Unfortunately, the system is a remote server so I can't just shut it off... All I can do is reboot but that won't help much.
However, this is what I have done to help me find some traces:
- At first I thought the system wasn't compromised since clamav, rkhunter, and rpm -Va did not find any visible traces of abuse. This makes me believe that my system was probably not targeted to be damaged, instead just used as some kind of gateway.
- Then I ran lsof -i but did not find any suspicious information. As Capt_Caveman said, this will show any processes using a connection socket, but it didn't list anything abusive.
- nmap -sT -O localhost did not report any suspicious information either... and neither did netstat.
- Then I used iptstate (awesome program) and I located 6 connections on port 1500, all originating from/to 6 different IP addresses. I am quite sure that there is no service that I run on that port and I have set up my box quite carefully. Also, the abuse logs I received from the reporting provider all stated that the attacks were coming from my IP address on port 1500.. so voila, there is the intruder connecting.
- Knowing I'm somehow being hacked, I did some packet sniffing with tcpdump ...a good way to scan it without all the extra data is: tcpdump | grep source_ipaddress ...of course, replace the source IP with the incoming IP or another variation of whatever. Unfortunately, the data didn't make much sense to me but it did show that there was traffic back and forth between the interfaces. Another good packet sniffer is snort ...but snort gave me more info than I asked for, mostly stuff I didn't understand either.. but it does generate good logs.
- Anyhow, after confirming I actually got hacked and giving consideration to the fact that I did not find any traces of actual file system abuse, I set up a new firewall for my box. I have to admit, my original firewall was weak... the new one, though, I've put much more work into and defined the majority of rule-sets in detail. I've set up the firewall to start at boot time.. and then I rebooted the box. Once the box came back up, there were no more connections present and so far I've been monitoring all connections extremely closely and no attempts to crack my box yet.
I understand that by not reinstalling the OS I'm still taking a risk of being hacked again, but for the pure learning experience I'm gonna keep this system running for a few days - maybe a week - and see if I get hacked again or not... and then prolly reimage with time. I have collected a TON of data and logs of all the scans I have done and so forth, hopefully I can find some docs on how to read and understand the tcpdump and snort output properly.. if there is anyone that would like to help me analyze it please let me know.
... if there are any other suggestions anyone might have on how to possibly find out more data about the hacking attempt, possibly cool tools to use and so forth please let me know.
The thing that's killing me is.. how the hell did they manage to hack my system.
Jes.
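One way to automate the iptstate step Jes describes above (spotting a local port with live connections that no known service accounts for, and counting how many distinct peers are on it) is to parse the kernel's conntrack table directly, since that is the data iptstate displays. The script below is an added example written for this thread, not something from the original post or from the iptstate project; the local address, the allowlists, the ephemeral port range and the nine conntrack lines are constructed for illustration, with addresses taken from documentation ranges.

```python
"""Triage live connections (the data iptstate shows) against an allowlist.

Hypothetical helper, not the poster's own script: it parses
/proc/net/nf_conntrack (or the older /proc/net/ip_conntrack) entries and
reports inbound service ports, outbound destination ports and fixed outbound
source ports that no expected service explains.
"""
import re
from collections import defaultdict

# Assumed local address and allowlists; adjust for the box being examined.
LOCAL_IPS = {"192.0.2.10"}
EXPECTED_INBOUND = {("tcp", 22), ("tcp", 80), ("tcp", 443)}
EXPECTED_OUTBOUND = {("tcp", 80), ("tcp", 443), ("udp", 53), ("udp", 123)}
EPHEMERAL = (32768, 60999)  # Linux default ip_local_port_range

# Constructed sample in nf_conntrack format. The six port-1500 peers are
# invented to mirror the post's finding; none of these addresses are real.
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=203.0.113.7 dst=192.0.2.10 sport=45120 dport=1500 src=192.0.2.10 dst=203.0.113.7 sport=1500 dport=45120 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 431980 ESTABLISHED src=203.0.113.8 dst=192.0.2.10 sport=45121 dport=1500 src=192.0.2.10 dst=203.0.113.8 sport=1500 dport=45121 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 431950 ESTABLISHED src=198.51.100.21 dst=192.0.2.10 sport=33001 dport=1500 src=192.0.2.10 dst=198.51.100.21 sport=1500 dport=33001 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 431940 ESTABLISHED src=198.51.100.22 dst=192.0.2.10 sport=33002 dport=1500 src=192.0.2.10 dst=198.51.100.22 sport=1500 dport=33002 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 431900 ESTABLISHED src=192.0.2.10 dst=203.0.113.40 sport=1500 dport=40212 src=203.0.113.40 dst=192.0.2.10 sport=40212 dport=1500 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 431890 ESTABLISHED src=192.0.2.10 dst=198.51.100.77 sport=1500 dport=40213 src=198.51.100.77 dst=192.0.2.10 sport=40213 dport=1500 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 431000 ESTABLISHED src=192.0.2.200 dst=192.0.2.10 sport=50100 dport=22 src=192.0.2.10 dst=192.0.2.200 sport=22 dport=50100 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 119 TIME_WAIT src=192.0.2.10 dst=198.51.100.5 sport=51234 dport=443 src=198.51.100.5 dst=192.0.2.10 sport=443 dport=51234 [ASSURED] mark=0 use=1
ipv4     2 udp      17 29 src=192.0.2.10 dst=192.0.2.53 sport=40001 dport=53 src=192.0.2.53 dst=192.0.2.10 sport=53 dport=40001 [ASSURED] mark=0 use=1
"""

_KV = re.compile(r"\b(src|dst|sport|dport)=(\S+)")
_PROTO = re.compile(r"\b(tcp|udp)\b")
_STATE = re.compile(r"\b(ESTABLISHED|SYN_SENT|SYN_RECV|FIN_WAIT|CLOSE_WAIT|LAST_ACK|TIME_WAIT|CLOSE)\b")


def parse_conntrack(text):
    """Return one dict per tcp/udp entry, keeping only the original-direction tuple."""
    entries = []
    for line in text.splitlines():
        proto = _PROTO.search(line)
        if not proto:
            continue
        first = {}
        for key, value in _KV.findall(line):
            first.setdefault(key, value)  # first src/dst/sport/dport = original direction
        if not {"src", "dst", "sport", "dport"} <= set(first):
            continue
        state = _STATE.search(line)
        entries.append({
            "proto": proto.group(1),
            "state": state.group(1) if state else "-",
            "src": first["src"], "dst": first["dst"],
            "sport": int(first["sport"]), "dport": int(first["dport"]),
        })
    return entries


def triage(entries, local_ips=LOCAL_IPS, expected_inbound=EXPECTED_INBOUND,
           expected_outbound=EXPECTED_OUTBOUND, ephemeral=EPHEMERAL):
    """Map (kind, proto, port) -> sorted remote IPs for connections the allowlists do not explain."""
    findings = defaultdict(set)
    for e in entries:
        inbound = e["dst"] in local_ips and e["src"] not in local_ips
        outbound = e["src"] in local_ips and e["dst"] not in local_ips
        if inbound and (e["proto"], e["dport"]) not in expected_inbound:
            # A remote host reached a local port no known service listens on.
            findings[("inbound-service", e["proto"], e["dport"])].add(e["src"])
        if outbound:
            if (e["proto"], e["dport"]) not in expected_outbound:
                # The box itself connected out to a destination port it normally never uses.
                findings[("outbound-dest", e["proto"], e["dport"])].add(e["dst"])
            if not ephemeral[0] <= e["sport"] <= ephemeral[1]:
                # Outbound traffic bound to a fixed, non-ephemeral source port suggests
                # a tool picking its own port rather than an ordinary client.
                findings[("outbound-fixed-sport", e["proto"], e["sport"])].add(e["dst"])
        # Entries with neither endpoint local are forwarded traffic; out of scope here.
    return {k: sorted(v) for k, v in findings.items()}


def distinct_peers(findings, proto, port):
    """All remote IPs seen on one local port, whichever direction the connection went."""
    peers = set()
    for (_kind, p, prt), ips in findings.items():
        if p == proto and prt == port:
            peers.update(ips)
    return sorted(peers)


if __name__ == "__main__":
    found = triage(parse_conntrack(SAMPLE_CONNTRACK))
    for (kind, proto, port), ips in sorted(found.items()):
        print(f"{kind:22} {proto}/{port:<5} {len(ips)} peer(s): {', '.join(ips)}")
    print("all peers on tcp/1500:", distinct_peers(found, "tcp", 1500))
```

On a live box you would feed it `cat /proc/net/nf_conntrack` instead of the sample text. The point of splitting the checks three ways is that the same port-1500 activity shows up differently depending on direction: inbound peers land on the local service port, while the box's own outbound connections expose themselves through a fixed, non-ephemeral source port, and only the union of both views gives the full peer count.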