LinuxQuestions.org


jax8 07-09-2010 02:31 AM

Have I been hacked?
 
I am running a Fedora 10 Virtual Server and have a feeling I have been hacked. I needed to fix a source file that I had definitely not changed myself. It was a PHP file concerned with usernames and passwords, so that made me even more suspicious. I have been investigating and found the following. If you need other information, give me the command I should run and I will update. I am no expert in this area and use the server to host my website and SVN. I am the only person that has access to the server.


Code:

# lsof -u nobody

COMMAND  PID  USER  FD  TYPE    DEVICE  SIZE      NODE NAME
proftpd 1502 nobody  cwd    DIR      0,81  4096  27889180 /
proftpd 1502 nobody  rtd    DIR      0,81  4096  27889180 /
proftpd 1502 nobody  txt    REG      0,81 760920  28216141 /usr/sbin/proftpd
proftpd 1502 nobody  mem    REG        8,3          28639395 /lib/libssl.so.0.9.8g (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28639374 /lib/libcrypt-2.9.so (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28478541 /usr/lib/libkrb5.so.3.3 (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28639371 /lib/libresolv-2.9.so (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28639253 /lib/libkeyutils-1.2.so (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28639449 /lib/libaudit.so.0.0.0 (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28639436 /lib/libselinux.so.1 (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28639455 /lib/libcrypto.so.0.9.8g (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28639445 /lib/libpam.so.0.81.13 (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28639264 /lib/libc-2.9.so (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28477777 /usr/lib/libgssapi_krb5.so.2.2 (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28639384 /lib/libcap.so.2.10 (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28639444 /lib/ld-2.9.so (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28639262 /lib/libcom_err.so.2.1 (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28639289 /lib/libpthread-2.9.so (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28639377 /lib/libnss_dns-2.9.so (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28639271 /lib/libdl-2.9.so (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28639524 /lib/libattr.so.1.1.0 (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28639528 /lib/libacl.so.1.1.0 (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28478247 /usr/lib/libk5crypto.so.3.1 (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28639406 /lib/libnss_files-2.9.so (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28639294 /lib/libz.so.1.2.3 (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28477856 /usr/lib/libkrb5support.so.0.1 (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28216141 /usr/sbin/proftpd (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28509467 /usr/lib/locale/locale-archive (path dev=0,81)
proftpd 1502 nobody  mem    REG        8,3          28606782 /usr/lib/gconv/gconv-modules.cache (path dev=0,81)
proftpd 1502 nobody    0u  IPv6 1482671657              TCP *:ftp (LISTEN)
proftpd 1502 nobody    3u  unix 0xb12bfa40        1482671154 /var/run/proftpd/proftpd.sock
proftpd 1502 nobody    5r  REG      0,81  1764  27890370 /etc/passwd
proftpd 1502 nobody    6r  REG      0,81    801  27890286 /etc/group

Should /etc/passwd and /etc/group really be accessible by nobody?


rkhunter showed the following warnings

Code:

# cat /var/log/rkhunter.log.old | grep Warning

[13:44:48] Warning: Checking for prerequisites              [ Warning ]
[13:44:48] Warning: WARNING! It is the users responsibility to ensure that when the '--propupd' option
[13:44:54] /usr/bin/ldd                                      [ Warning ]
[13:44:54] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable
[13:44:57] /usr/bin/whatis                                  [ Warning ]
[13:44:57] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: POSIX shell script text executable
[13:44:58] /sbin/ifdown                                      [ Warning ]
[13:44:58] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
[13:44:58] /sbin/ifup                                        [ Warning ]
[13:44:58] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
[13:48:36]  Checking loaded kernel modules                  [ Warning ]
[13:48:36] Warning: No output found from the lsmod command or the /proc/modules file:
[13:48:37] Warning: The kernel modules directory '/lib/modules' is missing or empty.
[13:49:27]  Checking if SSH root access is allowed          [ Warning ]
[13:49:27] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
[13:49:33]  Checking for hidden files and directories      [ Warning ]
[13:49:33] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[13:50:13]  Checking version of GnuPG                      [ Warning ]
[13:50:13] Warning: Application 'gpg', version '1.4.9', is out of date, and possibly a security risk.
[13:50:13]  Checking version of Apache                      [ Warning ]
[13:50:14] Warning: Application 'httpd', version '2.2.11', is out of date, and possibly a security risk.
[13:50:14]  Checking version of Bind DNS                    [ Warning ]
[13:50:14] Warning: Application 'named', version '9.5.1-P3', is out of date, and possibly a security risk.
[13:50:14]  Checking version of OpenSSL                    [ Warning ]
[13:50:14] Warning: Application 'openssl', version '0.9.8g', is out of date, and possibly a security risk.
[13:50:14]  Checking version of PHP                        [ Warning ]
[13:50:14] Warning: Application 'php', version '5.2.9', is out of date, and possibly a security risk.
[13:50:14]  Checking version of OpenSSH                    [ Warning ]
[13:50:14] Warning: Application 'sshd', version '5.1p1', is out of date, and possibly a security risk.

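Added example, not from the thread: a small shell script that gathers the file metadata one would collect for a "changed by itself" PHP file (owner, mode, mtime versus ctime, and whether a package still vouches for it) and answers the /etc/passwd question in code by checking whether "others" may read a file. It assumes GNU/busybox-compatible `stat` on Linux; the rpm step is skipped when rpm is not installed, and the file paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: metadata triage for a file that "changed
# by itself", plus the world-readable check behind the /etc/passwd question.
# Assumes Linux stat(1) with -c; the rpm step runs only if rpm is present.

# Print owner, group, octal mode and the two timestamps worth comparing:
# mtime is the last content write (settable with touch), ctime is the last
# inode change (set by the kernel, not settable from userspace).
file_triage() {
    f=$1
    [ -e "$f" ] || { echo "no such file: $f" >&2; return 2; }
    stat -c 'path:  %n
owner: %U:%G  mode: %a
mtime: %y
ctime: %z' -- "$f"
    # If a package owns the file, ask whether it still matches the package.
    # "rpm -V" prints a flag line (S = size, 5 = digest, T = mtime, ...) for
    # every file that differs and nothing for files that match.
    if command -v rpm >/dev/null 2>&1; then
        if pkg=$(rpm -qf -- "$f" 2>/dev/null); then
            echo "package: $pkg"
            rpm -V "$pkg" | grep -F -- " $f" || echo "rpm -V: $f matches $pkg"
        else
            echo "package: none (not owned by any package)"
        fi
    fi
}

# Return 0 if "others" may read the file, 1 otherwise. /etc/passwd and
# /etc/group are mode 644 on a normal system: every process, including one
# running as nobody, reads them for user/group name lookups, so proftpd
# holding them open is expected and not a finding by itself.
world_readable() {
    mode=$(stat -c '%a' -- "$1") || return 2
    [ $(( ($mode % 10) & 4 )) -ne 0 ]
}

# Return 0 if ctime is later than mtime: the inode was changed (chmod, chown,
# rename, or a back-dated mtime) after the last content write. A file whose
# mtime looks old but whose ctime is recent deserves a closer look.
ctime_after_mtime() {
    m=$(stat -c '%Y' -- "$1") || return 2
    c=$(stat -c '%Z' -- "$1") || return 2
    [ "$c" -gt "$m" ]
}

# Usage: sh triage.sh /path/to/suspect.php /etc/passwd   (paths are placeholders)
for f in "$@"; do
    file_triage "$f"
    world_readable "$f" && echo "world-readable: yes" || echo "world-readable: no"
    ctime_after_mtime "$f" && echo "note: ctime is newer than mtime"
    echo
done
```

Run it on the suspect file and on /etc/passwd side by side: the latter being mode 644 and readable by nobody is normal, while a PHP file whose ctime is recent but whose mtime is old, or which no package owns, is what to follow up in the web server and system logs.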

linuxlover.chaitanya 07-09-2010 05:04 AM

I am no expert myself, but I think rkhunter may suggest that you are using old packages, and this may be because you are using an old, unsupported version of Fedora. The latest is F13. Fedora's release cycle is short and it attains end of life quite frequently. Not a good choice for a server. Upgrading to F13 may remove the rkhunter warnings.

unSpawn 07-10-2010 04:09 AM

Quote:

Originally Posted by jax8 (Post 4028043)
Should /etc/passwd and /etc/group really be accessible by nobody?

Short answer: yes.


Quote:

Originally Posted by jax8 (Post 4028043)
I am running a Fedora 10 Virtual Server and have a feeling I have been hacked. I needed to fix a source file that I had definitely not changed myself. It was a PHP file concerned with usernames and passwords, so that made me even more suspicious. I have been investigating and found the following.

As said, F10 is deprecated, so no more security updates. Bad. Who was the file owned by? What were the access rights? What does 'stat' return when you run it on the PHP-file-with-usernames-and-passwords? What software is it part of? Are you running the latest version? Did you check your system and web server logs ('Logwatch') for anomalies?

If you have the hunch (it's good to follow those) that you've got a potential compromise on your hands, please read the Intruder Detection Checklist (CERT, archived): http://web.archive.org/web/200801092...checklist.html.


Quote:

Originally Posted by jax8 (Post 4028043)
has been replaced by a script

Download version 1.3.6 and read the documentation, search the rkhunter-users mailing list archives and see the rkhunter.conf script whitelisting option. The fact you're only showing this now means you never (re-)configured Rootkit Hunter completely.


Quote:

Originally Posted by jax8 (Post 4028043)
Warning: The SSH configuration option 'PermitRootLogin' has not been set.

Well set it.


Quote:

Originally Posted by jax8 (Post 4028043)
Warning: Hidden file found: /usr/share/man/man1/..1.gz

Read the documentation, search the rkhunter-users mailing list archives and see the rkhunter.conf dot-files whitelisting option.


Quote:

Originally Posted by jax8 (Post 4028043)
Warning: Application X, version Y, is out of date, and possibly a security risk.

Read the documentation, search the rkhunter-users mailing list archives, see the rkhunter.conf application check version whitelisting option or disable the application version check.
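Added example, not from the thread or from the Rootkit Hunter project: a script that turns the warning lines quoted above into candidate rkhunter.conf entries, and a check to run on each "replaced by a script" path before accepting it. The option names it emits (SCRIPTWHITELIST, ALLOWHIDDENFILE, APP_WHITELIST, DISABLE_TESTS, ALLOW_SSH_ROOT_USER) are the rkhunter.conf options of the 1.3.x series; the sample log is constructed from the thread's output, and the verify step assumes an rpm-based system such as Fedora, where ldd, whatis, ifup and ifdown are shell scripts by design.

```shell
#!/bin/sh
# Added example, not from the thread or from the Rootkit Hunter project:
# turn rkhunter's "replaced by a script", "Hidden file found", "out of date"
# and PermitRootLogin warnings into candidate rkhunter.conf lines, and check
# each flagged command against the package manager before whitelisting it.
# SCRIPTWHITELIST, ALLOWHIDDENFILE, APP_WHITELIST, DISABLE_TESTS and
# ALLOW_SSH_ROOT_USER are rkhunter.conf options of the 1.3.x series.

# Constructed sample: a few lines in the format of the thread's log.
SAMPLE_LOG=$(cat <<'EOF'
[13:44:48] Warning: Checking for prerequisites              [ Warning ]
[13:44:54] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable
[13:44:57] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: POSIX shell script text executable
[13:49:27] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
[13:49:33] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[13:50:13] Warning: Application 'gpg', version '1.4.9', is out of date, and possibly a security risk.
[13:50:14] Warning: Application 'php', version '5.2.9', is out of date, and possibly a security risk.
EOF
)

# Read rkhunter log lines on stdin, print candidate rkhunter.conf lines.
# Nothing printed here is safe to paste blindly: each SCRIPTWHITELIST path
# must pass verify_script first, and APP_WHITELIST only silences the version
# check, it does not make an unpatched package safe.
whitelist_candidates() {
    apps=""
    while IFS= read -r line; do
        case $line in
            *"has been replaced by a script"*)
                p=${line#*"The command '"}; p=${p%%\'*}
                echo "SCRIPTWHITELIST=$p" ;;
            *"Hidden file found: "*)
                p=${line#*"Hidden file found: "}; p=${p%%:*}
                echo "ALLOWHIDDENFILE=$p" ;;
            *"'PermitRootLogin' has not been set"*)
                echo "# sshd_config: PermitRootLogin no; then ALLOW_SSH_ROOT_USER=no" ;;
            *"is out of date"*)
                a=${line#*"Application '"}; a=${a%%\'*}
                v=${line#*"version '"}; v=${v%%\'*}
                apps="$apps${apps:+ }$a:$v" ;;
        esac
    done
    [ -n "$apps" ] && echo "APP_WHITELIST=$apps"   # or DISABLE_TESTS=apps
    return 0
}

# Return 0 if the package manager still owns the file and reports no change
# to its package, 1 if the file is unowned or modified, 2 if rpm is missing.
# On Fedora, ldd, whatis, ifup and ifdown are shell scripts by design, so a
# clean result here means the rkhunter warning is a false positive.
verify_script() {
    command -v rpm >/dev/null 2>&1 || return 2
    rpm -qf -- "$1" >/dev/null 2>&1 || return 1
    [ -z "$(rpm -Vf -- "$1" 2>/dev/null)" ]
}

# Usage: grep Warning /var/log/rkhunter.log | sh rkwhitelist.sh -
# Without "-" it runs on the constructed sample.
if [ "$1" = "-" ]; then
    whitelist_candidates
else
    printf '%s\n' "$SAMPLE_LOG" | whitelist_candidates
fi
```

The parser does the bookkeeping; the decision stays with the operator. A script that rpm no longer vouches for (unowned, or a changed digest) should not be whitelisted, and the "out of date" lines are better answered by moving to a supported release than by APP_WHITELIST.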

unSpawn 07-10-2010 04:14 AM

Quote:

Originally Posted by linuxlover.chaitanya (Post 4028136)
I am no expert myself

This is the Linux Security forum. Members may post information about (potential) compromises here. Compromises are bad for the owner, bad for all connected to the same network (meaning all of us) and bad for the GNU/Linux image. This means it needs to be dealt with decisively, correctly and quickly. So if you're not familiar with incident response, then for you the best thing to do is to wait until somebody comes along who is. Because addressing secondary issues makes the OP lose focus and is inefficient. If you want to post something, then post the Intruder Detection Checklist link I posted in the previous reply. This enables the OP to at least gather more information.

Also upgrading to F13 will not remove the rkhunter warnings.

H_TeXMeX_H 07-10-2010 06:31 AM

Other useful commands:

Code:

netstat -a
nmap localhost

and look for open ports, in case it is using any ports.

clamav or other anti-virus is useful if you suspect a virus or trojan.
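Added example, not from the thread: a script that reads numeric netstat output, lists every listening socket and flags any that is not on an allowlist of the services the host is meant to run (here ftp, ssh, http, svnserve and DNS, a hypothetical list for a box like the poster's). The sample output is constructed in the `netstat -tuln` column layout of Linux net-tools. Because userland tools on a compromised host may not tell the truth, the list is worth confirming from another machine with nmap, as the post above suggests.

```shell
#!/bin/sh
# Added example, not from the thread: list listening sockets from numeric
# netstat output and flag any that are not on an allowlist of the services
# the box is meant to run. Assumes the Linux net-tools "netstat -tuln" column
# layout; the sample below is constructed and the allowlist is hypothetical.

# Constructed sample in "netstat -tuln" format: ftp, ssh, http, svnserve,
# named, plus one listener that is not on the allowlist.
SAMPLE_NETSTAT=$(cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp        0      0 127.0.0.1:3690          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:53              0.0.0.0:*
EOF
)

# Services this (hypothetical) host is expected to offer.
ALLOW="tcp/21 tcp/22 tcp/80 tcp/3690 udp/53"

# stdin: netstat -tuln output. stdout: one "proto/port local-address" line per
# listening socket. TCP sockets count only in LISTEN state; every UDP socket
# shown is bound and counts.
listeners() {
    awk '($1 ~ /^tcp/ && $6 == "LISTEN") || $1 ~ /^udp/ {
        n = split($4, a, ":"); port = a[n]      # works for "0.0.0.0:22" and ":::80"
        proto = ($1 ~ /^tcp/) ? "tcp" : "udp"
        print proto "/" port " " $4
    }'
}

# stdin: netstat -tuln output. Prints one line per listener not in $1.
unexpected_listeners() {
    allow=" $1 "
    listeners | while read -r key addr; do
        case $allow in
            *" $key "*) ;;
            *) echo "UNEXPECTED $key on $addr" ;;
        esac
    done
}

# Usage: sh listeners.sh --live   (otherwise runs on the constructed sample)
if [ "$1" = "--live" ]; then
    netstat -tuln | unexpected_listeners "$ALLOW"
else
    printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "$ALLOW"
fi
```

On the sample this prints the one listener outside the allowlist; on a real host, each flagged port is then traced back to its process (lsof -i :PORT, as the poster already did for proftpd) and to the package that installed it.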

