LinuxQuestions.org
Linux - Security forum
Old 10-15-2003, 04:34 AM   #1
tantric
Registered: Oct 2003
Location: Hampshire, UK
Distribution: SuSE 8.2 RH9
syslog running but not logging


Hi,

I started building a SuSE 8.2 System in the morning, by the evening, there was a new root user with no password.

I have been hacked, I'm sure of this, and syslog is running but not logging any more. I have rebooted, but to no avail, can anyone shed any light on this one?

I saw the new user log in via SSH and then a few minutes later the log file stops.

I have SSH but not on port 22, and I made sure it is the very latest patched version, but they may have got in before I patched it.

What is the best way forward (without rebuilding the system)??

Thanks

Roland
Old 10-15-2003, 07:24 AM   #2
unSpawn
Moderator
Registered: May 2001
Please disconnect your box from the network, now.

Quote:
I started building a SuSE 8.2 System in the morning, by the evening, there was a new root user with no password.

Then you probably had it connected to the network all the time after you first rebooted from installing Linux. Next time just tear down any network interfaces that are up while you work on hardening the system. If you need a connection, first set up ACLs using (this is an AND list, not an OR list) xinetd, daemon config, tcp wrappers, firewall or close down any network-facing daemons, add firewall rules that will only allow traffic to and from trusted repositories like your vendor's and log traffic. Tear down when done.


Quote:
I have been hacked, Im sure of this

I'd rather rely on a report from your filesystem integrity checker and running Chkrootkit if you have them. Else you could check the logs leading up to the time you saw the user get in, look for anomalies and try to verify the contents of the drives against a copy of your package manager's database.
To do this it is necessary you run all by booting an OS from cdrom or floppy distro and not run the OS on the drives and preferably mount partitions read-only. Any databases you use should be trusted copies, made before the compromise and stored on read-only media.


Quote:
What is the best way forward (without rebuilding the system)??

If logs and audits indicate your box is compromised, or if you want to make a better start then let me first warn you that NOT rebuilding a system is only for people and cases where one would have
- and enough knowledge of Linux, security, compromises and cracker tools
- and are able to identify exactly how the compromise took place
- and are able to identify exactly what changes were made to the disk, partitions and filesystem.
And even then.
If you are not able to perform those basic auditing and forensic tasks, then the three R's are yours to follow: repartition, reformat and reinstall from scratch.

*You could debate that until anyone gives proof positive your system is compromised it isn't, but that's wrong: you have a doubt, and you have (probably) no means to audit your system. This makes using a system that's untrusted a hazard not only for you, but for any box connected to the same (inter)network. I would like to emphasise there are NO valid reasons for postponing what is necessary: Linux is powerful, and running it comes with advantages and responsibilities. Please don't dodge your responsibilities.

For threads on past compromises please look at these:
http://www.linuxquestions.org/questi...hreadid=104175
http://www.linuxquestions.org/questi...threadid=85786
http://www.linuxquestions.org/questi...threadid=72884

And for more information about compromises, checking for, or recovery please check out the LQ FAQ: Security references, post #1 under "Compromise, breach of security, detection".
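As an added illustration of the offline audit unSpawn describes (not code from the thread or from any LQ author): with the suspect disk mounted read-only from a rescue boot, compare its files against a trusted hash manifest made before the compromise and look for the two symptoms in the original post, an extra UID-0 account and an empty password field. The manifest, the suspect tree and the passwd/shadow contents are constructed samples.

```python
# Offline audit of a suspect root filesystem mounted read-only (e.g. /mnt/suspect).
# Check 1: files vs. a trusted manifest {relative path: sha256} taken from a known-good image.
# Check 2: extra UID-0 users in passwd and empty password hashes in shadow.
import hashlib
import os
import tempfile

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_manifest(root, manifest):
    """Return (modified, missing) relative paths under root compared with the trusted manifest."""
    modified, missing = [], []
    for rel, trusted in manifest.items():
        p = os.path.join(root, rel)
        if not os.path.isfile(p):
            missing.append(rel)
        elif sha256_of(p) != trusted:
            modified.append(rel)
    return sorted(modified), sorted(missing)

def audit_accounts(passwd_text, shadow_text):
    """Return (UID-0 accounts other than root, accounts whose shadow hash field is empty)."""
    uid0 = [l.split(":")[0] for l in passwd_text.splitlines()
            if l.count(":") >= 6 and l.split(":")[2] == "0" and l.split(":")[0] != "root"]
    nopass = [l.split(":")[0] for l in shadow_text.splitlines()
              if l.count(":") >= 1 and l.split(":")[1] == ""]
    return uid0, nopass

# Constructed sample data: trusted hashes from the good image, and passwd/shadow copied
# from the suspect disk, where "r00t" was added with UID 0 and no password.
TRUSTED = {"bin/ls": hashlib.sha256(b"original ls").hexdigest(),
           "etc/syslog.conf": hashlib.sha256(b"*.* /var/log/messages\n").hexdigest()}
PASSWD = "root:x:0:0:root:/root:/bin/bash\nr00t:x:0:0::/:/bin/sh\nbob:x:1000:100::/home/bob:/bin/bash\n"
SHADOW = "root:$1$abc$hashhere:12345:0:99999:7:::\nr00t::12345:0:99999:7:::\nbob:$1$x$y:12345:0:99999:7:::\n"

def demo():
    # Build a constructed suspect tree: bin/ls differs from the trusted hash, syslog.conf is gone.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"modified ls")
        return verify_manifest(root, TRUSTED), audit_accounts(PASSWD, SHADOW)

if __name__ == "__main__":
    print(demo())
```

On a real SuSE 8.2 disk the manifest would come from the trusted RPM database copy unSpawn mentions, kept on read-only media; a manifest stored on the suspect disk itself proves nothing.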