LinuxQuestions.org > Forums > Linux - Security
08-23-2008, 03:07 PM   #1
kav
script cracked my server


So I'm sitting there in the other room and my server just starts playing music out of the blue. Turns out whatever broke in was typing commands exceedingly fast into the currently active tty which consequently had left mocp running on. I quickly pulled the plug on the switch and the server.

Now I can track down where the attack came from myself with the snort logs I think. What I would love to figure out is what service the attack made it in through. My first thought would be Apache since I haven't bothered to update it in about 3 months and it was running whatever was in Debian Unstable at the time.

So what kind of vulnerability would give the attacker control of the currently active interface? I would rule out ssh since that would give the attacker their own shell not one I had locally logged in. Do I just start digging through apache logs? Where should I start?

Obviously I'll never boot off that drive again. For now I'll yank the HD and put the backup in and do any forensics on that disc off a bootable CD. This should be fun; I've never had the opportunity to track down a breach before.
 
08-23-2008, 06:28 PM   #2
r3sistance
Bit lost, did you perhaps get root-kitted at some point? My first guess, if it was a root kit, would be it was FTP related (FTP is highly insecure, thus why SFTP and SCP exist). My guess is that something like they placed in some kinda cron job and it was just passing out the information in any relevant open places, like your active shell or what not, could be wrong...

however if you were root-kitted, I'd probably think about reinstalling the machine from scratch, root-kits are horrific after all...
 
08-23-2008, 07:18 PM   #3
unSpawn (Moderator)
Originally Posted by kav:
> Where should I start?
In short: start with the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html.

What you're looking for is building an understanding of the situation, which is different from the "guessing" message the first reply carries. Even without talking about evidence acquired for judicial purposes and court situations, anyone with a structured approach to diagnosing things, any investigator, will tell you that guessing is as bad as assuming, and you know what assuming makes... The checklist should guide you through most of the basic needs for gathering information like purpose of the box, date and duration of incident, distro+release+kernel data, audit data (system, daemon and firewall logs), auth data (login db, et cetera), IDS data, installed SW versions, integrity and updates, running services, finding "evidence" like setuid root files or LAMP piggybacking or user shell histories. There's lots of basic forensics docs on the 'net if you're interested in that and you could also search for and read some incident response threads in this particular forum. We've handled a few.

Also often the first thing to do would be doing nothing except for thinking over the sequence of ops and the consequences of performing those on a system. It's not for nothing Wise Hannibal says he loves it when a plan comes together: Think. Plan. Act.
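Added example, not from the thread or from CERT: a small POSIX sh helper that pulls a few of the checklist items above (setuid/setgid files, shell histories, cron entries, sshd logins, installed package versions) from the pulled drive mounted read-only under a live CD, as kav plans to do, without executing anything on the suspect disk. The function names, the report layout and the sample tree it builds are assumptions made here.

```shell
# Offline triage of a suspect root filesystem mounted read-only at "$1" (the
# pulled drive, mounted from a live CD). Hypothetical helper; the report of
# setuid files, shell histories, cron entries and sshd logins goes to "$2".
triage_root() {
    rt="$1"; out="$2"
    : > "$out"
    echo "== setuid/setgid files ==" >> "$out"
    find "$rt" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ld {} \; >> "$out" 2>/dev/null || true
    echo "== shell histories ==" >> "$out"
    for h in "$rt"/root/.*history "$rt"/home/*/.*history; do
        [ -f "$h" ] || continue
        { echo "--- $h"; cat "$h"; } >> "$out"
    done
    echo "== cron entries ==" >> "$out"
    for c in "$rt"/etc/crontab "$rt"/etc/cron.d/* "$rt"/var/spool/cron/crontabs/*; do
        [ -f "$c" ] || continue
        { echo "--- $c"; grep -v '^#' "$c" || true; } >> "$out"
    done
    echo "== sshd logins/failures (auth.log) ==" >> "$out"
    grep -hE 'sshd.*(Accepted|Failed)' "$rt"/var/log/auth.log* >> "$out" 2>/dev/null || true
}

# Version of an installed package, read straight from the offline dpkg database
# so nothing on the suspect disk (possibly a trojaned dpkg) is ever executed.
dpkg_version() {
    awk -v pkg="$2" '$1=="Package:"{p=($2==pkg)} p&&$1=="Version:"{print $2; exit}' \
        "$1/var/lib/dpkg/status"
}

# Constructed sample tree standing in for the mounted drive (not real data).
make_sample_root() {
    r=$(mktemp -d)
    mkdir -p "$r/root" "$r/etc/cron.d" "$r/var/log" "$r/var/lib/dpkg" "$r/usr/bin"
    printf 'uname -a\nmocp\n' > "$r/root/.bash_history"
    printf '# comment\n*/5 * * * * root /tmp/.x/run\n' > "$r/etc/cron.d/sys"
    printf 'Aug 23 14:58:01 srv sshd[1]: Accepted password for root from 192.0.2.10 port 4242 ssh2\n' \
        > "$r/var/log/auth.log"
    printf 'Package: apache2\nVersion: 2.2.9-7\n\nPackage: bash\nVersion: 3.2-4\n' \
        > "$r/var/lib/dpkg/status"
    : > "$r/usr/bin/odd"; chmod 4755 "$r/usr/bin/odd"   # unexpected setuid binary
    echo "$r"
}

demo=$(make_sample_root)
triage_root "$demo" "$demo.report"
cat "$demo.report"
echo "apache2 version on disk: $(dpkg_version "$demo" apache2)"
```

On the real drive, replace make_sample_root with the mount point (for example /mnt/suspect) and keep the mount read-only so timestamps survive for later comparison.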
 
08-26-2008, 01:08 PM   #4
immortaltechnique
For future's sake try and also have an integrity checker in place. Tripwire does a very good job on this though other people may have different utilities for this. Then, whether the results of your forensics point to Apache or not, try and keep your box up to date. It's always best practice to do so.