 01:48 PM

No damage at all, the only thing I want to know is how the hell they got access to the box.

qwijibow 03-03-2004 04:54 PM

It's not that hard if you are running an exploitable version of ssh or some other service.
A while ago, I searched Google for the names of some exploitable http, ftp and ssh servers,
and deliberately installed them on an old box.

I then downloaded some exploits found on Google (had to compile them myself)
and, just like they said they would, they connect to the server,
send data, usually causing some kind of buffer overflow.
Then boom, you have a terminal that runs with whatever privileges the server is running with.

A good way to protect yourself is to create a new user, for example
useradd serveruser
and add a password.

Then, change your /etc/rc.d scripts so that instead of just executing the server (which will then run as root),

run them with su serveruser -c "program_to_run"

Make sure serveruser has the bare minimal rights that it needs.
That severely restricts possible hacks.
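
The rc.d pattern above, as an added example (not the poster's own script): the `su <user> -c` line with two checks in front of it, so a mistyped account name or a service user that is really uid 0 or in an admin group does not quietly hand the daemon root anyway. `serveruser` and the daemon path in the usage comment are placeholders; `su -s` is the GNU su option that forces a shell.

```shell
#!/bin/sh
# Added example, not from the thread: the rc.d pattern qwijibow describes
# (su <user> -c "program") with checks in front of it, so a misconfigured
# service account cannot hand the daemon root privileges anyway.

# Return 0 if "$1" is a usable unprivileged service account; otherwise
# print why and return 1 (no such user), 2 (uid 0) or 3 (admin group).
check_service_user() {
    user="$1"
    uid=$(id -u "$user" 2>/dev/null) || { echo "no such user: $user" >&2; return 1; }
    if [ "$uid" -eq 0 ]; then
        echo "refusing uid 0 account: $user" >&2
        return 2
    fi
    for g in $(id -Gn "$user"); do
        case "$g" in
            root|wheel|sudo|adm) echo "$user is in admin group $g" >&2; return 3 ;;
        esac
    done
    return 0
}

# run_as_service_user <user> <command...>: the line the post suggests for
# /etc/rc.d, guarded by check_service_user. -s forces a plain shell, so the
# account itself can keep a nologin shell and still run the -c command.
run_as_service_user() {
    user="$1"; shift
    check_service_user "$user" || return $?
    su -s /bin/sh -c "$*" "$user"
}

# Usage from an init script (placeholder account and daemon; switching
# user needs root):
#   run_as_service_user serveruser /usr/sbin/example-daemon -D
```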

witeshark 03-03-2004 08:58 PM

I saw a lot of eggdrop bot and IRC (BitchX client) in there. Is there a new bot sitting there ready to DDOS?

chort 03-03-2004 11:45 PM

Man, that has to be the dumbest hacker ever... what kind of "l33+ h@x0r" uses pico!?!?!? Looks like (s)he had a lot of problems with dependencies and config options, too... The software being installed was mostly IRC and IRSSI (encrypted IRC-like chat), which is often used as a command channel for zombie hosts (rooted boxes that they control). I'm not sure if the "iroffer" stuff is some type of spam software, or possibly a fileserv for IRC? catcrash.mpeg might be to cause a buffer overflow by "cat'ing" the file.

At this point you need to wipe and reinstall, because there's no telling what else (s)he might have done that they actually did remember to clean up. Man, nuked /var/log/message* is about the dumbest way to "cover your tracks". It's going to be painfully obvious that someone tampered with your system if you're missing half your logs.

Capt_Caveman 03-04-2004 12:41 AM

I like the uname --help , how priceless is that. There are ways to "resurrect" your deleted log files, but you can be pretty sure it was a point-and-click canned exploit against some unpatched service you had running. I guess it serves as a good illustration of how easy it can be to hack a Linux box.

---EDIT---
Hey chort, congrats on becoming a mod. Jeremy made a smart choice, welcome aboard.

chort 03-04-2004 01:25 AM

Hey, thanks C_C! I was trying to play it all low-key and such. I've been deputized by BSDville.

unSpawn 03-04-2004 01:43 AM

OT

> Hey chort, congrats on becoming a mod. Jeremy made a smart choice, welcome aboard.

Yes, yes, congrats Chort! Welcome aboard, and thanks again for also patrolling the Linux - Security forum.

> I've been deputized by BSDville.

Does that mean you got the blessing from Christos personally? :-]

diehl 03-04-2004 03:10 AM

Ok, thanks all for the information.

>run them with su serveruser -c "program_to_run"

>make sure serveruser has bare minimal rights that it needs.
>that serverely restrics possible hacks.

I only had apache, courier-imap, ssh, qmail, squid, proftp and named running. Named and apache are running as a non-root user. I think qmail is secure and for courier I could not find any problems regarding security. Squid was not reachable from outside.
For proftpd I could also not find any security problems. I will try to search for problems regarding ssh. What would be the best source for security related information?
Currently I have ssh 3.5p1 (with ssh2 only) running and configured for key-based login only. Are there any security problems known with that version?

unSpawn 03-04-2004 01:17 PM

> I'm not sure if the "iroffer" stuff is some type of spam software, or possibly a fileserv for IRC?

Fileserver.

> Man, nuked /var/log/message* is about the dumbest way to "cover your tracks".

Yes, it's a flunked "italian job". She didn't even list or try to zap login records or other logs.

Below isn't complete w/o versions.

> I only had apache, courier-imap, ssh, qmail, squid, proftp and named running. Named and apache are running as a non-root user.

Sometimes the applications you run off of it matter too, for instance botchy CGI scripts and Apache. If you're not an authoritative NS for a domain you don't need to run named. If you run named as caching nameserver there's no need to run it publicly accessible.

> I think qmail is secure and for courier I could not find any problems regarding security. Squid was not reachable from outside. For proftpd I could also not find any security problems.

Post version info?

> I will try to search for problems regarding ssh.

Don't. Upgrade.

> What would be the best source for security related information?

Check out the LQ FAQ: Security references, post #1.

> Currently I have ssh 3.5p1 (with ssh2 only) running and configured for key-based login only. Are there any security problems known with that version?

Yes. OpenSSH-3.7.1-p2 is the lowest clean version AFAIK. There's no reason to NOT upgrade.

DrOzz 03-04-2004 04:39 PM

Quote:

Man, that has to be the dumbest hacker ever... what kind of "l33+ h@x0r" uses pico!?!?!?
Hah, I was thinking the same thing ...
I kinda laughed when I saw pico there ..

chort 03-04-2004 09:12 PM

OpenSSH 3.8p1 is the most current (check www.openssh.org). Linux requires the "portable" version of OpenSSH (hence the 'p', for portable).

Red Hat back-ports security patches to previous versions, and they don't bump the version number when they do a security patch. This makes it really annoying to try to figure out if your setup is vulnerable. I think Nessus with "safe checks" turned off may be able to determine if it's really vulnerable.

Still, I would remove all traces of OpenSSH and build from the www.openssh.org source. A lot of stuff has changed since 3.5.x.

jschiwal 03-04-2004 10:15 PM

Some people also chroot Apache. This can provide some protection against mistakes made by the Web designers.

You might want to offload some of your logs to a separate computer.

I read of a script kiddy who broke into a unix machine, and proceeded to try to execute MSDOS commands!

slackwarefan 03-05-2004 03:56 PM

Try downloading nessus from Here and scanning your own computer to see what easily exploitable vulnerabilities you may have. Then be sure to patch them.

