LinuxQuestions.org
Old 01-17-2007, 11:11 AM   #1
natv
Member
 
Registered: Mar 2006
Posts: 66

Rep: Reputation: 15
Red face Best way to re-install after server hacked into


Hi guys,

I'm just starting out learning Linux, and learning from a CBT Linux course (didn't get to the security section yet lol).

I have a box at home I set up, there is nothing important on it yet I just installed CentOS to learn on. So I haven't tweaked/secured it yet.

I noticed from doing netstat some IRC servers running, and today I logged in and the last IP that logged in as root was from Romania (I'm in FL) so obviously my server has been hacked into.

Shortly I will be on the chapter in CBT Linux discussing iptables.


Anyway, at that point I will want to delete everything and re-install the OS from scratch, as I'm sure the hackers have modified other files and I'll never be able to figure out what they did.


What is the best way to delete everything to make sure all traces of these hackers are removed? Should I reformat the HD? Or is rebooting on the CentOS CD's and re-installing the system good enough?


Thanks
Nat
 
Old 01-17-2007, 11:17 AM   #2
trickykid
LQ Guru
 
Registered: Jan 2001
Posts: 24,149

Rep: Reputation: 270
First, unplug from the net. Secondly, rebooting and reinstalling after wiping your disks with a format should do the trick.

After installing, learn how to use iptables and setup a good firewall before plugging yourself back into the net. Also skip ahead to the security section.

Even though this machine being cracked into, or losing its data, might not affect you, most kiddie scripters or crackers will use your machine as another point of attack against other machines and networks. With that said, and as mentioned before, it might not harm you, but think of it as you're just assisting the crackers to exploit others.
 
Old 01-17-2007, 11:36 AM   #3
XavierP
Moderator
 
Registered: Nov 2002
Location: Kent, England
Distribution: Debian Testing
Posts: 19,192
Blog Entries: 4

Rep: Reputation: 475
Because this is a security related question, I have moved this to Linux-Security. There are a number of resources you will find invaluable linked in the sticky thread at the top of that forum.
 
Old 01-17-2007, 11:40 AM   #4
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
As you said, it may be nearly impossible, but try your best to find out how they entered.
In case you don't want to reinstall every week.

Change all passwords that may have passed through your server (local, or local->remote, or remote->local access).
 
Old 01-17-2007, 05:01 PM   #5
natv
Member
 
Registered: Mar 2006
Posts: 66

Original Poster
Rep: Reputation: 15
Thanks

Thanks guys

Now a really dumb question - how do I format the drive so I can start all over?

Do I just 'fdisk' and remove all partitions and then reboot on install CD's and re-install the OS?

I want to make sure I remove all traces of these hackers. I've learned how to partition drives and create filesystems, but haven't come across anything like "formatting" in my course yet.



Thanks
Nat
 
Old 01-17-2007, 06:37 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
(Regardless of what "evidence" you did or did not find) the chance somebody stored goodies in slack or near MBR/PT space is very small. If you however don't want to take a chance (which is a good approach), then boot a Live CD and zero out the drive: "dd if=/dev/zero of=/dev/hda", where "hda" is your target hard disk (and not the one you've been downloading music on for the past five years ;-p). Some Live CDs come with shredders that "securely delete" according to DoD or similar standards, but for this purpose 'dd' should be enough. Now your drive is filled with zeroes and can be sautéed with chopped onions and fava beans. If it's a SCSI disk you should sacrifice a goat first, just in case.
 
Old 01-17-2007, 10:48 PM   #7
natv
Member
 
Registered: Mar 2006
Posts: 66

Original Poster
Rep: Reputation: 15
Thanks

Thanks for the replies.

I've reformatted/re-installed CentOS, enabled the firewall this time (and will soon figure out the iptables stuff), and I installed chkrootkit and aide and will continue to read all the great security info in the sticky.

I tried to change my SSH port to another number, but it doesn't seem to be working. I edited the port in:

/etc/services
and
/etc/ssh/ssh_config


Was there anywhere else this needs to be changed? I had to put it back to the default port 22 because the new port wasn't taking effect even after a reboot.


Thanks,
Nat
 
Old 01-18-2007, 09:15 PM   #8
dx0r515t
Member
 
Registered: Jan 2005
Location: USA
Distribution: Slackware 10.2 & 11.0
Posts: 155

Rep: Reputation: 30
To change the port that ssh runs on edit this file (at least on slackware 10.2):

/etc/ssh/sshd_config

in that file change the port to a different port like 2222. Also change the protocol to 2 as well to force the use of sshv2. To restart ssh you can run this command (on rc.d):

Code:
/etc/rc.d/rc.sshd restart
If you do that you won't have to reboot the system. Also set your /etc/hosts.deny to ALL:ALL. Once you do this edit /etc/hosts.allow and allow only those things you need such as sshd: 192.168.0.175 if you only wanted to allow ssh access from that IP. You can also do ranges like 192.168.0.0/24. However this is no replacement for a good firewall.
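An added example, not code from this thread or from any poster: a POSIX shell script that changes the Port in an sshd_config (the server file, not the client's /etc/ssh/ssh_config that was edited above) and reads back the active ports. It works on a constructed sample file, not the real /etc/ssh/sshd_config, and the restart command for your distribution is still a separate step.

```shell
#!/bin/sh
# Added example (not from the thread). Edits the sshd SERVER config; the client
# file /etc/ssh/ssh_config and /etc/services have no effect on the listening port.
set -eu

# sshd_ports FILE: print the port(s) sshd would listen on, one per line.
# Skips commented lines, tolerates leading whitespace and any keyword case;
# with no active Port directive sshd defaults to 22.
sshd_ports() {
    ports=$(sed -n 's/^[[:space:]]*[Pp][Oo][Rr][Tt][[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$1")
    if [ -n "$ports" ]; then printf '%s\n' "$ports"; else echo 22; fi
}

# set_sshd_port FILE PORT: validate PORT, comment out every active Port and
# Protocol line, then append "Port PORT" and "Protocol 2" (a .bak copy is kept).
set_sshd_port() {
    file=$1 port=$2
    case $port in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    sed -i.bak -e 's/^[[:space:]]*[Pp][Oo][Rr][Tt][[:space:]]/#&/' \
               -e 's/^[[:space:]]*[Pp][Rr][Oo][Tt][Oo][Cc][Oo][Ll][[:space:]]/#&/' "$file"
    printf 'Port %s\nProtocol 2\n' "$port" >> "$file"
}

# Demo on a constructed sample config, never on the real /etc/ssh/sshd_config.
demo_sshd_port() {
    cfg=$(mktemp)
    printf '#Port 22\nPort 22\nProtocol 2,1\nListenAddress 0.0.0.0\n' > "$cfg"
    set_sshd_port "$cfg" 2222
    sshd_ports "$cfg"          # prints 2222
    rm -f "$cfg" "$cfg.bak"
}
demo_sshd_port
```

After changing the real file, the new port only takes effect once sshd is restarted (or the box rebooted), and any firewall or router in front of the box must allow the new port too.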
 
Old 01-18-2007, 11:20 PM   #9
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Ubuntu 12.04, Antix19.3
Posts: 3,797

Rep: Reputation: 282
Please note that the posted code above will more than likely not work for CentOS. You must figure out how to restart SSHD in CentOS (I don't know) or reboot the box.
 
Old 01-19-2007, 12:34 AM   #10
haxpor
Member
 
Registered: Dec 2006
Distribution: Ubuntu 20.04
Posts: 87

Rep: Reputation: 15
natv, if your server is behind a router or firewall, you must also change the incoming port on the router or firewall to exactly match the port you edited in sshd_config, so that it will allow the incoming request through to sshd.
 
Old 01-19-2007, 10:26 AM   #11
Tux-Slack
Member
 
Registered: Nov 2006
Location: Slovenia
Distribution: Slackware 13.37
Posts: 511

Rep: Reputation: 37
Why is everyone here talking about installing a firewall?
Isn't ipchains/iptables a firewall?

Quote:
Originally Posted by wikipedia.org
ipchains is a free software based firewall for Linux.
ipchains is superseded by iptables in Linux 2.4 and above.
 
All times are GMT -5. The time now is 04:53 AM.