Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Our server (Red Hat 7.2) was somehow hacked via FTP, and the intruder replaced sshd with his own; ssh and telnet are not available.
The problem is that I cannot delete his sshd to replace it with mine (a working one).
It tells me that I do not have the privileges to do this (the process is stopped and I'm root).
Try to netstat and ps your processes for future reference, then drop to runlevel 1; this will kill users, daemon processes and network (the regular ones, not rogue processes). Use lsof to see what files are opened to get a grip on the location, and list your modules. If nothing insane turns up, then you probably run an LKM. In any case it's now time to kill the box.
Kill the box and DO NOT power on again. Use a bootable CD like KNOPPIX, FIRE or PSK to investigate, or add the HD to another machine and mount it read-only. If you need the box up, save the auth files and all logfiles, then make a dd copy for future reference. Make sure to wipe the WHOLE disk: repartition, reformat and reinstall from scratch. Don't copy over binaries or stuff that isn't human readable. Don't use a restore from backup unless you've got external (untampered) means of verifying the backup is sane.
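The volatile-state snapshot described in the post above (netstat, ps, lsof, lsmod before dropping to runlevel 1), as an added POSIX sh example that is not code from the thread or from unSpawn. It assumes OUTDIR points at removable or remote media rather than the suspect disk, skips tools that are missing on the host, and hashes the results so the record can be checked later. Note that output produced by the suspect system's own binaries is only as trustworthy as those binaries; with an LKM rootkit loaded it may be lying, which is why the post still says to boot clean media afterwards.

```shell
#!/bin/sh
# Added example (not from the original thread): snapshot volatile state
# from a box suspected of compromise BEFORE runlevel 1 or power-off.
# OUTDIR is assumed to be removable/remote media, never the suspect disk.

# snapshot_volatile OUTDIR -> runs each listed command that exists on this
# host, saves its output to OUTDIR/<name>.txt, prints the number of
# snapshots taken. Failing commands still leave their error text on file.
snapshot_volatile() {
    outdir=$1
    mkdir -p "$outdir" || return 1
    taken=0
    # "name|command line" pairs; the tool is the first word of the command.
    for spec in \
        'date|date -u' \
        'uname|uname -a' \
        'netstat|netstat -anp' \
        'ps|ps auxww' \
        'lsof|lsof -n -P' \
        'lsmod|lsmod' \
        'who|who -a' \
        'mounts|cat /proc/mounts'
    do
        name=${spec%%|*}
        cmd=${spec#*|}
        tool=${cmd%% *}
        command -v "$tool" >/dev/null 2>&1 || continue
        sh -c "$cmd" >"$outdir/$name.txt" 2>&1 || true
        taken=$((taken + 1))
    done
    echo "$taken"
}

# hash_manifest OUTDIR -> writes OUTDIR/MANIFEST with one digest per
# snapshot file (sha256 where available, md5 on old hosts such as RH 7.2)
# and prints the number of files hashed. Copy MANIFEST off-host as well.
hash_manifest() {
    outdir=$1
    if command -v sha256sum >/dev/null 2>&1; then hasher=sha256sum
    elif command -v md5sum >/dev/null 2>&1; then hasher=md5sum
    elif command -v shasum >/dev/null 2>&1; then hasher="shasum -a 256"
    else return 1; fi
    ( cd "$outdir" && $hasher *.txt ) >"$outdir/MANIFEST" 2>/dev/null
    wc -l <"$outdir/MANIFEST" | tr -d ' '
}

# Typical use on the suspect box, with a USB stick mounted at /mnt/usb:
#   n=$(snapshot_volatile /mnt/usb/triage-$(date +%Y%m%d%H%M)) && \
#   hash_manifest /mnt/usb/triage-*
```

Run it once, then drop to runlevel 1 and compare a second snapshot: listening sockets or PIDs that vanish from ps/netstat but still show in lsof output are the kind of "insane" result the post is talking about.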
The attacker probably changed the extended attributes on the sshd binary. IIRC you can do lsattr on the file to view its extended attributes, and chattr to change them. There *should* be helpful man pages with more information on each of the above (or do $ apropos attributes).
Like unSpawn said, at this point you're going to have to reinstall the OS from scratch to make sure you really eradicate the cracker. There are simply too many other ways the system could be tampered with and back-doored, so the only way to be sure is to fdisk and reinstall.
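The lsattr/chattr check suggested above, as an added POSIX sh example that is not code from the thread. The immutable (`i`) and append-only (`a`) ext2/3 attributes are the usual reason root "has no privileges" to unlink a file: `chattr +i` blocks delete, rename, write and link even for uid 0 until `chattr -i` clears it. The sample lsattr output below is constructed for the example; the flag positions follow lsattr's own format (flag string, space, path).

```shell
#!/bin/sh
# Added example (not from the original thread): read lsattr output and
# report files whose attributes stop root from replacing them.
# 'i' = immutable (no delete/rename/write/link, even for root),
# 'a' = append-only. Cleared with `chattr -i` / `chattr -a`.

# Constructed sample of what `lsattr` might print on a tampered box
# (sample data for this example, not real output from the thread):
SAMPLE_LSATTR='----i--------e-- /usr/sbin/sshd
-------------e-- /bin/ls
-----a-------e-- /var/log/secure'

# has_attr LINE FLAG -> exit 0 if the lsattr line carries FLAG
has_attr() {
    flags=${1%% *}              # first field is the attribute string
    case $flags in
        *"$2"*) return 0 ;;
        *) return 1 ;;
    esac
}

# locked_files TEXT -> one line per path whose flags include i or a,
# with the chattr command that clears the lock
locked_files() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=${line#* }
        if has_attr "$line" i; then
            printf '%s immutable (chattr -i to clear)\n' "$path"
        elif has_attr "$line" a; then
            printf '%s append-only (chattr -a to clear)\n' "$path"
        fi
    done
}

# count_locked TEXT -> number of locked paths in the lsattr output
count_locked() {
    locked_files "$1" | wc -l | tr -d ' '
}

# check_binaries PATH... -> live check; needs e2fsprogs and an ext2/3/4 fs.
# Silently does nothing where lsattr is unavailable.
check_binaries() {
    command -v lsattr >/dev/null 2>&1 || return 0
    locked_files "$(lsattr "$@" 2>/dev/null)"
}

# Typical use on the suspect box:
#   check_binaries /usr/sbin/sshd /usr/sbin/in.ftpd /bin/ps /bin/netstat
```

If the attacker's sshd shows up as immutable, `chattr -i /usr/sbin/sshd` lets you remove it, but that only addresses the symptom; a rootkit that hooks the filesystem calls can hide the attribute or refuse the chattr, which is one more reason the replies above say to boot clean media and reinstall.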