LinuxQuestions.org, Linux - Newbie forum
Someone left an ssh port open to the world for a considerable amount of time. I know modern hackers clear syslogs to clear their tracks. What is the best way to find if a rootkit has been installed?
Someone left an ssh port open to the world for a considerable amount of time.
Lots of SSH servers are open to the world 24/7. Do you have reason to believe you had an unauthorized login? Does the system have root login disabled? Does it have any other easily-guessable usernames with login access?
If root login is disabled and you don't have any other guessable usernames, then an attacker is going to have to guess both the username and the password from scratch; the chance that a script-kiddie has of pulling that off is zero. If you were specifically targeted by an individual then maybe they could guess a valid username, but as long as your passwords are reasonably secure, the amount of time it would take to brute force one with SSH's default ~3 second delay after an incorrect login attempt means it would take decades (maybe more) to do so.
It's always a good idea to change the default SSH port and install fail2ban or similar to blacklist IPs after a few failed login attempts, but I'd say the chances of your system getting broken into because somebody left the SSH port exposed is INCREDIBLY small, unless you have some stupid login/password combinations like admin/admin going on.
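An added example, not code from anyone in this thread: the two checks the reply above amounts to, written so they run on constructed sample input. The sshd_config fragment and the auth.log lines are made up for the demonstration; on a real host you would feed it /etc/ssh/sshd_config and /var/log/auth.log (or journalctl -u ssh). The audit reports the settings that make an exposed port brute-forceable, and the log pass counts failed password attempts per source IP the way fail2ban does (its default maxretry is 5) and, more importantly after an exposure, flags any source that failed repeatedly and was then accepted.

```python
"""Added example (not from the thread): audit sshd_config and count failed
SSH logins per source, on constructed sample input."""
import re
from collections import Counter

# Constructed sshd_config fragment with the weak settings on purpose.
SAMPLE_SSHD_CONFIG = """\
# sample config (constructed, not from a real host)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
"""

# Constructed auth.log lines in the usual OpenSSH format (not real log data).
# 203.0.113.5 fails five times and is then accepted for 'bob'.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar  3 10:01:05 host sshd[1203]: Failed password for root from 203.0.113.5 port 40130 ssh2
Mar  3 10:01:09 host sshd[1205]: Failed password for root from 203.0.113.5 port 40141 ssh2
Mar  3 10:01:14 host sshd[1207]: Failed password for invalid user oracle from 203.0.113.5 port 40150 ssh2
Mar  3 10:01:20 host sshd[1209]: Failed password for bob from 203.0.113.5 port 40161 ssh2
Mar  3 10:02:30 host sshd[1220]: Accepted publickey for alice from 198.51.100.7 port 51000 ssh2: ED25519 SHA256:AAAA
Mar  3 10:03:00 host sshd[1222]: Failed password for bob from 198.51.100.9 port 52000 ssh2
Mar  3 10:05:00 host sshd[1230]: Accepted password for bob from 203.0.113.5 port 40200 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")


def parse_sshd_config(text):
    """Return {keyword: value}. sshd honours the FIRST occurrence of a keyword,
    so a later duplicate does not override an earlier one."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0], parts[1].strip())
    return settings


def audit_sshd_config(text):
    """List the settings that make an exposed SSH port easy to brute-force.
    Unset keys are judged by sshd's defaults (PermitRootLogin prohibit-password,
    PasswordAuthentication yes, MaxAuthTries 6)."""
    cfg = parse_sshd_config(text)
    findings = []
    root = cfg.get("PermitRootLogin", "prohibit-password").lower()
    if root not in ("no", "prohibit-password"):
        findings.append(f"PermitRootLogin is '{root}'; set it to no")
    if cfg.get("PasswordAuthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is enabled; use keys and set it to no")
    tries = int(cfg.get("MaxAuthTries", "6"))
    if tries > 6:
        findings.append(f"MaxAuthTries is {tries}; lower it to 3 or fewer")
    return findings


def failed_logins_by_source(log_text):
    """Count failed password attempts per source IP (the signal fail2ban bans on)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def suspicious_sources(log_text, threshold=5):
    """Return (banned, successes): banned is the set of source IPs with at least
    `threshold` failures (what fail2ban's default maxretry would block);
    successes lists (user, ip, prior_failures) for accepted logins that followed
    failures from the same source, which is what to investigate first."""
    failures = Counter()
    successes = []
    for line in log_text.splitlines():        # walk in order so 'prior' is exact
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures[m.group(3)] > 0:
            successes.append((m.group(2), m.group(3), failures[m.group(3)]))
    banned = {ip for ip, n in failures.items() if n >= threshold}
    return banned, successes


if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print("config:", finding)
    banned, successes = suspicious_sources(SAMPLE_AUTH_LOG)
    print("would ban:", sorted(banned))
    for user, ip, n in successes:
        print(f"accepted login for {user} from {ip} after {n} failures from that address")
```

On the sample data the audit produces three findings, 203.0.113.5 crosses the ban threshold, and the accepted password login for bob from that same address after five failures is the line that should trigger a closer look at that account and the host.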
Do you not have a rootkit detector (RootKitHunter perhaps) installed and scheduled for a daily run?
I always try to get rootkit detection, AV, and fail2ban installed on anything with direct access from external networks before user access is allowed.
I'd reload the entire system from clean known good media. I've never had much faith in finding problems. Clean install I know.
If you have a rootkit, they try to hide themselves from all of the normal utilities. If you KNOW you have a rootkit problem, a clean load is always the best answer. It may be overkill in your case, but worth the trouble for your peace of mind.
Just make sure you add rootkit detection or protection before you open services to the internet again, and you should be golden.
It's the old, "Someone broke in and replaced everything with exact duplicates," routine.
I have seen a rootkit infected machine. Acting admin was a CPA, no security training, used short guessable password. That "replaced everything..." is pretty much it.
A few things broke, but most of it kinda worked. For example ps worked, but refused to display the rootkit processes and crashed if there were too many processes (bad code). Top just crashed, but that may have been by intent. I captured some data using a live-cd image from usb and then reimaged the server. Luckily I was called in fast. The server contained no data and had critical configuration files relocated to non-standard paths: the breakers did not get time to figure out why their attempts to subvert the machine were not working.
Re-imaged the machine and re-created the configurations, gave a short workshop on security without humiliating that CPA, advised them to hire a local admin firm or agent to help them protect their network, made sure that they were fully productive and safe, and skipped town. Took a whole two days, and half of that was talking and drinking coffee.
In the extreme case, this is what you should expect and one way to move the client forward after such an exploit.
Off topic: Very nice people, by the way, and I would love to work with them again. Alas, if I did my job right they will never again need me.
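An added example, not code from anyone in this thread: the trojaned ps in the story above hid its processes from ps but not from the kernel, and that gap is exactly what rkhunter and unhide look for. The script below takes three views of the process table (the /proc listing, a kill(pid, 0) probe that never touches /proc or ps, and the output of ps) and reports PIDs that one view shows and another does not. Because processes start and exit between two listings, a single diff gives false positives, so only PIDs hidden in every one of several rounds are reported. The function and file names are my own; nothing here is from rkhunter or unhide.

```python
"""Added example (not from the thread): cross-check /proc, kill(2) probing and
ps to spot processes that a user-space rootkit hides from ps."""
import os
import subprocess


def pids_from_proc():
    """PIDs according to the /proc directory listing."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_from_kill_probe(max_pid=None):
    """PIDs according to kill(pid, 0): ProcessLookupError (ESRCH) means no such
    process, PermissionError (EPERM) means it exists but is not ours. This view
    does not depend on /proc or on the ps binary."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as fh:   # Linux-specific upper bound
            max_pid = int(fh.read())
    alive = set()
    for pid in range(1, max_pid + 1):   # start at 1: pid 0 would signal our own group
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            alive.add(pid)
    return alive


def pids_from_ps():
    """PIDs as the ps binary reports them (the view a trojaned ps would falsify)."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def find_hidden(reference, reported):
    """PIDs present in the reference view but missing from the reported view.
    Pure function, so it can be exercised on constructed sets."""
    return sorted(set(reference) - set(reported))


def consistently_hidden(rounds):
    """Given the find_hidden() result of several rounds, keep only PIDs hidden in
    every round; short-lived processes that exited mid-check drop out."""
    if not rounds:
        return []
    common = set(rounds[0])
    for hidden in rounds[1:]:
        common &= set(hidden)
    return sorted(common)


def check_ps_against_kernel(rounds=3):
    """Compare ps against /proc and against the kill probe, several times.
    Returns {'proc_not_in_ps': [...], 'probe_not_in_ps': [...]}."""
    proc_rounds, probe_rounds = [], []
    for _ in range(rounds):
        reported = pids_from_ps()
        proc_rounds.append(find_hidden(pids_from_proc(), reported))
        probe_rounds.append(find_hidden(pids_from_kill_probe(), reported))
    return {
        "proc_not_in_ps": consistently_hidden(proc_rounds),
        "probe_not_in_ps": consistently_hidden(probe_rounds),
    }


if __name__ == "__main__":
    result = check_ps_against_kernel()
    for view, pids in result.items():
        print(f"{view}: {pids if pids else 'none'}")
```

A clean result on a live host only rules out the simplest case: a kernel-mode rootkit can hook the directory listing, the kill syscall and the ps binary alike, which is why the poster captured data from a live CD and then re-imaged rather than trusting anything the running system said about itself.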
I have seen (not where I currently work BTW) an EC2 box with port 22 open being used as a DDOS machine. I ran the RootKitHunter, no errors. But this summary: