LinuxQuestions.org > Red Hat > I got hacked (https://www.linuxquestions.org/questions/red-hat-31/i-got-hacked-178854/)

hannes5020 05-07-2004 04:43 AM

I got hacked
 
Hello Friends,

Sorry, my English is not the best :( I have a big problem. Yesterday night somebody did something on my Red Hat 9 server. I am a Linux newbie. The problem is, when I type in root and press enter the machine crashes and I can't log in. SSH also doesn't work anymore. But I can work with Samba.
It seems like everything is working, but I can't log on anymore :(


greetings john

profjohn 05-07-2004 04:54 AM

Does your regular user account work? (you did create a regular user account, didn't you?)...

If you have a copy of a live distro (Knoppix comes to mind) you could boot that and poke around to see what the "someone" did... Even better is to find that same "someone" and make them come clean...

At what point are you typing in "root"? Is it the login prompt? Does your system boot loader function correctly? At what point in the boot process does this problem happen? Was this something that was done by somebody verified, or did it happen after you had been doing something as superuser, then powered your box down?

If this happened after you shut down, it was very likely to have been a self-hack, as systems are fairly immune to trouble when they are powered down. Trouble is, if you were running as root all along, some things would not show up until after an attempt to reboot. For instance, it is possible, as root, to delete all partitions on all your drives, and run along fine until the system is powered down; then, no power up...

More details, please...

hannes5020 05-07-2004 05:33 AM

Hi ProfJohn,


Thanks for your answer.

Everything works on the server. When I type root at the regular logon prompt (I have no X installed) and press enter, it doesn't go to the password prompt, and I can wait and wait and nothing happens anymore. I was looking at the file system with a boot disk and everything is there.
It looks OK, but somebody was on the server, because in /etc/rc.d
somebody wrote this:

cd /usr/local/games
cd ./...
rm -rf rkid
tar xfvz rkid.tar.gz
cd rkid
./setup satelit 44


hmm?

Does that help?

320mb 05-07-2004 10:38 AM

http://www.google.com/search?hl=en&l...gz&btnG=Search

Code:

rkid.tar.gz==rootkit!!

unSpawn 05-07-2004 12:13 PM

OK, so you got rootkitted...
 
*Before you start, each step will take time and effort. It ain't all easy. But remember that with each shortcut you take, with each task you're not willing to invest time in, you essentially weaken the security posture of the box. So, since your box is a server connected to the 'net, you eventually will become a liability for others. Please make sure you won't.
Investing time now makes it easier to manage/audit later on.


Some steps:

0. Alert. Notify any users their passwords are presumed taken off the system and they should take immediate action. If anyone uses your box as gateway to other systems, notify network admins to investigate their machines.
1. Rescue. Power off the box. Boot with a bootable CDR like Knoppix, FIRE, PSK or whatever your distro offers you. Now rescue specific things like /home, config files, database dumps. Whatever you rescue, if it's human readable data: read it. Do save a copy of /var/log. Do not save crontabs or binaries. Do invalidate any backups you made unless you have external means of verifying integrity that can't be tampered with. Do not save /etc/shadow for purposes other than forensics. All passwords are invalidated the moment someone gains root account access.
2. Restore. Use the three R's: repartition, reformat, reinstall Linux from scratch. Do not use a backup unless you can verify integrity.
3. Reconfigure and harden. Set up separate partitions and mount them with appropriate flags (/usr=ro, /tmp=nosuid,noexec* etc, etc). *may break some apps. In your case: change all passwords. Install only what you need NOW. Harden your kernel with Grsecurity, OpenWall or LIDS. Do not run services you don't need. Don't run vulnerable services. Do run services under lesser-privileged accounts. Do guard IP-level access to critical services by built-in mechanisms (like OpenSSH and Xinetd have), TCP wrappers and the firewall (and and not or or). Install and configure a filesystem integrity checker like Aide, Samhain or tripwire. Save a copy of the binary and initial databases on read-only media. Install an IDS like Snort or Prelude and watch those logs. Install a tight firewall and only allow access to necessary ports. Run hardening and audit tools like Bastille-Linux and Tiger and chkrootkit (and and not or or). Regularly update software including the kernel. Watch your vendor's security bulletins.

Before you start, please check out the LQ FAQ: Security references. Any security questions are welcome in the Linux - Security forum.
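
The "rescue" step above, as an added example that is not part of unSpawn's post or any tool he names: two POSIX shell helpers meant to be run from a live CD's own binaries against the compromised disk mounted read-only (the mount point /mnt/victim, the paths under it, and the sample file contents are assumptions; the indicator pattern is built from the lines hannes5020 found in /etc/rc.d). The first greps the init scripts for rootkit-installer signs without trusting the victim's grep or ls; the second copies /var/log with timestamps preserved and writes a SHA-256 manifest so the copy can be verified later from read-only media.

```shell
#!/bin/sh
# Added example, not from the thread. Run from a rescue CD after something like:
#   mount -o ro,noexec,nosuid /dev/sda1 /mnt/victim      (device/mount point assumed)
# Use the CD's own find/grep/cp/sha256sum; the victim's binaries may be trojaned.

# scan_rc_scripts DIR: print "file:line:text" for every line under DIR that
# looks like a rootkit installer. Returns 1 if anything matched, 0 if clean.
scan_rc_scripts() {
    dir=$1
    # Indicators (constructed from the post): a hidden "..." or ". " directory,
    # the rkid tarball, a tarball unpacked then an installer run from it.
    pattern='cd \./\.\.\.|/\.\.\./|/\. /|rkid|tar xf[vz]* .*\.tar\.gz|^\./setup '
    matches=$(find "$dir" -type f -exec grep -nHE "$pattern" {} + 2>/dev/null)
    if [ -n "$matches" ]; then
        printf '%s\n' "$matches"
        return 1
    fi
    return 0
}

# preserve_logs SRC DEST: copy SRC (e.g. /mnt/victim/var/log) to DEST keeping
# ownership and mtimes (needed for a timeline), then write DEST/SHA256SUMS and
# verify it once. Returns non-zero if the copy or the verification fails.
preserve_logs() {
    src=$1
    dest=$2
    mkdir -p "$dest" || return 1
    cp -a "$src/." "$dest/" || return 1
    (cd "$dest" && find . -type f ! -name SHA256SUMS -exec sha256sum {} + \
        | sort > SHA256SUMS) || return 1
    # Burn SHA256SUMS to read-only media; re-run this check before trusting the copy.
    (cd "$dest" && sha256sum -c SHA256SUMS >/dev/null)
}

# Stand-alone demonstration on constructed files (no real victim disk needed).
demo=$(mktemp -d)
mkdir -p "$demo/rc.d" "$demo/log"
# A tampered rc.local mimicking what hannes5020 found, and a clean script.
printf 'cd /usr/local/games\ncd ./...\nrm -rf rkid\ntar xfvz rkid.tar.gz\ncd rkid\n./setup satelit 44\n' \
    > "$demo/rc.d/rc.local"
printf 'touch /var/lock/subsys/local\n' > "$demo/rc.d/rc.sysinit"
printf 'May  6 23:12:01 host sshd[123]: constructed sample line\n' > "$demo/log/messages"

if scan_rc_scripts "$demo/rc.d"; then
    echo "rc.d looks clean"
else
    echo "rc.d has rootkit installer traces (see lines above)"
fi
if preserve_logs "$demo/log" "$demo/evidence"; then
    echo "logs preserved and manifest verified in $demo/evidence"
fi
rm -rf "$demo"
```

Treat any hit from the scanner as a reason to stop trusting the disk entirely, not as a list of things to delete: as the post says, the fix is repartition, reformat, reinstall.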

