Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
My server was hacked (I think). I have a PHP server installed on my Red Hat Linux 7.2. One day I found the website was down, because the PHP file can't find the libraries it needs, so I checked the php.ini and found that it was accessed on Dec/4/2003, not by me. I think someone else changed it; I then changed it back and now the server is up again. But I found some functions are changed for this website, so I wonder whether there is a way to find out who accessed the php.ini (username, the IP address of the machine he/she logged on from, access time and other activities he/she has done). I need this information to correct my website and improve security. I'm not familiar with the security stuff on Linux; could you guys give me some help? Thanks so much! Need your help urgently!
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Well first, if you have physical access to the box, remove the network cable and keep it unplugged until you determine what happened. There's no sense in letting the (possible) cracker back in to do more damage (if the box really was compromised).
You can run "last" and see who has been logged in. Also check in /var/log/secure, assuming it wasn't tampered with (/var/log/wtmp may have been tampered with as well, so "last" won't necessarily tell you anything). In fact, check everything in /var/log for anomalies. Anything there may have been modified to cover up tracks, but on the other hand the attacker may have missed something or might not have been able to escalate privileges (perhaps they were just running amok as "www" or "nobody").
Check each home directory for a .history or .bash_history and see if they contain anything interesting.
Install and run chkrootkit and see if it detects anything. Check the size, date, and permissions of system binaries (ls, ps, top, netstat, w, who, etc) against known good copies, such as from the original install media (CD-ROM?).
Review this thread for other ideas of how to diagnose and deal with system break-ins.
By the way, when all is said and done please consider updating your OS version to something a little more current. If you want to stick with Red Hat, you should consider installing Fedora Linux, since Red Hat will no longer be providing security updates. Whatever you pick, make sure your OS of choice includes regular security updates that you have access to and most importantly, check regularly for such updates and install them! It's quite possible that you were compromised by one of several Apache and/or PHP vulnerabilities.
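The checks in the post above (who logged in and from where, and whether the system binaries still match known-good copies) can be scripted. The following is an added example, not chort's code or anything from the thread: it parses a constructed /var/log/secure excerpt for successful sshd logins outside an admin allowlist, and parses constructed `rpm -Va` output (the RPM database is the "known good" copy that ships with Red Hat) for package binaries whose MD5 digest no longer matches. The hostnames, IPs, paths and sample lines are all placeholders; on the real box you would feed it /var/log/secure* and the output of `rpm -Va`, ideally run from a rescue CD with a trusted rpm binary.

```shell
#!/bin/sh
# Added example, not from the thread: helpers for the triage described above
# (who logged in, from where, which package-owned files no longer match the
# RPM database). All input below is constructed; hosts, IPs and paths are
# placeholders. On the real box: rpm -Va > /tmp/rpm-va.txt ; cat /var/log/secure*

# Constructed /var/log/secure excerpt in Red Hat 7.x syslog format.
SAMPLE_SECURE='Dec  4 02:13:07 web sshd[1721]: Accepted password for root from 10.0.0.5 port 51022 ssh2
Dec  4 02:15:41 web sshd[1745]: Accepted publickey for admin from 192.168.1.10 port 4412 ssh2
Dec  4 03:02:19 web sshd[1802]: Failed password for root from 203.0.113.77 port 3321 ssh2
Dec  4 03:02:25 web sshd[1802]: Accepted password for root from 203.0.113.77 port 3321 ssh2
Dec  5 09:00:03 web login[220]: LOGIN ON tty1 BY root'

# Constructed `rpm -Va` output. Column 1 flags what differs from the RPM database:
# S size, M mode, 5 MD5 digest, T mtime; a "c" in column 2 marks a config file.
SAMPLE_RPM_VA='S.5....T   /bin/ls
.......T   /etc/issue
S.5....T c /etc/php.ini
missing    /usr/bin/w
.M......   /bin/netstat
S.5....T   /usr/bin/top'

# Print "user ip" for each successful sshd login in a secure-style log ("-" = stdin).
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i + 1)
                if ($i == "from") ip   = $(i + 1)
            }
            print user, ip
         }' "$1"
}

# Successful logins from addresses outside a space-separated allowlist:
# these are the "who, and from which IP" the original poster is after.
suspect_logins() {  # $1 = log file, $2 = "ip1 ip2 ..."
    accepted_logins "$1" | while read -r user ip; do
        case " $2 " in
            *" $ip "*) ;;                     # known admin address, ignore
            *)         echo "$user $ip" ;;
        esac
    done
}

# Package-owned files whose MD5 digest differs from the RPM database, excluding
# config files (expected to differ). Non-config hits are rootkit replacement
# candidates: ls, ps, netstat, top, w, who and friends.
modified_binaries() {
    awk '$1 ~ /5/ && $1 != "missing" && $2 != "c" { print $NF }' "$1"
}

# Package-owned files that are gone entirely (some rootkits delete tools outright).
missing_files() {
    awk '$1 == "missing" { print $NF }' "$1"
}

# Demo on the constructed samples; replace the files with the real ones on the box.
TMP=${TMPDIR:-/tmp}/triage.$$
mkdir -p "$TMP"
printf '%s\n' "$SAMPLE_SECURE" > "$TMP/secure"
printf '%s\n' "$SAMPLE_RPM_VA" > "$TMP/rpm-va"
echo "== logins not from the admin allowlist =="
suspect_logins "$TMP/secure" "10.0.0.5 192.168.1.10"
echo "== package binaries with changed MD5 =="
modified_binaries "$TMP/rpm-va"
echo "== package files missing =="
missing_files "$TMP/rpm-va"
rm -rf "$TMP"
```

Two caveats a practitioner should keep in mind: a modified /bin/ls or /usr/bin/top is only suspicious if the RPM database itself is trusted (an attacker with root can update it, so compare against the install media when in doubt), and a login from an unexpected address tells you where the session came from, not who was behind it.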
In fact, I checked all the log files and used the methods the message above advised, but I can't find who did this, because I think some logs were lost, maybe deleted by the invader. But still, thanks very much to that person and to your forum!
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
By the way, you know you can view compressed log files, right? There's very likely a log rotate script on your box that compresses old log files to save space. You can use gzcat and less to view them, such as
$ gzcat /var/log/secure.0.gz | less
Originally posted by chort: "Well first, if you have physical access to the box, remove the network cable and keep it unplugged until you determine what happened." (The rest of the message is cut away.)
I just want to make a small comment on this statement.
It's _not_ always smart to unplug the computer from the network, either by stopping it command-based or by pulling the network cable. If you are actually hacked, it doesn't really make a difference with a couple more minutes online, because in many cases there is a (hidden) script running which deletes everything on the computer if the network is stopped in any way. The script is quite simple, and when the network is disabled it starts a delete process. This is because most hackers (both good and bad) know that at least 99% of sysadmins will respond to the attack by pulling the plug.
There are plenty of ways to "booby-trap" a system that aren't limited to testing if the networking is active (i.e. checking logs, executing chkrootkit, etc). So you risk shooting yourself in the foot doing a lot of things. However, I don't think keeping your network active is necessarily the best solution either. Not only will it give whoever cracked your box a continued point of entry, but if your box is being used to attack a third party then while you diddle around looking at logs, you could be providing an avenue for others to get cracked/DDoSed as well.
I think the best advice is once you detect something strange, poweroff and disconnect your box. Then reboot with a cd-based distro and mount the suspect system read-only to do a thorough check.
I totally agree with you on that! The best thing is to power off, maybe even by pulling the power cord if that looks like the best solution. If you do as you say, boot from a CD distro (or something) and mount the partitions (preferably read-only so you don't destroy evidence), the scripts won't work or do any harm.
But my point was only to let people know that stopping the network isn't always a good idea, even though it might sound like the best solution.
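The "mount it read-only from a rescue CD" step above has a detail worth checking before anything is read: the original poster's only clue was an access time on php.ini, and simply reading files on a read-write mount overwrites exactly that kind of evidence. The following is an added example, not code from the thread or from any of its posters. It confirms that a mount point really is read-only (by parsing /proc/mounts, or a supplied mounts file for testing) and records a sorted sha1 manifest of the tree so that later findings can be checked against the state the disk was in when first examined. The device, mount point and sample entries are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: evidence-preservation helpers for the
# rescue-CD step discussed above. Mount point, device and file names are
# placeholders; the mounts sample below is constructed.
#
# Suggested rescue-CD mount (not run here): ro stops writes, noatime stops the
# kernel touching access times even on read, noexec/nosuid/nodev keep anything
# on the suspect disk from being run by mistake:
#   mount -o ro,noatime,noexec,nosuid,nodev /dev/hda2 /mnt/suspect

# Constructed /proc/mounts: the suspect root mounted correctly, its /boot not.
SAMPLE_MOUNTS='/dev/hda2 /mnt/suspect ext3 ro,noatime,noexec,nosuid,nodev 0 0
/dev/hda1 /mnt/suspect/boot ext3 rw 0 0'

# Exit 0 if MOUNTPOINT is mounted with the "ro" option, 1 otherwise (including
# when it is not mounted at all). Column 4 of /proc/mounts holds the options.
is_readonly_mount() {  # $1 = mountpoint, $2 = mounts file (default /proc/mounts)
    awk -v mp="$1" '
        $2 == mp { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "ro") found = 1 }
        END      { exit found ? 0 : 1 }' "${2:-/proc/mounts}"
}

# Write "sha1  path" for every regular file under DIR, sorted so two manifests
# of the same tree diff cleanly, and print the manifest path.
make_manifest() {  # $1 = directory, $2 = output file
    find "$1" -type f -print | LC_ALL=C sort | while read -r f; do
        sha1sum "$f"
    done > "$2"
    echo "$2"
}

# Re-check a manifest; prints only the files whose digest changed, non-zero if any.
verify_manifest() {  # $1 = manifest
    sha1sum -c --quiet "$1"
}

# Demo: refuse to proceed unless the suspect mount is read-only, then take a
# manifest of a constructed tree and show that a later change is detected.
TMP=${TMPDIR:-/tmp}/evidence.$$
mkdir -p "$TMP/tree/etc"
printf '%s\n' "$SAMPLE_MOUNTS" > "$TMP/mounts"
if is_readonly_mount /mnt/suspect "$TMP/mounts"; then
    echo "/mnt/suspect is read-only, safe to examine"
else
    echo "/mnt/suspect is NOT read-only, remount with -o ro,noatime first"
fi
echo 'memory_limit = 8M' > "$TMP/tree/etc/php.ini"
echo 'Red Hat Linux release 7.2' > "$TMP/tree/etc/issue"
M=$(make_manifest "$TMP/tree" "$TMP/manifest.sha1")
echo "manifest written to $M ($(wc -l < "$M" | tr -d ' ') files)"
echo 'tampered' >> "$TMP/tree/etc/php.ini"
verify_manifest "$M" || echo "manifest mismatch detected after change"
rm -rf "$TMP"
```

Keep the manifest (and, better, a full `dd` image of the partition) on separate media before reading logs or running chkrootkit on the mounted tree; that way a booby-trap or your own tooling cannot quietly alter what you later report.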
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Well, it depends on the severity of the problem. If something merely "looks funny" then you probably don't want to unplug it. If, on the other hand, you're sending out hundreds of thousands of spam messages per hour and you can't locate the process doing it, I'd say it's much better to err on the side of mitigating active damage and just yank the cable. What's worse, not finding all the code from the exploit, or having a corporation or ISP come down on you for spamming? Quite likely your ISP would at least suspend your account for an incident like that. Same thing if your machine was participating in a DDoS attack against some other site: people might want to hold you liable if you knew your machine was acting maliciously yet did nothing to stop it.