Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Moved my mandrake 9.2 from one hosting company to another and the new company didnt block ssh traffic too it, and within 2 days Ive been hacked.
They still havent blocked traffic too it so I now have to shutdown sshd everytime Ive finished working on it
I cannot afford to clear the machine and start again on it so I need to do my best to clean it and lock it down, so I really need some help from you guys and any help at all is appreciated.
Ill just start by saying that I have already deleted several accounts the hacker made and I have also replaced /sbin/init because the system would not let me restart, it kept saying something like:
FUCK: trying to hack kernel
or something like that anyway
Also, this is the bottom of my /etc/rc.d/rc.sysinit file:
Ill post the results from chkrootkit and root kit hunter, along with the history that the user left, and also their ip addresses:
CHKROOTKIT:
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... INFECTED
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... can't exec ./strings-static, not tested
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... INFECTED
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not found
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not found
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... /etc/ld.so.hash
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... Possible t0rn v8 \(or variation\) rootkit installed
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/lib/security/.config
/lib/security/.config
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... Warning: Possible Showtee Rootkit installed
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... /usr/include/file.h /usr/include/proc.h
Searching for HKRK rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... Possible ShKit rootkit installed
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... Checking `rexedcs'... not found
Checking `sniffer'... not tested: can't exec ./ifpromisc
Checking `w55808'... not infected
Checking `wted'... not tested: can't exec ./chkwtmp
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... not tested: can't exec ./chklastlog
Checking `chkutmp'... not tested: can't exec ./chkutmp
ROOT KIT HUNTER:
Rootkit Hunter 1.1.1 is running
Determining OS... Ready
Checking binaries
* Selftests
Strings (command) [ OK ]
* System tools
Performing 'known good' check...
/sbin/chkconfig [ OK ]
/sbin/depmod [ OK ]
/sbin/ifconfig [ BAD ]
/sbin/ifstatus [ OK ]
/sbin/init [ OK ]
/sbin/insmod [ OK ]
/sbin/lsmod [ OK ]
/sbin/modinfo [ OK ]
/sbin/modprobe [ OK ]
/sbin/rmmod [ OK ]
/sbin/runlevel [ OK ]
/sbin/sulogin [ OK ]
/sbin/sysctl [ OK ]
/sbin/syslogd [ BAD ]
/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/chown [ OK ]
/bin/egrep [ OK ]
/bin/fgrep [ OK ]
/bin/grep [ OK ]
/bin/id [ OK ]
/bin/kill [ OK ]
/bin/login [ BAD ]
/bin/ls [ BAD ]
/bin/more [ OK ]
/bin/mount [ OK ]
/bin/netstat [ BAD ]
/bin/ps [ BAD ]
/bin/sh [ OK ]
/bin/su [ OK ]
/usr/bin/chattr [ OK ]
/usr/bin/du [ OK ]
/usr/bin/file [ OK ]
/usr/bin/find [ BAD ]
/usr/bin/head [ OK ]
/usr/bin/kill [ OK ]
/usr/bin/login [ BAD ]
/usr/bin/lsattr [ OK ]
/usr/bin/md5sum [ BAD ]
/usr/bin/passwd [ BAD ]
/usr/bin/top [ BAD ]
/usr/bin/vmstat [ OK ]
/usr/bin/w [ OK ]
/usr/bin/wc [ OK ]
/usr/bin/wget [ BAD ]
/usr/bin/whereis [ OK ]
/usr/bin/who [ OK ]
Check rootkits
* Default files and directories
Rootkit '55808 Trojan - Variant A'... [ OK ]
Rootkit 'AjaKit'... [ OK ]
Rootkit 'aPa Kit'... [ OK ]
Rootkit 'Apache Worm'... [ OK ]
Rootkit 'Ambient (ark) Rootkit'... [ OK ]
Rootkit 'Balaur Rootkit'... [ OK ]
Rootkit 'BeastKit'... [ OK ]
Rootkit 'BOBKit'... [ OK ]
Rootkit 'CiNIK Worm (Slapper.B variant)'... [ OK ]
Rootkit 'Danny-Boy's Abuse Kit'... [ OK ]
Rootkit 'Devil RootKit'... [ OK ]
Rootkit 'Dica'... [ OK ]
Rootkit 'Dreams Rootkit'... [ OK ]
Rootkit 'Duarawkz'... [ OK ]
Rootkit 'Flea Linux Rootkit'... [ Warning! ]
--------------------------------------------------------------------------------
Found parts of this rootkit/trojan by checking the default files and directories
Please inspect the available files, by running this check with the parameter
--createlogfile and check the log file (current file: /dev/null).
--------------------------------------------------------------------------------
Rootkit 'FreeBSD Rootkit'... [ OK ]
Rootkit 'Fuck`it Rootkit'... [ OK ]
Rootkit 'GasKit'... [ OK ]
Rootkit 'Heroin LKM'... [ OK ]
Rootkit 'HjC Kit'... [ OK ]
Rootkit 'ignoKit'... [ OK ]
Rootkit 'ImperalsS-FBRK'... [ OK ]
Rootkit 'Irix Rootkit'... [ OK ]
Rootkit 'Kitko'... [ OK ]
Rootkit 'Knark'... [ OK ]
Rootkit 'Li0n Worm'... [ OK ]
Rootkit 'Lockit / LJK2'... [ OK ]
Rootkit 'MRK'... [ OK ]
Rootkit 'RootKit for SunOS / NSDAP'... [ OK ]
Rootkit 'Optic Kit (Tux)'... [ OK ]
Rootkit 'Oz Rootkit'... [ OK ]
Rootkit 'Portacelo'... [ OK ]
Rootkit 'R3dstorm Toolkit'... [ OK ]
Sebek LKM [ OK ]
Rootkit 'Scalper Worm'... [ OK ]
Rootkit 'Shutdown'... [ OK ]
Rootkit 'SHV4'... [ Warning! ]
--------------------------------------------------------------------------------
Found parts of this rootkit/trojan by checking the default files and directories
Please inspect the available files, by running this check with the parameter
--createlogfile and check the log file (current file: /dev/null).
--------------------------------------------------------------------------------
Rootkit 'Sin Rootkit'... [ OK ]
Rootkit 'Slapper'... [ OK ]
Rootkit 'Sneakin Rootkit'... [ OK ]
Rootkit 'Suckit Rootkit'... [ OK ]
Rootkit 'SunOS Rootkit'... [ Warning! ]
--------------------------------------------------------------------------------
Found parts of this rootkit/trojan by checking the default files and directories
Please inspect the available files, by running this check with the parameter
--createlogfile and check the log file (current file: /dev/null).
--------------------------------------------------------------------------------
Rootkit 'Superkit'... [ OK ]
Rootkit 'TBD (Telnet BackDoor)'... [ OK ]
Rootkit 'TeLeKiT'... [ OK ]
Rootkit 'T0rn Rootkit'... [ OK ]
Rootkit 'Trojanit Kit'... [ OK ]
Rootkit 'Tuxtendo'... [ OK ]
Rootkit 'URK'... [ OK ]
Rootkit 'VcKit'... [ OK ]
Rootkit 'Volc Rootkit'... [ OK ]
Rootkit 'X-Org SunOS Rootkit'... [ OK ]
Rootkit 'zaRwT.KiT Rootkit'... [ OK ]
* Suspicious files and malware
Scanning for known rootkit files [ OK ]
Miscellaneous Login backdoors [ OK ]
Miscellaneous directories [ OK ]
Sniffer logs [ OK ]
* Trojan specific characteristics
shv4
Checking /etc/rc.d/rc.sysinit
Test 1 [ Clean ]
Test 2 [ Clean ]
Test 3 [ Clean ]
Checking /etc/inetd.conf [ Not found ]
Networking
* Check: frequently used backdoors
Port 2001: Scalper Rootkit [ OK ]
Port 2006: CB Rootkit [ OK ]
Port 2128: MRK [ OK ]
Port 14856: Optic Kit (Tux) [ OK ]
Port 47107: T0rn Rootkit [ OK ]
Port 60922: zaRwT.KiT [ OK ]
* Interfaces
Scanning for promiscuous interfaces [ OK ]
System checks
* Allround tests
Checking hostname... Found. Hostname is xxxx
Checking for differences in user accounts... OK. No changes.
Checking for differences in user groups... OK. No changes.
Checking rc.local file...
- /etc/rc.local [ OK ]
- /etc/rc.d/rc.local [ OK ]
- /usr/local/etc/rc.local [ Not found ]
- /usr/local/etc/rc.d/rc.local [ Not found ]
- /etc/conf.d/local.start [ Not found ]
Checking rc.d files...
Processing........................................
........................................
........................................
........................................
........................................
............
Result rc.d files check [ OK ]
Checking history files
Bourne Shell [ OK ]
* Filesystem checks
Checking /dev for suspicious files... [ OK ]
Scanning for hidden files... [ OK ]
Security advisories
* Check: Groups and Accounts
Searching for /etc/passwd... [ Found ]
Checking users with UID '0' (root)... [ OK ]
* Check: SSH
Searching for sshd_config...
Found /etc/ssh/sshd_config
Checking for allowed root login... Watch out Root login possible. Possible risk!
Hint: see logfile for more information
info: PermitRootLogin yes
Hint: See logfile for more information about this issue
Checking for allowed protocols... [ Warning ]
info: Users can use SSH1-protocol (see logfile for more information).
* Check: Events and Logging
Search for syslog configuration... found
Checking for running syslog slave... [ OK ]
Checking for logging to remote system... [ OK (no remote logging) ]
and the new company didnt block ssh traffic too it, and within 2 days Ive been hacked.
You didn't restrict access to ssh to "known good" IP ranges like where administrators can ssh in from, you allow ssh root account access and you allow SSHV1 protocol.
I cannot afford to clear the machine and start again on it
Why not? They have breached your box in a way you don't know, they had all the time to plant backdoors, and they got access to any and all of your passwd and other data. Unless you have the knowledge to resurrect a box in a way trust can be restored and came prepared I would strongly advice against trying so. In the mean time shut down all public services and set up itpables so only traffic from your management IP's or range will be allowed.
---
Checking `ifconfig'... INFECTED
Checking `pstree'... INFECTED
Checking `aliens'... /etc/ld.so.hash
Searching for t0rn's v8 defaults... Possible t0rn v8 \(or variation\) rootkit installed
/lib/security/.config
/lib/security/.config
Searching for Showtee... Warning: Possible Showtee Rootkit installed
Searching for Romanian rootkit... /usr/include/file.h /usr/include/proc.h
Searching for ShKit rootkit default files and dirs... Possible ShKit rootkit installed
/sbin/ifconfig [ BAD ]
/sbin/syslogd [ BAD ]
/bin/login [ BAD ]
/bin/ls [ BAD ]
/bin/netstat [ BAD ]
/bin/ps [ BAD ]
/usr/bin/find [ BAD ]
/usr/bin/login [ BAD ]
/usr/bin/md5sum [ BAD ]
/usr/bin/passwd [ BAD ]
/usr/bin/top [ BAD ]
/usr/bin/wget [ BAD ]
Rootkit 'Flea Linux Rootkit'... [ Warning! ]
Rootkit 'SHV4'... [ Warning! ]
Rootkit 'SunOS Rootkit'... [ Warning! ]
Checking for allowed root login... Watch out Root login possible. Possible risk!
info: Users can use SSH1-protocol (see logfile for more information).
You really should upgrade to something more recent (Mandrake/Mandriva is still free) since they long ago stopped doing security updates for 9.2. If your ssh is that badly setup or that old that it almost straight away gets cracked when exposed to the net then you have a serious problem with your system. You pretty much have to do a complete reinstall now as unspawn suggested so you may as well reinstall with something new which is supported and doesn't have as many security vulnerabilities.
ok ive upgraded to mandrake 10.1 with iptbales installed and running
I'm sorry if anyone here gave you the wrong impression, but upgrading is not the solution.
What you should do is save your data (that is: database backups and readable data, so no binaries) off-site, have the disks wiped clean and then install the O.S. It may seem over the top, but is unfortunately necessary to be 100 percent sure nothing was left. Anyone with enough knowledge and time to figure out how your box was compromised may take shortcuts but anyone else I wouldn't recommend taking that road.
I'm not sure why you got 10.1 - its 2 versions behind now and probably will stop getting security updates soon, if it hasn't already The latest is Mandriva 2006 and its a free download off their website as normal.
Mandrake uses shorewall to configure iptables so you should add rules using that instead of directly using the iptables command. Its pretty easy, see http://www.shorewall.net/Documentation.html
If you want to use your iptables script or Guarddog or Firestarter instead then just uninstall shorewall.
As suggested in the previous posts, you really should back up your data (NO BINARIES) and wipe the disks, then do a fresh install.
To harden sshd but keep it accessible do the following:
First create a group (such as sshusers) that contains only the users that are allowed to login via ssh, then add those options to /etc/ssh/sshd_config (or it's equivelant in your distro):
PermitRootLogin no
AllowGroups sshusers
Other suggestions to hardening sshd include:
1) Change the default port (22) to something else... this will keep out most script kiddies.
2) Use an ssh lockout script to ban IPs that get too many failed logins. A very good script (which I use on my server) can be found at http://www.zmonkey.org/blog/node/28
Again, note that this script is written for Debian so you mgiht want to tweak it a bit.
<Edit>
To save your iptables rules use:
#iptables -nvL
check that everything is as it should be, then
#/etc/init.d/iptables save
#/etc/init.d/iptables restart
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
Ive been hacked
The latest is Mandriva 2006 and its a free download off their website as normal.
