LinuxQuestions.org
Old 09-14-2010, 02:40 PM   #1
LXer
LXer NewsBot
 
Registered: Dec 2005
Posts: 75,206

Rep: Reputation: 87
LXer: What To Do If You Think Your Linux Server Was Hacked


Published at LXer:

There are a number of things you can do if you think your Linux box was hacked. A common myth is to simply and quickly reinstall the OS; however, that is the exact opposite of what you want to do, at least initially. What you want to do ASAP is take the box offline. Before you do that, you have an option: you can get some data on what's running and which IPs are currently connected.

Read More...
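As an added example (not code from the LXer article or from this thread), here is a small POSIX shell script that does the "get some data before you pull the cable" step the excerpt describes: it snapshots the volatile state (logged-in users, current network connections with owning PIDs, process list, processes whose binary has been deleted from disk, ARP/route tables, loaded modules, crontabs) into one directory, records the exit status of each command, and hashes the lot so later tampering is detectable. The command list, file names and directory layout are my choices, not the article's. Two caveats a responder should keep in mind: on a rootkitted box the system's own ps, netstat and lsof can lie, so run statically linked copies from known-good media if you have them; and the collection itself changes the machine (new processes, file writes), so write the output to removable media or a network share rather than the suspect disk, and note what you ran and when.

```shell
#!/bin/sh
# Volatile-state capture for a suspected-compromised Linux host.
# Added example, not code from the LXer article or this thread.
# Run as root BEFORE disconnecting the network; point DIR at removable media
# or a network path rather than the suspect disk where you can.
# Assumption: the command list and output file names below are my choices.

# run_cmd DIR NAME CMD [ARGS...]: save CMD's output to DIR/NAME.txt and its
# exit status to DIR/run.log. Commands this box lacks are skipped and noted;
# a non-zero exit status never aborts the collection.
run_cmd() {
    dir="$1"; name="$2"; shift 2
    if ! command -v "$1" >/dev/null 2>&1; then
        echo "$name skipped: $1 not found" >> "$dir/run.log"
        return 0
    fi
    rc=0
    "$@" > "$dir/$name.txt" 2>&1 || rc=$?
    echo "$name exit=$rc" >> "$dir/run.log"
}

# write_manifest DIR: SHA-256 every collected file so the evidence can be
# checked for tampering later (copy MANIFEST.sha256 somewhere safe too).
write_manifest() {
    dir="$1"
    if command -v sha256sum >/dev/null 2>&1; then hasher="sha256sum"; else hasher="shasum -a 256"; fi
    ( cd "$dir" && $hasher *.txt run.log > MANIFEST.sha256 )
}

# collect_volatile DIR: the most transient data (who is connected right now)
# is captured first, slower-changing state afterwards.
collect_volatile() {
    dir="$1"
    mkdir -p "$dir"
    run_cmd "$dir" date         date -u '+%Y-%m-%dT%H:%M:%SZ'
    run_cmd "$dir" uptime       uptime
    run_cmd "$dir" logged_in    who -a
    run_cmd "$dir" connections  ss -tunap            # connected IPs and the PID behind each socket
    run_cmd "$dir" netstat      netstat -tunap       # same information on older boxes without ss
    run_cmd "$dir" lsof_net     lsof -nP -i
    run_cmd "$dir" processes    ps auxww
    run_cmd "$dir" deleted_exes sh -c 'ls -l /proc/[0-9]*/exe 2>/dev/null | grep "(deleted)"'
    run_cmd "$dir" open_deleted lsof -nP +L1         # files still open but already unlinked
    run_cmd "$dir" neighbours   ip neigh
    run_cmd "$dir" routes       ip route
    run_cmd "$dir" modules      cat /proc/modules
    run_cmd "$dir" mounts       cat /proc/mounts
    run_cmd "$dir" crontabs     sh -c 'cat /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/* /var/spool/cron/* 2>/dev/null'
    run_cmd "$dir" last_logins  last -a -n 50
    write_manifest "$dir"
}

# Usage: sh triage.sh /mnt/usb/evidence-$(hostname)-$(date +%s)
# With no argument the script only defines the functions (so it can be sourced).
if [ "$#" -ge 1 ]; then
    collect_volatile "$1"
fi
```

The deleted_exes and open_deleted captures are worth a look before anything else: a process whose executable no longer exists on disk, or a log file that is open but unlinked, is a common sign of a dropper that cleaned up after itself, and both disappear the moment the box is powered off.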
 
Old 09-15-2010, 07:29 AM   #2
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,790
Blog Entries: 1

Rep: Reputation: 414
This article should be mandatory reading for anyone connecting to the Internet.
 
Old 09-15-2010, 08:19 AM   #3
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1269
Quote:
Originally Posted by Hangdog42
This article should be mandatory reading for anyone connecting to the Internet.

I don't really agree with everything that is said, unless it is a server that is being attacked (yes, the article is for a Linux server). If it is my computer I'd take it offline ASAP; running the commands it mentions is only for if you want to report the event (which is often a good idea, but also often completely useless). I've never had anyone respond to me by saying "thank you for your report, we will analyze it and take measures against the offender"; in fact they don't even e-mail back, and I bet they don't even care unless it is an important server at an important company.

Now, you'll probably end up running those commands before you even realize that you've been hacked, just save the output then take it offline and continue with the rest.

Overall, I guess it's a decent summary.

Last edited by H_TeXMeX_H; 09-15-2010 at 08:20 AM.
 
Old 09-15-2010, 11:51 AM   #4
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,790
Blog Entries: 1

Rep: Reputation: 414
Quote:
Originally Posted by H_TeXMeX_H
running the commands it says are only if you want to report the event
Uh, no. Those commands are to help you investigate what happened so that you can prevent it from happening again. If you just nuke and re-install, you have no clue what went wrong and stand a good chance of putting the same vulnerability back in place. Commands like netstat, ps and lsof can help you look for stuff that shouldn't be there.


Quote:
Originally Posted by H_TeXMeX_H
I've never had anyone respond to me by saying "thank you for your report, we will analyze it and take measures against the offender"; in fact they don't even e-mail back, and I bet they don't even care unless it is an important server at an important company.
While I agree with you 99% of the time, I just had a very odd occurrence a couple of weeks ago. My SSH server was getting nailed by some clown who had slowed down the attack to avoid my firewall restrictions (it blocks after 4 attempts in 2 minutes). Just for yucks, I looked up the ISP (Codero) and reported it. About an hour later I got an email back from their abuse people and they had hunted down the clown and took care of the problem. We need more people like that.
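The slowed-down attack Hangdog42 describes is exactly what a short-window rule like "block after 4 attempts in 2 minutes" cannot see: one guess every 90 seconds never trips it. As an added example that is not part of the thread, here is a shell function that counts sshd "Failed password" lines per source address over the whole log, regardless of how the attempts are spaced, and reports addresses above a threshold together with the number of distinct usernames they tried (many usernames from one address is a stronger signal than many failures for one account). The log lines are constructed for illustration using the documentation addresses 203.0.113.45 and 198.51.100.7; the output format and the function names are my choices.

```shell
#!/bin/sh
# Slow SSH brute-force detection by whole-log counting.
# Added example, not code from this thread. Assumes the stock sshd syslog
# format ("Failed password for [invalid user] NAME from ADDR port N ssh2").

# slow_ssh_failures THRESHOLD: read auth-log lines on stdin and print
# "ADDR FAILURES DISTINCT_USERS" for every source address with at least
# THRESHOLD password failures, most active first.
slow_ssh_failures() {
    thr="${1:-10}"
    awk -v thr="$thr" '
        /sshd\[[0-9]+\]: Failed password for / {
            user = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                # "for root from" vs "for invalid user admin from"
                if ($i == "for")  user = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
                if ($i == "from") ip = $(i+1)
            }
            if (ip == "") next
            fails[ip]++
            if (!((ip, user) in seen)) { seen[ip, user] = 1; nusers[ip]++ }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= thr) printf "%s %d %d\n", ip, fails[ip], nusers[ip]
        }' | sort -k2,2nr -k1,1
}

# sample_auth_log: constructed log lines (not from a real system). The
# 203.0.113.45 attacker spaces guesses 90 seconds apart, so no 2-minute
# window ever holds more than 2 attempts; 198.51.100.7 is an admin who
# mistyped a password twice and then logged in with a key.
sample_auth_log() {
cat <<'EOF'
Sep 15 06:00:03 web1 sshd[2210]: Failed password for root from 203.0.113.45 port 51211 ssh2
Sep 15 06:01:33 web1 sshd[2215]: Failed password for invalid user admin from 203.0.113.45 port 51230 ssh2
Sep 15 06:03:03 web1 sshd[2219]: Failed password for root from 203.0.113.45 port 51254 ssh2
Sep 15 06:04:33 web1 sshd[2224]: Failed password for invalid user oracle from 203.0.113.45 port 51270 ssh2
Sep 15 06:05:40 web1 sshd[2228]: Failed password for root from 198.51.100.7 port 40011 ssh2
Sep 15 06:05:44 web1 sshd[2229]: Failed password for root from 198.51.100.7 port 40012 ssh2
Sep 15 06:05:50 web1 sshd[2230]: Accepted publickey for deploy from 198.51.100.7 port 40013 ssh2
Sep 15 06:06:03 web1 sshd[2231]: Failed password for root from 203.0.113.45 port 51291 ssh2
Sep 15 06:07:33 web1 sshd[2238]: Failed password for invalid user admin from 203.0.113.45 port 51302 ssh2
Sep 15 06:09:03 web1 sshd[2240]: Failed password for root from 203.0.113.45 port 51333 ssh2
Sep 15 06:10:33 web1 sshd[2247]: Failed password for invalid user oracle from 203.0.113.45 port 51350 ssh2
Sep 15 06:12:03 web1 sshd[2252]: Failed password for root from 203.0.113.45 port 51371 ssh2
Sep 15 06:13:33 web1 sshd[2259]: Failed password for invalid user admin from 203.0.113.45 port 51392 ssh2
Sep 15 06:15:03 web1 sshd[2263]: Failed password for root from 203.0.113.45 port 51410 ssh2
Sep 15 06:16:33 web1 sshd[2270]: Failed password for invalid user admin from 203.0.113.45 port 51428 ssh2
EOF
}

# Usage: sh slowbrute.sh /var/log/auth.log 10
# With no arguments the script only defines the functions (so it can be sourced).
if [ "$#" -ge 2 ]; then
    slow_ssh_failures "$2" < "$1"
fi
```

On the constructed log, a threshold of 5 reports only 203.0.113.45 (12 failures, 3 usernames) and stays quiet about the admin's two typos. The address and username count in that line are also exactly what an abuse desk needs to act on a report.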
 
Old 09-15-2010, 12:02 PM   #5
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1269
Quote:
Originally Posted by Hangdog42
Uh, no. Those commands are to help you investigate what happened so that you can prevent it from happening again. If you just nuke and re-install, you have no clue what went wrong and stand a good chance of putting the same vulnerability back in place. Commands like netstat, ps and lsof can help you look for stuff that shouldn't be there.
I see, well to report it you also need the offender's IP at least. I know they won't need lsof or ps, they don't care about that.

Quote:
Originally Posted by Hangdog42
While I agree with you 99% of the time, I just had a very odd occurrence a couple of weeks ago. My SSH server was getting nailed by some clown who had slowed down the attack to avoid my firewall restrictions (it blocks after 4 attempts in 2 minutes). Just for yucks, I looked up the ISP (Codero) and reported it. About an hour later I got an email back from their abuse people and they had hunted down the clown and took care of the problem. We need more people like that.
That's rare, I never got anything like that.
 