LinuxQuestions.org
Linux - Newbie This Linux forum is for members that are new to Linux.
Old 08-05-2006, 11:40 AM   #1
stuartc1
LQ Newbie
 
Registered: Oct 2004
Posts: 9

Urgent: Server Hacked - please help


Hi,

Someone has managed to compromise my Linux (Fedora) server today. The evil person has added IFRAMEs to many of my sites' homepages - the iframe loads a remote page which contains a Java applet which downloads and attempts to install at least 3 nasty viruses on the clients.


My question is:

How can I find out a list of files edited/created today? Is there some command where I can get a list of these files? I know about ls and some basic params, but not sure about finding files by date. Is there a grep or something else for this?


Please please help...
 
Old 08-05-2006, 12:07 PM   #2
zaichik
Member
 
Registered: May 2004
Location: Iowa USA
Distribution: CentOS
Posts: 419

I think you might be looking for something along the lines of find, as in
Code:
find / -mtime -1
This will find all the files from the root partition down that have been modified (-mtime) 1 day or less ago.

That's probably going to be a very large number of files, so you might want to filter the output through grep to search for certain extensions (like .html and so forth), or use more of the options that the find command has to offer.

A word of warning, though--the last time I saw this, the server had actually been compromised, rather than user files being replaced. Turns out that there was a loadable kernel module that caused Apache to write the IFRAME. The issue was resolved by backing up the data and reinstalling the OS. Probably not what you wanted to hear.

Good luck.
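Putting the find-plus-grep approach from this reply into a reusable form, as an added example that is not from the thread: it lists .html/.htm/.php files under a web root modified within the last N days and flags the ones that contain an iframe tag. The directory layout and page contents are constructed for demonstration, and the mtime filter is only as trustworthy as the host it runs on.

```shell
#!/bin/sh
# Added example, not from the thread: triage recently modified web files and
# flag those carrying an <iframe> tag. Directory names and page contents below
# are constructed for demonstration. Caveat: mtimes are only as trustworthy as
# the box they come from; on a root-compromised host they may have been reset.

# Print regular .html/.htm/.php files under $1 modified within the last
# $2 days (default 1), one path per line, sorted.
recent_web_files() {
    root=$1
    days=${2:-1}
    find "$root" -type f \( -name '*.html' -o -name '*.htm' -o -name '*.php' \) \
        -mtime "-$days" 2>/dev/null | sort
}

# Read paths on stdin and print "path:line:text" for every line that
# contains an <iframe> tag, case-insensitively (upper and lower case occur).
flag_iframes() {
    while IFS= read -r f; do
        grep -inH '<iframe' "$f" 2>/dev/null
    done
}

# Build a constructed web root: two pages with an injected iframe appended
# at the bottom (as the original poster described) and one clean page dated
# 2006 so that it falls outside the -mtime window.
make_sample_root() {
    dir=$(mktemp -d)
    mkdir -p "$dir/site1/about"
    printf '<html><body>Home</body></html>\n<IFRAME src="http://example.invalid/x"></IFRAME>\n' \
        > "$dir/site1/index.html"
    printf '<?php include "myhomepage.php"; ?>\n<iframe src="http://example.invalid/y"></iframe>\n' \
        > "$dir/site1/about/index.php"
    printf '<html><body>Clean</body></html>\n' > "$dir/site1/clean.html"
    touch -t 200601010000 "$dir/site1/clean.html"   # POSIX [[CC]YY]MMDDhhmm form
    echo "$dir"
}

# Number of distinct flagged files in the constructed tree (expected: 2).
count_flagged() {
    root=$(make_sample_root)
    n=$(recent_web_files "$root" 1 | flag_iframes | cut -d: -f1 | sort -u | wc -l)
    rm -rf "$root"
    echo "$n" | tr -d ' '
}
```

Run `recent_web_files /var/www 1 | flag_iframes` against a real document root to get path, line number and the offending line for each hit.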
 
Old 08-05-2006, 12:37 PM   #3
stuartc1
LQ Newbie
 
Registered: Oct 2004
Posts: 9

Original Poster
Thanks zaichik.

That command works as described.

Looks like whatever got access has created an index.html file in every directory of at least one of my sites.

One of the other files I found actually had:
<?php include 'myhomepage.php'; ?>
<!-- the iframe code here -->

This suggests that it may have been done manually, although perhaps not.

Any advice on trying to pinpoint where the breach came from? (I have WHM/Cpanel and ssh access)

Thanks again...
 
Old 08-05-2006, 12:45 PM   #4
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Debian, Ubuntu, LinuxMint, Slackware, SysrescueCD, Raspbian
Posts: 2,207

Unfortunately, if your server was truly hacked you won't be able to trust what you find. If someone successfully hacked your server, then they could have successfully changed the timestamps on the files they modified, successfully replaced your ls, find, and other standard commands with their trojan versions, etc. Even if you were able to list all files modified in the last 24 hours you'd have no idea if that was really an accurate listing.

Things might be a little better if the attacker just found some hole in Apache and got in only with limited Apache permissions (userid www, nobody, etc.) and was not able to escalate to root. If they didn't gain root privileges you have a chance of detecting what they might have done. If they DID gain root, assume that they hid their tracks well and do not trust anything on your system. Chances are they hid their tracks so well that you might not even be able to detect that they gained root in the first place. Disconnect from the network and restore your system from known-clean backups.
 
Old 08-05-2006, 12:51 PM   #5
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Debian, Ubuntu, LinuxMint, Slackware, SysrescueCD, Raspbian
Posts: 2,207

Also, you should scan your system from another system. i.e., go to a different Linux box and run an "nmap" scan and possibly a "nessus" scan looking for entry points.

If you find something fishy - like your local hacked system says "I'm not listening on port 4078" but an nmap scan from another computer tells you that you are listening ... you've got big problems! Time for a bare-metal restore if you find something like this.
 
Old 08-05-2006, 12:53 PM   #6
zaichik
Member
 
Registered: May 2004
Location: Iowa USA
Distribution: CentOS
Posts: 419

Very valid points. It is important that you not confuse a site (or sites) getting hacked with your server being compromised. The former can be cleaned up and usually involves lax permissions (write permissions for the Apache user, most frequently) or PHP cross-site scripting vulnerabilities or something similar and is relatively innocuous. The latter really requires that the system be reinstalled. Run a rootkit checker--preferably two, like rkhunter and chkrootkit. If you have any questions about the results, ask.

Last edited by zaichik; 08-05-2006 at 12:56 PM.
 
Old 08-05-2006, 01:32 PM   #7
stuartc1
LQ Newbie
 
Registered: Oct 2004
Posts: 9

Original Poster
Thanks guys.

On further investigation it looks like something has run and attached the iframe HTML to the bottom of all index.html files.

I'm getting all backups from the backup server (which will take about 6 hours).

I may write a php script to remove all iframes.

I'll try running those commands you suggested and write back if I find any more problems.

thanks again.
 
Old 08-05-2006, 02:47 PM   #8
zaichik
Member
 
Registered: May 2004
Location: Iowa USA
Distribution: CentOS
Posts: 419

Root kit scanners aren't actually commands; you'll have to download and install them.

Some info on root kits is available here

chkrootkit is available here

rkhunter is available here.

Last edited by zaichik; 08-05-2006 at 02:48 PM.
 
  

