LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-13-2004, 03:37 PM   #1
mnauta
Member
 
Registered: Apr 2003
Posts: 152

Rep: Reputation: Disabled
Hacked by Paul "Rusty" Russell


My webserver got hacked. All commands like LS were compromised. When I rebooted with boot diskette I got the following message:

"Sorry for the inconvenience, Paul "Russty" Russell ....
Netxt time floppy boot will be disabled ..."

Has anyone had this person do this to their server?

Also, how can I reverse the floppy disable boot issue?

thanks
 
Old 11-13-2004, 03:53 PM   #2
ralvez
Member
 
Registered: Oct 2003
Location: Canada
Distribution: ArchLinux && Slackware 10.1
Posts: 298

Rep: Reputation: 30
Once a system has been compromised the only ** true fix ** is to format the system and start from scratch.
I know it's a pain in the ... but there is no way to be absolutely sure that the cracker has not set up back doors. Hope you have done your due diligence with this system and have back ups of important data.
1. First thing to do is "pull the plug" and get the compromised machine off the network / web.
2. If you have the skills to do so, try to determine what was the "hole" that let the intruder in, so that you can block it from now on.
3. Format the HD and start again.

As per that other message about the floppy disk, the only way (that I know of) to disable it would be if your BIOS is not write protected. Check your motherboard data, it may point you to a jumper that "clears" the BIOS chip to its defaults and then you place the jumper to "no write" so no one can alter your settings but you.

Hope this helps.

R
 
Old 11-13-2004, 03:54 PM   #3
XavierP
Moderator
 
Registered: Nov 2002
Location: Kent, England
Distribution: Debian Testing
Posts: 19,192
Blog Entries: 4

Rep: Reputation: 475
Until a security expert comes along, I would say that your first action should be to isolate the box - get it off the internet, get it off your network. Then try to work out how this person gained access to your box - check logs for activity, see who logged in around that time. Then take a deep breath - because your compromised box has become untrusted. The only way you can be sure that it is safe is to wipe it clean and start again.

FWIW, the only way I can think of to disable your floppy boot is via the bios. But then I'm not a security expert.

Edit - darn it, beaten to the post while typing

Last edited by XavierP; 11-13-2004 at 03:55 PM.
 
Old 11-13-2004, 06:03 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
I'm sure the name is fake as well. Paul "Rusty" Russell is the author of ipchains and iptables (the linux firewalls) and has spent years contributing and maintaining code for linux. So you can be pretty sure that he hasn't hacked your box.

Also pulling the CMOS battery will often reset the BIOS.
 
Old 11-13-2004, 07:20 PM   #5
mnauta
Member
 
Registered: Apr 2003
Posts: 152

Original Poster
Rep: Reputation: Disabled
Quote:
Originally posted by ralvez
Once a system has been compromised the only ** true fix ** is to format the system and start from scratch.
I know it's a pain in the ... but there is no way to be absolutely sure that the cracker has not set up back doors. Hope you have done your due diligence with this system and have back ups of important data.
1. First thing to do is "pull the plug" and get the compromised machine off the network / web.
2. If you have the skills to do so, try to determine what was the "hole" that let the intruder in, so that you can block it from now on.
3. Format the HD and start again.

As per that other message about the floppy disk, the only way (that I know of) to disable it would be if your BIOS is not write protected. Check your motherboard data, it may point you to a jumper that "clears" the BIOS chip to its defaults and then you place the jumper to "no write" so no one can alter your settings but you.

Hope this helps.

R

I got all data backed up, data from last month and today. It's just a f..ing pain because of ColdFusion version and MySQL etc etc. I just got a new box going with Fedora C2.

I guess the "not boot from floppy again ..." is a bluff.

Manuel
 
Old 11-14-2004, 02:33 AM   #6
trickykid
LQ Guru
 
Registered: Jan 2001
Posts: 24,149

Rep: Reputation: 256
Quote:
Originally posted by mnauta
I got all data backed up, data from last month and today. It's just a f..ing pain because of ColdFusion version and MySQL etc etc. I just got a new box going with Fedora C2.

I guess the "not boot from floppy again ..." is a bluff.

Manuel
Some more key things to remember and practice:

1. Use only strong passwords that mean nothing to you or anyone.
2. Don't login directly as root, setup sudo.
3. Keep your packages updated, mainly security related ones.
4. Try to eliminate any services running you don't need.
5. Setup a firewall to block ports you don't want outside access to.

Regards.
 
Old 11-14-2004, 12:17 PM   #7
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 128
Also:

do not use any of the same passwords as you did on the old box, ESPECIALLY ROOT. He may have grabbed your shadow file and then used john the ripper to brute force passwords. This would leave your new setup ripe for the picking if you use the same password. Hint: never use the same password as any compromised box.
 
Old 11-15-2004, 11:35 AM   #8
phatboyz
Member
 
Registered: Feb 2004
Location: Mooresville NC
Distribution: CentOS 4,Free BSD,
Posts: 358

Rep: Reputation: 30
May I add that in your ssh config do not allow root to login and drop the ssh connection after 3 tries.
 
Old 11-15-2004, 12:11 PM   #9
cythrawll
Member
 
Registered: Nov 2004
Location: IL, USA
Distribution: Slackware 10
Posts: 167

Rep: Reputation: 31
Install tripwire to keep an eye on important files (such as ls). Tripwire will alert you if and which files have changed (by email, for example). It might not have prevented such an attack, but it will give you enough information about who, what and when was changed to help you rescue your system. I would watch out on your box, he could have trojanized anything.
 
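Added example, not from cythrawll or any other poster in this thread, and not tripwire itself: a minimal file-integrity baseline in the spirit of what the post describes. It records a SHA-256 for every regular file under a directory and later reports files that CHANGED, went MISSING, or are NEW. Function names, the demonstration tree and the sample file contents are all constructed for this example; it assumes GNU coreutils sha256sum and awk.

```shell
#!/bin/sh
# Added example (not from the thread, and not tripwire): a minimal
# file-integrity baseline. Records a SHA-256 per regular file under a
# directory; later reports CHANGED, MISSING and NEW files.
# Limitation: paths containing whitespace break the awk field split below.

# make_baseline DIR OUT : write "hash  ./path" lines for every file under DIR
make_baseline() {
    (cd "$1" && find . -type f -exec sha256sum {} +) | LC_ALL=C sort -k2 > "$2"
}

# verify_baseline DIR BASELINE : print one line per discrepancy, return 1 if any.
# Content hashes, not timestamps, are compared: the OP noticed "different date
# stamps", but an intruder with root can set any mtime he likes.
verify_baseline() {
    dir="$1"; base="$2"
    cur=$(mktemp)
    make_baseline "$dir" "$cur"
    awk -v base="$base" '
        FILENAME == base { want[$2] = $1; next }     # baseline: path -> hash
        {
            seen[$2] = 1
            if (!($2 in want))       { print "NEW     " $2; bad = 1 }
            else if (want[$2] != $1) { print "CHANGED " $2; bad = 1 }
        }
        END {
            for (f in want) if (!(f in seen)) { print "MISSING " f; bad = 1 }
            exit bad
        }
    ' "$base" "$cur"
    rc=$?
    rm -f "$cur"
    return $rc
}

# Constructed demonstration tree (not real system files).
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
mkdir "$work/bin"
printf 'original ls\n' > "$work/bin/ls"
printf 'original ps\n' > "$work/bin/ps"
baseline="$work/baseline.sha256"   # in real use keep this on read-only media, off the box
make_baseline "$work/bin" "$baseline"

# Simulate what the OP found: a replaced binary plus an extra file dropped in.
printf 'replaced ls\n' > "$work/bin/ls"
printf 'extra\n'       > "$work/bin/.extra"
verify_baseline "$work/bin" "$baseline" || echo "integrity check FAILED"
```

Two caveats that follow from the thread itself: the baseline is only as trustworthy as where it is stored, so keep it off the monitored machine (or on read-only media), and on a box where "he could have trojanized anything" the sha256sum, find and awk binaries themselves may lie, so run the check from a clean rescue boot rather than from the installed system.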
Old 11-15-2004, 12:43 PM   #10
Kropotkin
Member
 
Registered: Oct 2004
Location: /usr/home
Distribution: Linux Mint, FreeBSD, Android
Posts: 358

Rep: Reputation: 32
Quote:
Originally posted by trickykid

2. Don't login directly as root, setup sudo.
How does this improve security?

Last edited by Kropotkin; 11-15-2004 at 04:23 PM.
 
Old 11-15-2004, 04:17 PM   #11
The Chain
LQ Newbie
 
Registered: Oct 2004
Location: USA
Distribution: Slackware10.0,SuSE...
Posts: 24

Rep: Reputation: 15
I have a question: let's say someone hacked me too...then I would only have to reformat the partition that was hacked or the whole drive?
 
Old 11-15-2004, 05:18 PM   #12
cyberliche
Member
 
Registered: Aug 2004
Location: Atlanta
Distribution: Slackware 10
Posts: 85

Rep: Reputation: 15
Re-write the partition table and re-format the whole drive. You don't know how advanced the cracker was so you don't know what he might have planted elsewhere. You'd probably be ok just re-formatting the / and /usr partitions, but why take the chance?
 
Old 11-15-2004, 06:35 PM   #13
mnauta
Member
 
Registered: Apr 2003
Posts: 152

Original Poster
Rep: Reputation: Disabled
Quote:
Originally posted by phatboyz
May I add that in your ssh config do not allow root to login and drop the ssh connection after 3 tries.
Good point. Any help on the file / syntax would save me time googling.

The hack had to be via port 80. This was the only port open to this server (NAT, CISCO PIX). He (the f..ing jerk) got root access this way because LS and MANY other files in /etc were altered (different date stamp) and message was inserted at run level 5.

Strange thing is that after reboot with floppy (several times), LS and other commands worked fine, even without floppy boot ???

Anyway, I had another server up within hours, including all backups

m.
 
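mnauta asks above for the file and syntax behind phatboyz's advice. The two sshd_config keywords involved are PermitRootLogin and MaxAuthTries (the latter available in OpenSSH 3.9 and later; its default is 6 attempts per connection). What follows is an added example, not code from any poster: a small shell audit that reads an sshd_config the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive) and reports whether both settings are hardened. The function names and the two sample configs are constructed for this example; it ignores Match blocks and the rarely used Keyword=value form.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the two
# settings phatboyz suggests, "no root login" and "drop after 3 tries".
# sshd applies the FIRST occurrence of a keyword and matches keywords
# case-insensitively; the parser mimics that. Match blocks are not handled.

# effective_value FILE KEYWORD -> prints the value sshd would use, "" if unset
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*(#|$)/ { next }                         # comments, blanks
        tolower($1) == tolower(key) && !found { print $2; found = 1 }
    ' "$1"
}

# check_sshd_config FILE -> one line per setting, returns 0 only if both pass
check_sshd_config() {
    file="$1"; rc=0

    prl=$(effective_value "$file" PermitRootLogin | tr 'A-Z' 'a-z')
    # Unset means the daemon default, which in OpenSSH of this era was "yes".
    if [ "$prl" = "no" ]; then
        echo "OK   PermitRootLogin no"
    else
        echo "FAIL PermitRootLogin is '${prl:-unset}' (want 'no')"; rc=1
    fi

    mat=$(effective_value "$file" MaxAuthTries)
    case "$mat" in
        ''|*[!0-9]*)              # unset or not a number: the default (6) applies
            echo "FAIL MaxAuthTries is '${mat:-unset}' (want 3 or fewer)"; rc=1 ;;
        *)
            if [ "$mat" -le 3 ]; then echo "OK   MaxAuthTries $mat"
            else echo "FAIL MaxAuthTries $mat (want 3 or fewer)"; rc=1; fi ;;
    esac
    return $rc
}

# Two constructed sample configs (not files from any poster's machine).
weak=$(mktemp); hardened=$(mktemp)
trap 'rm -f "$weak" "$hardened"' EXIT
cat > "$weak" <<'EOF'
Port 22
PermitRootLogin yes
EOF
cat > "$hardened" <<'EOF'
Port 22
PermitRootLogin no
MaxAuthTries 3
# later duplicates are ignored by sshd, so this line does not reopen root login
PermitRootLogin yes
EOF

echo "== weak =="; check_sshd_config "$weak" || true
echo "== hardened =="; check_sshd_config "$hardened" || true
```

After editing the real file, `sshd -t -f /path/to/sshd_config` checks the syntax before a restart. Note that MaxAuthTries only caps attempts within one connection; someone who simply reconnects gets a fresh allowance, so it complements rather than replaces the firewall trickykid mentions.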
Old 11-15-2004, 10:12 PM   #14
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
Originally posted by Kropotkin
How does this improve security?
By allowing direct root logins, you've significantly reduced the complexity of a username-password combo (i.e. you already have the username (root), all you need is a password and you have automatic root access). By disallowing root logins, you'd need to guess a valid username and the correct password, so that makes bruteforce techniques virtually impossible.
 
Old 11-15-2004, 10:14 PM   #15
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
Originally posted by mnauta
Anyway, I had another server up within hours, including all backups
I hope that you've made sure that the backups are clean and free of any malicious code as well?
 