LinuxQuestions.org
View the Most Wanted LQ Wiki articles.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 04-01-2002, 03:31 PM   #1
360
Member
 
Registered: Jun 2001
Distribution: FC4
Posts: 136

Rep: Reputation: 15
Question pacpac has hacked my server. Help!


I have a RH 7.1 webserver and I am unable to log in as root.

I checked the /etc/passwd file and found a mysterious user, pacpac.

I have disconected the server from the network.

How can I get root back?
Or what should I do?

Thanks
 
Old 04-02-2002, 03:26 AM   #2
Eternal
Member
 
Registered: Feb 2002
Location: Austria
Distribution: LFS based opon debian or course
Posts: 38

Rep: Reputation: 15
Easy Work.

Hi there, if he corrupted your security do not delete any of the system, do not re-install everything befor you have found the precise hole he used, and report it to where you can. (Specialy the owner(s) of the software) You should also retrace the malicious user because it well know what comes, goes, and comes back. IF he deleted all thelogs no worrie put the system back up as it is corrupted but stay 100% of the day and night tailing all logs and tcpdump (or sniffit -i).

Now to get your password back, ive install a late version of red-hat (erreta i think) and it came will a Grub (i had the choise) hopfully ull have LiLo running.

Un Plug Your box, or reboot it used the Magic Sys Keys (kernel hacking must be enabled) and shut down your system.

At the boot up, you get lilo press tab / cap whatever to get the lilo:

and type lilo :"linux init=/bin/sh rw" i think else you must look up on google. When you succeed simple run passwd and change the root password.

YOu should also install aide, bastille, and all other defense and intrusion detection software.
 
Old 04-06-2002, 04:53 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,944
Blog Entries: 54

Rep: Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731
Re: Easy Work.

Quote:
Originally posted by Eternal
()YOu should also install aide, bastille, and all other defense and intrusion detection software.
In addition to this, if you can't establish a probable cause of compromise by using Aide, Tripwire and chkrootkit, please reinstall from scratch and use different passwords. Leaving a backdoor is quite simple, and if the passwords are cracked access is even simpler.
 
Old 04-06-2002, 07:13 AM   #4
360
Member
 
Registered: Jun 2001
Distribution: FC4
Posts: 136

Original Poster
Rep: Reputation: 15
I am going to re-install with RH7.2 and start using IPtables and tripwire.

I'm also going to try and send some of the log files to my other box.

Thanks for all the help.
 
Old 04-06-2002, 04:27 PM   #5
tyler_durden
Member
 
Registered: May 2001
Posts: 125

Rep: Reputation: 15
if you are remote logging, you may want to look into hacking syslog to read the syslog.conf file from somewhere else, then place the normal conf file there. that way the hacker doesn't know that you are remote logging and may not look for them.
 
Old 04-06-2002, 07:38 PM   #6
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,533

Rep: Reputation: 148Reputation: 148

When you use remote login, I'd configure it to allow it only from certain IPs. If it's possible, do this.
 
Old 04-07-2002, 10:17 PM   #7
Robert0380
Guru
 
Registered: Apr 2002
Location: Atlanta
Distribution: Gentoo
Posts: 1,280

Rep: Reputation: 47
choose a good password

make your password hard to crack:

ia@#xkd@!9S is a decent example, but its hard as hell to remember!

RedHat 7.2 tells you if you entered bad password or not.
 
Old 04-10-2002, 04:49 AM   #8
russell
LQ Newbie
 
Registered: Mar 2001
Distribution: *Linux*
Posts: 27

Rep: Reputation: 15
Talking

Hi,


use this password for root. it is impossible to crack it.

%$@@54psf*&gneo0






Regards
Russell.
 
Old 04-11-2002, 03:30 AM   #9
bushboy
LQ Newbie
 
Registered: Apr 2002
Posts: 1

Rep: Reputation: 0
In my experience of being hacked twice this year on a full production server (serving approx 30 websites + email) you should be wary of just 'rebooting' the server without finding out what damage has been done first and what tronjans, if any, have been installed.

In some cases, rebooting will basically bork your machine out totally !

In any case, you should consider running :-

1.) Chkrootkit
2.) Logwatch
3.) Tripwire

Also, restrict access in total Paranoid mode -

disable anonymous ftp and consider using sftp
only allow ssh sessions from one fixed IP address
remove any unneccessary running services
keep the amount of users on your system at a bare
minimum - if you have users getting email from your
system but they don't need to ever log into the system,
make sure they don't have a shell account !

After a fresh install and setup, back up your critical server
configuration files - basically just backup the whole of /etc

And of course, check security advisories on a daily basis.
 
Old 04-22-2002, 12:02 AM   #10
sancho5
Member
 
Registered: Jul 2001
Location: Utah
Distribution: RedHat v7.3, OpenBSD 3.3, FreeBSD 5.0
Posts: 327

Rep: Reputation: 30
the coroner's toolkit comes to mind.
 
Old 04-22-2002, 03:35 AM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,944
Blog Entries: 54

Rep: Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731
Quote:
Originally posted by sancho5
the coroner's toolkit comes to mind.
Hmm. I would be surprised if ppl have TCT compiled and ready (anyone tried Biatchux?), read the manuals more than once and practice with it as well. TCT ain't the easiest stuff to start with, you need to have some forensics knowledge and time, like in aeons of time :-]
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Is my server hacked? kazjol Linux - Security 3 10-10-2004 12:09 PM
Server hacked cpanelskindepot Linux - Security 46 07-05-2004 06:19 PM
Server hacked php4u Linux - Security 1 07-05-2004 11:34 AM
server hacked!?!?! vittibaby Linux - Security 1 03-27-2004 12:31 PM
web server hacked. sarin Linux - Security 12 10-05-2002 03:51 PM


All times are GMT -5. The time now is 12:01 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration