my box has been hacked
My Red Hat 7.2 box was hacked and the logs were deleted, but the "hacker" forgot to delete the bash profile. I have no idea how he/she got access to my box, maybe via OpenSSH; I had version 3.1 installed. I have already changed OpenSSH to 3.5p1 and allow only key-based login. (I had to strip all URLs to post this message.)
Here is what the guy did: ls cd irssi-0.8.9 ls INSTALL pico INSTALL ./configure ls make make install make ./configure ls pico INSTALL ./configure --whitout-terminfo ./configure --whitout ./configure --help ./configure --ncurses-dir CPPFLAGS=-I/opt/openssl/include LDFLAGS=-L/opt/openssl/lib ./configure ls curses.m4 ./curses.m4 ls pico INSTALL ls cd .. ls cd .. ls cd sux ls cd irssi-0.8.9 ls ./configure --whit-ncurses-/home/sux/irssi-0.8.9 ./configure --help ./configure --whit-ncurses=/home/sux/irssi-0.8.9 ls ./configure --whit-ncurses=/home/sux/irssi-0.8.9/curses.m4 pico INSTALL ./configure --without-terminfo ls ./configure --without-terminfo. ./configure --without-ncurses logout exit ls pico sux.config su sux exit ls cd mail ls cd sux ls who ls cd iroffer1.2b26 ls ./iroffer -b sux.config su sux cd /home ls ssh 213.242.32.244 dns server2.netdiscount.de host server2.netdiscount.de ls xmms ls host lnx.sw.internal ls cd .. ls cd home ls cd ftp ls cd .. ls cd ftp ls mkdir upload ls ftp ftp.microsoft.org ftp ftp.microsoft.com ftp ftp.microsoft.com ftp ftp.microsoft.com ls cd .. ls cd creation1 ls cd .. ls cd cm ls cd .. ls cd rootmail ls cd impa_folder cd imap_folder/ ls cd Maildir ls cd new ls pico 1076641765.32469.lnx.sw.internal ls cd .. ls cd .. cd .. ls cd .. ls cd ..
ssh server2.netdiscount.de ls cd home ls cd /home ls cd sux ls cd irssi-0.8.9 ls ./configure uname -a rpm uptime rpm -q redhat-release wget ftp://rpmfind.net/linux/redhat/7.3/en/os/i386/RedHat/RPMS/ncurses-devel-5.2-26.i386.rpm cd /home ls cd sux ls ftp rpmfind.net cd /home ls cd sux uname -a ftp rpmfind.net ftp rpmfind.net cd /home ls cd sux ls ftp rpmfind.net wget ncurses-devel-5.2-26.i386.html?hl=de&cx=591:N:0:331169:0:0:0 wget ncurses-devel-5.2-26.i386.rpm?hl=de&nid=809 wget ncurses-devel-5.2-26.i386.rpm?hl=de&nid=809 wget RPMS.7.3/ncurses-devel-5.2-26.i386.rp wget RPMS.7.3/ncurses-devel-5.2-26.i386.rpm[B ls rpm -i ncurses-devel-5.2.-26.i386.rpm rpm -i ncurses-devel-5.2.-26.i386.rpm rpm rpm --hel rpm --help rpm ncurses-devel-5.2.-26.i386.rpm rpm -f ncurses-devel-5.2.-26.i386.rpm rpm -f ncurses-devel-5.2.-26.i386.rpm rpm -f ncurses-devel-5.2.-26.i386.rpm rpm -q ncurses-devel-5.2.-26.i386.rpm[A rpm -i ncurses-devel-5.2.-26.i386.rpm ls ls -al cd BitchX ls ./configure d .. cd .. ls wget catcrash.mpeg ls ls rm ncurses-devel-5.2-26.i386.rpm rm ncurses-devel-5.2-26.i386.rpm ls rm ncurses-devel-5.2-26.i386.rpm.1 rm ncurses-devel-5.2-26.i386.rpm\?hl\=de rm ncurses-devel-5.2-26.i386.rpm\?hl\=de.1 ls rpm 7.3/i386 os updates freshrpms /etc/apt/sources.list cd /etc/apt/sources.list more /etc/apt/sources.list wget RPMS/BitchX-1.0c17-6.i386.rpm s ls rpm -i BitchX-1.0c17-6.i386.rpm ls rm -r BitchX ls rpm -i BitchX-1.0c17-6.i386.rpm ls cd BitchX ls cd .. 
ls rm -rf BitchX ls rpm -i BitchX-1.0c17-6.i386.rpm ls rpm locate Bitchx ls uname -a locate BitchX df rpm -qil BitchX rpm -qil BitchX rpm -qil BitchX uname -a rpm -qil BitchX | less /usr/bin/BitchX -N ls /usr/BitchX /usr/BitchX -N /usr/bin/Bitchx /usr/bin/BitchX su sux deluser BitchX irc.azzurra.org ls su sux ssh -l root 217.13.198.2 fs iptable -F iptables -F logout df df df dev/shm var boot none dev/hda5 root/cd /var/log df rm messages* ls cd /var cd log rm messages* df df logout ls uptime ssh 213.242.32.244 who ls rm catcrash.mpeg ls cd mail ls cd sux ls dev/shm cd log ssh -l root 217.13.198.2 ls ps -x uname uname --help uname -m uname -n uname -a ls cd psybnc ls ./psybnc ps -x ls iptables iptables -h iptables -L iptables -L |less iptables -L INPUT iptables -L FORWARD iptables -F OUTPUT df var sm /var shm /var df mc ls ip tables -t net -A OUTPUT -p tcp --dport 33337 -j ACCEPT iptables -t net -A OUTPUT -p tcp --dport 33337 -j ACCEPT iptables --help ip tables -t nat -A OUTPUT -p tcp --dport 33337 -j ACCEPT iptables -t nat -A OUTPUT -p tcp --dport 33337 -j ACCEPT [root@lnx root]# iptables -t net -A OUTPUT -p tcp --dport 33337 -j ACCEPT iptables v1.2.4: can't initialize iptables table `net': Table does not exist (do you need to insmod?) Perhaps iptables or your kernel needs to be upgraded. iptables -t nat -A OUTPUT -p tcp --dport 33337 -j ACCEPT uptime iptables -t filter -A OUTPUT -p tcp --dport 33337 -j ACCEPT ps -x ./psybnc ls cd mail ls cd sux cd psybnc ls ./psybnc ps -x man iptables df var /messages* var /df var var/log var /sm var /mv var /shm logout ls iptables -F flusha iptables -F flusha iptables -F ntsysv ifconfig cd /etc/init.d ls ./pptpd start ifconfig ./pptpd status ifconfig /.BitchX ...... cd BitchX cd /usr/bin/BichX cd home cd /home ls cd sux ls cd ftp ls cd ftp ls cd .. cd sux rm catcrash.mpeg wget catcrash.mpeg wget catcrash.mpeg wget catcrash.mpeg df uptime ls cd DEADJOE ls cd mail ls cd up ls ls cd .. iptables iptables -h ... 
iptables -L -n iptables -L -n | less ls iptables -A INPUT -p tcp --dport 33337 -j ACCEPT ls cd /home ls cd mail cd .. ls cd mail cd home ls cd rootmail ls cd .. ls cd sux ls cd .. ls cd .. ls cd root ls cd mail ls cd sux ls cd psybnc ls pico psybnc.conf ls ps -x ./psybnc whois <<--SNIP was.my.ip.address >> ./iroffer ./iroffer -u sux configfile sux.config ls ./iroffer -u sux sux.config ls s ps -x kill -9 5820 kill -9 5864 ps ps -x ls cd .. cd .. ls dir ls info ps -x iptables -A INPUT -p tcp --dport 6667 -j ACCEPT iptables -P INPUT ACCEPT iptables -P OUTPUT ACCEPT ls cd mail ls cd sux ls cd mp3 ls cd .. ls /ps -x ps -x ip ip addr modprobe ipv6 ip addr ip addr show dev eth0 whic BitchX which BitchX cd /usr/bin/BitchX cd /usr/bin/BitchX /usr/bin/BitchX ls adduser sux su sux pico alc.config ls cd mail ls cd sux ls cd iroffer.2b28 ls cd iroffer1.2b28 ls pico sux.config ls ./iroffer ./iroffer sux.config su sux su sux ls pico alc.config su ls pico alc.config su sux wget iroffer1.2b12.tgz ls tar xvfz iroffer1.2b12.tgz cd iroffer1.2b12 ls ./Configure make lcd .. cd .. ls cd iroffer1.2b26 ls ./Configure cd .. ls cd iroffer1.2b12 ls make ls ls cd .. wget iroffer-1.1.1-1.src.rpm ls rpm rpm --help ls rpm -iv iroffer-1.1.1-1.src.rpm rpm -i iroffer-1.1.1-1.src.rpm wget iroffer-1.1.1-1rh62.i386.rpm ls rpm -i iroffer-1.1.1-1rh62.i386.rpm ls cd .. ls cd up ls wget iroffer-1.1.1-1rh62.i386.rpm ls rpm -i iroffer-1.1.1-1rh62.i386.rpm ls rpm -iv iroffer-1.1.1-1rh62.i386.rpm ls cd .. 
ls cd sux ls rpm -iv iroffer-1.1.1-1rh62.i386.rpm which iroffer /usr/local/bin/iroffer cd /usr/local/bin/iroffer /cd /usr/ cd /usr/ cd /loca cd /local ls cd locale cd /local cd local/ ls cd bin/ ls cd iroffer ./iroffer ./iroffer -b sux.config ls ls cd /home ls cd sux ls wget iroffer1.2b28.tgz ls tar -xvfz tar -xvfz iroffer1.2b28.tgz tar xvfz iroffer1.2b28.tgz cd iroffer1.2b28 ls ./Configure make ls pico sample.config ls s7 sux su sux ls pico sux.config pico sample.config su sux ls pico sux.config su sux ls make cd .. ls wget iroffer1.2b28.tgz ls tar xvf iroffer1.2b28.tgz tar xvfz iroffer1.2b28.tgz ls cd iroffer1.2b28 ls ./Configure make ls pico sample.config ls su sux pico sux.config su sux ls cd /home ls cd ... cd .. ls cd root ls cd mail ls cd /home ls cd root cd .. ls cd home ls cd sux ls mkdir up ls cd .. ls cd .. ls cd root ls cd mail ls cd sux ls cd iroffer1.2b26 ls pico sux.config su sux cd .. cd .. cd .. cd .. cd root cd mail cd sux ls cd iroffer1.2b26 pico sux.config ls cd .. ls cd .. ls cd sux ls su sux ps -x ls cd mail ls cd sux ls cd .. ls cd .. ls cd .. ls cd /home ls cd sux ls cd .. ls cd .. ls cd root ls cd mai cd mail ls cd up ls rm iroffer-1.1.1-1rh62.i386.rpm wget eggdrop1.6.15.tar.gz ls tar -xvfz eggdrop1.6.15.tar.gz tar xvfz eggdrop1.6.15.tar.gz ls cd eggdrop1.6.15 ls ./configure make config make make install ls pico eggdrop.conf ls ./eggdrop su sux ps -x ls cd mail ls cd sux ls cd .. ls cd up ls cd eggdrop1.6.15 ls pico jes.conf ls ./eggdrop su sux cd .. ls mkdir sux1 ls cd suxls cd sux1 ls wget eggdrop1.6.13.tar.gz ls wget eggdrop1.6.13.tar.gz uptime ls cd eggdrop ‗s ls cd .. ls px -x ps -x ls cd mail ls cd sux1 ls ls cd .. ls cd .. dir ls ls cd eggdrop/ ls make df uname -a uptime s ls cd .. ls cd home ls cd nw l sls ls cd .. ls cd sux ls cd /usr/bin/local cd /usr/bin/local/BitchX which which BitchX cs /usr/bin/BitchX cd /usr/bin/BitchX cd /usr/bin/BitchX/ /usr/bin/BitchX/ ls cd .. ls cd usr/ cd /usr/bin/BitchX cd /usr/bin/BitchX/ cd .. 
l ls cd usr/ cd local cd BitchX ls cd bin ls cd .. cd .. ls cd bin ls cd BitchX ./BitchX uname -a etho eth0 telnet 0x00.hacker.la ssh 0x00.hacker.la ssh x00.hacker.la ssh 0x00.hacker.la cd /home ls cd mt ls cd .. cd sux ls df sux uoi rikiedere il comando se nn ogni 10 secondi [20:03] <TuNz`TuNz> assi? :D exit exit ls cd .. ls cd home/ l ls cd sux ls mkdir eggy ls cd eggy ls dir wget com_remository_startdown.php?id=1&chk=cc1665e8ce3f48f74dfe0e42a4ae0d7c ls ls rm com_remository_startdown.php\?id\=1 wget 'index.php?option=com_remository&Itemid=40&func=download&filecatid=1' ls tar -zxvf PTlink6.16.2.tar.gz ls cd PTlink6.16.2 ls ./configure ls cd /root/ircd cd .. ls cd .. ls cd .. ls ccd .. cd .. ls cd root ls cd /home/sux/eggy ls cd PTlink6.16.2 make all make install cd /root/ircd/bin/ircd cd /root/ircd/bin/ircd cd /root ls cd irc cd ircd/ ls cd bin ls cd ircd ls ircd ./ircd |
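An analyst's first pass over a recovered history file is to pull out what it records: hosts contacted, files fetched, accounts and firewall rules changed, and log files removed. The script below is an added example written for this thread, not code from the original poster, and it runs on a constructed excerpt modelled on the history pasted above (a real .bash_history is one command per line, unlike the flattened paste). It tracks cd so that a relative "rm messages*" issued after "cd /var/log" resolves to the log directory; the starting directory (/root) and the list of log-file names it watches for are assumptions.

```python
import posixpath
import re
from urllib.parse import urlparse

# Constructed excerpt modelled on the history in the post above (not the full dump).
SAMPLE_HISTORY = """\
cd irssi-0.8.9
./configure --without-terminfo
make install
cd ..
ssh 213.242.32.244
host server2.netdiscount.de
ftp ftp.microsoft.com
wget ftp://rpmfind.net/linux/redhat/7.3/en/os/i386/RedHat/RPMS/ncurses-devel-5.2-26.i386.rpm
rpm -i BitchX-1.0c17-6.i386.rpm
ssh -l root 217.13.198.2
iptables -F
cd /var/log
rm messages*
cd
./psybnc
iptables -A INPUT -p tcp --dport 33337 -j ACCEPT
adduser sux
su sux
./iroffer -b sux.config
"""

# Commands whose last operand names a remote host (assumption: covers the tools seen here).
REMOTE_CMDS = {"ssh", "ftp", "telnet", "host", "dns", "whois", "nslookup"}
ACCOUNT_CMDS = {"adduser", "useradd", "deluser", "userdel", "passwd"}
# Basenames that are log files even when removed from an unexpected directory.
LOG_NAMES = re.compile(r"^(messages|secure|wtmp|btmp|utmp|lastlog|maillog|auth)", re.I)


def triage(history_text, home="/root"):
    """Walk a history dump line by line, tracking the working directory,
    and collect the indicators a responder would want to see first."""
    cwd = home
    report = {"remote_hosts": [], "downloads": [], "log_tampering": [],
              "account_changes": [], "firewall_changes": [], "installs": []}
    for raw in history_text.splitlines():
        argv = raw.strip().split()
        if not argv:
            continue
        cmd, args = argv[0], argv[1:]
        operands = [a for a in args if not a.startswith("-")]
        if cmd == "cd":
            # Resolve relative paths so later rm/pico targets can be placed.
            target = args[0] if args else home
            cwd = posixpath.normpath(posixpath.join(cwd, target))
        elif cmd in REMOTE_CMDS and args and not args[-1].startswith("-"):
            report["remote_hosts"].append(args[-1])
        elif cmd == "wget":
            for url in operands:
                parsed = urlparse(url)
                host = parsed.netloc or "(no host recorded)"
                report["downloads"].append((host, posixpath.basename(parsed.path)))
        elif cmd == "rm":
            for path in operands:
                resolved = posixpath.normpath(posixpath.join(cwd, path))
                if resolved.startswith("/var/log") or LOG_NAMES.match(posixpath.basename(resolved)):
                    report["log_tampering"].append(resolved)
        elif cmd in ACCOUNT_CMDS:
            report["account_changes"].append(raw.strip())
        elif cmd == "iptables":
            report["firewall_changes"].append(raw.strip())
        elif (cmd == "make" and "install" in args) or (cmd == "rpm" and any(a.startswith("-i") for a in args)):
            report["installs"].append(raw.strip())
    return report


if __name__ == "__main__":
    for key, items in triage(SAMPLE_HISTORY).items():
        print(key)
        for item in items:
            print("   ", item)
```

The history only shows what one shell ran, so the report is a starting list for the investigation (contact those hosts' owners, look for the installed binaries and the added account), not a complete timeline.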
that sucks d00d ...
I am not sure what else you wanna hear ... other than that sucks :( Was there much "damage" done?
No damage at all; the only thing I want to know is how the hell they got access to the box.
It's not that hard if you are running an exploitable version of ssh or some other service.
A while ago, I searched Google for the names of some exploitable HTTP/FTP/SSH servers, and deliberately installed them on an old box. I then downloaded some exploits found on Google (had to compile them myself) and, just like they said they would, they connect to the server and send data, usually causing some kind of buffer overflow. Then boom, you have a terminal that runs with whatever privileges the server is running with.

A good way to protect yourself is to create a new user, for example useradd serveruser, and add a password. Then change your /etc/rc.d scripts so that instead of just executing the server (which will then run as root) they run it with su serveruser -c "program_to_run". Make sure serveruser has the bare minimum rights that it needs. That severely restricts possible hacks.
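A quick way to audit the advice above is to check which listening sockets on the box belong to root, since a compromised service hands the attacker the privileges of the socket's owner. The following is an added example, not code from the poster, that parses the /proc/net/tcp format the way netstat does and flags root-owned and unexpected listeners; it runs on a constructed excerpt (the uids 25, 23 and 500, the inode numbers and the remote peer are made up for the sample, the port 33337 is the one opened in the posted history). One caveat: a daemon that binds a privileged port as root and then drops privileges for its workers (Apache does this) still shows a root-owned listener here, so cross-check any hit against ps.

```python
import os
import socket
import struct

LISTEN = "0A"  # tcp state code for LISTEN in /proc/net/tcp

# Constructed /proc/net/tcp excerpt: sshd, named, squid, a bot on 33337, one live session.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 c0000000 300 0 0 2 -1
   1: 00000000:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000    25        0 1002 1 c0000000 300 0 0 2 -1
   2: 0100007F:0C38 00000000:0000 0A 00000000:00000000 00:00000000 00000000    23        0 1003 1 c0000000 300 0 0 2 -1
   3: 00000000:8239 00000000:0000 0A 00000000:00000000 00:00000000 00000000   500        0 1004 1 c0000000 300 0 0 2 -1
   4: 0A000002:0016 F420F2D5:0F3C 01 00000000:00000000 02:00000000 00000000     0        0 1005 1 c0000000 20 4 30 10 -1
"""


def _hex_to_ip(word):
    # /proc/net/tcp stores IPv4 addresses as little-endian 32-bit hex words.
    return socket.inet_ntoa(struct.pack("<I", int(word, 16)))


def parse_proc_net_tcp(text):
    """Return one dict per socket: local/remote (ip, port), state code and owner uid."""
    sockets = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        lip, lport = fields[1].split(":")
        rip, rport = fields[2].split(":")
        sockets.append({
            "local": (_hex_to_ip(lip), int(lport, 16)),
            "remote": (_hex_to_ip(rip), int(rport, 16)),
            "state": fields[3],
            "uid": int(fields[7]),
        })
    return sockets


def listeners(text):
    return [s for s in parse_proc_net_tcp(text) if s["state"] == LISTEN]


def root_listeners(text):
    """Listening sockets owned by uid 0: each is a service a bug would hand to an attacker as root."""
    return [s for s in listeners(text) if s["uid"] == 0]


def unexpected_listeners(text, allowed_ports):
    """Listening ports outside the set the admin expects to be open (e.g. a bouncer on 33337)."""
    return [s for s in listeners(text) if s["local"][1] not in allowed_ports]


if __name__ == "__main__":
    # Read the live table when run on Linux, otherwise fall back to the constructed sample.
    text = open("/proc/net/tcp").read() if os.path.exists("/proc/net/tcp") else SAMPLE_PROC_NET_TCP
    for s in root_listeners(text):
        print("root-owned listener", s["local"])
    for s in unexpected_listeners(text, {22, 25, 53, 80, 143, 3128}):
        print("unexpected listener", s["local"], "uid", s["uid"])
```

Running it periodically (or diffing its output against a known-good baseline) also catches the new listener the bouncer in the history opened, which is exactly the kind of change the deleted logs would have shown.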
I saw a lot of eggdrop bot and IRC (BitchX client) in there. Is there a new bot sitting there ready to DDOS?
Man, that has to be the dumbest hacker ever... what kind of "l33+ h@x0r" uses pico!?!?!? Looks like (s)he had a lot of problems with dependencies and config options, too... The software being installed was mostly IRC and IRSSI (encrypted IRC-like chat), which is often used as a command channel for zombie hosts (rooted boxes that they control). I'm not sure if the "iroffer" stuff is some type of spam software, or possibly a fileserv for IRC? catcrash.mpeg might be to cause a buffer overflow by "cat'ing" the file.
At this point you need to wipe and reinstall, because there's no telling what else (s)he might have done that they actually did remember to clean up. Man, nuked /var/log/message* is about the dumbest way to "cover your tracks". It's going to be painfully obvious that someone tampered with your system if you're missing half your logs.
I like the uname --help, how priceless is that. There are ways to "resurrect" your deleted log files, but you can be pretty sure it was a point-and-click canned exploit against some unpatched service you had running. I guess it serves as a good illustration of how easy it can be to hack a Linux box.
---EDIT--- Hey chort, congrats on becoming a mod. Jeremy made a smart choice, welcome aboard.
Hey, thanks C_C! I was trying to play it all low-key and such. I've been deputized by BSDville.
OT
> Hey chort, congrats on becoming a mod. Jeremy made a smart choice, welcome aboard.
Yes, yes, congrats Chort! Welcome aboard, and thanks again for also patrolling the Linux - Security forum.
> I've been deputized by BSDville.
Does that mean you got the blessing from Christos personally? :-]
OK, thanks all for the information.
> run them with su serveruser -c "program_to_run"
> make sure serveruser has the bare minimum rights that it needs.
> that severely restricts possible hacks.

I only had apache, courier-imap, ssh, qmail, squid, proftp and named running. Named and apache are running as a non-root user. I think qmail is secure, and for courier I could not find any problems regarding security. Squid was not reachable from outside. For proftpd I could also not find any security problems. I will try to search for problems regarding ssh. What would be the best source for security-related information? Currently I have ssh 3.5p1 (with ssh2 only) running and configured for key-based login only. Are there any security problems known with that version?
> I'm not sure if the "iroffer" stuff is some type of spam software, or possibly a fileserv for IRC?
Fileserver.
> Man, nuked /var/log/message* is about the dumbest way to "cover your tracks".
Yes, it's a flunked "Italian job". She didn't even list or try to zap login records or other logs. Below isn't complete w/o versions.
> I only had apache, courier-imap, ssh, qmail, squid, proftp and named running. Named and apache are running as a non-root user.
Sometimes the applications you run off of it matter too, for instance botchy CGI scripts and Apache. If you're not an authoritative NS for a domain you don't need to run named. If you run named as a caching nameserver there's no need to run it publicly accessible.
> I think qmail is secure, and for courier I could not find any problems regarding security. Squid was not reachable from outside. For proftpd I could also not find any security problems.
Post version info?
> I will try to search for problems regarding ssh.
Don't. Upgrade.
> What would be the best source for security-related information?
Check out the LQ FAQ: Security references, post #1.
> Currently I have ssh 3.5p1 (with ssh2 only) running and configured for key-based login only. Are there any security problems known with that version?
Yes. OpenSSH-3.7.1-p2 is the lowest clean version AFAIK. There's no reason to NOT upgrade.
Quote:
I kinda laughed when I saw pico there ..
OpenSSH 3.8p1 is the most current (check www.openssh.org). Linux requires the "portable" version of OpenSSH (hence the 'p', for portable).
Red Hat back-ports security patches to previous versions, and they don't bump the version number when they do a security patch. This makes it really annoying to try to figure out if your setup is vulnerable. I think Nessus with "safe checks" turned off may be able to determine if it's really vulnerable. Still, I would remove all traces of OpenSSH and build from the www.openssh.org source. A lot of stuff has changed since 3.5.x.
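The two replies above give a version floor (3.7.1p2) and the reason a bare version check is not the whole story (vendor back-ports). The script below is an added example, not code from either poster, that turns an OpenSSH version string or a full SSH banner line into a comparable tuple and reports whether it sits below that floor. The banner strings used as input are constructed; the floor is the one named in the thread. A "below floor" result from this check means "treat as vulnerable unless the vendor changelog says the fix was back-ported", which is why the next step on a Red Hat box is the package changelog or a scanner, not the number alone.

```python
import re

# Lowest clean upstream version named in the thread; overridable per call.
MIN_CLEAN = "3.7.1p2"

# Matches "OpenSSH_3.5p1", "OpenSSH 3.7.1p2" or the version inside "SSH-2.0-OpenSSH_3.8p1".
_VERSION_RE = re.compile(r"OpenSSH[_ ]?(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?", re.I)


def parse_openssh_version(banner):
    """Return (major, minor, patch, portable) for the OpenSSH version in a banner.
    Missing fields count as 0, so 3.5p1 compares as (3, 5, 0, 1)."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"no OpenSSH version found in {banner!r}")
    major, minor, patch, portable = m.groups()
    return (int(major), int(minor), int(patch or 0), int(portable or 0))


def version_tuple(version):
    """Parse a bare version string such as '3.7.1p2'."""
    return parse_openssh_version("OpenSSH_" + version)


def needs_upgrade(banner, floor=MIN_CLEAN):
    """True when the advertised version is older than the floor.
    A False result only means the upstream number is recent; a True result on a
    distribution package may still be a back-ported fix, so check its changelog."""
    return parse_openssh_version(banner) < version_tuple(floor)


def audit(banners, floor=MIN_CLEAN):
    """Map each banner to 'upgrade' or 'ok' for a quick inventory pass."""
    return {b: ("upgrade" if needs_upgrade(b, floor) else "ok") for b in banners}


if __name__ == "__main__":
    # Constructed banners: what the poster's old and current builds would advertise,
    # plus the upstream version that was current when this thread was written.
    for banner, verdict in audit(["SSH-1.99-OpenSSH_3.1p1", "SSH-2.0-OpenSSH_3.5p1",
                                  "SSH-2.0-OpenSSH_3.7.1p2", "SSH-2.0-OpenSSH_3.8p1"]).items():
        print(f"{banner:30} {verdict}")
```

The version string a server advertises can be read with "ssh -V" locally or by connecting to port 22 and reading the first line, which is exactly what the canned exploits mentioned earlier in the thread do before they fire, so anything this check flags is also what an attacker's scanner sees.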
Some people also chroot Apache. This can provide some protection against mistakes made by the Web designers.
You might want to offload some of your logs to a separate computer. I read of a script kiddie who broke into a Unix machine and proceeded to try to execute MS-DOS commands!
Try downloading Nessus from here and scanning your own computer to see what easily exploitable vulnerabilities you may have. Then be sure to patch them.