LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Old 12-15-2011, 10:00 AM   #1
sminogue
LQ Newbie
Registered: Dec 2011
Posts: 1

Server compromised?


So this seems to be a security related problem I have with my Linux server. I run a Linux VPS and received notification that my server was involved in an "attack on a VOIP server". I contacted my provider for more details and they described what my server was doing as: "showing your server walking subnets and trying to register SIP"

In response I have tightened up the security a bit on my server starting with rotating all my passwords, increasing password complexity, removing un-used ssh accounts, limiting what users can ssh to the server, and following some of the steps outlined here: http://www.yolinux.com/TUTORIALS/Lin...tSecurity.html

I don't really do anything on this server which requires outbound connections so I was planning on blocking outbound connections by using iptables.

Needless to say any pointers on what else I should do to tighten up security I would appreciate.

But my real question is this: I assume in order for an attacker to be using my server as a spring board to crawl other servers (I assume that's what walking subnets means) they would have to have installed some software or script on my server. I can block outgoing connections and block what this software or script is trying to do. But how would I go about finding what they installed or created? I was thinking I could find all files changed in the last say... 48 hrs and see if any of them jumped out at me? Is there a better way?

Thanks in advance for any help.
Old 12-15-2011, 11:31 AM   #2
om nom nom
LQ Newbie
Registered: Dec 2011
Posts: 1

Almost forgot to mention - chkrootkit is another utility you could try. Looks for various anomalies that may lead to exactly what's compromised.
Old 12-15-2011, 01:54 PM   #3
unSpawn
Moderator
Registered: May 2001
Posts: 27,447
Blog Entries: 54

Quote:
Originally Posted by sminogue
In response I have tightened up the security a bit on my server starting with rotating all my passwords, increasing password complexity, removing un-used ssh accounts, limiting what users can ssh to the server, and following some of the steps outlined here: http://www.yolinux.com/TUTORIALS/Lin...tSecurity.html
While mitigation is good you should really have performed such maintenance already and regularly. It's simply part of good systems administration. Also be aware that mitigation may have the destruction of any "evidence" as a side effect, for instance when you disable and clean up dormant or unwanted accounts. This may hamper your investigation.


Quote:
Originally Posted by sminogue
But my real question is this: I assume in order for an attacker to be using my server as a spring board to crawl other servers (I assume that's what walking subnets means) they would have to have installed some software or script on my server. I can block outgoing connections and block what this software or script is trying to do. But how would I go about finding what they installed or created? I was thinking I could find all files changed in the last say... 48 hrs and see if any of them jumped out at me? Is there a better way?
For "walking subnets" just substitute "scanning", but if by "registering SIP" they mean probing accounts for future abuse then there definitely is something running and SIPvicious, a commonly (ab)used VoIP auditing tool, has shown up in some compromised servers.

The problem I have with what you posted about your provider's account is that there is no tangible data to go on. IP addresses and time stamps for instance may help you find out which accounts were active at the time and which files (if uniquely owned and accessed) were accessed. If your provider didn't provide detailed logs, ask them for them as it makes things easier.

At LQ we don't believe blanket statements like "reinstall again" or "run tool X" should be issued, and never on their own anyway. What you should do is check your system integrity (AIDE or Samhain if you installed them, or any package management file verification if available), look at accounts (failed logins, login times, IP addresses), processes and open files (if they still exist), system and daemon logs (use 'logwatch' for generating leads) and any files that seem anomalous like binaries or scripts in users' homes and directories holding temporary files. Before you go on however best first read the CERT Intruder Detection Checklist http://web.archive.org/web/200801092...checklist.html. While deprecated it still shows you the basic steps to perform.


When you reply please add as much information as possible including:
- distribution and release,
- which services the machine or machines provide including web-based management panels, statistics, web log, forum, shopping cart, plug-ins and other software if any,
- which exact software versions and if the software was kept up to date,
- which logging and access restrictions are in place and what hardening was performed,
- if there have been earlier breaches or anomalies,
- results from the actions performed as per the CERT Intruder Detection Checklist.

Complete listings of running (piping to remote over SSH or saving in /dev/shm):
- processes and open files: '/bin/ps acxfwwwe 2>&1; /usr/sbin/lsof -Pwln 2>&1'
- network connections: 'netstat -anpe 2>&1'
- user data: 'lastlog 2>&1; last 2>&1; who -a 2>&1'
- any package management file verification, for instance '/bin/rpm -Vva 2>&1|/bin/grep -v "\.\{8\}" 2>&1' if you run RPM,
- and add anything else you think is worth mentioning.

Also run all system and daemon logs (depending on logrotate configuration) through Logwatch with the "--detail High --service All --range All --archives --numeric --save /path/to/logwatch.log" switches (substitute "/path/to/logwatch.log") and read it. Finally, please ask specific questions before performing actions if necessary and please reply as verbosely as possible. Also please stay with the thread (subscribe?) until completion and reply as soon as possible when replies are posted.
2 members found this post helpful.
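The collection unSpawn asks for above, and the "files changed in the last 48 hours" idea from the opening post, as one added example that is not code from the thread or from either poster. It assumes GNU coreutils/findutils, root privileges, and that output goes under /dev/shm (as unSpawn suggests) so nothing new is written to the possibly tampered disk; tools that are absent on the box (lsof, netstat, ss, last, rpm, dpkg) are noted and skipped. The function names, file labels, the /dev/shm/triage path and the `ss` fallback are this example's own choices. One caveat worth keeping in mind: the system binaries it calls may themselves be trojaned on a compromised host, so where possible run it with known-good static tools copied in from a clean machine, and treat mtime as a lead rather than proof, since an intruder can reset it with touch.

```shell
#!/bin/sh
# Added example, not code from the thread. Collects the volatile state
# unSpawn lists (processes, open files, sockets, logins, package verification)
# into one directory, default under /dev/shm so nothing new is written to the
# possibly tampered disk, and adds the "changed in the last N hours" listing
# sminogue proposed. Assumes GNU coreutils/findutils and root privileges;
# optional tools (lsof, netstat, ss, last, rpm, dpkg) are skipped when absent.
# Function names, labels and the /dev/shm/triage path are this example's own.
set -u

# run_and_save LABEL OUTDIR CMD [ARGS...]: capture stdout+stderr of CMD into
# OUTDIR/LABEL.txt. A missing tool or non-zero exit is recorded, not fatal,
# so one broken binary cannot abort the whole collection.
run_and_save() {
    rs_label=$1; rs_out=$2; shift 2
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$rs_out/$rs_label.txt" 2>&1 \
            || printf '[exit status %s]\n' "$?" >> "$rs_out/$rs_label.txt"
    else
        printf 'tool not found: %s\n' "$1" > "$rs_out/$rs_label.txt"
    fi
}

# recent_files ROOT HOURS: regular files under ROOT modified in the last HOURS
# hours, newest first, one filesystem only, pseudo-filesystems pruned.
# Output: "YYYY-MM-DD HH:MM owner mode path". mtime is a lead, not proof:
# an attacker can reset it with touch, so also compare against ctime (-cmin).
recent_files() {
    rf_root=$1; rf_hours=$2
    find "$rf_root" -xdev \
        \( -path /proc -o -path /sys -o -path /dev -o -path /run \) -prune -o \
        -type f -mmin "-$((rf_hours * 60))" \
        -printf '%TY-%Tm-%Td %TH:%TM %u %m %p\n' 2>/dev/null | sort -r
}

# collect_triage [OUTDIR] [HOURS] [ROOT]: run the whole collection, hash the
# results so later tampering is detectable, and print the output directory.
collect_triage() {
    ct_out=${1:-/dev/shm/triage-$(date +%Y%m%d-%H%M%S)}
    ct_hours=${2:-48}
    ct_root=${3:-/}
    mkdir -p "$ct_out" || return 1
    date -u '+%Y-%m-%dT%H:%M:%SZ' > "$ct_out/collected_at.txt"
    run_and_save processes   "$ct_out" ps acxfwwwe
    run_and_save open_files  "$ct_out" lsof -Pwln
    run_and_save connections "$ct_out" netstat -anpe
    run_and_save sockets     "$ct_out" ss -anpe   # ss: newer netstat replacement
    run_and_save lastlog     "$ct_out" lastlog
    run_and_save last        "$ct_out" last
    run_and_save who         "$ct_out" who -a
    # Package verification: drop the all-dots lines, i.e. unchanged files.
    if command -v rpm >/dev/null 2>&1; then
        rpm -Vva 2>&1 | grep -v '^\.\{8\}' > "$ct_out/rpm_verify.txt" || true
    elif command -v dpkg >/dev/null 2>&1; then
        dpkg --verify > "$ct_out/dpkg_verify.txt" 2>&1 || true
    fi
    recent_files "$ct_root" "$ct_hours" > "$ct_out/recent_files.txt"
    (cd "$ct_out" && sha256sum ./*.txt > MANIFEST.sha256)
    printf '%s\n' "$ct_out"
}

# Usage: sh triage.sh [OUTDIR] [HOURS]; afterwards ship the directory off-box:
#   tar -C /dev/shm -cz triage-* | ssh analyst@goodhost 'cat > triage.tgz'
```

Read recent_files.txt first for anything under /tmp, /var/tmp, /dev/shm or a user's home that is executable or looks like a script, then cross-check the owner and timestamps against the login records in last.txt and lastlog.txt and the provider's time stamps; MANIFEST.sha256 lets you prove later that what you hand to the provider or post here is what was collected.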