LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 06-26-2004, 07:05 AM   #1
cpanelskindepot
Member
 
Registered: Jun 2004
Posts: 43

Rep: Reputation: 15
Server hacked


Hi guys,

Recently my server was hacked. I have lots of questions for you Linux experts.

1.And I was wondering if there is any turnkey solution to check out the vulnerabilities of the server. E.g. the software should be able to simulate a hacker and try to hack into my server then notify me of the vulnerability.

The information on Linux security is just too overwhelming so I was thinking if there is any easier solution for this. If not then someone should try compile one as I believe it would benefit Linux newbies like me.

2.As for my server, someone hacked into it by uploading phpmyshell program.
But how can he gain access to other accounts from there??

3. He was dumb enough to leave traces in my /var/log/wtmp
I got his IP address and the time he logs in.
I went to FTP section and downloaded the raw FTP log.
I nabbed that fella!

212.174.89.155 - - [25/Jun/2004:06:51:20 -0400] "GET / HTTP/1.1" 200 660 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; 118K501TUR)"

Went to http://www.ip2location.com/free.asp to check out the IP:212.174.89.155

"212.174.89.155 TR TURKEY"
Got him!

Then I used IP tables to block the whole class C IP.OK I am mean. lol
iptables -I INPUT -s 212.174.89.0/24 -j DROP

Now what should I do with it?

4. If he wasn't smart enough to cover his traces I assume there must be a way for me to find out which files he modified, right? OK how????

Thanks in advance for your help! I will update you guys regarding the situation.

Last edited by cpanelskindepot; 06-26-2004 at 07:22 AM.
 
Old 06-26-2004, 09:37 AM   #2
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 46
now that you have done your research, it is always recommended to format and reinstall the OS.
 
Old 06-26-2004, 10:50 AM   #3
XavierP
Moderator
 
Registered: Nov 2002
Location: Kent, England
Distribution: Lubuntu
Posts: 19,174
Blog Entries: 4

Rep: Reputation: 428Reputation: 428Reputation: 428Reputation: 428Reputation: 428
Don't forget to report him to his ISP.
 
Old 06-26-2004, 05:04 PM   #4
cpanelskindepot
Member
 
Registered: Jun 2004
Posts: 43

Original Poster
Rep: Reputation: 15
The sad part is I am running web hosting service so reinstalling would mean my clients have to upload their site again.

I will try to avoid this if possible that is why I asked question number 4.
4. If he wasn't smart enough to cover his traces I assume there must be a way for me to find out which files he modified, right? OK how????
I wanted to just reverse the damage done to the system.
 
Old 06-26-2004, 05:37 PM   #5
fuubar2003
Member
 
Registered: May 2004
Location: Orlando, Florida
Distribution: SLES10/11, RH4/5 svrs, Fedora, Debian/Ubuntu/Mint; FreeBSD/OpenBSD
Posts: 63

Rep: Reputation: 26
Take a look at the /var/log/security log and messages log. Might give you some clues. If you were not running Tripwire previous to the breakin, then there is no telling what files the hacker changed or created.

I would be real surprised if that IP you got in your research turns out to be the culprit. More than likely, that is just a IP of a system the hacker compromised and used to run the exploit. And that IP is in Turkey.....good luck...he is long gone.

The previous suggestion of format/reinstall is right. After reinstall, but before putting the box back on the network, install and run Tripwire. It will create checksums for all your executables so if anything changes, you will know.

Later...
 
Old 06-26-2004, 07:43 PM   #6
HadesThunder
Member
 
Registered: Mar 2004
Location: London
Distribution: Mandrake 9.1
Posts: 281

Rep: Reputation: 30
Quote:
Originally posted by XavierP
Don't forget to report him to his ISP.
If he has got a router in his home and a proxy server in Iran, it will not do much good too report him to his ISP, as they would probably tell you to speak to their chairman or police and most crackers above the age of knowledge dont like to get arrested.
 
Old 06-26-2004, 09:29 PM   #7
cpanelskindepot
Member
 
Registered: Jun 2004
Posts: 43

Original Poster
Rep: Reputation: 15
He is from Turkey. When he defaced the site it was showing some 'Turkish Pride' message with turkish flags.
 
Old 06-26-2004, 09:55 PM   #8
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 46
Quote:
I wanted to just reverse the damage done to the system.
There may be other trojans/backdoors lurking there which you might detect pretty late. And till the time you weed out all the compromised programs, you will be giving them time to carry on their activities.

If you are really keen, take a dump of the disk for forensics. Repeat, format and reinstall the OS.

Quote:
The sad part is I am running web hosting service so reinstalling would mean my clients have to upload their site again
Although there may be some downtime, you can be rest assured that your new OS is free of all trojans that may be compromising your clients' data.

BTW are your clients aware of this break-in?
 
Old 06-26-2004, 10:13 PM   #9
cpanelskindepot
Member
 
Registered: Jun 2004
Posts: 43

Original Poster
Rep: Reputation: 15
They are aware of it. So it is impossible to reverse all damage?
I really don't want to reinstall as I have done many mods and configurations to the server.
 
Old 06-26-2004, 10:21 PM   #10
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 46
May be it is possible to reverse all the damage.... but can you be sure there isn't just one more backdoor that has gone undetected?

You can always take a backup of your config files.
 
Old 06-26-2004, 11:39 PM   #11
cpanelskindepot
Member
 
Registered: Jun 2004
Posts: 43

Original Poster
Rep: Reputation: 15
Anyway ever since I used IP tables to block the whole of Turkey from accessing my site I never had anymore break in from them.
They used to break in like everyday
 
Old 06-27-2004, 01:48 AM   #12
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 46
jut a thought ... perhaps you can setup a honey pot just to monitor the TR user's intentions, etc.
 
Old 06-27-2004, 03:13 AM   #13
cpanelskindepot
Member
 
Registered: Jun 2004
Posts: 43

Original Poster
Rep: Reputation: 15
Youmean honey pot as in real honeypot or somekinda linux software?
sorry Im new to linux but Im learning real fast.

Quote:
Originally posted by ppuru
jut a thought ... perhaps you can setup a honey pot just to monitor the TR user's intentions, etc.
 
Old 06-27-2004, 06:04 AM   #14
HadesThunder
Member
 
Registered: Mar 2004
Location: London
Distribution: Mandrake 9.1
Posts: 281

Rep: Reputation: 30
Quote:
Originally posted by cpanelskindepot
Anyway ever since I used IP tables to block the whole of Turkey from accessing my site I never had anymore break in from them.
They used to break in like everyday
How did you block the entire of Turkey from accessing your Web Servers / Proxy Servers?

If you do not want to reinstall. Change your Root password and User passwords. Make sure passwords are safe (plenty of numbers and no dictionary words). Also consider setting up a firewall.
 
Old 06-27-2004, 06:59 AM   #15
cpanelskindepot
Member
 
Registered: Jun 2004
Posts: 43

Original Poster
Rep: Reputation: 15
Which firewall do you recommend?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Is my server hacked? kazjol Linux - Security 3 10-10-2004 12:09 PM
Server hacked php4u Linux - Security 1 07-05-2004 11:34 AM
server hacked!?!?! vittibaby Linux - Security 1 03-27-2004 12:31 PM
web server hacked. sarin Linux - Security 12 10-05-2002 03:51 PM
pacpac has hacked my server. Help! 360 Linux - Security 10 04-22-2002 03:35 AM


All times are GMT -5. The time now is 07:18 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration