Been hacked?, was: How to disable rm command for an user
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
If you really have no idea how they are getting in, you need to do a clean install and lock down the box as best you know how.
With all due respect, that is the wrong way to go about this. This apparently has already happened twice and unless the OP takes the time to figure out why, it will keep happening. A clean install might be helpful, but then again they might just be putting the same vulnerabilities in place. Without an investigation, they simply are guessing.
Quote:
With all due respect, that is the wrong way to go about this. This apparently has already happened twice and unless the OP takes the time to figure out why, it will keep happening. A clean install might be helpful, but then again they might just be putting the same vulnerabilities in place. Without an investigation, they simply are guessing.
I see your point, I think I was being a little (or rather, extremely) optimistic. When I said 'lock down the box as best as you know how', I really should have said, 'learn as much as you possibly can about securing Linux and put it into practice'. He needs to take a pro-active approach to security, not just wait for vulnerabilities to be exploited and then fix them.
That all said, you are right, the OP needs to find the vulnerability, although I fear that it may prove to be a little like searching for a hole in a sieve. Hopefully, just the act of trying to find out how his server was exploited will demonstrate just how insecure it (almost certainly) is.
Is it possible to elaborate on your actual problem you want to solve rather than asking about this particular solution?
Congratulations! That was the first sane question the thread has seen up to that point. I don't get why it needs to take five posts to get there. Anyone with practical knowledge of GNU/Linux should realize what the OP wants to achieve is not the goal but a symptom of something else.
Quote:
Originally Posted by Hangdog42
You're looking at the wrong problem. What you need to address is why your server gets cracked repeatedly. Until you start addressing that, everything else is likely useless.
Yes! One hundred percent on the mark! Kludges, changed permissions, in fact every other suggestion directly addressing the OP's question, is just plain wrong.
Quote:
Originally Posted by hansemmanuel
My actual problem is one webserver is hacked. A malicious script ran on that server.
As Hangdog42 already suggested: read that link as it provides you with steps to perform and give us details we can work with.
In the meanwhile:
- verbosely list (and save) processes, open files, network connections and user login records,
- shut down your web stack (web server, database) and any other Internet-facing services you don't need to access the machine (you only need SSH),
- raise your firewall to only allow traffic between your server and your (home, management) IP (or range).
That should at least stabilize things while you get a grip on how to collect "evidence".
Last edited by unSpawn; 04-07-2010 at 10:49 AM.
Reason: //more *is* more
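The triage steps listed above, as an added shell example that is not part of the original post: it snapshots processes, open files, sockets and login records into a directory, seals them with a checksum manifest, and prints (without applying) iptables rules that leave only SSH from one management address open. The output file names, the management address 203.0.113.5 (a documentation range) and the choice of tools are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): snapshot the volatile state of a
# suspected compromised host BEFORE stopping services, seal the snapshot with
# checksums, and emit firewall rules restricting the box to one management
# address. File names and 203.0.113.5 are assumptions; absent tools are noted.

run_and_save() {   # run_and_save <outfile> <command> [args...]
    out="$1"; shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >"$out" 2>&1 || true
    else
        echo "tool not present on this host: $1" >"$out"
    fi
}

collect_evidence() {   # collect_evidence <outdir>; returns 0 on success
    dir="$1"
    mkdir -p "$dir" || return 1
    date -u >"$dir/collected_at.txt"
    run_and_save "$dir/processes.txt"       ps auxwww        # processes
    run_and_save "$dir/open_files.txt"      lsof -n -P       # open files
    run_and_save "$dir/sockets_ss.txt"      ss -tulpan       # connections
    run_and_save "$dir/sockets_netstat.txt" netstat -tulpan  # older boxes
    run_and_save "$dir/logins_last.txt"     last -a          # login records
    run_and_save "$dir/logins_w.txt"        w                # who is on now
    # Seal the snapshot: a checksum manifest lets you show later that the
    # collected files were not altered after the fact.
    : >"$dir/MANIFEST.sha256"
    if command -v sha256sum >/dev/null 2>&1; then
        (cd "$dir" && sha256sum ./*.txt) >"$dir/MANIFEST.sha256"
    fi
    return 0
}

# Emit (do not apply) iptables rules that allow only SSH from the management
# address, loopback and already-established traffic. Review, then apply as
# root; the OUTPUT policy also blocks outbound callbacks from the box.
mgmt_only_rules() {   # mgmt_only_rules <management-ip-or-cidr>
    cat <<EOF
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT  -p tcp -s $1 --dport 22 -j ACCEPT
EOF
}
```

Run `collect_evidence /root/evidence-$(date +%s)` first, copy the directory off the box, and only then stop the web stack and apply the printed rules.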
If it is just that user affected, then you can probably just delete the user (if you are in a hurry) but you must address the security problem.
Note: something is running rm as a specific user? Has that user installed/run the malware? Why is the whole server dependent on files with user write access?
Last edited by Simon Bridge; 04-07-2010 at 11:33 AM.
This is very tough to do, because this looks like security by obscurity...
Say you revoke the rights to execute 'rm' by the chmod commands given. What prevents me from copying the rm binary to my homedir, giving it execute permissions and then just using that one?
Quote:
Originally Posted by Tinkster
But that would stop EVERYONE who's not root; not
what he asked for ;}
With all due respect but what he asked for, or any discussion that does not address helping him clean up his act, is only distraction at this point. Let's focus on his cracked machine and what to do with it. If anyone however feels it is worth discussing secondary issues I will happily prune off that part of the discussion to a spanking brand new thread. I hope y'all catch my drift wrt priorities and such.
Quote:
With all due respect but what he asked for, or any discussion that does not address helping him clean up his act, is only distraction at this point. Let's focus on his cracked machine and what to do with it. If anyone however feels it is worth discussing secondary issues I will happily prune off that part of the discussion to a spanking brand new thread. I hope y'all catch my drift wrt priorities and such.
It was just a side thought, no need for a new thread.
If it bothers you that much then remove the post.
Quote:
Originally Posted by Tinkster
But that would stop EVERYONE who's not root; not
what he asked for ;}
Quote:
If anyone however feels it is worth discussing secondary issues...
The problem is that the OP is the one that is directing the discussion towards secondary issues...
Quote:
Actually now I am planning to improve my security by IDS or a logging s/m
Probably a worthwhile additional measure, but its not investigating/fixing the basic security problem (or problems); why are you resisting working on the basic problem?
Actually now I am planning to improve my security by an IDS or a logging s/m.
Which is the better one, logwatch? For IDS, Snort?
Salasi is right. Unless you're willing to start looking at how you were cracked in the first place, adding logwatch or Snort won't do you any good. Heck, it might even make the situation worse by giving you a false sense of security if you put them on a cracked machine.
True, on a cracked system your logfiles can't even be trusted.
Don't know what distro you're using, but is SELinux available? This cripples a hacker enormously, since he is not able to use binaries that are not meant for him to run. I'd imagine that the 'apache' user is not allowed, within his (SELinux) domain, to remove any files. I would have to dig into the TEs for that, but it'd make sense.