Have I been hacked?
I am running a Fedora 10 virtual server and have a feeling I have been hacked. I needed to fix a source file that I had definitely not changed myself. It was a PHP file concerned with usernames and passwords, so that made me even more suspicious. I have been investigating and found the following. If you need other information, give me the command I should run and I will update; I am no expert in this area and use the server to host my website and SVN. I am the only person that has access to the server.
Code:
# lsof -u nobody
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
proftpd 1502 nobody cwd DIR 0,81 4096 27889180 /
proftpd 1502 nobody rtd DIR 0,81 4096 27889180 /
proftpd 1502 nobody txt REG 0,81 760920 28216141 /usr/sbin/proftpd
proftpd 1502 nobody mem REG 8,3 28639395 /lib/libssl.so.0.9.8g (path dev=0,81)
proftpd 1502 nobody mem REG 8,3 28639374 /lib/libcrypt-2.9.so (path dev=0,81)
proftpd 1502 nobody mem REG 8,3 28478541 /usr/lib/libkrb5.so.3.3 (path dev=0,81)
proftpd 1502 nobody mem REG 8,3 28639371 /lib/libresolv-2.9.so (path dev=0,81)
proftpd 1502 nobody mem REG 8,3 28639253 /lib/libkeyutils-1.2.so (path dev=0,81)
proftpd 1502 nobody mem REG 8,3 28639449 /lib/libaudit.so.0.0.0 (path dev=0,81)
proftpd 1502 nobody mem REG 8,3 28639436 /lib/libselinux.so.1 (path dev=0,81)
proftpd 1502 nobody mem REG 8,3 28639455 /lib/libcrypto.so.0.9.8g (path dev=0,81)
proftpd 1502 nobody mem REG 8,3 28639445 /lib/libpam.so.0.81.13 (path dev=0,81)
proftpd 1502 nobody mem REG 8,3 28639264 /lib/libc-2.9.so (path dev=0,81)
proftpd 1502 nobody mem REG 8,3 28477777 /usr/lib/libgssapi_krb5.so.2.2 (path dev=0,81)
proftpd 1502 nobody mem REG 8,3 28639384 /lib/libcap.so.2.10 (path dev=0,81)
proftpd 1502 nobody mem REG 8,3 28639444 /lib/ld-2.9.so (path dev=0,81)
proftpd 1502 nobody mem REG 8,3 28639262 /lib/libcom_err.so.2.1 (path dev=0,81)
proftpd 1502 nobody mem REG 8,3 28639289 /lib/libpthread-2.9.so (path dev=0,81)
proftpd 1502 nobody mem REG 8,3 28639377 /lib/libnss_dns-2.9.so (path dev=0,81)
proftpd 1502 nobody mem REG 8,3 28639271 /lib/libdl-2.9.so (path dev=0,81)
proftpd 1502 nobody mem REG 8,3 28639524 /lib/libattr.so.1.1.0 (path dev=0,81)
proftpd 1502 nobody mem REG 8,3 28639528 /lib/libacl.so.1.1.0 (path dev=0,81)
proftpd 1502 nobody mem REG 8,3 28478247 /usr/lib/libk5crypto.so.3.1 (path dev=0,81)
proftpd 1502 nobody mem REG 8,3 28639406 /lib/libnss_files-2.9.so (path dev=0,81)
proftpd 1502 nobody mem REG 8,3 28639294 /lib/libz.so.1.2.3 (path dev=0,81)
proftpd 1502 nobody mem REG 8,3 28477856 /usr/lib/libkrb5support.so.0.1 (path dev=0,81)
proftpd 1502 nobody mem REG 8,3 28216141 /usr/sbin/proftpd (path dev=0,81)
proftpd 1502 nobody mem REG 8,3 28509467 /usr/lib/locale/locale-archive (path dev=0,81)
proftpd 1502 nobody mem REG 8,3 28606782 /usr/lib/gconv/gconv-modules.cache (path dev=0,81)
proftpd 1502 nobody 0u IPv6 1482671657 TCP *:ftp (LISTEN)
proftpd 1502 nobody 3u unix 0xb12bfa40 1482671154 /var/run/proftpd/proftpd.sock
proftpd 1502 nobody 5r REG 0,81 1764 27890370 /etc/passwd
proftpd 1502 nobody 6r REG 0,81 801 27890286 /etc/group
Should /etc/passwd and /etc/group really be accessible by nobody?
rkhunter showed the following warnings:
Code:
# cat /var/log/rkhunter.log.old | grep Warning
[13:44:48] Warning: Checking for prerequisites [ Warning ]
[13:44:48] Warning: WARNING! It is the users responsibility to ensure that when the '--propupd' option
[13:44:54] /usr/bin/ldd [ Warning ]
[13:44:54] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable
[13:44:57] /usr/bin/whatis [ Warning ]
[13:44:57] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: POSIX shell script text executable
[13:44:58] /sbin/ifdown [ Warning ]
[13:44:58] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
[13:44:58] /sbin/ifup [ Warning ]
[13:44:58] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
[13:48:36] Checking loaded kernel modules [ Warning ]
[13:48:36] Warning: No output found from the lsmod command or the /proc/modules file:
[13:48:37] Warning: The kernel modules directory '/lib/modules' is missing or empty.
[13:49:27] Checking if SSH root access is allowed [ Warning ]
[13:49:27] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
[13:49:33] Checking for hidden files and directories [ Warning ]
[13:49:33] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[13:50:13] Checking version of GnuPG [ Warning ]
[13:50:13] Warning: Application 'gpg', version '1.4.9', is out of date, and possibly a security risk.
[13:50:13] Checking version of Apache [ Warning ]
[13:50:14] Warning: Application 'httpd', version '2.2.11', is out of date, and possibly a security risk.
[13:50:14] Checking version of Bind DNS [ Warning ]
[13:50:14] Warning: Application 'named', version '9.5.1-P3', is out of date, and possibly a security risk.
[13:50:14] Checking version of OpenSSL [ Warning ]
[13:50:14] Warning: Application 'openssl', version '0.9.8g', is out of date, and possibly a security risk.
[13:50:14] Checking version of PHP [ Warning ]
[13:50:14] Warning: Application 'php', version '5.2.9', is out of date, and possibly a security risk.
[13:50:14] Checking version of OpenSSH [ Warning ]
[13:50:14] Warning: Application 'sshd', version '5.1p1', is out of date, and possibly a security risk.
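An added example, not part of the original post or of rkhunter: after "replaced by a script" warnings on a Fedora host, the decisive check is whether the files on disk are still the ones the RPM database says the packages shipped, which `rpm -V` (or `rpm -Vf <path>` for the flagged files) answers. The function below classifies `rpm -V` output so that a digest, size, mode or ownership change on a non-config file stands out from the benign noise of edited config files and mtime-only differences. The sample verify lines are constructed for the demo and are not output from the poster's server; the package and file names in them are illustrative only.

```shell
#!/bin/sh
# Added example: classify `rpm -V` output. Real use on the Fedora host:
#   rpm -Vf /usr/bin/ldd /usr/bin/whatis /sbin/ifup /sbin/ifdown | classify_rpm_verify
#   rpm -Va | classify_rpm_verify        # whole system
#
# Each verify line is:  <flags> [attr] <path>
#   flags: S size  M mode  5 digest  D device  L symlink  U user  G group  T mtime
#          '.' = unchanged, '?' = could not be tested
#   attr:  c config  d doc  g ghost  l license  r readme (absent for ordinary files)
# A line "missing <path>" means the packaged file is gone.

classify_rpm_verify() {
  while read -r flags attr path; do
    [ -z "$flags" ] && continue
    # Two fields only: there is no attribute marker, so the second field is the path.
    if [ -z "$path" ]; then
      path=$attr
      attr=-
    fi
    if [ "$flags" = "missing" ]; then
      printf 'ALERT missing %s\n' "$path"
      continue
    fi
    case "$flags" in
      # Content or identity changed: digest, size, mode, owner, group, link target, device.
      *5*|*S*|*M*|*U*|*G*|*L*|*D*)
        if [ "$attr" = "c" ]; then
          # Locally edited config files are expected on an administered server.
          printf 'NOTE  config-changed %s\n' "$path"
        else
          # A packaged binary or script whose contents differ from what the RPM shipped.
          printf 'ALERT modified %s (%s)\n' "$path" "$flags"
        fi
        ;;
      *)
        # Only the mtime differs, or a check was untestable ('?').
        printf 'INFO  %s %s\n' "$flags" "$path"
        ;;
    esac
  done
}

# Count lines of a given class (ALERT, NOTE or INFO) in classified output.
count_class() {
  grep -c "^$1" || true
}

# Constructed sample verify output (not from the poster's machine).
SAMPLE='S.5....T.    /usr/bin/ldd
.......T.    /sbin/ifup
S.5....T.  c /etc/proftpd.conf
missing   d /usr/share/doc/example/README
..?......    /usr/sbin/proftpd'

printf '%s\n' "$SAMPLE" | classify_rpm_verify
```

Run `rpm -V` with an rpm binary you trust (rescue media or a known-good copy), since an attacker who replaced `ldd` can replace `rpm` too, and remember that `rpm -V` only covers packaged files: an unowned file such as the hidden `..1.gz` shows up with `rpm -qf <path>` reporting it is not owned by any package, not in verify output.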