LinuxQuestions.org

Linux - Newbie: help! i've been hacked (https://www.linuxquestions.org/questions/linux-newbie-8/help-ive-been-hacked-210971/)

geo_serban 07-29-2004 06:53 AM

help! i've been hacked
 
Can anyone help me?

I'm hosting a website and I have used e-smith (now known as SME Server) 4.1.1 (I also tried 4.1.2, 5.0, 5.1.2, 5.6) since 2000, I think. It worked fine until the other day, when I noticed it was down. OK! I rebooted the machine, and when it gets to "Finding module dependencies" it freezes.
Had to save my data and reinstall.
It worked for about two days, then I noticed some commands in .bash_history. I am the only one who knows the root password. I also found a .bash_history in / and some files (suckit and psybnc) meticulously hidden in /usr/somewhere...

Can anyone tell me how the h*** this kid (I think) got in?
How can I shut his door (whatever that is)?
Can he gain access through SMTP?
Anyone care to look at my logs? If yes: geo_serban@yahoo.com.

Thank You.

jomen 07-29-2004 07:11 AM

...about knowing if and how someone got in and what they did: the log files could help - but if you were broken into by someone who really knew what he/she was doing, these may have been forged / cleaned of evidence.
I'd update the distribution you are using - preferably first saving important data and then reinstalling from the ground up - if you do not know how they came in and what exactly they did, this is the safest thing to do.
Then get a firewall running - it's included in the kernel, and information on how to set it up can be found through Google and in your docs...
Then get familiar with tripwire - install it and check _regularly_ against the data it produced when it was running over your _clean_ system.
Close all services your machine may be offering to the outside, except those you will need to provide the services you want to provide - and know about setting up these services safely before you expose your system to the internet.
There are websites like http://www.grc.com which you can use to test your machine/firewall.
Check regularly for needed security updates of programs you run on your machine.

Jochen
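
Added example, not part of the thread or of any poster's code: a minimal stand-in for the tripwire workflow Jochen describes (hash every file on a known-clean system, keep that baseline somewhere the attacker cannot reach, and compare later runs against it). It assumes find, sha256sum and awk are available; the tree it builds under mktemp is constructed for the demo and is not a real system path. The demo also simulates what the original post found, a replaced binary and a hidden extra file, and shows the check flagging both.

```shell
#!/bin/sh
# Added example (not from the thread): baseline/compare file integrity check
# standing in for tripwire. Assumes find, sha256sum and awk; demo paths are
# placeholders created below, not real system directories.

# Write a baseline ("<sha256>  <path>" per line, sorted by path) of every
# regular file under tree $1 to file $2. Run this once on the clean system
# and keep the result on read-only media or another host.
fim_baseline() {
    find "$1" -type f -exec sha256sum {} + | sort -k 2 > "$2"
}

# Compare tree $1 against baseline $2. Prints one line per difference
# (MODIFIED / ADDED / REMOVED <path>) and returns 1 if anything changed,
# 0 if the tree still matches. Paths are taken from the fixed offset after
# the 64-hex-digit hash, so paths containing spaces are handled.
fim_check() {
    cur=$(mktemp)
    find "$1" -type f -exec sha256sum {} + | sort -k 2 > "$cur"
    report=$(awk '
        { h = substr($0, 1, 64); p = substr($0, 67) }
        FILENAME == ARGV[1] { base[p] = h; next }     # first file: load baseline
        !(p in base) { print "ADDED " p; next }       # present now, not in baseline
        base[p] != h { print "MODIFIED " p }          # hash changed since baseline
        { seen[p] = 1 }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$2" "$cur")
    rm -f "$cur"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Demo on a constructed tree (stands in for /bin, /usr/sbin, ...).
demo=$(mktemp -d)
mkdir -p "$demo/tree/bin"
printf 'original ps\n' > "$demo/tree/bin/ps"
printf 'original ls\n' > "$demo/tree/bin/ls"
fim_baseline "$demo/tree" "$demo/baseline.sha256"
fim_check "$demo/tree" "$demo/baseline.sha256" && echo "clean: tree matches baseline"

# Simulate what the original post found: a replaced binary and a hidden file.
printf 'trojaned ps\n' > "$demo/tree/bin/ps"
printf 'payload\n' > "$demo/tree/bin/.hidden"
fim_check "$demo/tree" "$demo/baseline.sha256" || echo "tree differs from baseline"
rm -rf "$demo"
```

Two caveats that apply to tripwire as much as to this script: run the compare from a trusted shell and trusted binaries (a rootkit like suckit can hide files from a compromised find or sha256sum), and store the baseline where a root-level intruder cannot rewrite it, otherwise the check proves nothing.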

win32sux 07-29-2004 07:20 AM

you're gonna have to re-install from scratch...

but this time make sure your firewall is tight, and all your packages are updated before you go online... you'll also obviously wanna review your configurations and methodologies... for example, using harder passwords, etc...

if you wanna check your system for more damage before you re-install, run rootkit hunter:

http://www.rootkit.nl/


one thing you wanna make sure is that you don't allow root logins via ssh (common mistake)...

you do that with a PermitRootLogin no in your /etc/ssh/sshd_config
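
Added example, not part of the thread or of win32sux's post: a check for what PermitRootLogin sshd will actually use. sshd_config(5) says the first obtained value for each keyword wins, so appending "PermitRootLogin no" under an existing "PermitRootLogin yes" changes nothing; on a live host "sshd -T" prints the effective values, and this script does the same parsing offline over two constructed sample files so it can be run anywhere. The "yes" fallback used when the keyword is absent is an assumption matching OpenSSH's default in 2004; newer releases default to prohibit-password.

```shell
#!/bin/sh
# Added example (not from the thread): report the effective PermitRootLogin
# value, mirroring sshd's first-occurrence-wins rule. Sample configs below are
# constructed for the demo, not taken from any real host.

# Print the effective value of keyword $1 in config file $2, or $3 when the
# keyword is absent. Only the global section is parsed: anything after a
# "Match" line is conditional and is ignored here.
sshd_effective() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v key="$key" -v def="$3" '
        /^[ \t]*(#|$)/ { next }                            # comments and blank lines
        tolower($1) == "match" { exit }                    # end of the global section
        tolower($1) == key { print $2; found = 1; exit }   # first occurrence wins
        END { if (!found) print def }
    ' "$2"
}

# Succeed only if root SSH logins are off. "yes" is assumed as the default for
# an absent keyword (OpenSSH's default at the time of this thread); pass the
# default that matches your own sshd version when adapting this.
sshd_root_login_disabled() {
    [ "$(sshd_effective PermitRootLogin "$1" yes)" = "no" ]
}

# Constructed sample configs.
tmp=$(mktemp -d)
cat > "$tmp/sshd_config.appended" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# someone "fixed" it by appending at the bottom:
PermitRootLogin no
EOF
cat > "$tmp/sshd_config.fixed" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication yes
EOF

for f in "$tmp"/sshd_config.*; do
    if sshd_root_login_disabled "$f"; then
        echo "$f: root login disabled"
    else
        echo "$f: root login STILL ALLOWED (effective value: $(sshd_effective PermitRootLogin "$f" yes))"
    fi
done
rm -rf "$tmp"
```

After editing sshd_config, restart sshd and confirm with "sshd -T | grep -i permitrootlogin" rather than trusting the file's last line.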


RolledOat 07-29-2004 07:24 AM

Everything win32sux said, plus here is a useful tool...

http://www.chkrootkit.org/

RO

